Application specific credit card numbers really needs to be a legally required thing.
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.
> Application specific credit card numbers really needs to be a legally required thing.
My latest card (debit) one has a feature I've not seen elsewhere, but I think kind of solves that too. It has a new CVC number every 10 minutes, which I kind of both hate and love. Love it for the obvious reasons of "not even having the physical card lets you use it digitally" but also because I cannot have it 100% in my password manager, I have to use the banking app to get the latest CVC code when I need it.
I’ve want a physical one of these that changes both the CVC and the entire 16-digit number. Heck let the name submitted with the number be a longer checksum that can be verified at point of sale to figure out who’s actual account it is.
Plus then my gibberish name on my card number will match the gibberish secret question answers.
> Heck let the name submitted with the number be a longer checksum that can be verified at point of sale to figure out who’s actual account it is.
That's going to be one hell of a lot of an issue in practice. Hotels, car rentals and AFAIK even some airlines want that the name of the card holder matches the name on the ID card.
My card has been skimmed a couple of times and by far the most annoying part of the experience is having to reset and update regular accounts with the new number.
Of course for online purchases the whole flow here should be inverted: businesses should just be registering against my payment provider directly, no account numbers involved (under the hood maybe have it be managed by ED25519 public keys for identity?)
EDIT: while we're at it, why even have persistent numbers for in person cards? Let me tap it against my phone, invalidate the stored key from that time on, and generate a new one.