Pretty much. If they didn't have a problem with it before, why now? I've NEVER had anyone card me for debit purchases. You would think the fact that I know my PIN for it would be enough security?
Well, there are three principles ("factors") of authentication:
1) Something you have (card and ID)
2) Something you are
3) Something you know (PIN)
The strongest factor is the second one, since it is hard to imitate. Sometimes you could see your signature as something you are, but it's pretty weak on the scale of signature to biometric devices.
The weakest is something you have, but by asking for two things it's another hoop that someone would have to jump through to use your debit card. If you think about how many people write their passwords on post-its, I imagine there are a lot of people who don't guard their PIN very well either... and with the PIN and the card, someone can escape unscathed. Asking for ID is a minor inconvenience for those of us who guard our PIN, but it could save someone else.
The third factor is only as good as we protect it. Passphrases are better than passwords which are better than PINs, based on length and complexity. I can't believe banks still use 4-number PINs, and websites that only accept [a-zA-Z0-9] and no special characters piss me off too.
In the end, you're right, ID is a pretty weak third thing to ask for... but it's better than nothing. Anyone can use your card with your PIN and get away with it; hell, I use my husband's card at the grocery store sometimes when I don't have mine.
What would be cool for credit/debit cards would be one-time use numbers, or limited time use+limited amount numbers... so they would "expire" or have such limited use that it wouldn't be worth scamming. Could be pretty inconvenient though, hard to do easily.
Anyway, sorry for the lesson, just one of those security things... Here is a short website that has some good thoughts on authentication, a better job than I could do without an editor.