because the physical layer of security is supposed to protect you ( AKA online nearly the whole world can try with your pin they need your card first limiting the attacks.

Because the other parts of security (usuallywhen the physical card isn’t present or can’t be seen) are the card #, expiration date, and ccv code. In person, that’s all verified through card swiping or inserting your card chip.

Credit cards are the first common 2 factor authentication.

You need physical possession of the card *as well as* the 4 digit PIN. A thief may get the card, but won’t have the PIN. If you follow security.

Yes, a 4 digit PIN seems unsecure by modern standards. But it is an old standard. The main security is physical possession of the card, or card details. Which is why it’s a huge deal when websites have a breach and leak thousands or 10s of thousands if card details.

You get very few chances to use a PIN incorrectly so brute force is less of an issue. Plus, a mag strip or chip is needed along with the PIN.

Aside from what others have said, most services online allow multiple attempts + password recovery. In contrast, if you get your pin wrong 3 times your card is blocked and you must physically go to your bank and/or get a human to verify you so that you can recover your card.

Pretty much what everyone has said, also when using a card in an ATM and you get the wrong pin too many times the ATM doesn’t give you the card back. Had it happen to me with my own card once( had 2 cards at the time and got them mixed up), it just ate the card and I had to contact my bank for a replacement.

After three wrong attempts you effectively lose your card. That’s a huge hammer for that security nail – just imagine a website would permanently ban you from using it in any way until you go to a physical location and get mailed a new password.

Adding to a “physical form” as a security layer – 4 digit pin is good enough if you don’t have unlimited amount of “guessing”. Usually it’s 3 times and the card is blocked.

You need the card in the first place and lost cards can be easily and immediately canceled when you realize you lost them, you can log into a website anywhere but getting someone’s credit card and cracking the pin in time requires significantly more effort

A password cracker can live in the middle of nowhere, have 100 computers running 100 browsers trying to break your password all, day all night forever, at nearly zero risk.

For a credit card you need to steal the physical card, then physically go to stores a and you get maybe 2-3 attempts before you raise suspicion. Maybe you go to an ATM at midnight and try 10 combinations before the machine shuts you out, all while security cameras are recording you.