The PIN is allowing the card reader to access the card. The same kind of technology is used in a phone SIM card, the SIM card is requesting a PIN code so the phone can read it.

Online we don’t have a card reader we only have an software API. PIN for websites wouldn’t make sense here. Instead we use the 3 digit code which proves we have the card in our possession. We also use a billing address we shows we know the account holder details.

In Person

Card -> Reader (We have the card, just need the PIN)

Online

Card -> API (Prove you have the card, also do you have the billing address?)

This form of security is Something we have and Something we know.