PIN-Set Procedures
A personal identification number is an anti-fraud measure that helps authenticate the cardholder at physical points of sale and ATMs. At the time customers activate their cards they also set a PIN. Customers may also want to set a new PIN at a later time.
Note
When you replace a card with a new PAN, you must also set a new PIN. Reissued cards with the same PAN but new expiry do not need a new PIN.
Setting a PIN
You can set a PIN for a physical card or for a virtual card that is provisioned to a mobile wallet, in the event that the wallet is presented at a physical NFC device that accepts PINs. For virtual-only cards that are not in mobile wallets you do not set a PIN.
At account creation, you can set a default PIN by setting the product parameter CASPO to one of these options:
- Last 4 digits of home phone
- Last 4 digits of mobile phone
- Last 4 digits of PRN
- No PIN
For other use cases you have these options for setting a PIN for a card, either as part of the card-activation procedure or to reset a PIN.
- Direct render — The cardholder goes to your web page or mobile app and enters the new PIN through a form that Galileo hosts. You do not need to be PCI compliant to use this method. See Direct Render PIN-Set Procedure.
- Direct POST — The cardholder goes to a web page or mobile app and enters the new PIN through a web page that you host. You must complete PCI-DSS Self-Assessment Questionnaire A-EP (191 of 250 PCI requirements) to use this procedure. See Direct POST PIN-Set Procedure.
- Offline PIN — Some non-U.S. jurisdictions require offline PIN validation, where the PIN is written to the EMV chip and the card reader validates the typed PIN against the PIN on the chip. See Offline PIN for directions.
- Galileo IVR (automated phone system) — The cardholder calls a number that is on a sticker on the new card and inputs the card and PIN information using the phone keypad. You do not need to be PCI compliant to use this method.
PIN-fail counts
For each card product, you specify how many times a cardholder can input an erroneous PIN before the PIN locks, and then the card cannot be used where a PIN is required (default: 3).
To reset the PIN after it is locked, you can provide cardholders with these options:
- Call customer service — An agent can reset the PIN-fail count in the CST.
- Wait until the lock expires — The interval is controlled by the PBTIM parameter.
- Activate a control on your interface — You call the Reset Card PIN-Fail Count endpoint.
Note
These options are not available for offline PIN.
Galileo setup
Galileo sets up these product parameters for PIN-failure scenarios according to your use case. See the PINs parameters table for the full list of product parameters to be configured at Galileo for PIN-failure scenario-related settings.
| Parameter | Description |
|---|---|
| PBACT | Specifies which action to take after the maximum number of PIN validation failures is reached: the PIN is blocked until the interval in PBTIM elapses, or the card is set to status: B (blocked). Not valid for offline PIN. |
| PBSUC | Controls whether to reset the failed-PIN count to zero after a PIN entry is successful. For example, if the cardholder enters an erroneous PIN once, the failed-PIN count is 1. If the second attempt is successful, this parameter controls whether the count is reset to 0 or if it remains at 1. Not valid for offline PIN. |
| PBTIM | Specifies the number of hours after the last failed PIN attempt that the PIN-fail count is reset to zero. For example, if the value for this parameter is 3, then the PIN-fail counter is reset to zero three hours after the last failed PIN attempt. If this parameter is not set or is set to 0, then the PIN-fail counter does not reset automatically. Not valid for offline PIN. |
Updated about 2 months ago