The card number itself and other information on the card is also required to process a credit card transaction.

Because not all that information is visible, just a photocopy of the card can’t be used to make a transaction. If the card is lost/stolen, it’s assumed the cardholder would cancel it quickly.

If you live in the US credit cards don’t even require a PIN at all. The only real security you have is just your ability to physically secure the card. It’s fairly different than a website though where anyone from anywhere in the world can try to use your login whereas with a card they have to physically access it to get the information.

In security there are generally considered to be 3 different authentication factors, in ascending order of their inherent security:

1. Something you _know_ (pins, passwords etc.)

2. Something you _have_ (Keyfobs etc.)

3. Something you _are_ (Fingerprints etc.)

A bankcard automatically falls under 2 security factors, Nr. 1, the PIN and Nr. 2 the physical card. Because it relies on both of these factors, neither one has to be super powerful. Most websites only have an inherent requirement for 1 factor, the password. Because one singular factor, and the weakest one at that, is much easier to compromise than 2 simultaneous factors, the requirements for the password strength have to be higher.

Also, as a PSA: You should use 2 factor authentication on **every single one** of your important accounts, no matter how secure or complex your passwords are. I’m not kidding, if you don’t already, go and set up right now. Using a second factor increases security exponentially. A weak password and 2nd factor is much harder to compromise than a strong password with no other factors.

In security, you can authenticate someone by using 4 factors:

* What they know (A password, a secret question)
* What they have (A key, a badge, a phone)
* What they are (Their fingerprints, their DNA)
* Where they are (Their office’s network)

A card is something you own and security is provided by you owning it. It can still be stolen just like a password.

By the way, 2 factors authentication means you use 2 of those to authenticate, mostly a password and a physical device.