by brokenmachine 3618 days ago
Of course the bank has your PIN (or hashed PIN), how else would they be able to check if you were entering it correctly?

The security is based on how hardened the server storing those PINs is.


By storing the public key of your unique debit card and you only have the PIN inside the chip. This limits attacks to physical access and trained professionals in chip deconstruction.

This, however, needs a way to send your initial PIN over an insecure channel. To limit the attack surface, go to the secure website to receive your PIN (no humans) (either an old card/digital state ID) or go in person and force a new PIN.

Thanks for the reply. Interesting, I didn't think of this possibility.

By storing it as a hash, just like how every other password should be stored.

That's what I said.

> Of course the bank has your PIN (or hashed PIN)

All the previous poster said was that the bank said they sent him a card with the same PIN. The bank can do this by storing PINs or hashed PINs.

As rrobukef noted, storing PINs hashed offers little additional security over storing them unhashed because of the small number of unique PINs that are possible.
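To make the point above concrete, here is an added Python illustration (not code from anyone in the thread) that builds one constructed salted-hash PIN record and shows that the entire 4-digit PIN space can be checked against it in at most 10,000 hashes, whether or not a per-card salt is used:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

PIN_LENGTH = 4
PIN_SPACE = 10 ** PIN_LENGTH  # every possible 4-digit PIN: 10,000 values


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a PIN: the naive 'store it like a password' scheme."""
    return hashlib.sha256(salt + pin.encode()).digest()


def recover_pin(digest: bytes, salt: bytes) -> tuple[str | None, int]:
    """Walk the whole PIN space against one stored record.

    Returns the matching PIN (or None) and how many hashes were computed.
    The salt sits next to the digest in the record, so it only forces the
    work to be redone per record; it can never push the cost past
    PIN_SPACE guesses for any single record. A slow KDF multiplies the
    per-guess cost but leaves the guess count at PIN_SPACE as well.
    """
    attempts = 0
    for candidate in range(PIN_SPACE):
        pin = f"{candidate:0{PIN_LENGTH}d}"
        attempts += 1
        if hmac.compare_digest(hash_pin(pin, salt), digest):
            return pin, attempts
    return None, attempts


def demo(pin: str = "0417") -> tuple[str | None, int]:
    """Constructed sample record: random 16-byte salt plus the PIN's digest,
    standing in for one row of a hypothetical card database."""
    salt = secrets.token_bytes(16)
    stored = hash_pin(pin, salt)
    return recover_pin(stored, salt)


if __name__ == "__main__":
    found, tries = demo()
    print(f"recovered {found} after {tries} of {PIN_SPACE} possible hashes")
```

The worst case is a full sweep of 10,000 hashes per record, which is why PIN security in practice rests on where the verification happens (hardened servers or the card's chip, as discussed above) rather than on hashing.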