There are far better ways to do it if you can use online: I submit my card number to them, they pass the card number, their account number, and the amount to my provider, and I authorise the payment with my provider.
If you're doing it over the phone, though, things like public keys won't really work: a key long enough to be secure would make the numbers impossible to read out reliably, let alone the calculation I would need to do with my private key to prove I own it.
> There are far better ways to do it if you can use online: I submit my card number to them, they pass the card number, their account number, and the amount to my provider, and I authorise the payment with my provider.
Visa does support this scheme, and I hate it when it happens. I try to use my bank password as little as possible. I also believe it's a huge phishing risk, as people don't look at the URL.
I personally prefer that the bank assume the current risk. It's not like it's making them bankrupt to do it right now...
Nah, think again, from either the merchant's or the bank's perspective: how can they tell you are really who you claim to be? That's the core question and the reason for all the hassle. And again, even if some design can perfectly solve that problem, there are additional problems to resolve: how to implement that change at a reasonable cost, within a reasonable time frame, and with a good user experience? And most importantly, without breaking existing facilities. That's exactly how we got into the current situation: there is simply too much historical burden, and while someone is trying to make things better, there may be more organizations putting sh*t into it. For example, I really don't know if any bank ever used 5-digit PINs, but there are POS machines that only accept 5 digits.
Isn't what the GP mentioned how "Verified by Visa" works? You enter your card details, and you're redirected to your bank's site to authenticate the transaction. You use whatever (normally 2FA) method to log in to the bank's page, OK the transaction, and are redirected back to the merchant's site.
Online you don't have to prove your account ownership to the merchant, just to the bank. The merchant tells the bank "I want $50 from account 17", the bank then says "Hey user, prove you own account 17 and are happy to spend $50", the user says "yes, that's me", and the bank tells the merchant "transaction approved".
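As an added illustration, not code from this thread and not an implementation of Verified by Visa or 3-D Secure, here is a toy Python model of the four-step exchange in the comment above. The point it makes beyond the prose: the merchant never handles the cardholder's credential, and the bank's approval is bound to the merchant, the amount and a one-time challenge, so a wrong password, a different confirmed amount, a forged token or a replayed approval all fail. The account data, the shared issuer/merchant key and the HMAC approval token are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo secret shared between issuer and merchant (provisioned out of band in reality).
ISSUER_MERCHANT_KEY = b"constructed-demo-issuer-merchant-key"


def _pw_hash(password: str) -> bytes:
    # Demo only: a real issuer would use a proper password hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Issuer:
    """The cardholder's bank. It alone ever checks the cardholder's credential."""
    accounts: dict                       # account id -> [password hash, balance]
    pending: dict = field(default_factory=dict)

    def request_authorisation(self, merchant_id: str, account: int, amount: int):
        """Step 1: merchant says 'I want $amount from account N'. No credential involved."""
        if account not in self.accounts:
            return None
        challenge_id = secrets.token_hex(8)          # one-time id tying the later steps together
        self.pending[challenge_id] = (merchant_id, account, amount)
        return challenge_id

    def authorise(self, challenge_id: str, account: int, password: str, confirmed_amount: int):
        """Steps 2-3: cardholder proves ownership to the bank and confirms the exact amount.
        Step 4: on success, return an approval token the merchant can verify."""
        entry = self.pending.pop(challenge_id, None)  # each challenge is usable once
        if entry is None:
            return None
        merchant_id, pending_account, amount = entry
        pw_hash, balance = self.accounts.get(account, (None, 0))
        if pending_account != account or pw_hash is None:
            return None
        if not hmac.compare_digest(pw_hash, _pw_hash(password)):
            return None
        if confirmed_amount != amount or balance < amount:
            return None
        self.accounts[account] = [pw_hash, balance - amount]
        # The approval is bound to merchant, amount and challenge so it cannot be re-pointed.
        msg = f"{merchant_id}|{amount}|{challenge_id}".encode()
        tag = hmac.new(ISSUER_MERCHANT_KEY, msg, hashlib.sha256).hexdigest()
        return (challenge_id, amount, tag)


@dataclass
class Merchant:
    merchant_id: str
    used: set = field(default_factory=set)

    def accept_approval(self, approval, expected_amount: int) -> bool:
        """Verify the bank's approval: right amount, genuine tag, not seen before."""
        challenge_id, amount, tag = approval
        if amount != expected_amount or challenge_id in self.used:
            return False
        msg = f"{self.merchant_id}|{amount}|{challenge_id}".encode()
        expected = hmac.new(ISSUER_MERCHANT_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.used.add(challenge_id)
        return True


def checkout(issuer, merchant, account, amount, password, confirmed_amount=None):
    """Run the whole exchange. The merchant only handles the account number and the
    approval token; the password goes straight from cardholder to issuer.
    Returns the approval on success, None otherwise."""
    if confirmed_amount is None:
        confirmed_amount = amount
    challenge_id = issuer.request_authorisation(merchant.merchant_id, account, amount)
    if challenge_id is None:
        return None
    approval = issuer.authorise(challenge_id, account, password, confirmed_amount)
    if approval is None:
        return None
    return approval if merchant.accept_approval(approval, amount) else None


def make_issuer():
    """Constructed sample data: account 17, password 'hunter2', balance 100."""
    return Issuer(accounts={17: [_pw_hash("hunter2"), 100]})


if __name__ == "__main__":
    issuer, shop = make_issuer(), Merchant("shop")
    print("genuine purchase:", checkout(issuer, shop, 17, 50, "hunter2") is not None)
    print("wrong password:  ", checkout(issuer, shop, 17, 50, "hunter2x") is not None)
```

The merchant's `used` set and the issuer's `pending.pop` are what make each approval single-use; drop either and an intercepted approval can be presented again.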