by mainde
886 days ago
I think that enforcing what you're suggesting is incredibly hard and I don't think it can scale. It's what PCI-DSS and similar are meant to tackle, and it really doesn't work in my experience. This is a protocol/product problem; it's wild that to make a payment all the crown jewels need to be put on the wire. It's about time that payment devices and the whole ecosystem adopt some sensible cryptography that, at minimum, allows signing payment requests, and ideally keeps its keys private. Although this whole problem is kind of already solved by 3DS2, albeit not in a great way.