LordCephy: I'm cutting for post length, especially since the post I'm replying to isn't far off.

matterbandit: Moral of the story? I don't know. LOL! I guess I continue to be as safe as I can be. Like you, I never save my details on any merchant site, nor within my web browser, and I use a pre-paid credit card with very limited funds whenever I shop online. I trust GOG's transaction system, but I also know that nothing is 100% secure. Most credit card companies know this and it's why most have a refund policy for fraudulent purchases.
LordCephy: The moral of the story goes along with the annual security training that I used to go through when I worked in health care, specifically health care enrollment with the exchange in California. This meant that until I quit in 2020, I really did have access to the personal details of a lot of people - names, date of birth, social security numbers, addresses, where people worked, income, who was in the household plus all that same information about them too. This was in addition to things like what health insurance plan people were enrolled with.

The thing that was stated multiple times was the absolute weakest part of any security system is the human employees. Even if a business goes all out with electronic protection, all it takes is one careless employee to compromise things. If/When your information does get compromised, it will be because someone was careless more often than not.
Every one of you is probably smarter than I am. And not a damn thing anyone said helped me understand anything. So thanks for the mouth farts, I guess. As a blanket rule, check your jargon at the door, start simple... but not stupid. And if you think you're so gods damned smart, learn the difference between wise words and an info-dump.
Post edited February 28, 2022 by rabblevox
rabblevox: [...]
Every one of you is probably smarter than I am. And not a damn thing anyone said helped me understand.
I think this website has a relatively easy graphic of the token creation process.

Now, once a store has a token, this graphic shows how it's used for payments.
LordCephy: I'm cutting for post length, especially since the post I'm replying to isn't far off.

The moral of the story goes along with the annual security training that I used to go through when I worked in health care, specifically health care enrollment with the exchange in California. This meant that until I quit in 2020, I really did have access to the personal details of a lot of people - names, date of birth, social security numbers, addresses, where people worked, income, who was in the household plus all that same information about them too. This was in addition to things like what health insurance plan people were enrolled with.

The thing that was stated multiple times was the absolute weakest part of any security system is the human employees. Even if a business goes all out with electronic protection, all it takes is one careless employee to compromise things. If/When your information does get compromised, it will be because someone was careless more often than not.
rabblevox: Every one of you is probably smarter than I am. And not a damn thing anyone said helped me understand anything. So thanks for the mouth farts, I guess. As a blanket rule, check your jargon at the door, start simple... but not stupid. And if you think you're so gods damned smart, learn the difference between wise words and an info-dump.
To decode:
Technology eg servers, 2 factor authentication, encryption etc. relatively strong in security
People - dumb as crap, clicking on enlarge my penis emails and opening the door, totally not secure
Result doesn’t change from my earlier mail though :o)
It's a terrible idea to keep a credit card linked to ANY service, honestly. And really, if you can, definitely look into options (Paypal, Privacy.com, other credit card protective services) to protect. Ultimately, the best option is to use something like Paysafecard or a disposable/prepaid credit card.

As for your other things outside of GOG... first off, you only really benefit with a VPN if you're trying to evade censorship or if you're visiting a lower-level site that you don't really know well, as all it REALLY does is protect your IP. It's not really a privacy tool as all the YouTubers and VPN providers claim, though they do help on sites that still haven't enabled HTTPS yet (which isn't many, at least at higher levels).

Vivaldi is a solid browser option but I wouldn't call it "security oriented" per se, not by default. Using 2FA is smart and in terms of AV, more often than not, paid solutions are bloated and give you features you most likely will never use. I use Windows Defender and while it's not quite Kaspersky-level good in terms of detection and features, it's solid enough as I don't visit sketchy sites and I'm cautious with emails and downloads. Plus, it has features to guard against most ransomware and to protect against some zero-day exploits so it pretty much has everything you truly need without much bloat. Also, be sure you run with a limited (non-admin) local account if you have Windows, as this helps a bit in preventing malware from running on your PC; Linux usually does similar by default. You also need to ensure you keep your OS and all your programs up to date; I recommend checking all of them once per week (or use a maintenance toolbox to help; I recommend Glary Utilities).

