Ever since banks started issuing credit and debit cards they also needed to supply customers with a PIN for cardholder verification purposes. These were for card usage at the ATM or POS terminal. The delivery method chosen was PIN Mailers.
PIN mailers hide the PIN with scratch-off or peel-back panels that highlight any attempts at tampering. They are generally sent to the cardholder's address using the postal service. Sometimes couriers are used to counter mail-in-transit risks.
PIN mailers are used to advise the cardholder of the PIN to be used with a new card and for PIN reminders.
It seems that not much has changed in the process used by banks in the last 30 years.
But in the same time period so much else has changed.
So I pose the question: are there better alternatives now available?
If so what are these?
With customers looking for immediacy and banks always looking to reduce their costs perhaps the time has come for a change.
I look forward to hearing your thoughts and suggestions.
110% agreed with you. In fact, we have a solution for the same where we deliver the PIN through two channels after user verification.
We use Q&A with BI to figure out if the user is valid and then generate a complex PIN (based on the password policy)....
Most important, we do not deliver the PIN in a single channel... we split the PIN into 2-3 parts and then deliver it through multiple channels like email, SMS, voice call etc. at different points in time....
So there is no way any hacker can get the complete PIN.
I hope it supports your article and look forward to hearing more from you.
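The split-PIN delivery described in the comment above can be built in more than one way, and the choice decides what a single intercepted channel gives away. The Python below is an added example, not part of the original post or of any commenter's product; it assumes a numeric PIN, and all function names are hypothetical. It compares cutting the PIN into consecutive chunks with additive sharing, where every channel carries a full-length random-looking string and only the digit-wise sum of all shares (mod 10) yields the PIN.

```python
import secrets

def split_by_position(pin: str, parts: int) -> list[str]:
    """Naive split: consecutive chunks of the PIN, one chunk per channel."""
    base, extra = divmod(len(pin), parts)
    chunks, start = [], 0
    for i in range(parts):
        end = start + base + (1 if i < extra else 0)
        chunks.append(pin[start:end])
        start = end
    return chunks

def split_additive(pin: str, parts: int) -> list[str]:
    """Additive sharing: the digit-wise sum of all shares mod 10 is the PIN."""
    if not (pin.isascii() and pin.isdigit()) or parts < 2:
        raise ValueError("need a numeric PIN and at least two channels")
    # All shares but the last are uniformly random digits from a CSPRNG.
    shares = [[secrets.randbelow(10) for _ in pin] for _ in range(parts - 1)]
    # The last share is whatever makes each column sum to the PIN digit.
    last = [(int(d) - sum(s[i] for s in shares)) % 10 for i, d in enumerate(pin)]
    return ["".join(map(str, s)) for s in shares + [last]]

def combine_additive(shares: list[str]) -> str:
    """Recombine on the cardholder side; leading zeros are preserved."""
    width = len(shares[0])
    return "".join(str(sum(int(s[i]) for s in shares) % 10) for i in range(width))

def guesses_left_positional(pin: str, parts: int, intercepted: set[int]) -> int:
    """PIN candidates left after the given chunk indexes were intercepted."""
    chunks = split_by_position(pin, parts)
    unknown = sum(len(c) for i, c in enumerate(chunks) if i not in intercepted)
    return 10 ** unknown

def guesses_left_additive(pin: str, parts: int, intercepted: set[int]) -> int:
    """Any missing share leaves every PIN equally likely."""
    return 1 if len(intercepted) >= parts else 10 ** len(pin)

if __name__ == "__main__":
    pin = "4927"  # constructed sample value
    print("positional chunks:", split_by_position(pin, 2))
    print("additive shares:  ", split_additive(pin, 3))
    print("left, 1 of 2 chunks seen:", guesses_left_positional(pin, 2, {0}))
    print("left, 2 of 3 shares seen:", guesses_left_additive(pin, 3, {0, 1}))
```

With positional chunks, one compromised channel cuts a four-digit PIN to 100 candidates; with additive shares, the full 10,000 remain until every channel has been intercepted.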
Credit cards came into existence more than 50 years ago. Despite the progress of technology during this period, they're still around. Rightly or wrongly, card issuance still uses KYC norms that are centered around identity and address (and not mobile phone # or email address). As a result, it'd logically follow that conventional PIN Mailers, sent to the KYC'd name at the KYC'd address, would be the only legally valid approach. Besides, they work well and, compared to the alternatives, are free of friction for the average cardholder. I for one wouldn't want to go thru' different channels to assemble different pieces of passwords just to get to my PIN.
I completely agree with your blog. It is inconvenient, untimely and uncompetitive to continue delivering PINs via post. And, with today's technology, paper and spit are no more secure.
I like the above comment using multiple channels although I would still rather the PIN be delivered as a whole, using the multiple channels to verify my identity. And I trust that banks would find separating the PIN into multiple parts would clog up their call centres to no end. Consumers on the whole are just not that detail oriented.
I'd suggest using an encrypted PDF attachment to the customer's email address and then using a two factor authentication to decrypt it, part of which could be a hard token sent to a mobile phone. Banks tend to like using 'something they have and something they know' strategy. With 256 BIT encryption, it would take hundreds of years for a hacker to crack into a document such as this and they would still need the physical card to take advantage of the detail within if they were still alive. Not practical from a large scale fraud perspective.
Thanks for the interesting post!!
@Finextra: Are detailed company-specific pitches now allowed on your blog posts / comments?
No, Ketharaman, they're not.
Patrick, I've deleted your comment. Please stick to the
I apologise if I overstepped the mark with my initial post. However, I agree with Mark and many others that the topic of PIN mailer replacement receives far less attention than it deserves.
It seems to me that we’re way overdue for banks to offer alternatives to the slow and insecure PIN mailer. The benefits of electronic distribution are considerable. They include significant cost savings and management efficiencies for the issuer and immediacy of availability and greater security for the card holder.
Actually I feel bad that we, as an industry, have taken so long to produce such an alternative!
Actually, the industry is way off from coming up with compelling alternatives for many even more critical paper-based items: cash (its use is rising), cheques (UK government canceled abolition of cheques even by 2018), bills (ebills have less than 30% penetration), plastic cards (where are the mobile wallets?), and so on. PIN Mailers will have to wait their turn!
Alas whatever new method of delivery is considered, the fear of interception is ever present. Via mobile - SIM swap, email - phishing/other nasties, even post with mail intercepts. In branch registration - only if they are open 24/7.
In theory this is where contactless wins hands down, but until you can pay for that party food you need for the weekend on a single tap/hover, it will remain a nice to have.
How about something completely Sci fi?! Everyone has an implant that is linked to everything they require to make a payment. The card itself has something that is configured to that implant and will only work when in extreme close proximity to the user.
They only stop working when there is no sign of life... ok it's way out there. But as I said at the start everything else just carries with it seemingly easy ways to get at the information.
Thank you for the various comments made on this blog so far.
My view is that as an industry we should be moving to electronic PIN delivery as an alternative to paper based PIN mailers.
Just because there are many new payment technologies and challenges this is not a reason for banks not to make the first steps.
Consumers should be offered choice and this can include current and new PIN delivery options. Banks are often criticised for providing poor customer service. Electronic PIN Delivery is a small way to show they are looking to serve customer needs better.
The banking industry knows how to deliver secure banking services and these can be applied to PIN delivery.
Early adopters of electronic delivery can establish competitive advantage.
I hope to learn of many implementations soon.
I'd love to hear about any adopters - early or late - of electronic PIN delivery achieving competitive advantage.
I suggested the same way as Mark mentioned above: we should be moving to electronic PIN delivery as an alternative to paper based PIN mailers.
I'd suggest sending an email notification to those customers who want to generate the PIN. Once the customer completes the few security questions and is verified by the system, the bank sends the PIN to the customer at the right moment in encrypted
In any manner we need to overcome this old school system (Physical PIN mailers). So my vote goes to Epin mailers.
Thanks for the interesting and great thinking post.
Payments Consultancy Limited
03 Apr 2013
This post is from a series of posts in the group:
Payments systems visions, strategies, trends, pilots, forecasting, and planning for the short-, medium-, and far-term.