yfan wrote: You say your zip is easy to guess, I say there are only 10,000 combinations for 4 digits, which takes substantially less than half a nanosecond for a computer to go through (without even going into the question of how your waitress would even know you aren't from out of town just by looking at your credit card). So yes, I stand by my assessment that when it comes to online shopping, chip and pin (or chip and anything else) along with a reader that most people don't own both doesn't have merit or any added actual security.
The computer can enumerate 10,000 four digit pins quickly, but if the pin is being processed online (the pin is sent to the issuing bank for verification), they won't get more than a handful before the bank says "I smell fraud!" and kills the card. If the card is doing offline pin (the card itself verifies the pin, and issues a cryptographically signed request when the proper pin is provided, which is passed along as proof of the card being involved and properly authenticated), it's going to take a bit to process each one, and you don't get more than a handful before the card says "I smell fraud!" and either shuts itself off, or says "we must do an online auth".
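A small simulation, added here as an illustration and not part of either poster's text, of why the 10,000-combination argument does not carry over to chip cards: both the offline card and the online issuer keep a try counter, so exhaustive guessing stops after a handful of attempts regardless of how fast the guesser is. The class and function names, the 3-try limit, and the HMAC-SHA256 stand-in for the card's cryptogram are all assumptions of this toy model, not real EMV behaviour.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed try limit; real cards and issuers pick their own small number.
MAX_TRIES = 3


@dataclass
class OfflinePinCard:
    """Toy model of a chip card that verifies the PIN itself (offline PIN).

    The card holds a secret key that never leaves it. Only after a correct
    PIN does it produce a keyed MAC over the transaction, standing in for the
    signed request the reply above describes. (Constructed for this example.)
    """
    pin: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    tries_left: int = MAX_TRIES
    blocked: bool = False

    def verify_pin(self, candidate: str, transaction: bytes):
        """Return a cryptogram on success, None on a wrong PIN or blocked card."""
        if self.blocked:
            return None
        if hmac.compare_digest(candidate, self.pin):
            self.tries_left = MAX_TRIES          # good PIN resets the counter
            return hmac.new(self.key, transaction, hashlib.sha256).hexdigest()
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True                  # card "shuts itself off"
        return None


class OnlinePinIssuer:
    """Toy model of the issuing bank checking PINs sent online (constructed)."""

    def __init__(self, pins_by_card: dict):
        self._pins = pins_by_card
        self._tries = {card: MAX_TRIES for card in pins_by_card}
        self.killed = set()

    def authorize(self, card_id: str, candidate: str) -> str:
        if card_id in self.killed:
            return "CARD_KILLED"
        if hmac.compare_digest(candidate, self._pins[card_id]):
            self._tries[card_id] = MAX_TRIES
            return "APPROVED"
        self._tries[card_id] -= 1
        if self._tries[card_id] == 0:
            self.killed.add(card_id)             # bank "smells fraud"
            return "CARD_KILLED"
        return "DECLINED"


def exhaustive_guess_offline(card: OfflinePinCard, transaction: bytes):
    """Try 0000..9999 against the card; returns (attempts_made, cryptogram)."""
    attempts = 0
    for n in range(10_000):
        if card.blocked:
            break
        attempts += 1
        cryptogram = card.verify_pin(f"{n:04d}", transaction)
        if cryptogram is not None:
            return attempts, cryptogram
    return attempts, None


def exhaustive_guess_online(issuer: OnlinePinIssuer, card_id: str):
    """Try 0000..9999 against the issuer; returns (attempts_made, approved)."""
    attempts = 0
    for n in range(10_000):
        attempts += 1
        result = issuer.authorize(card_id, f"{n:04d}")
        if result == "APPROVED":
            return attempts, True
        if result == "CARD_KILLED":
            return attempts, False
    return attempts, False


def success_probability(tries: int = MAX_TRIES, pin_space: int = 10_000) -> float:
    """Chance that a uniformly random 4-digit PIN is hit within `tries` guesses."""
    return tries / pin_space


if __name__ == "__main__":
    card = OfflinePinCard(pin="4321")
    print(exhaustive_guess_offline(card, b"constructed-transaction"))  # stops at 3
    issuer = OnlinePinIssuer({"card-A": "4321"})
    print(exhaustive_guess_online(issuer, "card-A"))                   # stops at 3
    print(success_probability())                                        # 0.0003
```

The point the model makes concrete: the guesser's speed is irrelevant because the scarce resource is attempts, not CPU time; with a 3-try counter the chance of landing on a random PIN is 3 in 10,000, and a successful guess is only useful because the card then emits a cryptogram the merchant cannot forge without the card present.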