by zrobotics
6 days ago
I'm not trying to be snarky, but it sounds like you have never had to implement an online payment system directly using a merchant account. If you've only used something like Stripe, there are a lot of requirements and compliance that the card companies impose that have been abstracted away. Visa & Mastercard have pretty singularly forced online payments to the level of security they are currently at. PCI compliance is pretty much solely driven by the card companies. If your payment details leak then yes, they want to issue you a new card. Half of that is making the customer feel better, but the other half is that the secrets need to be rotated since they've been exposed. SSH keys aren't vulnerable if generated properly, but if you expose the private key then the key needs to be rotated. If you actually follow PCI compliance standards, there is no way to leak a customer's full payment details that I'm aware of. You could still leak other PII, but the card number and CVC are something you can't access even with admin privileges on your recurring billing app. So the card companies do quite a lot to protect against fraud and make people comfortable using their cards for online purchases. They just do this by requiring merchants to follow specific minimum practices. I'm not trying to glaze them; there is more they could do, and they do this to protect their bottom line. But fraud charges cost them a lot of money, and their interests align with consumers in this case to prevent fraud as much as they can.