Sunday, January 10, 2010

Not changing the PIN 'more secure'?

I recently got a new VISA credit card from a bank in Qatar. The system-generated PIN for the card came in a tamper-evident envelope by postal mail along with the card.

Following a well-known security best practice, I decided to change the PIN on the card immediately. So today, I went to my nearest ATM machine and inserted the credit card. There was no option to change the PIN from the ATM machine.

Puzzled, I went ahead to call the bank’s customer care unit at about 17:45 today, the 10th of January. An impolite, yet ignorant customer care agent answered my call and I had an interesting discussion. Here’s a recollection from memory:

***

Me: I have a QIIB credit card and I want to change the PIN. How do I do that?

Customer Care Agent: You can’t change your PIN.

Me: What? What if I NEED to change the PIN?

CCA: They will issue you a new card.

Me (more puzzled): What if someone sees my PIN and I want to change it immediately?

CCA: You have to contact your branch. They will cancel your card and issue you a new one.

Me: WOW. Is that your bank’s policy? Why??

CCA (stereotypically): This is from Credits Card Department – they told us like this.

Me: Usually, all banks tell us to change our PIN regularly – it’s safer.

CCA (rude, and arguing): No, no – THIS (not changing the PIN) is safer.

Me (agitated): What if I’m shopping with my credit card at a store and while I’m entering my PIN someone sees the PIN. What do I do?

CCA: You shouldn’t let others see your PIN.

Me: I know that. But what if someone sees it? (repeat) All banks ask us to change our PIN regularly for security purposes.

CCA: Didn’t you know about this when you applied for the card?

Me: No

CCA (rude and blunt): This is the year 2010. How come you don’t know?

(I should have probably asked him that question first)

Me: I know this is the year 2010. And I know that changing the PIN regularly is more secure. For your information, I work in the Information Security space and I know what I’m talking about!

Just tell me if it’s your bank’s policy not to allow changing PIN on credit cards?

CCA: Yes. That’s the policy.

Me: OK – that’s all I want to know, I already know it’s 2010. Good bye.

***

That was a thoroughly agitating experience. I don’t know if all banks follow this policy, but to me this is ridiculous. I’m leaving this thread open to your comments – write a comment below on what you think about this encounter and the PIN change policy.

As for me, I’ve decided to keep a lower credit limit and use the card solely for online shopping, where I don’t need to enter a PIN.