A personal identification number (PIN) is an anti-fraud measure that helps authenticate the cardholder at physical points of sale and ATMs. Customers set a PIN when they activate their cards, and they may also want to set a new PIN later.

Note

When you reissue or replace a card with a new <<glossary:PAN>>, you must also set a new PIN. Reissued cards with the same PAN but a new expiry do not need a new PIN.

You can set a PIN for a physical card, or for a virtual card that is provisioned to a mobile wallet in case the wallet is presented at a physical <<glossary:NFC>> device that accepts PINs. For virtual-only cards that are not in mobile wallets, you do not set a PIN.

At account creation, you can set a default PIN by setting the product parameter CASPO to one of these options:

  • Last 4 digits of home phone

  • Last 4 digits of mobile phone

  • Last 4 digits of <<glossary:PRN>>

  • No PIN

For other use cases, you have these options for setting a PIN for a card, either as part of the <a href="doc:activate-card-procedure" target="_blank">card-activation procedure</a> or to reset a PIN:

  • **Direct render** — The cardholder goes to your web page or mobile app and enters the new PIN through a form that Galileo hosts. You do not need to be PCI compliant to use this method. See [Direct Render PIN-Set Procedure](🔗).

  • **Direct POST** — The cardholder goes to a web page or mobile app and enters the new PIN through a web page that you host. You must complete <<glossary:PCI-DSS>> Self-Assessment Questionnaire A-EP (191 of 250 PCI requirements) to use this procedure. See [Direct POST PIN-Set Procedure](🔗).

  • **Offline PIN** — Some non-U.S. jurisdictions require offline PIN validation, where the PIN is written to the <<glossary:EMV>> chip and the card reader validates the typed PIN against the PIN on the chip. See [Offline PIN](🔗) for directions.

  • **Galileo IVR (automated phone system)** — The cardholder calls a number that is on a sticker on the new card and inputs the card and PIN information using the phone keypad. You do not need to be PCI compliant to use this method.