The way I understand, the usual (non-contactless) payment is a prime example of 2FA: you present your card, and then either sign or enter PIN code. First option ticks something you have (card) + something you are (the person who can white a signature matching the card’s one), second – something you have (card) + something you know (PIN code).
I get that online purchases can’t match the signature – but why between PIN and CSC you’d pick the latter as a security measure? It reduces the security to single factor (if I steal a wallet I can spend all the money on the card until it’s blocked, having the object is all I need), and doesn’t even add any speed to the transaction. What’s the benefit of CSC as the verification?
Post about it from 3 years ago that go over a few points:
Just saying typically Banks don’t check signatures, they might but most likely won’t check if there is a charge that you didn’t make.
This is something that is changing in the EU. They are going to add in 2 factor authentication for cards. For example one of the cards I have requires me to unlock my banking app using my pin or fingerprint and approve the transaction.
Effectively requiring someone to steal and unlock your phone and card.
Currently it’s not uncommon for Visa or Mastercard to add a secondary check where you enter a password as part of the transaction.