Those aren't the only ways you can protect yourself. You have to make sure your browser is configured properly as well. Ensure that you use HTTPS Everywhere (as Vivaldi hasn't enabled the ability to force HTTPS connections, at least last I checked). If you have the option, definitely enable DNS over HTTPS (which encrypts your DNS traffic, hiding it from snoopers and protecting against DNS-related MITM attacks), using a service like Cloudflare's 1.1.1.1 or Quad9; the former has an option to filter out malware domains at a DNS level, whereas the latter automatically blocks malware domains and is a bit more private overall (though 1.1.1.1 is slightly faster, not to the point of being noticeable though). It'd also be wise to switch your OS DNS settings to the same service. Additionally, I recommend using both Adguard (enabling their security lists alongside the ad and tracker blocking) and Privacy Badger.

Also, it's a bit more advanced but you should definitely make sure your router and modem are regularly updated and have proper security settings enabled. It'd also be wise to make sure you start using a local password manager (I recommend KeePass, as it's open source and powerful), storing the encrypted backups of your password databases on at least two or three storage drives. Oh, and it's a bit more advanced but it's particularly useful if you're using a laptop and take it out of your house regularly: definitely look into encrypting your PC. Windows Pro versions have BitLocker, which is the easiest, but if you don't have that, VeraCrypt is a good option. Again, that's a bit more advanced so I only recommend messing with that if you do regular backups of your data (you should) and definitely watch a guide a few times just to be on the safe side.

There's no silver bullet for security or privacy but ultimately, users can't really do anything on the server end. They can, however, ensure that their PC, browser and internet connections are as secure and private as possible. That said, you'd be surprised how many banks actually have pretty chump security compared to some high-end tech companies. I even remember a story about how former Jagex CEO, Mark Gerhard, used to work with bank cybersecurity and was astonished at how much stronger that company's security was than all the banks he ever worked with. That was a while back so I'm sure banks have gotten better with it but yeah, it's not a one size fits all situation. GOG has yet to have been hit with any sort of leak or security scandal (other than the leak of Cyberpunk's source code but that's a different situation).

As long as you're doing all you can, I wouldn't worry about the rest. There's no perfect solution and never will be. It's why physical purchases are typically a lot safer (and one of a million reasons why I will always prefer in-store shopping when it's possible).

EDIT: If you are looking for help with any of this, you can typically find it on Youtube and other video sites. I personally recommend Youtube) as they have a boatload of privacy and security videos, including a series of free course videos. Definitely one to binge if you're interested in this stuff but there are also others so pick your favorite.
Post edited February 28, 2022 by JakobFel
I prefer the added step of using PayPal, and it is in their best interest to never get hacked, because their reputation rests on it.
Timboli: I prefer the added step of using PayPal, and it is in their best interest to never get hacked, because their reputation rests on it.
paypal ?:O
the only good is many sites accept it and there it ends
Late to the party, but one thing that could help to mitigate the risks is to manually block your credit card from transactions if your company allows, and unblock it whenever you're going to pay for something.
Also, some companies let you generate a second, digital card with a few clicks which is linked to the bill and expenses limit of your main card, and that can easily be deleted and re-generated. I'd suggest using such a feature if you have the option, since it's much less of a hassle to replace a secondary digital card than your main one.

I've been using those two things for ~2 years now, and thankfully it was needed only once in this period, but in the one time it was needed, I didn't get to lose any money and I didn't need to talk with my bank's support to fix the situation.
Timboli: I prefer the added step of using PayPal, and it is in their best interest to never get hacked, because their reputation rests on it.
Paypal is better when it comes to sites you don't trust as much (for me, sites like Kinguin get that treatment) but technically, it's also a bad idea to route through Paypal for everything due to the fact that you're just centralizing all of your data. Paypal's rep does depend on security but nobody is immune to potential attacks. There are also many issues the service has had over the years that have lessened their reputation. Watch this for more info on that, it's at least good to know before placing all your trust in them.

