I think the problem with one-time card nums is an architectural one, not unlike IPv4. I don't know the exact structure of card numbers, but I know the first four or more are the issuing merchant info, followed by the rest identifying the account. So you have a finite number remaining to identify the user account. I first heard of one-time numbers long before the likes of Amazon appeared and it never seemed to catch on. And now we have this mess.

I once heard of an interesting methodology that superficially seems good to me. All electronic, all with high crypto. I'm making a purchase at a merchant, the merchant sends me a packet identifying the transaction number and price, I transmit a packet that encapsulates that and authorizes it, it goes to my bank to authorize payment, which sends it to the merchant's bank and transfers the payment electrons. The merchant doesn't hold my payment account info, nor does the merchant's bank. Confirmation of payment flows back down the chain, and everything is solid, signed, crypto.

The problem is updating infrastructure, no one wants to pay the money, so they add layer upon layer of creaking and teetering old code. Look at how long IPv6 is taking for universal adoption, and how many security vulnerabilities are still being found in v4.