What I don't get is why CC payments cannot be done in an OAuth-like manner.

For RL payments, the card would, supplied with the correct PIN, generate an OAuth token that allows the merchant's processor (and ONLY it!) to withdraw money from the card onto ONLY the merchant's account.

For online payments, the customer would be redirected to a central, MasterCard/Visa/foo supplied site, once again giving out access tokens valid only for a specific destination account, as well as optionally locked money/time limits for recurring withdrawals.
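
The scheme proposed in the comment above, as an added example that is not part of the original comment: an issuer mints a token bound to one destination account with an amount cap and an expiry, and checks those bounds when a processor presents it. The HMAC construction, the key, the function names and all account values are assumptions made for illustration, not any card network's actual protocol.

```python
import base64, hashlib, hmac, json

# Assumption: only the issuer holds this key; the value is constructed.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(card_id, merchant_account, max_amount_cents, expires_at):
    """Issuer mints a token after the cardholder authenticates (PIN or redirect)."""
    claims = {"card": card_id, "dest": merchant_account,
              "max": max_amount_cents, "exp": expires_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def authorize(token, dest_account, amount_cents, now):
    """Issuer-side check when a processor presents the token for a withdrawal."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return "rejected: malformed token"
    # Verify integrity before trusting any claim in the body.
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "rejected: bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return "rejected: expired"
    # The token is useless to anyone but the named destination account.
    if dest_account != claims["dest"]:
        return "rejected: wrong destination account"
    if amount_cents <= 0 or amount_cents > claims["max"]:
        return "rejected: amount outside limit"
    return "approved"
```

This checks each withdrawal in isolation; for the recurring case the issuer would also need to track cumulative spend per token so the cap holds across withdrawals.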