Privacy.com is also a really reputable credit card protection service, though it's US only and it does concern me that they claim they require you to give them your SSN to use it, which is a bit shady IMO. However, every major privacy and security channel promotes it so it may just be me being paranoid; I was just always taught to NEVER give out your SSN except to banks and government agencies.
Post edited February 28, 2022 by JakobFel
rabblevox: Every one of you is probably smarter than I am. And not a damn thing anyone said helped me understand anything. So thanks for the mouth farts, I guess. As a blanket rule, check your jargon at the door, start simple... but not stupid. And if you think you're so gods damned smart, learn the difference between wise words and an info-dump.
I do not think that I am smarter than anyone. Do I really come across as that? I sincerely hope not, because that is not who I am as a person.

In fact, the reason I posted here was because I was drawn by your post. I even bookmarked it! I thought to myself, cool, this guy is taking some smart precautions, like using a malware suite, a VPN, a security-oriented browser (I was unfamiliar with Vivaldi, so you taught me something!) and two-factor authentication.

In post number 7, you stated "probably the best advice so far" so I assumed nightcraw1er.488 gave you the answers that you needed. I was just contributing to the thread in a friendly manner, or so I thought.

I'm feeling somewhat flustered right now. :( I will show myself out.
rabblevox: Every one of you is probably smarter than I am. And not a damn thing anyone said helped me understand anything. So thanks for the mouth farts, I guess. As a blanket rule, check your jargon at the door, start simple... but not stupid. And if you think you're so gods damned smart, learn the difference between wise words and an info-dump.
matterbandit: I do not think that I am smarter than anyone. Do I really come across as that? I sincerely hope not, because that is not who I am as a person.

In fact, the reason I posted here was because I was drawn by your post. I even bookmarked it! I thought to myself, cool, this guy is taking some smart precautions, like using a malware suite, a VPN, a security-oriented browser (I was unfamiliar with Vivaldi, so you taught me something!) and two-factor authentication.

In post number 7, you stated "probably the best advice so far" so I assumed nightcraw1er.488 gave you the answers that you needed. I was just contributing to the thread in a friendly manner, or so I thought.

I'm feeling somewhat flustered right now. :( I will show myself out.
I didn't notice OP's posts about that sort of thing. I wouldn't worry about that. I understand it can be frustrating but their attitude toward people who are truly trying to offer support is uncalled for. Shoot, my post rambled on quite a bit and now I feel like it was pointless if OP is gonna act that way toward people that just want to help.
Let me apologize, sincerely. I didn't want to attack or insult anyone. I honestly started wanting clear info about GOG and my CC. I got that. I can't change 2FA, but I've deleted any purchase info, and next time I want a game, I'll put $10 in my wallet.
Perfect? Hells no. But as good as I can get for now.
rabblevox: Let me apologize, sincerely. I didn't want to attack or insult anyone. I honestly started wanting clear info about GOG and my CC. I got that. I can't change 2FA, but I've deleted any purchase info, and next time I want a game, I'll put $10 in my wallet.
Perfect? Hells no. But as good as I can get for now.
Respect for clarifying, I get that you were frustrated. I would say that doing that is definitely your best option right now. As I said, there's no silver bullet, you just have to do whatever you can and trust that GOG would be up front and transparent if they ever had a security breach of some sort.
JakobFel: Paypal is better when it comes to sites you don't trust as much (for me, sites like Kinguin get that treatment) but technically, it's also a bad idea to route through Paypal for everything due to the fact that you're just centralizing all of your data. Paypal's rep does depend on security but nobody is immune to potential attacks. There are also many issues the service has had over the years that have lessened their reputation. Watch this for more info on that, it's at least good to know before placing all your trust in them.
Well I've been using PayPal for many years, just as a customer, and I have had no real significant issues with them, and to my mind it seems logical they would be trying harder (dedicate more resources) than most places to stay secure, as that is their primary job, unlike a store such as GOG with your credit card, where their primary job is marketing games. I also only use PayPal as an intermediary, and don't store any funds with them. And I only use PayPal with a Visa Debit card, so limited funds anyway.

As they say, if it ain't broke don't fix it ... and better the devil you know.