It adds a "something you know" (password, PIN/Password to your token generator) factor to the "something I have" (The card, with numbers on front and back) factor, so I would say it's fair to call it two-factor authentication.
I beg to disagree. The credit card is "something you know" just as much as "something you have", because when used on the web it is just a (copyable) 23 digit number. Whether you remember the number or look it up in your wallet is no different than whether you remember your password or store it on a post-it.
Other things "you have" in popular 2FA solutions are quite different, for instance your mobile phone number identity (for SMS) or your Google Authenticator.
Other things "you have" in popular 2FA solutions are quite different, for instance your mobile phone number identity (for SMS) or your Google Authenticator.