Has a benefit been demonstrated for credit card machines asking for ZIP code?
Is there any evidence that this actually leads to a significant reduction in successful credit card fraud?
Yes, there is evidence, and yes, it absolutely has resulted in reducing many types of card fraud:
The fraud prevention feature you are referring to is called Address Verification Service (AVS). AVS service checks that the street number and/or the zip code presented at the terminal match the data present for the card holder at the issuing bank.
In real-time, the payment processor will return an AVS Response. Based on the response, the merchant can decide to reject a non-conforming transaction.
It has been adopted by nearly every card issuer in the US.
See Merchant Guide to the Visa Address Verification Service
The possible response codes, and the configurable reject settings are shown here:
In a gas station terminal setting, the terminal might be set to reject AVS Response codes N and A, for example.
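The configurable reject setting described in this answer, as an added example that is not part of the original answer or of any processor's API: the class, field names and sample codes are constructed, and the code meanings are the commonly published ones for a subset of AVS results, so check your processor's table before relying on them. It shows that a "ZIP must match" policy works out to exactly the reject set N and A mentioned above.

```python
from dataclasses import dataclass

# Subset of commonly published AVS result codes, mapped to
# (street_matched, zip_matched). None means the issuer gave no answer.
AVS_CODES = {
    "Y": (True, True),    # street and 5-digit ZIP match
    "A": (True, False),   # street matches, ZIP does not
    "Z": (False, True),   # ZIP matches, street does not
    "N": (False, False),  # neither matches
    "U": (None, None),    # address information unavailable
    "R": (None, None),    # issuer system unavailable, retry
    "S": (None, None),    # AVS not supported by the issuer
}


@dataclass(frozen=True)
class AvsPolicy:
    """Hypothetical merchant-side reject setting for a terminal."""
    require_zip: bool = True
    require_street: bool = False
    reject_unverified: bool = False  # fail closed when no AVS answer exists

    def reject_codes(self):
        """Derive the set of AVS codes this policy declines."""
        rejected = set()
        for code, (street_ok, zip_ok) in AVS_CODES.items():
            if street_ok is None:
                if self.reject_unverified:
                    rejected.add(code)
            elif (self.require_zip and not zip_ok) or (
                self.require_street and not street_ok
            ):
                rejected.add(code)
        return rejected

    def decide(self, code):
        """Return 'approve' or 'reject' for one AVS response code."""
        code = code.strip().upper()
        if code not in AVS_CODES:
            # Codes outside the table are treated like "no answer".
            return "reject" if self.reject_unverified else "approve"
        return "reject" if code in self.reject_codes() else "approve"


# A pay-at-the-pump terminal collects only the ZIP, so only the ZIP is required.
PUMP_POLICY = AvsPolicy(require_zip=True)
```

The `reject_unverified` flag is the decision most often left implicit: with it off, a response of U, R or S is approved even though nothing was verified.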
You bring up a good point that's often overlooked in Security. Data.
"In God we Trust, all others must bring data." - W. Edwards Deming
I think it's unlikely you're going to find actual data for the effectiveness of a security policy. I don't know of a lot of actual scientific analysis in the security industry, and that's a terrible shame. So people are left to speculate, and speculate they will.
Like gowenfawr, I don't have any data either, and can only offer speculation.
You're right that the "stolen wallet attack" won't offer any protection from fraud. But a lot of credit cards these days are stolen from insecure automated processing systems. Target and Home Depot are examples of this. Attackers are taking the information from these systems and cloning cards. I don't believe these systems generally contain the zip code of the cardholder, and it's not encoded on the card itself.
The point being, asking for a zip code at a gas station will make cloning attempts harder to perform. I'd speculate that this will reduce fraud by some amount.
It's for deterrence, and some things that are used for deterrence are really for the customer to feel safe and secure and do very little for "security." Take surveillance cameras. I probably install about 200+ cameras a year, and as I do everything possible to make the cameras protect the site as best as I can, there are ways around that. They are for deterrence. People see cameras and go "Oh they have cameras, I can't rob this place." Not saying cameras are useless, I've helped store owners capture probably about 50 employees/customers stealing over the years.
So, let's start with this example. I've stolen your wallet; now, whether you realized this happened 5 minutes ago or 5 hours ago, you are going to call your banks/credit card and cancel your cards. As the thief, I have to use your cards quickly, as I know you're going to cancel your cards. I'd be more worried about identity theft from a stolen wallet instead of my cards being used.
You are right, if I have your wallet I know your zip code. Maybe I can't use your business card, but I can still get away with something for free. I'll go buy pre-paid cards to use and trash your wallet maybe keeping your ID cards.
Let's say instead of stealing your wallet, I hack a POS network and get card information from there. I don't have your zip code, but I could still make a duplicate copy of your card if I got enough information from the hacking I did at the POS network. You wouldn't know your card information had been compromised until the company releases that they've been hacked. Still I could still use that card data to buy stuff, but not at a "pay at the pump" type setting.
You are asked for the ZIP code at locations where you aren't "interacting" with a person. It's a prevention method to keep thieves with your CC info from stealing gas. However they could go inside with a "copied" card and buy gas inside.
Simply, if you are paying with a card 'face to face' with someone, they don't need any extra information from you besides what's on the card. They may ask for Photo-ID to confirm you are the card holder.
If you are at a kiosk paying station (gas pump, store kiosk) and the system asks you for the zip code of the billing address of the card, it's to check for fraud.
That zip code check is verified by the card-holder's bank and is not used in any way other than to verify the information is correct.
In a 'face to face', any extra information they ask is most likely for marketing purposes, and they cannot deny your transaction by you failing to give that extra information out.
California Beverly Credit Card Act of 1971 deals with that, and amendments have been made to it over the years.
Does it cut down on fraud? Maybe. However, I could still go inside with "your" card and buy gas there. Granted, there's more chance of failure going inside: cameras, cashier asking for ID, card being reported stolen.
By trying to use the card outside with no employees around, I'm going to get two responses from the gas pump:
- Accepted
- Your card was declined, see attendant.
If I got option #2, I would just leave and try another zip code at another gas station.
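Because the ZIP check is answered by the card-holder's bank, every one of those retries reaches the same issuer, which can count them. The sketch below is an added example, not part of the original answer: the log format, field names, window and threshold are all constructed assumptions. It flags a card once several different ZIP codes have failed AVS within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ZIP_MISMATCH = {"N", "A"}  # AVS results where the entered ZIP did not match

# Constructed issuer-side authorization log (card numbers already tokenized).
LOG = [
    "2024-05-01T10:00:05Z card=tok_A terminal=pump-17 zip=30301 avs=N",
    "2024-05-01T10:06:40Z card=tok_A terminal=pump-52 zip=30302 avs=N",
    "2024-05-01T10:07:10Z card=tok_B terminal=pump-17 zip=60614 avs=N",
    "2024-05-01T10:07:45Z card=tok_B terminal=pump-17 zip=60614 avs=N",
    "2024-05-01T10:08:30Z card=tok_B terminal=pump-17 zip=60641 avs=Z",
    "2024-05-01T10:15:12Z card=tok_A terminal=pump-08 zip=30303 avs=N",
    "2024-05-01T12:00:00Z card=tok_C terminal=pump-08 zip=94103 avs=N",
]


def parse(line):
    """Split 'timestamp key=value ...' into a record with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def zip_guessing_cards(lines, window=timedelta(minutes=30), max_zips=3):
    """Return {card: details} for cards with >= max_zips distinct failed ZIPs
    inside one sliding window. Repeating the same wrong ZIP counts once, so a
    card holder who mistypes and retries is not flagged."""
    recent = defaultdict(deque)  # card -> (ts, zip, terminal) of recent misses
    flagged = {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["avs"] not in ZIP_MISMATCH:
            continue
        q = recent[rec["card"]]
        q.append((rec["ts"], rec["zip"], rec["terminal"]))
        while rec["ts"] - q[0][0] > window:
            q.popleft()  # drop misses that fell out of the window
        zips = {z for _, z, _ in q}
        if len(zips) >= max_zips and rec["card"] not in flagged:
            flagged[rec["card"]] = {
                "distinct_zips": len(zips),
                "terminals": sorted({t for _, _, t in q}),
                "flagged_at": rec["ts"],
            }
    return flagged
```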