I ask, because I just successfully changed my PIN to an 8-digit number at an ATM.
I think I read in other places that this may be accepted, but only the first 4 digits are used. I tested this, and I can confirm that they did not work - the entire 8 digits were required, at both the ATM and a POS.
The ‘officially’ part lies in the fact that when I viewed my PIN in the Monzo app, it only gave the first 4 digits…
Is this a bug in the app, or is it a bug in the card in that it is allowing long PIN numbers to be set?
This is not something we officially offer and are not officially supporting at this time but it technically works for card payments.
Be warned that setting a long PIN currently breaks your ability to send money in the app and PIN reminders will only show the first four digits of the PIN you set. This is not something I would recommend attempting unless you’re fully aware of what you’re doing and able to visit an ATM to set it back.
Ah yes, I should clarify that if you have Touch ID or Face ID for payments enabled, it works until you need to enter your PIN again. Then you would be stuck.
@RichardR out of curiosity, how much work would be required for long PINs to be officially supported? Is it just the app needing tweaking to receive a variable length PIN, or would something on the backend need tweaking as well?
Also, would it be possible to allow us to set separate online and offline PINs @RichardR?
So the PIN used in a shop (which will generally be offline PIN based on the card’s CVM list, except for the very very rare incident where a terminal supported online PIN but not offline PIN - something I can’t imagine many, if any, terminals have) can’t be skimmed to use with a (later stolen) card in an ATM (or at a magstripe ATM).
It would mostly just be some UI work on our side but the bigger issue would be making sure our cards would still be accepted everywhere. There are many ATMs and terminal firmware versions out there that fall over or behave in strange ways when presented with a card that has a PIN longer than four digits. Given that we’re still a relatively new bank, acceptance of our card is a priority over offering this.
At this time, you can think of this more as the technical support being there if the UK payments industry as a whole ever decides to move in this direction.
Absolutely not unfortunately. This would be a support nightmare for us, especially as terminals have no indication to the average user as to which PIN should be used.
Totally fair. I definitely saw it as more of an experimental thing that would be well-hidden. I also figured it would be easy to know for users since ATMs always use online PIN and I’ve never seen a POS terminal that supported online PIN but not offline. If it did occur it would be obvious it was online PIN used since it would, well, go online to attempt it. At that point one would know to try the transaction again with their online PIN.
But, I do totally understand the fear. However, what about the slightly more complex to develop option of separate ATM and POS PINs? Obviously, the backend system for online PIN would then need to be able to look at what type of transaction it was before accepting/rejecting the PIN. So that might (I have no idea) be harder to develop. But it would eliminate the concern of users not knowing which PIN to use.
“ATM machines can be online or offline.” http://www.security-faqs.com/how-to-avoid-automatic-teller-machine-atm-scams.html
“ATMs have an offline operation mode (CAP blah blah) that is quite permissive with what you can withdraw. This is for the obvious reason that the mainframe is not always reachable and available; but to halt the operation of all cash machines is generally considered less than ideal.”
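Added example (not from the thread or from Monzo): a sketch of how a terminal walks a card's CVM list to choose between offline and online PIN, which is the mechanism the posts above rely on. The CVM list bytes, the terminal capability sets and the function names are constructed for illustration; the rule encoding follows EMV Book 3, and the selection is simplified to assume the chosen method then succeeds.

```python
# CVM method and condition codes from EMV Book 3 (only the subset used here).
CVM_METHODS = {
    0x01: "offline plaintext PIN",
    0x02: "online enciphered PIN",
    0x04: "offline enciphered PIN",
    0x1E: "signature",
    0x1F: "no CVM required",
}
COND_ALWAYS, COND_UNATTENDED_CASH, COND_IF_SUPPORTED = 0x00, 0x01, 0x03

# Constructed sample value for tag 8E (CVM list), not read from any real card:
# amount X and amount Y (4 bytes each), then one 2-byte rule per method.
SAMPLE_CVM_LIST = bytes.fromhex("00000000" "00000000" "4201" "4403" "4103" "4203" "1E03" "1F00")

def parse_cvm_list(data):
    """Return [(method_code, continue_on_failure, condition_code), ...]."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    rules = []
    for i in range(8, len(data), 2):
        cvm, cond = data[i], data[i + 1]
        # Low 6 bits: method. Bit 0x40: try the next rule if this one fails.
        rules.append((cvm & 0x3F, bool(cvm & 0x40), cond))
    return rules

def select_cvm(rules, supported, unattended_cash):
    """Walk the rules in card order and return the first usable method name."""
    for method, cont, cond in rules:
        if cond == COND_UNATTENDED_CASH and not unattended_cash:
            continue  # rule applies to ATM cash withdrawals only
        if cond == COND_IF_SUPPORTED and method not in supported:
            continue  # condition not met, move to the next rule
        if cond not in (COND_ALWAYS, COND_UNATTENDED_CASH, COND_IF_SUPPORTED):
            continue  # conditions outside this subset are treated as not met
        if method in supported:
            return CVM_METHODS.get(method, "unknown")
        if not cont:
            return "CVM failed"
    return "CVM failed"
```

With this list, a shop terminal that supports offline PIN never reaches the online PIN rule, while an ATM matches the first rule and verifies the PIN online.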