How are credit card numbers stored safely on a server?


Like companies that provide a service and charge you monthly automatically? How are the credit card numbers stored safely so everyone doesn’t know your number? I understand password hashing on servers. Is it similar to that?


7 Answers

Anonymous

To ELI5 the already good answers in this thread at a lower level:

Suppose you want to give me some money periodically, but you don’t trust me. How could you give me money without me knowing your card or account details?

One way would be for you to go to the bank, open a NEW account, then give me a copy of the card to that account. You’ll only put money in that account when you want to pay me, so I can’t ever get more money than you wish from it, and I don’t know anything about your REAL account.

The digital equivalents are very similar. The “right” way to handle online payments is to send the user to a payment processor’s page and let the user enter their data there. If they present a valid card, the payment processor gives *me* a magic number that *represents* your card and is only valid if I use it. I store the magic number, and from now on if you ask me to take some money from you I use that number and the payment processor handles the details.

So if someone steals the number from me, it’s not of great use to them because they also have to steal other digital things that let them identify themselves as me. And even if they do, I can call the payment processor, explain I’ve been hacked, and they will cancel ALL magic numbers they’ve given me immediately.

The payment processor themselves are probably doing the same thing with the bank. When you put the information in, the processor asked the bank if your card details were valid, and if they were the processor got their own magic number representing your account. This *can* be stolen, but just like my magic number it’s only useful if the thief can trick the bank and it’s only useful until I tell the bank it’s stolen.

So it’s sort of like there are a couple of layers of “fake” bank accounts in between the internet and your real account. That way if someone steals information about the “fake” account, while they can cause some harm in a short time period, they can’t learn anything permanent about your account that lets them have long-term access.
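The "magic number" scheme from the answer above, as a toy Python sketch. This is an added example, not part of the original answer and not any real processor's API: the `Processor` class, its method names, the HMAC request signing and the card number are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key, token, cents):
    # The merchant proves who it is by signing each request with its secret key.
    return hmac.new(key, f"{token}:{cents}".encode(), hashlib.sha256).hexdigest()


class Processor:
    """Hypothetical payment processor: keeps card numbers, hands out opaque tokens."""

    def __init__(self):
        self._keys = {}   # merchant_id -> secret key (the "other digital things")
        self._vault = {}  # token -> (merchant_id, card_number)

    def enroll_merchant(self, merchant_id):
        self._keys[merchant_id] = secrets.token_bytes(32)
        return self._keys[merchant_id]

    def tokenize(self, merchant_id, card_number):
        # Runs on the processor's own payment page; the merchant only gets the token.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id, token, cents, signature):
        key = self._keys.get(merchant_id)
        if key is None or not hmac.compare_digest(sign(key, token, cents), signature):
            return "bad signature"
        owner, _card = self._vault.get(token, (None, None))
        return "approved" if owner == merchant_id else "token rejected"

    def revoke_all(self, merchant_id):
        # "I've been hacked": every token issued to this merchant stops working.
        self._vault = {t: v for t, v in self._vault.items() if v[0] != merchant_id}


def demo():
    p = Processor()
    shop_key, thief_key = p.enroll_merchant("shop"), p.enroll_merchant("thief")
    token = p.tokenize("shop", "4111111111111111")  # constructed test number
    out = [p.charge("shop", token, 999, sign(shop_key, token, 999)),      # real merchant
           p.charge("thief", token, 999, sign(thief_key, token, 999)),    # stolen token
           p.charge("shop", token, 999, sign(thief_key, token, 999))]     # forged identity
    p.revoke_all("shop")
    out.append(p.charge("shop", token, 999, sign(shop_key, token, 999)))  # after revocation
    return out
```

The token is random, so it carries nothing about the card number; what the merchant stores is only a lookup key into the processor's vault.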
