You generally don't even need to get the right expiration date. As long as the date you supply is in the future it will usually work.
The security code also can sometimes be skipped. This varies from region to region, but in the US the credit card companies do not actually require a security code match for card not present transactions. The merchant can supply the code, and if so, the credit card processing system will report back on whether or not it matched, but it is up to the merchant to decide whether or not that should disallow completing the transaction.
Similar for customer address, by the way. The merchant can supply it and ask whether it matches, but whether or not a mismatch disallows the purchase is up to the merchant.
I think it also varies by processor, but I'm not sure on that one. One particular jerk merchant accepted my order for a few hundred dollars worth of car parts, then told me that he would only ship to my billing address. When I told him no and explained that my mail gets frequently stolen at that address, which is why I wanted my order shipped to the other address, he refused to cancel my order, and told me I'd need to call my bank to add the other address before he could ship my stuff.
At this point, he had not charged my card. I told him that if he did charge my card, I would file a chargeback. He charged it, I charged back, waited 2 months, and got a letter saying the chargeback was finalized and my refund was no longer "pending". Idiot cost himself probably 6% of the transaction both running it and paying for processing the refund, plus got a bad mark with his merchant account. He did all of this because he thought my transaction was fraud since the billing and shipping address didn't match (yet he refused to cancel it and charged it anyway).
The security code also can sometimes be skipped. This varies from region to region, but in the US the credit card companies do not actually require a security code match for card not present transactions. The merchant can supply the code, and if so, the credit card processing system will report back on whether or not it matched, but it is up to the merchant to decide whether or not that should disallow completing the transaction.
Similar for customer address, by the way. The merchant can supply it and ask whether it matches, but whether or not a mismatch disallows the purchase is up to the merchant.