> If we were talking about 3 extra digits on the card number, that would be one thing. But we're talking about a separate authentication factor, which seems pretty worthwhile to me.
It's not really another factor in the sense of the three types of factors: Something you know, something you have, something you are. It's just more digits of "something you know" so it's the same factor. It's why 2-factor auth isn't just 2 separate passwords.
Seems to me that when you turn it into data, it pretty much all becomes "something you know." If a credit card required biometric authentication to make credit card transactions and a vendor stored my biometric signature in a database along with my credit card number, it would be no more or less secure than a 3-digit number.
There are better ways to handle it. Policy is a good interim step to mitigate damage before they're implemented.