Yes and who cares? It still is not secure. Anyone who gains the virtual card number can use it and the merchant system can charge arbitrary amounts of money to it.
A payment system that wasn't cooked up by weirdos would include actual security features such as your phone's display shows the amount of the transaction and you enter pin or password or other knowledge and your phone signs the transaction. That would be nonrepudiable and you could clear such transactions at negligible cost because there's little risk.
Square, which isn't exactly winning out there, at least does include a modest security feature of displaying the picture of the authorized card user on the terminal.
