Hello there, Google finds for me conflicting information about where (or even if) a PIN is stored. Talking about cards with magnetic strips, not the new ones with a chip.
Some sites say it is encrypted and stored on the card. Others say it is on track 3 even though this track is not standardised for use among banks. And other sites say the PIN is not stored anywhere but the number a customer enters is compared with the account number’s natural PIN.
It’s been a long time since I’ve used a debit card, but IIRC, it’s possible to change your PIN over the phone, right? Assuming that’s the case, it’s stored at the bank. If it was stored on the card, it would have to be done at an ATM or some other place where your card could be physically swiped to do it.
A few years back, I asked SunTrust Bank if I could change my ATM/debit card PIN. They told me that they would have to order me a new card because the PIN was stored on the card.
When a brand-new guest signs up and asks a question like this, I feel compelled to ask, “why are you asking?” While we do discuss just about any topic here, there is a prohibition on any discussion that advocates illegal activity. If you’re looking for ways to hack ATM cards, this isn’t the place to ask–and you might want to know that such activities can land you in jail.
It’s stored at the bank. The ATM sends the account info (from the magnetic stripe) and the PIN you entered to the bank, the bank looks up the account and compares the PIN to what they have on file for that account, then approves or rejects the transaction. When I got my latest ATM card, they gave me the card, first, then had me choose a PIN. The card was already in my hands before I even filled out the “choose a PIN” form.
ETA: I don’t have a website to refer you to that says this, this is just from my existing store of general knowledge.
In the past I remember being able to set and change the PIN number over the phone. More recent cards I have had (which have been from smaller, more local banks) have required “pre-setting” the PIN when the card is made. Not sure if this is a change in the industry or just because I have been with smaller banks.
I spent some time programming for banks and I’ll just say that storing ANY account information on a debit/credit card would be time consuming, expensive (relatively), completely unnecessary, and would introduce huge security holes. Your cards contain a routing number and the number of the card itself. This is all that is necessary for the ATM/POS terminal to look up your account information.
Hello Wombat, you sound like the GQ Police. Everyone knows the easiest way to get a PIN is to stick a wireless video camera above the keypad. A decent one will even resolve the card number. We read about it in the news occasionally.
It’s a disagreement I am having with my girlfriend. She says her dad was told by the bank that the PIN was stored on the card itself. Because he lost his card one day and money was taken out of the account, supposedly by someone using a PIN despite his claim that he specifically did not activate the PIN on that card. I think the bank was trying to handball the blame to him so he would go away.
But I always thought the card only stored a rewritable offset number so you can change the PIN but the PIN is always on the server. Then I found a website that said the PIN is not stored anywhere and instead is generated by some algorithm to result in the account number’s natural PIN. The server compares the natural PIN with that which was entered via the keypad. Sort of what Apocalypso is saying in the previous post.
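The natural-PIN-plus-offset idea raised in the post above, as an added example that is not part of the thread. It follows the shape of the IBM 3624 PIN offset method; HMAC-SHA256 stands in for the DES step so it runs on the standard library alone, and the key, account number and function names are constructed for illustration.

```python
import hashlib
import hmac

# Conventional table mapping each hex digit 0-F to a decimal digit.
DECIMALIZATION = "0123456789012345"

def natural_pin(pin_key: bytes, account_number: str, length: int = 4) -> str:
    """Derive the account's natural PIN from a bank-held key and the account number."""
    # Assumption: HMAC-SHA256 replaces the DES encryption a real system would use.
    digest = hmac.new(pin_key, account_number.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALIZATION[int(h, 16)] for h in digest[:length])

def offset_for(natural: str, chosen: str) -> str:
    """Digit-wise (chosen - natural) mod 10: the only value that needs storing."""
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen, natural))

def verify(pin_key: bytes, account_number: str, offset: str, entered: str) -> bool:
    """Recompute natural PIN + offset and compare it with the keypad entry."""
    if not (entered.isascii() and entered.isdigit() and len(entered) == len(offset)):
        return False
    natural = natural_pin(pin_key, account_number, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
    return hmac.compare_digest(expected, entered)

# Constructed sample values, not real card or bank data.
KEY = b"constructed-demo-key"
ACCOUNT = "4000001234567899"

if __name__ == "__main__":
    nat = natural_pin(KEY, ACCOUNT)
    off = offset_for(nat, "2580")          # customer chooses 2580
    print("offset stored:", off)
    print("correct PIN accepted:", verify(KEY, ACCOUNT, off, "2580"))
    print("wrong PIN rejected:", not verify(KEY, ACCOUNT, off, "2581"))
    # Changing the PIN rewrites only the offset; the natural PIN never changes.
    print("new offset for 1111:", offset_for(nat, "1111"))
```

Neither the offset nor the account number reveals the PIN without the bank-held key, which is why a scheme of this shape can verify a PIN that is never stored in the clear.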
I asked this question myself on this very board a while ago. The general conclusion was that it varied. Some banks keep it on the server, others keep it on both.
For example, if you forget your PIN you can ask the bank to post it to you. At least with all the banks I’ve dealt with. So they must always have it on their side.
Also, think about the fact that all PDQ terminals are hooked into a phone line.
If the PIN was stored locally on the card a PDQ terminal would be able to verify the PIN without a connection and process a transaction, maybe offloading the details once per day when plugged back in to a line.
As far as I can see, there is no such terminal out there.
On the Straight Dope, we have a fairly large moderator/administrator staff (usually around 20), and we’re all assigned to various beats. I’m one of the moderators assigned to GQ.
The phone line is used to verify both the PIN and the account balance. ATMs are often programmed so that if the phone line is down, they will only allow you to withdraw a limited amount of cash (usually $50 to $100), so as to limit the risk to the bank. There would be no risk if it just said ‘out of order’ in those cases, but that would annoy the customers. They basically aren’t cross-checking the PIN at all in those situations, because they can’t communicate with the bank’s mainframe. But that is a risk the banks are willing to take. (They do record the PIN that was entered, and video of the person doing that.)
I think Wombat has over-reacted. There are all sorts of reasons why one may wonder about this (including pure unadulterated curiosity, the reason I looked at it). I recently got a new credit card, the kind with a PIN that can be used without a signature if the merchant has the right kind of reader and was at the bank to get a card for my wife. I had intended to change the PIN, but had forgotten to bring along the assigned one. I mentioned this to the teller (a woman I have known for years) who did something with the card and then said, go to the ATM and use 1234 as the PIN and change it to whatever you want. Which I did. But I am still curious.
I can’t believe it is stored on the card. Someone, somewhere, would have worked out how to read it. So I assume it is at the bank.
All I did was ask why he wanted to know, Hari. Over-reaction would have been closing the thread or banning the OP. I was just keeping an eye on things.