How does a clearly visible and cryptographically weak 3-digit code add any security to credit card transactions, unlike common best practices for passwords?


3 Answers

Anonymous 0 Comments

The CVC2 code, or equivalent, is printed on the card but not encoded into the magnetic stripe, and ideally should never be stored by a payment processor.

Thus, it provides a very technically simple solution to verify that the card is present (or memorized by the person entering it) in an online transaction.

In addition, after a few incorrect entries, either the service accepting payment or the issuer would probably block the user and/or card.
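The block-after-a-few-wrong-entries behaviour this answer describes can be sketched as follows. This is an added example, not part of the original answer: the `CvcVerifier` class, the limit of 3 failures and the card number are assumptions made for illustration, and holding the expected code in memory is a simplification of what an issuer does.

```python
import hmac

MAX_FAILURES = 3  # assumed limit; the answer only says "a few incorrect entries"


class CvcVerifier:
    """Hypothetical issuer-side check: one failure counter per card number."""

    def __init__(self, expected_codes, max_failures=MAX_FAILURES):
        self._expected = dict(expected_codes)  # simplification: reference codes in memory
        self._failures = {}                    # failed attempts per card number
        self._max = max_failures

    def is_blocked(self, pan):
        return self._failures.get(pan, 0) >= self._max

    def verify(self, pan, code):
        """Return 'approved', 'declined' or 'blocked' for one online attempt."""
        if pan not in self._expected:
            return "declined"
        if self.is_blocked(pan):
            return "blocked"  # a blocked card stays blocked, even for the right code
        if hmac.compare_digest(self._expected[pan].encode(), code.encode()):
            self._failures[pan] = 0  # a success clears earlier typos
            return "approved"
        self._failures[pan] = self._failures.get(pan, 0) + 1
        return "blocked" if self.is_blocked(pan) else "declined"


def fraction_guessable(max_failures):
    """Share of the 1000 possible codes that sequential guessing reaches before the block."""
    pan = "4000000000000002"  # constructed card number
    hits = 0
    for secret in range(1000):
        verifier = CvcVerifier({pan: f"{secret:03d}"}, max_failures)
        for guess in range(1000):
            result = verifier.verify(pan, f"{guess:03d}")
            if result == "approved":
                hits += 1
            if result != "declined":
                break  # stop on approval or on the block
    return hits / 1000
```

With the assumed limit of 3, `fraction_guessable(3)` returns 0.003: the code space is tiny, but the block caps how much of it can ever be tried against one card.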

Anonymous 0 Comments

It’s adding a step of needing to have physical access to the card. That number isn’t encoded into the card. Would you agree that not having that number would lower the security of the card, even if you think it’s a small amount?

If someone was able to get my credit card number through illicit means, it doesn’t mean they have the 3-digit code unless the card was physically stolen.

Anonymous 0 Comments

Credit card “security” has a very different approach from computer security. In computer security we try to ensure that attacking is so hard that it is utterly impractical, and we try to use solutions where that hardness can be mathematically proved: if your password is *x* characters long, and uses *y* different kinds of symbols, an attacker will require *z* years to crack it. (And then we are undermined by people who set their password to “12345”.)

But credit cards started with all the information required to steal the card printed on the front in raised letters. (A fraudster might additionally need to sign a shitty forgery of the legitimate cardholder’s signature.) So credit card security starts from there, and tries to improve that position. The three-digit number, printed on the back of the card and not on the front, thus adds a small amount of security.

You’re absolutely right that this is the sort of thing that a cryptographer would sneer at. But for the companies and alliances running the credit card system, that three-digit number decreases the total amount of fraud that occurs in the system, and that’s what they care about: measures that drive down the total cost of fraud are good, even if they’re not perfect.