The Straight Dope

Go Back   Straight Dope Message Board > Main > General Questions

Reply
 
Thread Tools Display Modes
  #1  
Old 05-27-2010, 07:11 AM
OziDaniel OziDaniel is offline
Guest
 
Join Date: May 2010
Credit/Debit card PIN - where is it stored?

Hello there, google finds for me conflicting information about where (or even if) a PIN is stored. Talking about cards with magnetic strips, not the new ones with a chip.

Some sites say it is encrypted and stored on the card. Others say it is on track 3 even though this track is not standardised for use among banks. And other sites say the PIN is not stored anywhere but the number a customer enters is compared with the account number's natural PIN.

So what's the truth?

And which website gives the best true answer?

Thanks in advance.
Reply With Quote
Advertisements  
  #2  
Old 05-27-2010, 07:20 AM
Joey P Joey P is offline
Charter Member
 
Join Date: Jun 1999
Location: Milwaukee, WI
Posts: 21,624
Quote:
Originally Posted by OziDaniel View Post
Hello there, google finds for me conflicting information about where (or even if) a PIN is stored. Talking about cards with magnetic strips, not the new ones with a chip.

Some sites say it is encrypted and stored on the card. Others say it is on track 3 even though this track is not standardised for use among banks. And other sites say the PIN is not stored anywhere but the number a customer enters is compared with the account number's natural PIN.

So what's the truth?

And which website gives the best true answer?

Thanks in advance.
It's been a long time since I've used a debit card, but IIRC, it's possible to change your pin over the phone, right? Assuming that's the case, it's stored at the bank. If it was stored on the card, it would have to be done at an ATM or some other place where your card could be physically swiped to do it.
Reply With Quote
  #3  
Old 05-27-2010, 08:49 AM
OldGuy OldGuy is offline
Charter Member
 
Join Date: Dec 2002
Location: Very east of Foggybog, WI
Posts: 2,914
Quote:
Originally Posted by Joey P View Post
It's been a long time since I've used a debit card, but IIRC, it's possible to change your pin over the phone, right? Assuming that's the case, it's stored at the bank. If it was stored on the card, it would have to be done at an ATM or some other place where your card could be physically swiped to do it.
I don't believe a standard ATM can write to the magnetic strip on a card.
Reply With Quote
  #4  
Old 05-27-2010, 09:12 AM
robert_columbia robert_columbia is offline
Guest
 
Join Date: Oct 2009
A few years back, I asked SunTrust Bank if I could change my atm/debit card pin. They told me that they would have to order me a new card because the PIN was stored on the card.
Reply With Quote
  #5  
Old 05-27-2010, 09:27 AM
Gary Robson Gary Robson is offline
Charter Member
Charter Member
 
Join Date: Mar 2003
Location: Montana, U.S.A.
Posts: 9,447
Welcome to the Straight Dope, OziDaniel.

When a brand-new guest signs up and asks a question like this, I feel compelled to ask, "why are you asking?" While we do discuss just about any topic here, there is a prohibition on any discussion that advocates illegal activity. If you're looking for ways to hack ATM cards, this isn't the place to ask--and you might want to know that such activities can land you in jail.
__________________
---
Yes, I have joined the ranks of former moderators. Being a mod was eating my life. Now I'm a member just like you. Except smarter and better looking.
Reply With Quote
  #6  
Old 05-27-2010, 09:37 AM
Cheshire Human Cheshire Human is offline
BANNED
 
Join Date: Jan 2010
Location: NY, USA
Posts: 4,547
It's stored at the bank. The ATM sends the account info (from the magnetic stripe) and the PIN you entered to the bank, the bank looks up the account and compares the PIN to what they have on file for that account, then approves or rejects the transaction. When I got my latest ATM card, they gave me the card, first, then had me choose a PIN. The card was already in my hands before I even filled out the "choose a PIN" form.

ETA: I don't have a website to refer you to that says this, this is just from my existing store of general knowledge.

Last edited by Cheshire Human; 05-27-2010 at 09:39 AM..
Reply With Quote
  #7  
Old 05-27-2010, 09:51 AM
kayaker kayaker is offline
Member
 
Join Date: Jul 2009
Location: Western Pennsylvania
Posts: 15,235
Personally, all of mine are on the back of a business card with frayed corners that has been in my wallet for years.
Reply With Quote
  #8  
Old 05-27-2010, 11:59 AM
Lips_Obsession Lips_Obsession is offline
Guest
 
Join Date: Apr 2004
In the past I remember being able to set and change the PIN number over the phone. More recent cards I have had (which have been from smaller, more local banks) have required "pre-setting" the PIN when the card is made. Not sure if this is a change in the industry or just because I have been with smaller banks.
Reply With Quote
  #9  
Old 05-27-2010, 10:01 PM
Apocalypso Apocalypso is offline
Guest
 
Join Date: Jan 2008
I spent some time programming for banks and I'll just say that storing ANY account information on a debit/credit card would be time consuming, expensive (relatively), completely unnecessary, and would introduce huge security holes. Your cards contain a routing number and the number of the card itself. This is all that is necessary for the atm/pos terminal to look up your account information.
Reply With Quote
  #10  
Old 05-28-2010, 03:11 AM
OziDaniel OziDaniel is offline
Guest
 
Join Date: May 2010
Credit/Debit card PIN - where is it stored?

Hello Wombat you sound like the GQ Police. Everyone knows the easiest way to get a PIN is to stick a wireless video camera above the keypad. A decent one will even resolve the card number. We read about it in the news occasionally.

