Obviously the generation algorithm is not sufficient to protect the customer.
Here's how it could work: the customer goes to the Amex site, inputs his card number, his name and a private key, and gets his temporary card number and a "public" key. When he makes his purchase, he enters the temp card number and the public key; the site looks up the combination on a secure server at Amex and allows (or not) the transaction.
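An added sketch of the issuer-side lookup the comment above describes, in Python; it is not part of the original comment and not Amex's actual system. Assumptions: the temporary number and the "public" key are random values held on the issuer's server, the private key authenticates the customer, each pair works once, and every name in the code is hypothetical.

```python
import hashlib
import hmac
import secrets

def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class IssuerVault:
    """Hypothetical issuer-side store; all names here are assumptions."""
    def __init__(self):
        self._accounts = {}  # real card -> (name, salt, hash of customer's private key)
        self._temps = {}     # temp number -> [real card, hash of code, used?]

    def enroll(self, card, name, private_key):
        salt = secrets.token_bytes(16)
        self._accounts[card] = (name, salt, _kdf(private_key, salt))

    def issue(self, card, name, private_key):
        acct = self._accounts.get(card)
        if (acct is None or acct[0] != name
                or not hmac.compare_digest(_kdf(private_key, acct[1]), acct[2])):
            raise PermissionError("customer not authenticated")
        # Random values: nothing about the real card can be computed from them.
        body = "37" + "".join(secrets.choice("0123456789") for _ in range(12))
        temp = body + luhn_check_digit(body)
        code = secrets.token_hex(4)  # the comment's "public" key
        self._temps[temp] = [card, hashlib.sha256(code.encode()).digest(), False]
        return temp, code

    def authorize(self, temp, code):
        rec = self._temps.get(temp)
        supplied = hashlib.sha256(code.encode()).digest()
        if rec is None or rec[2] or not hmac.compare_digest(supplied, rec[1]):
            return False
        rec[2] = True  # assumed single use: a replayed pair is refused
        return True

if __name__ == "__main__":
    vault = IssuerVault()
    vault.enroll("370000000000002", "A. Customer", "correct horse")  # constructed values
    print(vault.authorize(*vault.issue("370000000000002", "A. Customer", "correct horse")))
```

The merchant only ever sees the temporary number and the code, and the decision is made by the server-side lookup, so knowing how the numbers are generated gives no way to produce an accepted pair.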
So the search engines get moved offshore, out of reach of meddling government.
More power to us, less to them.