A Finextra member 27 June, 2013, 15:32 0 likes

110% agreed with you. infact we have a solution for the same where we deliver PIN through two channels after user verification.

we use Q&A with BI to figure out if the user is valid and then generate a complex PIN (based on the password policy)....

most important we do not deliver the PIN in single channel... we split the PIN into 2-3 parts and then deliver it through multiple channels like email, sms, voice call etc in different points in time....

so there is no way any hacker can get the complete PIN. 

i hope it supports your article and look forward to hear from you more. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 27 June, 2013, 17:17 0 likes

Credit cards came into existence more than 50 years ago. Despite the progress of technology during this period, they're still around. Rightly or wrongly, card issuance still uses KYC norms that are centered around identity and address (and not mobile phone # or email address). As a result, it'd logically follow that conventional PIN Mailers, sent to the KYC'd name at the KYC'd address, would be the only legally valid approach. Besides, they work well and, compared to the alternatives, are free of friction for the average cardholder. I for one wouldn't want to go thru' different channels to assemble different pieces of passwords just to get to my PIN.

A Finextra member 01 July, 2013, 11:45 0 likes

I completely agree with your blog. It is inconvenient, untimely and uncompetitive to continue delivering PINs via post. And, with today's techonology paper and spit are no more secure.

I like the above comment using multiple channels although I would still rather the PIN be delivered as a whole, using the multiple channels to verify my identity. And I trust that banks would find seperating the PIN into multiple parts would clog up their call centres to no end. Consumers on the whole are just not that detail oriented.

I'd suggest using an encrypted PDF attachment to the customer's email address and then using a two factor authentication to decrypt it, part of which could be a hard token sent to a mobile phone. Banks tend to like using 'something they have and something they know' strategy. With 256 BIT encryption, it would take hundreds of years for a hacker to crack into a document such as this and they would still need the physical card to take advantage of the detail within if they were still alive. Not practical from a large scale fraud perspective.

Thanks for the interesting post!!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 08 July, 2013, 12:35 0 likes

@Finextra: Are detailed company-specific pitches now allowed on your blog posts / comments?

Matt White - Finextra - Toronto 08 July, 2013, 13:19 0 likes

No, Ketharaman, they're not. 

Patrick, I've deleted your comment. Please stick to the community rules.

A Finextra member 09 July, 2013, 12:45 0 likes

I apologise if I overstepped the mark with my initial post.  However, I agree with Mark and many others that the topic of PIN mailer replacement receives far less attention than it deserves.

 It seems to me that we’re way overdue for banks to offer alternatives to the slow and insecure PIN mailer. The benefits of electronic distribution are considerable. They include significant cost savings and management efficiencies for the issuer and immediacy of availability and greater security for the card holder.

 Actually I feel bad that we, as an industry, have taken so long to produce such an alternative!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 09 July, 2013, 13:34 0 likes

Actually, the industry is way off from coming up with compelling alternatives for many even more critical paper-based items: cash (its use is raising), cheques (UK government canceled abolition of cheques even by 2018), bills (ebills have less than 30% penetration), plastic cards (where are the mobile wallets?), and so on. PIN Mailers will have to wait their turn!

A Finextra member 10 July, 2013, 11:09 0 likes

Alas whatever new method of delivery is considered, the fear of interception is ever present.  Via mobile - SIM swap, email - phishing/other nasties, even post with mail intercepts.  In branch registration - only if they are open 24/7.   

In theory this is where contactless wins hands down, but until you can pay for that party food you need to the weekend on a single tap/hover, it will remain a nice to have.

How about something completely Sci fi?!  Everyone has an implant that is linked to everything they require to make a payment.  The card itself has something that is configured to that implant and will only work when in extreme close proximity to the user.  They only stop working when there is no sign of life... ok it's way out there.  But as I said at the start everything else just carries with it seemingly easy ways to get at the information.

Mark McMurtrie - Payments Consultancy Limited - Woking 12 July, 2013, 11:09 0 likes

Thank you for the various comments made on this blog so far.

My view is that as an industry we should be moving to electronic PIN delivery as an alternative to paper based PIN mailers.

Just because there are many new payment technologies and challenges this is not a reason for banks not to make the first steps.

Consumers should be offered choice and this can include current and new PIN delivery options. Banks are often criticised for providing poor customer service. Electronic PIN Delivery is a small way to show they are looking to serve customer needs better.

The banking industry knows how to deliver secure banking services and these can be applied to PIN delivery.

Early adopters of electronic delivery can establish competitive advantage. 

I hope to learn of many implementations soon.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 12 July, 2013, 11:45 0 likes

I'd love to hear about any adopters - early or late - of electronic PIN delivery achieving competitive advantage. 

A Finextra member 20 July, 2013, 07:00 0 likes

I suggested the same way as Mark mentioned above , we should be moving to electronic PIN delivery as an alternative to paper based PIN mailers.

 I'd suggest to send a Email notification to customers those who want to generate the Pin number. Once the customer complete the few security questions and verified by the system, bank sends the PIN numbers to customers at the right movement in encrypted format.

It any manner we need to overcome this old school system (Physical PIN mailers). So my vote goes to Epin mailers.

Thnx for the interesting and great thinking post.