It's a disagreement I am having with my girlfriend. She says her dad was told by the bank that the PIN was stored on the card itself. Because he lost his card one day and money was taken out of the account, supposedly by someone using a PIN despite his claim that he specifically did not activate the PIN on that card. I think the bank was trying to handball the blame to him so he would go away.

But I always thought the card only stored an rewritable offset number so you can change the PIN but the PIN is always on the server. Then I found a website that said the PIN is not stored anywhere and instead is generated by some algorithm to result in the account number's natural PIN. The server compares the natural PIN with that which was entered via the keypad. Sort of what Apocalypso is saying in the previous post.

The problem is that too many websites imply the PIN is on the card (talking about magnetic strip only, not the cards with a chip). And only one website so far has backed up what Apocalypso says. http://blog.creditorweb.com/index.ph...atm-pins-work/

I just want to prove that I was right and that the PIN is NOT stored on the card. Nothing advocating illegal activity that I can think of Wombat.

Thanks everyone else for the replies so far.

Daniel.
Reply With Quote
  #11  
Old 05-28-2010, 07:51 AM
MeanJoe MeanJoe is offline
Guest
 
Join Date: Feb 2000
They are probably confusing the PIN offset (which is typically stored on the card's magnetic stripe) with the PIN.

Check out: http://windforwings.blogspot.com/200...validated.html

Basic explanation of PIN generation and validation, including the role of the PIN offset.

MeanJoe

Last edited by MeanJoe; 05-28-2010 at 07:54 AM.. Reason: Found the link I was looking for.
Reply With Quote
  #12  
Old 05-28-2010, 09:52 AM
essell essell is offline
Guest
 
Join Date: Sep 2006
I asked this question myself on this very board a while ago. The general conlusion was that it varied. Some banks keep it on the server, others keep it on both.

For example, if you forget you PIN you can ask the bank to post it to you. Atleast with all the banks I've dealt with. So they must always have it on their side.

Also, think about the fact that all PDQ terminals are hooked into a phone line.

If the pin was stored locally on the card a PDQ terminal would be able to verify the pin without a connection and process a transaction, maybe offloading the details once per day when plugged back in to a line.

As far as I can see, there is no such terminal out there.
Reply With Quote
  #13  
Old 06-03-2010, 02:33 PM
Gary Robson Gary Robson is offline
Charter Member
Charter Member
 
Join Date: Mar 2003
Location: Montana, U.S.A.
Posts: 9,447
Quote:
Originally Posted by OziDaniel View Post
Hello Wombat you sound like the GQ Police.
I am the GQ police.

On the Straight Dope, we have a fairly large moderator/administrator staff (usually around 20), and we're all assigned to various beats. I'm one of the moderators assigned to GQ.
Reply With Quote
  #14  
Old 06-03-2010, 05:02 PM
t-bonham@scc.net t-bonham@scc.net is online now
Guest
 
Join Date: Mar 2003
Quote:
Originally Posted by essell View Post
Also, think about the fact that all PDQ terminals are hooked into a phone line.

If the pin was stored locally on the card a PDQ terminal would be able to verify the pin without a connection and process a transaction, maybe offloading the details once per day when plugged back in to a line.

As far as I can see, there is no such terminal out there.
The phone line is used to verify both the PIN and the account balance. ATM's are often programmed so that if the phone line is down, they will only allow you to withdraw a limited amount of cash (usually $50 to $100), so as to limit the risk to the bank. There would be no risk if it just said 'out of order' in those cases, but that would annoy the customers. They basically aren't cross-checking the PIN at all in those situations, because they can't communicate with the bank's mainframe. But that is a risk the banks are willing to take. (They do record the PIN that was entered, and video of the person doing that.)
Reply With Quote
  #15  
Old 06-03-2010, 05:48 PM
Hari Seldon Hari Seldon is online now
Guest
 
Join Date: Mar 2002
I think Wombat has over-reacted. There are all sorts of reasons why one may wonder about this (including pure unadulterated curiosity, the reason I looked at it). I recently got a new credit card, the kind with a PIN that can be used without a signature if the merchant has the right kind of reader and was at the bank to get a card for my wife. I had intended to change the PIN, but had forgotten to bring along the assigned one. I mentioned this to the teller (a woman I have known for years) who did something with the card and then said, go the ATM and use 1234 as the pin and change it to whatever you want. Which I did. But I am still curious.

I can't believe it is stored on the card. Someone, somewhere, would have worked out how to read it. So I assume it is at the bank.
Reply With Quote
  #16  
Old 06-05-2010, 01:13 PM
Gary Robson Gary Robson is offline
Charter Member
Charter Member
 
Join Date: Mar 2003
Location: Montana, U.S.A.
Posts: 9,447
Quote:
Originally Posted by Hari Seldon View Post
I think Wombat has over-reacted.
All I did was ask why he wanted to know, Hari. Over-reaction would have been closing the thread or banning the OP. I was just keeping an eye on things.
Reply With Quote
  #17  
Old 06-05-2010, 02:39 PM
shefDave shefDave is offline
Guest
 
Join Date: Jan 2005
In the UK's implementation of Chip & PIN it's stored on the card, otherwise systems like this wouldn't work.
Reply With Quote
Reply



Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 02:54 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.

Send questions for Cecil Adams to: cecil@chicagoreader.com

Send comments about this website to: webmaster@straightdope.com

Terms of Use / Privacy Policy

Advertise on the Straight Dope!
(Your direct line to thousands of the smartest, hippest people on the planet, plus a few total dipsticks.)

Publishers - interested in subscribing to the Straight Dope?
Write to: sdsubscriptions@chicagoreader.com.

Copyright 2013 Sun-Times Media, LLC.