I don't own a credit card but read much about fraud with stolen credit cards. Since I don't own one, I don't know exactly how you buy online using your credit card, so please correct me if I am wrong (and I hope so).
- Customer chooses articles in online shop and puts them into shopping cart.
- Customer goes to the virtual checkout.
- Customer enters delivery address and his cc data (?) and sends them to the server of the shop owner.
- Shop server sends the cc data the customer entered and his data and the amount to the cc card server and receives the money.
- Customer receives bought articles.
- The shop owner wasn't very honest and uses the cc data the customer entered to shop on other online shops (especially non-trackable goods like software licenses, ...). Since the data is the same for all shops, nobody knows which shop misused the cc data.
Why not use a one-time authentication code or token instead? For example, the customer enters the cc data on the server of the cc company, which sends a confirmation to the shop owner or gives a signed token (like gpg) which the user gives the shop to prove he sent the money, or the shop just waits till it sees the money on its account? Since I have basic IT security knowledge, you might also add technical details. So are my assumptions right and if so, what prevents web shop owners from misusing credit card data?
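The one-time token flow proposed in the question, sketched as an added example that is not part of the original post. The `CardIssuer` class, its `authorize` and `redeem` methods and the merchant IDs are hypothetical, and an HMAC under an issuer-only key stands in for the gpg-style signature, so the issuer (not the shop) checks the token at redemption.

```python
import hashlib
import hmac
import json
import secrets

class CardIssuer:
    """Hypothetical card-company server; the only party that sees card data."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # issuer-only MAC key
        self._redeemed = set()                # nonces of tokens already paid out

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def authorize(self, card_number: str, merchant_id: str, amount_cents: int) -> dict:
        """Customer-facing step: card data goes in, a token without it comes out."""
        # A real issuer would validate the card and available credit here.
        claims = {"merchant": merchant_id, "amount": amount_cents,
                  "nonce": secrets.token_hex(16)}
        payload = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims, "mac": self._mac(payload)}

    def redeem(self, token: dict, presenting_merchant: str) -> str:
        """Shop-facing step: pay out once, only to the merchant named in the token."""
        claims = token["claims"]
        payload = json.dumps(claims, sort_keys=True).encode()
        if not hmac.compare_digest(self._mac(payload), token["mac"]):
            return "rejected: token altered"
        if claims["merchant"] != presenting_merchant:
            return "rejected: issued for another merchant"
        if claims["nonce"] in self._redeemed:
            return "rejected: already redeemed"
        self._redeemed.add(claims["nonce"])
        return "paid"

def demo() -> list:
    issuer = CardIssuer()
    token = issuer.authorize("4111111111111111", "shop-a", 4999)  # constructed test number
    forged = {"claims": dict(token["claims"], amount=999999), "mac": token["mac"]}
    return [
        issuer.redeem(token, "shop-b"),   # token presented by a different shop
        issuer.redeem(forged, "shop-a"),  # amount changed after issuance
        issuer.redeem(token, "shop-a"),   # legitimate redemption
        issuer.redeem(token, "shop-a"),   # same token presented again
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The shop only ever holds a token bound to its own merchant ID, one amount and one nonce, so nothing it stores is usable at another shop.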