How does a clearly visible and cryptographically weak 3-digit code add any security to credit card transactions, unlike common best practices for passwords?


3 Answers

Anonymous 0 Comments

Credit card “security” has a very different approach from computer security. In computer security we try to ensure that attacking is so hard that it is utterly impractical, and we try to use solutions where that hardness can be mathematically proved: if your password is *x* characters long, and uses *y* different kinds of symbols, an attacker will require *z* years to crack it. (And then we are undermined by people who set their password to “12345”.)

But credit cards started with all the information required to steal the card printed on the front in raised letters. (A fraudster might additionally need to sign a shitty forgery of the legitimate cardholder’s signature.) So credit card security starts from there, and tries to improve that position. The three-digit number, printed on the back of the card and not on the front, thus adds a small amount of security.

You’re absolutely right that this is the sort of thing that a cryptographer would sneer at. But for the companies and alliances running the credit card system, that three-digit number decreases the total amount of fraud that occurs in the system, and that’s what they care about: measures that drive down the total cost of fraud are good, even if they’re not perfect.
