(no title)

Credit cards are also required to be "tokenized" when stored at a merchant or payment aggregator - the user authorizes the bank to allow the merchant or the aggregator to "store" the card details for use later, and the bank then issues a card token, tied to the specific merchant/aggregator. They are not allowed to store the original card info at all - just this token. This makes the token not worth stealing, as it can be only used by that merchant, and is trivial to de-auth if needed, with or without merchant cooperation.