The reason why MasterCard has (finally) dropped cardholder signatures is about what matters more than a payment token

It’s all about you.

Daniel Gusev
Digital Space Ventures
Oct 22, 2017

MasterCard's news that in 2018 it would discard the need to sign on the dotted line, by deleting the line altogether, points to at least several challenges the scheme is currently facing, underlines general progress toward a cardless future, and shows what really matters.

The signature was a sign of the past, artfully described by NPR anchors in their brilliant 2014 Episode 564, "The Signature" (Planet Money, NPR), where signing a piece of paper manifested a public, social and spiritual binding act. As the technology matured, the need for personal tokens, or personal oaths, waned. Where Faustian tricks were once needed for a lifeline or a huge overdraft, a simple PIN or another magic tech trick now works just fine.

And it is this “just fine” moment that does not allow the duo of the major payment schemes to sleep at night. The Chip-and-PIN implementation, allowing magstripe cards to discard the flim-flam of “sign the cheque please” — as the name, and not the additional secret tested and successfully implemented in the PIN world — denigrates the end-to-end encryption once heralded as a breakthrough in terms of costs — and speed — in the US.

The Name Surname is the reason most people went for signing their receipts as Sergio Aguero or Nikolay Petrov, depending on the country where they use their cards. The number of methods for next-gen payments confuses the non-tech-savvy majority, which falls back on either cash or magstripe (as processors, issuers and ISOs all haggle and do not allow for a synchronised implementation of a new use case of card payments).

In part, the decision to drop signatures is a response to a stalled EMV implementation, where a dearth of major identity theft cases pushes schemes to drop an already obsolete way of matching payments with originators (also be mindful of the 1000x increase in the number of transactions since the time the first cards were signed and receipts verified against the original).

What’s more, US banks left a critical loophole for special groups to harvest cards for name and surname, as these physical (and compromised) tokens can be rendered into mobile form, because banks failed to provide adequate levels of account verification. Sometimes, even where banks have done everything right, widespread hacking incidents take core identity assets from medical institutions, credit scoring agencies and retailers. Where the migration of the payment mechanism, or the discontinuation of some field on it, is a timely challenge, the real one is whether the underlying data has already been cloned and (mis)used.

The future — including a safe one for payments — is all about you.

Most say AI and ML are a force for good. That depends on the point of view. This apparatus can train a network, based on core identity assets, to farm positive behaviour and apply for loans, as not just cards but virtually everything is going digital. Where payments are becoming the lifeblood of credit and other decisions (basically, a key to building trust in a pseudonymised and federated environment), cloning tokens and mimicking behaviour becomes an easier task with AI and ML around.

It may be a good point by Visa, saying that in the Internet of Things world, identity protection is becoming more important than payment tokenisation.

In short:

Names are obsolete, and probably already farmed, as algorithms are becoming more savvy at mimicking behaviour.

Payment data tokenisation will only work together with identity tokenisation. Otherwise, coupling channels to build a holistic payment data profile allows criminals to rebuild an identity profile: you can discard your payment token, but you cannot change your identity.

Daniel Gusev
Digital Space Ventures

16 years in global payments and ecommerce. 3 exits. VC at @gauss_vc