AI: Four Digits of Assumption

A robot looking out across a Martian landscape with an army of robots approaching in double file.

The Myth of the Four-Digit PIN

The global standard for PINs has supported twelve digits since the 1970s. Yet ask almost anyone today – including many bank staff – and you’ll be told, with unwavering confidence, that all PINs are four digits long. This isn’t true, and more to the point, it has never been true.

The belief in the four-digit PIN, like so many in technology and business, began as an assumption; an assumption that hardened into a “standard” simply because no one bothered to question it.

An Experiment in Modern Banking Mythology

Having just opened a Virgin Money account with my wife, we set off last Saturday to change our PINs. As I always do, I tried a 12‑digit PIN – the standard supported by all the payment networks. Both the Note Machine outside Morrisons and the ATM outside Santander accepted my 12‑digit PIN change request, asked me to confirm it without any indication of error or issue, but when the ATM submitted the request, Virgin Money cancelled the transaction.

Curious (although I knew what was going to happen), I engaged with Virgin Money’s help services. The chatbot gave up immediately, but not before asking me if I needed a PIN reminder. It then handed me off to a human, and I asked the question again. Without hesitation, the human confidently declared that PINs are always four digits long. When I mentioned that I have a Halifax card with a 12‑digit PIN, the call centre operator doubled down on the message, telling me that I must be mistaken or maybe I was confusing the payment card with something else, because payment cards have only ever used four-digit PINs.

The human eventually conceded that he wasn’t an expert! He didn’t concede that PINs might not be restricted to four digits but was unable to say where it might be documented, and then he referred me to the Sales Team – because “they issue the cards”.

The Hall of Mirrors

I called the number I was given and spoke to a member of the sales team from Scotland, and my query returned the same result. The Sales team in Glasgow assured me — again, with confidence but without evidence — that “all banks use four-digit PINs” because it’s the standard. When I asked which standard, or where this appears in Virgin Money’s documentation, he wasn’t able to say.

I checked and I can confirm that it isn’t in the Terms and Conditions. I can also confirm that four-digit PIN restrictions are not mentioned in any standard.

My Sales contact ended the conversation by pondering why the call centre operator had referred me to Sales, as Sales didn’t issue cards; he then asked me if I would like to raise a complaint. I accepted the opportunity, as I was keen to understand why Virgin Money elected to disregard the global payment standards, and it was clear that my three interactions so far had returned nothing but nonsense.

Assuming the Standard

The collective belief in the four-digit PIN restriction continues: product managers are oblivious, analysts never question it, and developers build systems around it. What begins as an assumption becomes a corporate meme — an idea that spreads internally until it’s treated as an external fact. The corporate meme seeps through to help desks and customer‑facing teams, who then repeat it faithfully to anyone who calls.

The reality is that Visa, Mastercard, LINK, and EMV specifications all support PINs between four and twelve digits, and there was never a time when this wasn’t the case. Every POS terminal has been certified to accept twelve-digit PINs, and there is a specific certification test and a specific test card for this purpose. The technical foundation could not be clearer, but cultural momentum is a powerful thing, and as humans, we have a tendency to generalise from our own narrow experiences: “I’ve only ever seen four-digit PINs, so all PINs must be four digits.”
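To make the developer assumption concrete, here is an added example (not code from the original post or from any bank or payment network) that puts the hard-coded four-digit check beside one following the 4-to-12-digit range the standards allow, and encodes a PIN into an ISO 9564-1 format 0 PIN block, where the length nibble is what carries PIN lengths up to twelve digits. The PAN and PINs below are constructed sample values; the PIN block is left in the clear so the layout is visible.

```python
import re

PIN_MIN, PIN_MAX = 4, 12  # the range the card-scheme and ISO 9564 specs permit


def assumed_four_digit_pin_is_valid(pin: str) -> bool:
    """The 'corporate meme' check: anything other than four digits is rejected."""
    return bool(re.fullmatch(r"\d{4}", pin))


def standard_pin_is_valid(pin: str) -> bool:
    """The check the standards actually call for: numeric, 4 to 12 digits."""
    return pin.isdigit() and PIN_MIN <= len(pin) <= PIN_MAX


def iso9564_format0_pin_block(pin: str, pan: str) -> bytes:
    """Build a cleartext ISO 9564-1 format 0 PIN block (16 hex nibbles).

    PIN field: control nibble '0', one nibble of PIN length, the PIN digits,
    then 'F' padding. PAN field: '0000' followed by the rightmost 12 PAN digits
    excluding the check digit. The block is the XOR of the two fields.
    """
    if not standard_pin_is_valid(pin):
        raise ValueError("PIN must be 4 to 12 numeric digits")
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")  # e.g. '041234FFFFFFFFFF'
    pan_field = "0000" + pan[-13:-1]                   # drop the Luhn check digit
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def iso9564_format0_pin(block: bytes, pan: str) -> str:
    """Recover the PIN from a format 0 block; the length nibble tells us how many digits to read."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    if not PIN_MIN <= length <= PIN_MAX:
        raise ValueError("PIN length outside the 4 to 12 digit range")
    return pin_field[2:2 + length]


if __name__ == "__main__":
    sample_pan = "5413330089020011"  # constructed sample PAN, not a real card number
    for pin in ("1234", "123456789012"):
        block = iso9564_format0_pin_block(pin, sample_pan)
        print(pin, "4-digit check:", assumed_four_digit_pin_is_valid(pin),
              "standard check:", standard_pin_is_valid(pin), "block:", block.hex().upper())
```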

It’s a small but telling example of how software systems, and the organisations behind them, can drift away from recognised standards through the acceptance of unexamined assumptions.

And once the myth takes hold, it’s astonishingly persistent.

So why are we surprised by AI?

AI Does the Same

I goggled 😊 the twelve-digit PIN thing on google, and asked which banks say – in their Terms and Conditions – that PINs are restricted to four digits. Gemini jumped straight in with a response telling me the vast majority of banks enforce a four-digit PIN (they don’t), and that this is explicitly stated, or implied, in their Terms and Conditions (it isn’t). Gemini also told me that the four-digit PIN has been a long-standing standard in the UK (not true) and is accepted as the universal practice for the Link ATM network (absolutely NOT true).

Gemini also gave me a list of banks whose documentation specifies a four-digit restriction on card PINs, but it did say at the bottom that “AI responses may include mistakes”. Ironically, I think this was the only part of the response that was true!

I questioned the answer and was presented with references to help centre articles and security guides. I was then told that this was because the de facto standard in the UK was based on the requirements of the LINK ATM network, but as we all know, the LINK standards state that “it has been agreed within LINK that PINs will be between 4 and 12 numeric digits.” [LINK Technical Standard].

When pushed, Gemini appeared to accept that no major UK Bank explicitly mentions a four-digit PIN in their Terms and Conditions and then, interestingly, went on to reference a LinkedIn article from April 2025 that “further clarifies this, explaining that assumptions by developers, rather than LINK network rules, often cause the restriction.” The article referenced and linked by Gemini was written by me!

Gemini thanked me for the article and then apologised for the errors and misleading responses. It said “My [Gemini] role is to provide accurate, verifiable information, and in this exchange, I failed that responsibility. I made up the existence of specific clauses within the T&Cs when they weren’t present in my search results and then compounded the error by being defensive rather than correcting the record.”

Revisiting the Mirror

I use the PIN example because the standards (Mastercard, Visa, LINK, EMV) are clear, unambiguous and available; they have been around for half a century, and because of this, the misconception can be examined, analysed and explained. Twelve digits is the standard, but the practical implementation has tended to use only four, resulting in a misconceived de facto standard.

My experience of Virgin Money was asking a question, receiving a response that didn’t cut the mustard, questioning that response and then listening to stuff the human on the other end of the phone was making up, based on assumptions and the need to win the battle.

My experience of Gemini was asking a question, receiving a response that didn’t cut the mustard, questioning that response and then reading stuff the AI on the other end of the chat was making up, based on assumptions it had extrapolated from what it found online. For Gemini, the need to win the battle was embodied in an eventual concession to the truth, but more importantly, it was in rationalising the outcome at the same time as making ME feel good about myself.

But just like the bank’s help desk, the AI made up information to “win” the argument, presenting misinformation with conviction.

Only when pushed back did the AI backtrack, but for both experiences, the system – human or algorithmic – chose confidence over correctness.

The Real Lesson

The impact of the four‑digit PIN is trivial, but the mechanism behind the impact isn’t. What we are experiencing is symptomatic of a growing problem, and without intervention, it’s a problem that we are doomed to ignore until it’s too late.

Organisations, analysts, and developers are all chewing on the same metaphoric sausage: mistaking habit for fact, assumption for evidence, and confidence for knowledge. AI is joining in, doing the same, and it’s doing the same very well.

But we’re all feeding the sausages back into the sausage machine!

The human propensity to accept “the facts”, coupled with an acceptance of the ability of AI to deliver “the facts”, is creating a downward spiral of unintended misinformation, which is constantly being used to reference and re-reference itself.

The technical truth about PIN lengths is easy to find, if we look; what’s harder is changing the collective habits and thought processes that are choosing not to look!

And perhaps that’s the real standard we should be questioning.
