Your CC number never leaves your card unencrypted. Your card details are encrypted on a server somewhere. A transaction consists of a record of sale that is signed by the merchant's private key, sent to your card, which then signs it with your private key.
Said package of data is delivered up to Visa's servers. Your digital signature is validated with your public key, merchant's key is validated, the order goes through. Yes this requires an internet connection, yes it breaks offline processing. It also cuts fraud to 0.
Online purchases get more complicated, sure. Lazy way is to have something running on client machine that can sign data downloaded from merchant, make it a browser plugin or even better a standard all browsers implement, so long as the private key is stored somewhere and can be applied to a message. This is not exactly a hard problem. Doing it right is tricky, thankfully a good number of correct implementations already exist. Use one of those.
A more secure solution, especially for PCs, is to have a dongle, everything is processed on card. Then even if the PC is rooted 50 ways to Sunday all orders are still secure.
This is no more convoluted (and many would argue less) than the current way by which credit card orders are processed.
Credit Card companies currently place the entire burden of fraud onto merchants. They don't really have a reason to care about fraud, other than that it is bad customer service to have your customer's identity stolen.
The real problem here is how to deal with crap like reoccurring payments. Too many organizations are used to a workflow where in they store your credit card number. That is obviously insecure (see: news stories that come out all the time). I am not sure how to solve that particular problem though. Obviously it is a big blocker to getting a more secure system implemented!
The solution is hardly "complex".
Your CC number never leaves your card unencrypted. Your card details are encrypted on a server somewhere. A transaction consists of a record of sale that is signed by the merchant's private key, sent to your card, which then signs it with your private key.
Said package of data is delivered up to Visa's servers. Your digital signature is validated with your public key, merchant's key is validated, the order goes through. Yes this requires an internet connection, yes it breaks offline processing. It also cuts fraud to 0.
Online purchases get more complicated, sure. Lazy way is to have something running on client machine that can sign data downloaded from merchant, make it a browser plugin or even better a standard all browsers implement, so long as the private key is stored somewhere and can be applied to a message. This is not exactly a hard problem. Doing it right is tricky, thankfully a good number of correct implementations already exist. Use one of those.
A more secure solution, especially for PCs, is to have a dongle, everything is processed on card. Then even if the PC is rooted 50 ways to Sunday all orders are still secure.
This is no more convoluted (and many would argue less) than the current way by which credit card orders are processed.
Credit Card companies currently place the entire burden of fraud onto merchants. They don't really have a reason to care about fraud, other than that it is bad customer service to have your customer's identity stolen.
The real problem here is how to deal with crap like reoccurring payments. Too many organizations are used to a workflow where in they store your credit card number. That is obviously insecure (see: news stories that come out all the time). I am not sure how to solve that particular problem though. Obviously it is a big blocker to getting a more secure system implemented!