Credit card shouldn’t need to be shared with all and sundry. The concept is very old fashioned. We wouldn’t share out side project github keys like this!
Quite the opposite: It should, in an ideal world, be perfectly safe to share your credit card number with everyone, because all it should be is arguably an account number.
Payment initiation or confirmation can be an entirely separate layer (such as chip + PIN or 3D Secure).
This is actually the goal of European regulators right now (with some carve-outs for low value and low-risk transactions).
At the moment you need to provide a complete "private key" to each processor, who up the ante to: CC Number + Expiry + Security Code + Name + Address. They all ask for it, so any of them could leak it, or it could be phished.
The system works because it's mostly reversible. If my card gets leaked and someone tries to use it. I just disable my card in the app, contact the bank, they refund the money and issue a new card. Perhaps sometimes the bank has to eat the loss but it works out perfect for the consumer.
Payment initiation or confirmation can be an entirely separate layer (such as chip + PIN or 3D Secure).
This is actually the goal of European regulators right now (with some carve-outs for low value and low-risk transactions).