Sure, I know credit cards exist and that the numbers are stolen because they're so trivially easy to abuse, but payment systems are not very related to my work. I very rarely come across a product where I have to test payment features, and when I do, it's out of scope. Either the payment is handled by some third party (the usual case), or it has already been tested years ago and they're now asking to test some new feature (all other cases).
More typical projects are testing traffic filtering solutions (firewall-like), blockchain startups (those are the worst), back-end (no payment) or b2b (contract-based payment, not online) applications... Even in the months that I was consulting at a bank, I never touched any sort of money system, there were a thousand other applications, services, websites, infrastructure things, and mobile apps to test. To give you a random example, they wanted to give people advice when buying a house through an app (where the final screen goes "and that's where $bank comes in: we can finance all this!"), so they had some external company prototype an app that was riddled with bugs in the login system. Or some internal service that POSTs data from one system into another. Or some API endpoint used for statistics. Etc.
So the cases that I see are as a consumer, where I pay either by bank transfer (logging into my own bank's website), via iDeal (which also redirects you to your own bank's website to complete the transaction, but that one is instant instead of having to wait a working day), or sometimes via PayPal if that is the only option (I guess paypal do their own bot detection? No idea). So from my perspective, when I paid for something, the money is in the hands of the merchant and only customer support or a lawsuit would get it back.
> As a security consultant
Hm? How does a security consultant not know that credit card numbers can be stolen and used by bots?