Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.
The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.
In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds