Why do websites require lengthy and complex passwords but credit cards only need a 4-number PIN?

25 Answers

Anonymous 0 Comments

Here’s the problem. Something you have and something you know. That’s a pretty good system. 4 digits or 400 digits, it doesn’t matter. Enter your pin wrong three times and they’ll lock the card and call you.

Feel safe, your card is insured. Unauthorized transaction? No worries. You get the money back. The banks all are on your side.

There are some excessively complicated things regarding credit card processing and data retention but PCI/PA-DSS is a whole certification thing that takes a bit to learn.

Anonymous 0 Comments

Because a bank card has a lot more security features.

For example, to pay for something online, you can’t simply use your pin. You need the long number on the front, your name, expiry date, and the numbers at the back. All of this acts like a password in a way. Then if you have it enabled (Which I recommend) 2FA on your online bank account to prevent someone from leaking your bank information and freely using your details anyway.

Then as others have said, your bank card has 2FA anyway – the card itself as well as the pin. Although in some places in the world the pin is being phased out with “Tap and pay” or paywave (contactless payment).

Anonymous 0 Comments

On a practical level, nobody wants to stand behind a guy in line while he types zSxDcFvGbHnJmK,L.:/”

Anonymous 0 Comments

As well as 2FA and lockouts…the card is just a key for a bigger system.

In the old days you basically left your details with someone, they sent it to the bank and it took time to clear. You could technically still do this with a cheque or manual processing sheet if you had no internet connection…but you don’t because it has zero security. The bank assumes no responsibility if it turns out to be fake later.

The bigger system should know if the card is stolen, how much you can spend and if it’s been used 80 times in the last 3 minutes in 6 countries.
The system also knows who’s putting through 85 transactions on stolen cards every day and will, eventually, tell someone.

Frankly it’s easier to mug someone and make them use the card to get cash than try to clone or use a stolen chip and pin in a shop.

Americans that thought they could buy stuff with their unsigned cards on the security of their signature were once the bane of my retail life.

Anonymous 0 Comments

The developer of the ATM as we would recognise it originally wanted to use six digits, however his wife said she wouldn’t remember that many, so he settled on four.

Anonymous 0 Comments

Lol, 4

5 is the standard here.

When I visited the UK a decade ago the Tesco cashier instantly asked me where I was from when she heard me enter 5 digits.

Anonymous 0 Comments

If you try to use your credit card for an online purchase, in the EU, you are also required to verify the purchase, using a mobile device.

I assume this improvement was implemented, because it’s a lot easier to use a stolen credit card online, without getting caught, than doing so in a shop.

Anonymous 0 Comments

My credit card needs a 6 digit PIN for offline transaction, and OTP over SMS or app for online transaction.

Anonymous 0 Comments

For a 4 digit PIN there is a three in 10000 chance it will be guessed with the usual implementation. The implementation behind passwords varies but many allow you to retry without limit. Some passwords allow three tries before a block or an increasing time delay between retries.
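The lockout rule the first answer and this one describe (three wrong tries and the card is blocked, so a random guesser gets 3 in 10,000) as an added worked example; this is a constructed server-side model, not code from the thread or from any issuer, and the names PinVerifier, guess_probability and measure_lockout are my own.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # "three wrong tries and the card is locked", as described in the thread


def guess_probability(digits: int, attempts: int) -> float:
    """Chance a guesser trying distinct PINs succeeds before lockout: attempts / 10**digits."""
    space = 10 ** digits
    return min(attempts, space) / space  # 3/10000 = 0.0003 for a 4-digit PIN


class PinVerifier:
    """Constructed model of an issuer-side PIN check with a per-card failure counter."""

    def __init__(self, pin: str, max_attempts: int = MAX_ATTEMPTS):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(pin)      # store a salted hash, never the PIN itself
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False                    # once locked, even the right PIN is refused
        ok = hmac.compare_digest(self._hash(attempt), self.digest)
        if ok:
            self.failures = 0               # a correct entry resets the counter
        else:
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.locked = True          # issuer would now block the card and call
        return ok


def measure_lockout(verifier: PinVerifier, candidates: list[str]) -> tuple[bool, int]:
    """Feed candidate PINs until one is accepted or the card locks.
    Returns (accepted, attempts_made): the lockout caps the budget at max_attempts."""
    for n, guess in enumerate(candidates, start=1):
        if verifier.verify(guess):
            return True, n
        if verifier.locked:
            return False, n
    return False, len(candidates)
```

With a website that allows unlimited retries, `attempts` in `guess_probability` is unbounded, which is why the password itself has to carry the strength; with the lockout, the secret only has to survive three guesses.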

Anonymous 0 Comments

The oldest form of two factor authentication (2FA) is something you have (physical) and something you know (password/code). The credit card is the physical form, and the PIN is the secret. You need both to make it work.

With a password, you have single factor authentication. It uses a potentially public identifier (username/email address) and a secret that anyone can guess at (password). The longer and more complex the secret, the harder it is to guess/figure out by a human or more likely, a machine.

Website owners learned the hard way that 2FA is far more secure than a long and complex secret, hence why today most financial and other important online services use tokens/authenticators or other forms of the old have/know combination.

In the late 90s a company called RSA made their name with the introduction of the rolling code hardware token, although these days we tend to use software tokens like Google Authenticator or other app-based token/code generators.