A personal identification number, commonly abbreviated as PIN, is a secret code chosen by or issued to a user to verify identity when accessing an account, a device, or a secured service. A PIN is a knowledge factor of authentication, typically combined with possession of a token (for example, a payment card or mobile device). It is commonly discussed in the wider context of authentication and system integration for secure services.
Characteristics and typical formats
PINs are designed to be short and memorable while providing adequate security for on-the-spot human entry. Typical characteristics include:
- Length: Many payment cards and ATMs use four to six digits, though some systems support longer codes or require at least six characters for higher security.
- Character set: Historically numeric-only, some institutions now permit alphanumeric PINs to increase possible combinations.
- Entry and hardware: PINs are entered on physical keypads or touchscreens designed to resist observation and interception; design considerations for entry devices are discussed under keypad design.
- Storage and verification: PINs are protected by encryption, secure hardware elements, or dedicated verification modules; verification may occur offline (chip-to-card) or online (host-based).
Origins and development
The concept of a short secret code for access predates modern computing but became widely used with automated teller machines in the late 1960s and 1970s. Payment standards evolved to include PINs as a reliable way to confirm the cardholder when withdrawing cash or making purchases. Card and terminal specifications such as EMV formalized PIN use for chip-based cards, enabling secure cardholder verification even without a continuous network connection.
Common uses
PINs appear across financial and consumer contexts. Typical uses include:
- ATMs: cash withdrawals, balance checks and account access.
- Card payments: chip-and-PIN transactions where the cardholder enters a PIN to authorize a purchase under EMV or similar frameworks.
- Device and application access: unlocking mobile wallets or devices and authorizing in-app payments.
- Account recovery and administrative actions: some services require a PIN to confirm identity before changing sensitive settings or issuing a temporary credential for account access.
- Card and payment systems: verifying a cardholder when using a credit or debit card in person.
Security considerations and mitigations
Although simple to use, PINs face several threats: observation (shoulder surfing), interception by compromised terminals, guessing or brute force, and card-skimming devices. Common mitigations include limiting incorrect attempts, encrypting PIN entry and transmission, using secure PIN-entry devices, and isolating verification in tamper-resistant hardware. Organizations that manage PINs publish procedures and rules for protection and recovery; for policy matters, see the guidance published by the relevant banks and standards bodies.
PINs are often combined with additional factors to form multi-factor authentication. Alternatives and enhancements include biometric methods (for example, fingerprint or facial recognition), one-time passcodes delivered to a trusted device, and emerging security innovations such as tokenization. Each approach balances usability, deployment cost, and the ability to operate offline.
Choosing and managing a PIN
Good practices for PIN selection discourage predictable patterns (repeated digits, sequential numbers, or easily guessed dates). Where allowed, alphanumeric PINs increase entropy but may reduce memorability. Institutions typically offer mechanisms for PIN reset or unblocking, distinct from one-time authentication codes; related recovery codes include PUKs (PIN Unblocking Keys) or temporary passwords used for short-term access.
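The selection rules above, as an added example (not code from any institution or standard): a checker for numeric PINs that flags repeated blocks, sequential runs and date-like values, and measures how much of the code space those rules remove. The function names, the 4 to 6 digit length bounds and the date formats tested are assumptions chosen for illustration.

```python
# Illustrative policy: names, length bounds and date formats are assumptions.
from datetime import date
from itertools import product


def _valid_day_month(day: int, month: int) -> bool:
    try:
        date(2000, month, day)  # 2000 is a leap year, so 29 Feb is accepted
        return True
    except ValueError:
        return False


def _is_date_like(pin: str) -> bool:
    """DDMM, MMDD or a 1900-2099 year (4 digits); DDMMYY, MMDDYY or YYMMDD (6 digits)."""
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        return (_valid_day_month(a, b) or _valid_day_month(b, a)
                or 1900 <= int(pin) <= 2099)
    if len(pin) == 6:
        a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
        return (_valid_day_month(a, b) or _valid_day_month(b, a)
                or _valid_day_month(c, b))
    return False


def pin_weaknesses(pin: str, min_len: int = 4, max_len: int = 6) -> list[str]:
    """Return the reasons a numeric PIN is predictable; an empty list means none found."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("this example handles numeric PINs only")
    reasons = []
    if not min_len <= len(pin) <= max_len:
        reasons.append("length")
    # A string made of one repeated block (1111, 1212) occurs inside its own doubling.
    if pin in (pin + pin)[1:-1]:
        reasons.append("repeated")
    # A constant step of +1 or -1 modulo 10 covers 1234, 4321 and 7890.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential")
    if _is_date_like(pin):
        reasons.append("date-like")
    return reasons


def rejected_share(length: int) -> float:
    """Fraction of all numeric PINs of this length that the rules reject."""
    pins = ("".join(d) for d in product("0123456789", repeat=length))
    return sum(bool(pin_weaknesses(p)) for p in pins) / 10 ** length
```

Every rejected value also shrinks the space of codes a user can choose from, which is why such rules are applied alongside limits on incorrect attempts rather than in place of them.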
While authentication methods continue to evolve, the PIN remains a widely used, low-cost way to verify identity where simple human entry and offline operation are required. Its effectiveness depends on secure implementation, device protections, sensible user choice, and integration with broader security controls.