Summary: Merchants store the token, instead of credit card details. Token is only valid for use between merchant and payment provider (requests very likely need to originate from the registered merchant URL). Conceptually, similar to OAuth. Why hasn’t this been done before?