Is your Zip-Code also a security code?

The other day I stopped at a local Exxon gas station that I don’t usually use. I put my credit card in the slot and was prompted to enter my 5 digit Zip-Code. I figured this was to authenticate that I was, in fact, the proper holder of that credit card.

I’ve gotten used to entering a lot of information whenever I use my credit card for online purchases. Usually, I am required to either have the item shipped to my credit card address, or at least supply the proper home address if I want to ship the item to my office. I figured the gas station Zip-Code thing was just a short-hand security check to make sure I knew the Zip-Code of the address associated with the credit card. But maybe not.

A friend of mine suggested that the Zip-Code was simply a way of gathering marketing information. I realize that marketers keep track of the spending habits of households by Zip-Code, but somehow I would figure they wouldn’t need me to key in that information to get their data. I guess there is only one way for me to find out if the Zip-Code is a security feature: next time I go to that gas station I’m going to purposely enter the wrong code and see what happens. If my credit card is denied then I’ll know it’s a security feature.

Obviously, requiring the Zip-Code as a security measure would be an extremely ‘light’ form of security. If someone steals my wallet they can easily get my Zip-Code from my driver’s license, so the odds are that they aren’t going to have trouble using the credit card to make a fraudulent purchase. On the other hand, the transactional cost of requiring a card holder to enter a 5 digit number that they are going to know by heart is small. And in at least a few fraud transactions the credit card thief is not going to know, or be able to quickly ascertain, the proper Zip-Code. So in those cases a Zip Code security requirement might be worth the effort.