Keeping your card number off the internet: the quiet shift in how Australians pay online
Learn how Australians use PayID, digital wallets and bank transfers to improve online payment security and protect card details.
In the first half of 2025, Australian organisations reported 532 data breaches to the Office of the Australian Information Commissioner, and close to six in ten of those traced back to deliberate criminal attacks rather than honest mistakes. The finance sector recorded the second-highest number of incidents of any industry. For anyone who shops, banks, streams or plays online, those figures carry a plain message. Every card number you type into a website becomes one more copy of your details sitting on a server you do not control, and any one of those servers can be breached.
That is the backdrop to a change in habits that has been building quietly for years. Australians are not paying less online. They are paying differently, picking methods that keep the long string of digits on the front of their card out of as many hands as possible.
Why the card became the weak point
The plastic card was built for a counter, not a browser. When you tap at a cafe, the terminal never sees your real card number. It receives a one-time token that is useless to anyone who intercepts it. Type the same card into a checkout page, though, and you usually hand over the full number, the expiry date and the security code in one go. Many sites then store those details so the next purchase is faster, which is convenient right up until the moment the store is breached.
Stored card data is exactly what criminals are after, because it can be sold, reused, or tested against other sites in bulk. The steady run of breach notifications shows how often that data gets out. The logical response, and the one a growing number of shoppers have already reached, is to stop handing the number over in the first place.
The methods Australians are moving to
A handful of options now do that job, each in a slightly different way.
Mobile wallets such as Apple Pay and Google Pay are the most familiar. They swap your card number for a device-specific token, so the merchant never receives the real digits. Australia is one of the heaviest users of mobile wallets in the world, and the same technology that powers a tap in a shop now works at a growing share of online checkouts.
PayID has carried the idea further for bank transfers. Part of the New Payments Platform that launched in 2018, it lets you register a mobile number, an email address, or an ABN against your bank account. Whoever is paying you, or a service you are paying, uses that simple identifier instead of your BSB and account number, and the money generally lands within seconds rather than the next business day. No card is involved, and you are not handing your full account details to the other party either.
PayPal and similar services play a related role, sitting between you and the seller so the seller only ever sees an email address rather than your card or bank details. Buy now, pay later apps add another layer of separation, though they come with repayment terms worth reading closely before you sign up.
The shift is easiest to spot in the small, repeated payments that fill an ordinary week. Streaming and software subscriptions increasingly run through a stored wallet rather than raw card data. Online marketplaces steer buyers toward bank-linked transfers instead of card numbers sent over a message. Many of the platforms that accept PayID let players fund an account straight from a banking app, with the deposit clearing in seconds and no card number entered on the site. Utility providers and local councils take BPAY and bank transfers that never touch a card at all.
The habits that make it work
Choosing a safer payment method does not remove the need for ordinary caution. In some cases it just shifts where that caution needs to go.
A credit card, for all its exposure, still holds one advantage worth keeping in mind. If a purchase from an unfamiliar seller goes wrong, a card payment is usually easier to dispute and claw back than a direct bank transfer. For a brand you do not know, that protection can be worth more than the privacy of a transfer. The balance tips the other way once you trust the recipient, where a bank-linked method keeps your card out of the picture entirely.
Bank-linked transfers have also attracted their own breed of scam. Consumer advocates and local reporting have flagged a recurring trap in which a supposed seller asks a buyer to send money to several different PayIDs, or to an account whose registered name does not match the business. Both are warning signs. A genuine PayID shows you the account holder’s name before you confirm, so it pays to read that name rather than skim past it.
The rest is familiar advice that matters more as scams get more polished. Type a retailer’s address into the browser yourself rather than following a link from a text or email. Treat any deal that leans hard on urgency with suspicion. And keep separate passwords on the accounts that hold your money, since a reused password is often how a single breach turns into several.
Where it is heading
None of this makes online payments risk-free. Breaches will keep happening, and criminals adapt quickly. What has changed is how much exposure an ordinary person has to accept. A decade ago, paying online generally meant trusting every store with your full card details. Today, between mobile wallets and bank-linked transfers, most everyday payments can be made without a single shop ever seeing the number printed on your card. For a country that took to digital payments faster than almost anywhere else, that quiet change may turn out to be the most practical defence of all.
This content is provided by a third party.