It's for deterrence, and some things that are used for deterrence are really for the customer to feel safe and secure and do very little for "security." Take surveillance cameras. I probably install about 200+ cameras a year, and as I do everything possible to make the cameras protect the site as best as I can, there are ways around that. They are for deterrence. People see cameras and go "Oh they have cameras, I can't rob this place." Not saying cameras are useless, I've help store owners capture probably about 50 employees/customers stealing over the years.
So, let's start with this example. I've stolen your wallet, now whether you realized this happen 5 minutes ago or 5 hours ago you are going to call your banks/credit card and cancel your cards. As the thief I have to use your cards quickly as I know your going to cancel your cards. I'd be more worried about identity theft from a stolen wallet instead of my cards being used.
You are right, if I have your wallet I know your zip code. Maybe I can't use your business card, but I can still get away with something for free. I'll go buy pre-paid cards to use and trash your wallet maybe keeping your ID cards.
Let's say instead of stealing your wallet, I hack a POS network and get card information from there. I don't have your zip code, but I could still make a duplicate copy of your card if I got enough information from the hacking I did at the POS network. You wouldn't know your card information had been compromised until the company releases that they've been hacked. Still I could still use that card data to buy stuff, but not at a "pay at the pump" type setting.
You are asked for the ZIP code at locations where you aren't "interacting" with a person. It's a prevention method to keep thieves with your CC info from stealing gas. However they could go inside with a "copied" card and buy gas inside.
Simply, if you are paying with a card 'face to face' with someone, they don't need any extra information from you besides what's on the card. They may ask for Photo-ID to confirm you are the card holder.
If you are at kiosk paying station (gas pump, store kiosk) and the system asks you for the zip code of the billing address of the card, it's to check for fraud.
That zip code check, is verified by the card-holder's bank and is not used in any way other than to verify the information is correct.
In a 'face to face' any extra information they ask, is most likely for marketing purposes and they cannot deny your transaction by you failing to give that extra information out.
California Beverly Credit Card Act of 1971 deals with that, and amendments have been made to it over the years.
Does it cut down on fraud, maybe. However, I could still go inside with "your" card and buy gas there. Granted, there's more chance of failure going inside. Cameras, cashier asking for ID, card being reported stolen.
By trying to use the card outside with no employees around, I'm going to get two responses from the gas pump:
- Accepted
- Your card was declined, see attendant.
If I got option #2, I would just leave and try another zip code at another gas station.