The foundational design of payment systems prioritized ease of adoption by widely distributing information that was supposed to stay secret, such as credit card and bank account numbers. The same number that identifies an account also authorizes charges against it, and it is handed to every merchant, payee, and intermediary that touches a transaction. This decision created a permanent security vulnerability that has required decades of reactive, add-on security measures (the CVV and AVS checks discussed below among them) to compensate for a credential that cannot actually be kept secret.
Businesses and financial institutions intentionally accept a certain level of fraud. The friction required to eliminate it entirely would block too many legitimate transactions, ultimately costing more in lost revenue (lower conversion) than the fraud itself. It is a calculated trade-off between security and usability.
Smartphones succeeded where dedicated hardware failed because users willingly manage the entire device lifecycle themselves—they purchase, secure, and rapidly replace them at their own expense. This solved the banks' biggest operational and logistical barrier to deploying a hardware-based security token.
The primary protection of the Card Verification Value (CVV) isn't its secrecy in transit, which TLS already covers, but the PCI DSS rule that merchants must not retain it after authorization, not even in encrypted form. Because the code is never at rest in merchant systems, a large-scale database breach yields card numbers but not the CVVs needed to use them online. Its security is therefore a function of process compliance on the merchant side (the issuer verifies each submitted code against its own keys, so the three digits carry no cryptographic strength of their own), not just of cryptography.
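What "forget it after authorization" looks like in code, as an added example that is not from the original page: the request and response field names, the gateway response shape and the sample checkout data below are constructed for illustration and do not follow any particular gateway's API. The storage gate drops sensitive authentication data, masks the card number to the first six and last four digits, and scrubs Luhn-valid card numbers out of free-text fields, so a stray PAN in a customer note cannot leak into the database either.

```python
import re
from copy import deepcopy

# Sensitive authentication data that PCI DSS forbids storing after authorization,
# even encrypted. The exact key spellings are assumptions for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}

# Any 13-19 digit run, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed checkout request (4111... is a well-known test card number).
SAMPLE_AUTH_REQUEST = {
    "pan": "4111111111111111",
    "exp": "12/29",
    "cvv": "123",
    "amount_cents": 4999,
    "order_id": "A-1001",
    "memo": "customer note: card 4111 1111 1111 1111 on file",  # stray PAN in free text
}

# Constructed gateway reply: the result codes may be kept at rest, the CVV may not.
SAMPLE_GATEWAY_RESPONSE = {"approved": True, "auth_code": "A1B2C3", "avs": "Y", "cvv_result": "M"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812), used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, within PCI DSS display limits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask every Luhn-valid card number found inside free text."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def _leaves(obj, key=None):
    """Yield (key, value) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaves(v, key)
    else:
        yield key, obj


def contains_sensitive_data(obj) -> list:
    """Pre-write gate: every reason the object must not be persisted as-is."""
    problems = []
    for key, value in _leaves(obj):
        if isinstance(key, str) and key.lower() in SENSITIVE_AUTH_FIELDS:
            problems.append(f"field {key!r} must not be stored")
        if isinstance(value, str):
            for m in PAN_CANDIDATE.finditer(value):
                if luhn_ok(re.sub(r"\D", "", m.group(0))):
                    problems.append(f"unmasked PAN in {key!r}")
    return problems


def record_for_storage(auth_request: dict, gateway_response: dict) -> dict:
    """Build the only record that may outlive the authorization call."""
    rec = deepcopy(auth_request)
    for field in list(rec):                      # drop sensitive authentication data outright
        if field.lower() in SENSITIVE_AUTH_FIELDS:
            del rec[field]
    rec["pan"] = mask_pan(rec["pan"])            # PAN may be kept only in masked form
    for field, value in list(rec.items()):       # scrub card numbers out of free text
        if isinstance(value, str):
            rec[field] = redact_text(value)
    for field in ("auth_code", "avs", "cvv_result"):   # result codes, never the CVV itself
        rec[field] = gateway_response.get(field)
    problems = contains_sensitive_data(rec)
    if problems:
        raise RuntimeError(f"refusing to persist: {problems}")
    return rec


if __name__ == "__main__":
    print("raw request:", contains_sensitive_data(SAMPLE_AUTH_REQUEST))
    print("stored:", record_for_storage(SAMPLE_AUTH_REQUEST, SAMPLE_GATEWAY_RESPONSE))
```

Running it on the raw request reports the CVV field and two unmasked card numbers (one in the `pan` field, one in the memo); the record that comes out of `record_for_storage` reports nothing. The same scanner is worth running over application logs and crash dumps, which is where CVVs and full PANs most often end up at rest by accident.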
Early single-purpose authentication devices, like TOTP fobs, fell out of favor primarily due to the operational nightmare of device management. The logistics of shipping, replacing, and supporting lost or broken devices at scale proved far more challenging and costly for banks than the security technology itself.
The Address Verification Service (AVS) for credit cards doesn't return a simple pass/fail. It returns one of a range of result codes (street and ZIP both matched, only the ZIP matched, only the street matched, neither matched, or the issuer could not verify the address at all) because perfect address matching is impossible: customers mistype apartment numbers, move without updating the bank, and many non-US issuers don't support AVS. Businesses choose an acceptable risk threshold, often requiring only a ZIP match and treating an unverifiable result as neutral rather than as a decline, to avoid turning away legitimate sales.
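The threshold choice as a small decision engine, added here as an example that is not from the original page. The AVS and CVV result letters are the common Visa-style codes; exact sets and meanings vary by network and processor, so the groupings below are assumptions to check against your gateway's documentation. The `Policy` class, `decide` and `evaluate` functions and the labelled sample authorizations are constructed for illustration; the evaluation shows the trade-off from the paragraph above in numbers, with a strict full-match policy blocking several legitimate orders that a ZIP-only policy lets through.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"
    DECLINE = "decline"


# AVS result codes grouped by what actually matched (assumed Visa-style set).
AVS_FULL_MATCH = {"Y", "X", "D", "M", "F"}         # street and ZIP/postal both matched
AVS_ZIP_ONLY = {"Z", "W", "P"}                     # ZIP/postal matched, street did not
AVS_ADDRESS_ONLY = {"A", "B"}                      # street matched, ZIP/postal did not
AVS_NO_MATCH = {"N", "C"}
AVS_UNVERIFIABLE = {"U", "R", "S", "G", "E", "I"}  # unavailable, retry, unsupported, error
AVS_RANK = {"none": 0, "address": 1, "zip": 2, "full": 3}

CVV_MATCH = {"M"}
CVV_NO_MATCH = {"N"}
CVV_UNVERIFIABLE = {"P", "S", "U", "X"}            # not processed, not on card, issuer can't check


@dataclass(frozen=True)
class Policy:
    name: str
    min_avs: str = "zip"              # weakest AVS level accepted: "none", "address", "zip", "full"
    review_above_cents: int = 25_000  # unverifiable results on orders above this go to manual review
    decline_unverifiable_avs: bool = False


def avs_level(code: str) -> str:
    """Map a raw AVS letter onto the level of match it represents."""
    code = code.upper()
    for level, codes in (("full", AVS_FULL_MATCH), ("zip", AVS_ZIP_ONLY),
                         ("address", AVS_ADDRESS_ONLY), ("none", AVS_NO_MATCH),
                         ("unverifiable", AVS_UNVERIFIABLE)):
        if code in codes:
            return level
    raise ValueError(f"unknown AVS code {code!r}")


def decide(avs: str, cvv: str, amount_cents: int, policy: Policy) -> Tuple[Decision, str]:
    """Accept, review or decline one authorization under the given policy."""
    cvv = cvv.upper()
    if cvv not in CVV_MATCH | CVV_NO_MATCH | CVV_UNVERIFIABLE:
        raise ValueError(f"unknown CVV result {cvv!r}")
    if cvv in CVV_NO_MATCH:                        # cheap, high-signal: card is not in hand
        return Decision.DECLINE, "cvv mismatch"
    level = avs_level(avs)
    if level == "unverifiable":                    # issuer could not check: don't punish the customer
        if policy.decline_unverifiable_avs:
            return Decision.DECLINE, "avs unverifiable"
        if amount_cents > policy.review_above_cents:
            return Decision.REVIEW, "avs unverifiable on large order"
    elif AVS_RANK[level] < AVS_RANK[policy.min_avs]:
        return Decision.DECLINE, f"avs {avs.upper()} below required {policy.min_avs}"
    if cvv in CVV_UNVERIFIABLE and amount_cents > policy.review_above_cents:
        return Decision.REVIEW, "cvv not verified on large order"
    return Decision.ACCEPT, "ok"


# Constructed authorizations with ground-truth labels: (avs, cvv, amount_cents, is_fraud).
SAMPLE_AUTHS = [
    ("Y", "M", 4_999, False),
    ("Z", "M", 12_900, False),   # recently moved: issuer has stale street, current ZIP
    ("A", "M", 3_500, False),    # apartment number typo
    ("U", "M", 8_000, False),    # non-US issuer, AVS not supported
    ("G", "P", 45_000, False),   # international, CVV not processed, large order
    ("N", "N", 29_900, True),
    ("Z", "N", 9_900, True),
    ("Y", "M", 7_500, True),     # stolen card plus billing address: passes everything
    ("N", "M", 19_900, True),
    ("U", "M", 39_900, True),
]


def evaluate(policy: Policy, auths=SAMPLE_AUTHS) -> dict:
    """Count what a policy does to legitimate versus fraudulent orders."""
    stats = {"legit_blocked": 0, "fraud_stopped": 0, "fraud_passed": 0, "review": 0}
    for avs, cvv, amount, is_fraud in auths:
        decision, _ = decide(avs, cvv, amount, policy)
        if decision is Decision.REVIEW:
            stats["review"] += 1
        elif is_fraud:
            stats["fraud_stopped" if decision is Decision.DECLINE else "fraud_passed"] += 1
        elif decision is Decision.DECLINE:
            stats["legit_blocked"] += 1
    return stats


STRICT = Policy("full-match", min_avs="full", review_above_cents=10_000, decline_unverifiable_avs=True)
LENIENT = Policy("zip-only", min_avs="zip", review_above_cents=25_000)

if __name__ == "__main__":
    for policy in (STRICT, LENIENT):
        print(policy.name, evaluate(policy))
```

On the constructed sample the strict policy blocks four of the five legitimate orders while stopping four of the five frauds; the ZIP-only policy blocks one legitimate order, stops three frauds outright and sends two large unverifiable orders to manual review. Neither catches the stolen card whose thief also has the billing address, which is the case these checks were never designed to solve.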
The modern consumer economy relies on 'pull' payments, where users pre-authorize businesses to charge variable amounts (like utility bills) against their accounts. This is incompatible with high-security enterprise controls like Positive Pay, in which the account holder sends the bank a list of issued items (check number, amount, and payee) and the bank returns anything that does not match exactly as an exception. Pre-approving the exact amount of every single transaction is tolerable for a corporate treasury team with staff for the job; for households it would create far too much friction.
