It worked so well for SecurID.
RSA finally comes clean: SecurID is compromised | Ars Technica
The security comes from the algorithm that creates the security code. Find or crack the algorithm and you pwn the system.
It's a better system than is in place now, but not the be-all and end-all. And depending on how quickly the token is refreshed and how slowly the online pay system works, I could see some problems with online purchasing. I'm sure it can be resolved, though. All in all I think it would be a good step.
Edit: I missed the part where the token would be good for 40 - 60 minutes. No problem there with online purchasing. SecurID used to refresh every minute, if I remember correctly. It was a PITA sometimes.