I mean, it makes sense. I haven’t pulled out a CC at a U.S. Hilton in a decade. So theoretically anyone with my login credentials could go to town.

In general, the lack of verification of identity by merchants for CC users is one of those things that is surprising when you step back and think about it. But some baseline level of fraud is just baked into the system and everyone is fine with it.