@bob Except this technology is out there an exists, but most companies aren't using it and refuse to because it involves additional infrastructure.  I've been helping a friend recently with a semi-retail-and-also-online-store startup and he was asking me what the difference between two payment providers which had very disparate rates was ... the more expensive one was using an actual secure-ish system, the cheapy one was using the PCI standard stuff that isn't securing shit.

The PCI standards are basically predicated on the fact that usually its regarded as cheaper for a company to pay out a fraud claim on unauthorised transactions than it is to try to prevent them.  Most of the stuff around it (verified by visa and the mastercard equivalent) for example, is security theatre.  Or more like, just normal theatre, since security isn't involved.