Personal Identification Number

A Personal Identification Number – or PIN – is a numeric password shared between a user and a system that can be used to authenticate the user to the system. The user is typically required to provide a non-confidential user identifier or token, such as a credit card or other banking card, and a confidential PIN to gain access to the system. The numeric code is usually secret – one known only by the cardholder/user and special personnel from the issuing banking institution. Upon receipt of the user identification and Personal Identification Number, the system looks up the PIN that is based on the User ID and compares the Personal Identification Number on records with the received PIN. The user is only granted access only when the number entered exactly matches the number that is stored on record in the system.

Personal Identification Numbers are most often used for Automatic Transaction machines – or ATMs – but are increasingly used at the point of sale terminals, especially for debit card sales. In Europe, the traditional in-store credit card receipt-signing process is newly being replaced with a system whereby the cardholder customer is required to enter their PIN instead of signing the sales draft or touch screen. In other parts of Europe, there exists something called an EMV chip which authenticates material usually corroborated when PIN matches are made. PINs in this location of the world were introduced at the same time as EMV chips on major credit and debit cards. In other sections of the world, PINs have been used before the introduction of the somewhat more complex EMV protection system. Apart from obvious financial and banking uses, many GSM mobile phones allow users to enter Personal Identification Numbers between four and eight digits in length. The PIN is actually recorded in the SIM card itself.


Scottish inventor James Goodfellow patented Personal Identification Number technology and is largely recognized as the inventor of Automatic Teller Machine (or ATM) technology, while John Shepherd-Barron has also provided a substantially large contribution in both of their development.

The concept of a Personal Identification Number originates with the inventor of the ATM, Mr. Shepherd-Barron. In 1967, while creating ideas about more efficient methods that banking intuitions could disburse cash to their customers, it occurred to him that the operation of candy vending machine models was a good start. For authentication, Mr. Shepherd-Barron at first used a six-digit numeric code, however, his wife preferred four digits, which became the standard used today internationally.

Financial PINs are often 4-digit numbers in the range 0000-9999, resulting in 10,000 possible numbers. However, some banks do not give out numbers where all digits are identical (such as 3333) or consecutive (6789) or numbers that start with one or more zeroes. Many PIN verification systems allow only three initial attempts, thereby providing a credit card fraudulent user a fractional chance to guess the correct PIN before the card is blocked from further usage. This holds true only if all Personal Identification Numbers are equally likely and the fraudulent user has no further information available, which has not been the case with some of the many PIN generation and verification algorithms that banking institutions and Automated Teller Machine manufacturers have used in the past years.

If a cellular telephone PIN is incorrectly entered three times, the SIM card is blocked until a Personal Unblocking Code – or PUC – is provided by the service operator, which must then be entered. If the PUC is entered incorrectly ten times, the SIM card is permanently blocked, requiring a new replacement SIM card.

In 2002, two PhD students at Cambridge University – Mike Bond and Piotr Zieliński – discovered a security flaw in the Personal Identification Number generation system of the IBM 3624, which was duplicated and passed along in most later similar hardware. Known as the decimalization table attack, the flaw that Zieliński and Bond found would allow someone who has access to the computer system of a bank to determine the Personal Identification Number for an ATM card in an average of fifteen guesses or less.