Card security

Your PIN is a four- or six-digit code that verifies a cardholder's identity. To complete an ATM or a point-of-sale (POS) transaction, you're required to enter your card PIN.

Your PIN authorizes your transaction when you use your card. As soon as you enter your PIN, the payment system matches it against your card profile before completing the transaction. This ensures that only you can authorize transactions on your card, which keeps the card safe and secure. Never share your card PIN with anyone, to prevent fraudulent activity on your account.

Set a card PIN

A PIN lets you access your account to view sensitive information about your finances and to make monetary transactions. Every country has its own PIN-length requirement.

Country or region               PIN digits
Europe and the United Kingdom   4
Hong Kong                       6

If you're outside the European Union (EU) and United Kingdom (UK) regions, you can use the Set/Reset PIN API to set a personalized card PIN by providing a Base64-encoded PIN value. If you're within the EU or UK, you can't use the Set/Reset PIN API.

Offline PIN for EU and UK

An offline PIN is a method of card verification valid for Europay, MasterCard®, and Visa® (EMV) chip cards in the EU and UK. The PIN is encrypted and stored in the card's EMV chip. This lets the cardholder make a transaction at a terminal that supports offline PIN validation.

The key difference between an offline and an online PIN is the method of validation. When a cardholder uses the EMV chip card at a terminal with offline capabilities, the PIN entered is validated against the securely stored PIN in the EMV chip card. This is different from the online PIN method where the validation is performed by the card issuer over the network.

In the case of offline PIN verification, the transmission of the PIN from the terminal to the card may be enciphered or in plain text, depending upon the terminal. If the entered PIN matches the stored offline PIN, the verification is successful. Otherwise, the verification fails.

Get card PIN

Use the Fetch ATM PIN API to retrieve the preset PIN and display the PIN to the cardholder. Customers in the EU and UK receive physical cards with a preset PIN. This means the PIN is already present for first-time or subsequent use. Nium provides the Fetch ATM PIN operation to the client for implementation and the customer can then see the existing PIN from the client’s mobile app or website. The PIN block is encrypted for additional security and needs to be decoded before displaying it to the end customer in the client’s mobile app or website.

If the customer intends to change the 4-digit PIN, they can do so at an ATM or terminal with the appropriate capabilities. When a customer updates it at an ATM or point-of-sale terminal, the same information is updated in the EMV chip card.

Get a PIN status

If the card PIN is entered incorrectly three times, the PIN is blocked, and the card cannot be used for any transactions. Nium provides a Fetch PIN Status API to the client for implementation and the customer can see the PIN's status from the client’s mobile app or website.

Unblock PIN

If the card PIN is entered incorrectly three times, the PIN is blocked, and the card cannot be used for any PIN-based transactions. Nium provides the Unblock PIN API to unblock a card PIN if it's been blocked from your client’s mobile app or website.

This API is allowed only for the APAC region.


Nium's Fetch ATM PIN API allows you to fetch the base64-encoded ATM PIN for physical cards and virtual-upgrade-to-physical cards.

This API does not work for virtual cards.

This is allowed only for EU and UK cards.
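The Set/Reset PIN rules above (Base64-encoded PIN, per-region length, not available for EU/UK) and the Fetch ATM PIN rules (Base64-encoded, EU/UK physical cards only) as a client-side helper. This is an added example, not Nium's code; the region labels, the `pin` field name, and the `card_type` parameter are assumptions.

```python
import base64
import re

# Per-region PIN length, from the table on this page (region codes are assumed labels).
PIN_LENGTH = {"EU": 4, "UK": 4, "HK": 6}

# The page states that Set/Reset PIN is unavailable for EU/UK cards, while
# Fetch ATM PIN is available only for EU/UK cards.
EU_UK = {"EU", "UK"}


def validate_pin(pin: str, region: str) -> str:
    """Accept only exactly the region's digit count; error messages never echo the PIN."""
    if region not in PIN_LENGTH:
        raise ValueError(f"unknown region {region!r}")
    expected = PIN_LENGTH[region]
    if not re.fullmatch(rf"[0-9]{{{expected}}}", pin):
        raise ValueError(f"PIN for {region} must be exactly {expected} digits")
    return pin


def build_set_pin_body(pin: str, region: str) -> dict:
    """Body for Set/Reset PIN: Base64 of the validated PIN (field name 'pin' is an assumption)."""
    if region in EU_UK:
        raise PermissionError("Set/Reset PIN API is not available for EU/UK cards")
    validate_pin(pin, region)
    return {"pin": base64.b64encode(pin.encode("ascii")).decode("ascii")}


def decode_fetched_pin(encoded: str, region: str, card_type: str = "physical") -> str:
    """Decode a Fetch ATM PIN value and sanity-check it before it is shown to the cardholder."""
    if region not in EU_UK:
        raise PermissionError("Fetch ATM PIN is available only for EU and UK cards")
    if card_type == "virtual":
        raise PermissionError("Fetch ATM PIN does not work for virtual cards")
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        pin = base64.b64decode(encoded, validate=True).decode("ascii")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        raise ValueError("Fetch ATM PIN value is not valid Base64 ASCII") from exc
    return validate_pin(pin, region)


def redact(pin: str) -> str:
    """Use this, never the PIN itself, in logs and error reports."""
    return "*" * len(pin)
```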

Get card data

Nium's Fetch Card Data Encrypted V2 API helps you get card details securely and display them in your mobile app or website. The sensitive details, such as the unmasked card number, CVV, and expiration date, are encrypted with Pretty Good Privacy (PGP) in line with Payment Card Industry security regulations to keep your customer's data safe. To use this API, you have to exchange PGP keys with Nium, as the entire API payload is encrypted.

Encrypt Fetch Card Data response payload with client PGP key

The Fetch Card Data Encrypted API combines two existing APIs into one, giving you a single API to get the card number, CVV2, and expiration date to display in your application and mobile app. This API has also been enhanced to transmit data in PGP-encrypted format.

NOTE: This API is accessible only where encryption is enabled.

Example request

curl --location -g --request GET '{clientHashId}/customer/{customerHashId}/wallet/{walletHashId}/card/{cardhashId}/retrieve' \
--header 'content-type: application/json' \
--header 'x-api-key: 0mZpIhaLVM1qd8IJhCfgjGJDsY7b5pdr00j' \
--header 'x-request-id: 123e4567-e89b-12d3-a456-426655440000' \
--header 'x-client-name: client1'

Example response – encrypted payload


Example response – payload after decryption

{
    "cvv": "715",
    "expiry": "12/26",
    "unMaskedCardNumber": "4613200505649498"
}

Use cases

Case  Encryption flag  Card status                        Response  Message
2     false                                               Failure   client encryption setup is not available
                       Active, Inactive, Virtual_Active   Success
                       Expired, P_Block                   Failure