It should be an easy question; we work in the card payment industry and it’s a pretty fundamental part of card security. The Personal Identification Number (PIN) has been with us since the first ATMs exchanged tenners for punched cards. The term has become ubiquitous; “PIN” and “ATM” are now as much a part of our language as skateboard and tweet!

The first Personal Identification Numbers were 6 digits long and were used to access cash in a machine that was primarily mechanical, with the exception of the cryptographic processes deployed electronically to validate the PIN.

The PINs were local to the ATM and the ATMs were stand-alone devices without connectivity. Card transactions were picked up by the branch staff in the morning and were processed as cheque withdrawals. The cards were retained by the ATM and later posted back to the cardholders: a far cry from today’s electronic wizardry.

The first ATMs predated Visa’s BASE I by several years, but since the ATMs weren’t interoperable, it really didn’t matter except to establish that six-digit PINs were already in use.

BASE I was developed from 1973 and ISO8583 was introduced in 1987. ISO8583 is now the international standard for financial transaction messaging, especially for card-based transactions. The length of the PIN is mentioned but is not specifically defined. The standard does, however, reference ISO9564, where the PIN length is clearly defined.

These standards are global and well established; they are easy to check and it’s all quite clear. So why is such an easy question so difficult to answer?

I have some banking apps that restrict the PIN visibility to 4 digits, and in some cases, the PIN length is restricted to 4 digits on issue and on PIN Change.

I have other apps that also restrict PIN visibility to 4 digits, but these don’t show me the whole of my PIN, they only show the first four digits!

If you look at the Link ATM standard, it will tell you that the length of a PIN should be the maximum length allowed by the chip, but it doesn’t specify a length. The PIN length is important because it is set in the Financial Institution Table (FIT) and determines how the ATM will react to different cards.

I worked at the Halifax as we upgraded the debit card systems for the introduction of EMV. I had worked for the Halifax previously, establishing their first connection to the Visa network, so I had seen the Visa specifications. We built the Halifax systems to support the PIN length reflected in the Visa manuals, in ISO8583 and ISO9564, by reference to the PIN length in the Link Standards and to the maximum PIN length supported by the chip.

The chip cards were issued with 4-digit PINs, but as per the standards, they weren’t restricted to 4 digits. The ATM PIN Change function supported the standards, they were supported by the authorisation host, and they are also supported by the POS terminal standards as certified by Mastercard’s TIP tests.

The standards are clear, there is no ambiguity and there is NO excuse.

The Halifax fell (bad management and greed) and was rescued by Lloyds. Lloyds assimilated the Halifax systems, and the Halifax Debit Card that I had been using since the EMV upgrade would no longer work in Halifax ATMs. It did, however, continue to work in other ATMs. The Halifax ATMs would not allow me to enter the full number: after four digits, it assumed I had finished and then automatically proceeded to the next page. The PIN that was entered was inevitably rejected by the host and no money was to be had. The ATMs that didn’t support the Link FIT table still accepted my PIN, and so did the authorisation host!

The Product Managers and Developers and everyone else involved had assumed that PINs were 4 digits long. They had delivered a service that was based on assumptions, which nobody had bothered to check. Why would they?

The Visa manuals from the mid-19th Century (wink!) tell you that the supported PIN length is 12 digits, ISO8583 (by reference to ISO9564) tells you that the supported PIN length is 12 digits, the chip specifications support PINs of up to 12 digits, and the Link Standards say the FIT table should reflect the maximum PIN length supported by the chip.

There are no anomalies across the standards, so the weak link must be the people who don’t read the standards, preferring instead to make assumptions based on their own incomplete experience.

In answer to the question, PINs can be anything up to 12 digits long. The minimum length is 4 digits, but this is no reason or justification to restrict the maximum to the same.
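As an added example (not code from the original post), here is the ISO 9564-1 format 0 clear PIN block encoded and decoded in Python; format 0 is not discussed above, and the PAN is a constructed sample. The second nibble of the block is an explicit PIN length, which is how a 12-digit PIN fits the same 8-byte block as a 4-digit one, and the validator rejects anything outside 4..12 rather than assuming 4.

```python
# Added example: ISO 9564-1 format 0 PIN block, showing the explicit length nibble.
MIN_PIN_LEN = 4
MAX_PIN_LEN = 12


def validate_pin(pin: str) -> str:
    """Enforce the ISO 9564 envelope: 4 to 12 decimal digits, nothing else."""
    if not pin.isdigit():
        raise ValueError("PIN must be decimal digits only")
    if not MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN:
        raise ValueError(f"PIN length {len(pin)} outside {MIN_PIN_LEN}..{MAX_PIN_LEN}")
    return pin


def pan_block(pan: str) -> bytes:
    """Format 0 PAN block: 0000 + rightmost 12 PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def encode_format0(pin: str, pan: str) -> bytes:
    """Clear PIN block: control nibble 0, length nibble, PIN digits, F padding, XOR PAN block."""
    pin = validate_pin(pin)
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), pan_block(pan)))


def decode_format0(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block using the length nibble, not a fixed 4."""
    clear = bytes(a ^ b for a, b in zip(block, pan_block(pan))).hex().upper()
    if len(block) != 8 or clear[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(clear[1], 16)
    pin = clear[2:2 + length]
    if clear[2 + length:] != "F" * (14 - length):
        raise ValueError("bad padding")
    return validate_pin(pin)


if __name__ == "__main__":
    sample_pan = "4000001234567899"  # constructed, not a real card number
    for candidate in ("1234", "123456", "123456789012", "123", "1234567890123"):
        try:
            blk = encode_format0(candidate, sample_pan)
            print(candidate, "->", blk.hex().upper(), "->", decode_format0(blk, sample_pan))
        except ValueError as err:
            print(candidate, "rejected:", err)
```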

If something goes wrong (and it may be coincidental that things seem to be going wrong more and more), how would you approach troubleshooting when you don’t know whether the error is a genuine error or one caused by Product Managers and Developers making assumptions?

Technical debt is on the increase, and it will need to be paid back with interest.