Comment by lxgr
1 year ago
"Must support 6-digit PINs" is not part of "the spec for secure credit card transaction handling" – which is also not a (or at least one) thing: There are dozens of card networks, and many of them have tons of regional variations.
In some markets, issuers only allow 4 digit PINs, and customers don't expect to have to press an "enter" key when they're done entering their 4 digit PIN – so the reasonable implementation is to allow only 4 digit PINs, or you'll be left with people staring at the ATM/POS terminal, waiting for something to happen.
4 is the minimum number of digits required, but there are over a dozen different PIN block standards, and most allow between 4..9 and 4..16 digits: https://www.eftlab.com/knowledge-base/complete-list-of-pin-b...
Making an ATM that can accept cards from multiple issuers (which is the norm these days) and allowing only 4 digits is the same category of error as requiring that the first character of someone's last name start with a capital letter, or to block symbol characters in names.
I agree: An annoying/avoidable implementation shortcoming, but arguably relatively orthogonal to security.
> there are over a dozen different PIN block standards
You almost certainly don't need to support all of these inside the PIN pad or even ATM/POS. If necessary, translation can happen in other parts of the system.
> or to block symbol characters in names.
People tend to very very quickly their mind on that one once they get a few right-to-left control characters that flip over the text layout of the entire program.
"We'll just not do business with anyone named O'Neill, that's just a made-up name designed to trick the database with SQL injection."
Also: https://www.ancestry.com.au/name-origin?surname=null
1 reply →