Side note - it is extremely simple to write credit card data onto a magstripe card. Fargo makes card printers that can produce a printed card (like employee ID cards) for a couple of hundred dollars; and you can buy magnetic stripe blanks. Embossing can also be done in any small shop that has the equipment. Chip cards - not so easy. Apparently the newest trick is to take an old expired card with a chip, and then fry the chip so it doesn’t work. heat the card to remove the embossing and emboss with new fraudulent information, rewrite the stripe. Then when presented to a merchant, the chip will fail and the merchant (they hope) will fall back to stripe reader processing.
First - if a retail establishment or its employees engage in repeated theft, the bank security systems will pick up the pattern - “oh look, all these fraudulent charges were made with cards that recently had a transaction at Joe’s Coffee Shop.” The first debit PIN scam I read about, several decades ago, involved a small merchant in downtown Toronto where the cards were skimmed when swiped and there was a camera embedded in the ceiling to read the PIN as it was entered. Until all ATM’s are converted to CHIP, stealing with a fake debit card and stolen PIN is easy at unattended ATM’s - the card does not even have to look right, it just needs the correct content on the stripe. They were of course caught when the pattern became too obvious.
Next - how else do you convert a credit card to money? A merchant who has too many contested charges will get massive chargebacks, may lose the guarantee the credit card company will absorb the loss, and will possibly be under criminal investigation. Newer computer security programs at the banks are excellent at spotting odd patterns that indicate compromised credit cards. Plus, that security code may not seem secure - but merchants are AFAIK forbidden from storing it. It is accepted for the transaction and then deleted; so a typical compute breach will not get the associated code necessary for freewheeling online ordering. Plus, you need to know the billing address. So the number isn’t enough - they need a pretty good profile on you.
When I was involved with a group that accepted credit cards, the rule was - card present, signature matched. Frankly, nobody cared about the signature, because nobody was an expert in signatures. Today in Canada with Chip and PIN, the merchant is on the hook if the transaction is not done with the chip and PIN. For online, the merchant is on the hook - so it’s up to them to have good security practices for delivering goods, such as no PO boxes or commercial drops. (There was a whole discussion I read once about not allowing parcels to be redirected by the recipient once they had shipped - crook would get tracking number, then call FedEx and have it delivered elsewhere.)
With more and more software requiring online activation and regularly “phoning home”, it’s even hard to buy software activation keys online and get away with it.
In the early days of the internet, apparently one billing company - for assorted porn services - was responsible for 50% or more of charge reversals in the USA. From that came severe penalties for companies with high reversal rates.
Plus, as each scam bubbles to the surface, credit card companies find ways to guard against them. One old trick, for example, was to call and change the billing address, ask for a new card (or steal it from the mailbox), activate it and go on a spree until the bills come due and the card is cancelled for overdue payments. So card companies are careful about both such requests today and computers are watching for it. Some scams require a physical presence.