Credit cards and most banks are on the 20th century. A bank I know provides the users with 7 digit codes (THEY DEFINE) but when you try to login they ask randomly for 3 of these digits. Piece of cake for those trying to hack the account, specially because they do not use zeros, so finding the correct code is just 1/512.

Payment system writer here. I agree with most of these comments but would like to add that passwords are generally hashed and PINs are encrypted with 3DES or DUKPT keys that are different for every store location and change often.

It’s a two factor authentication in the case of credit cards. You need to prove that you have access to that bank account *twice* by both having the card and your pin.

As many mentioned 2 factor security, the other part of this is how long a password can stand up to attacks.
A four days digit password can be cracked in a flash with multiple attacks. Those attacks made online can use methods to mask where the attack I’d coming from. And often just keep trying forever.
Your pin tied to its card has 3 tries and you are locked out.
Also money isn’t as big of a loss as information. Most banks cap how much can be taken per day. Where if sensitive information is stolen damages have the potential to be far higher than a few thousand dollars. Especially when you consider the ability of the provider to pay damages. Banks are well financed not all apps are.

Statistically speaking you’d need 1000 “opportunies” for every “success”, but it’s much easier to get 1000 random emails to try than to steal 1000 credit cards