It would be fairly trivial to implement. At this point even WordPress does it – offers two factor authentication. All you have to do is install Google Authenticator on your phone, turn on two factor and presto. Username, password and six digit ever changing PIN.
So I read that they want to force all credit card transactions to use a PIN. That will partially solve the problem. But if someone has a skimmer on the POS terminal which is wont to happen with far more alarming frequency lately. In fact you can always tell when a business using a particular type of credit card acceptance terminal got hacked at the end node level. They suddenly roll out all new end nodes but so do other businesses. I note Trader Joe’s and even Wally World are doing that now.
But we could eliminate even that potential if you implemented either Google Authenticator of an RSA token or even better if Google produced their own token that didn’t have to rely on having a cell phone. Just have the banks issue them with the cards.
The beauty of this is that the PIN would change every 30 to 60 seconds. So even if they were skimming there’s no way they’re gonna hit on a pin that has a 1:100000 shot in that short time span.