PINs
Use the /pins endpoint to create, update, or reveal a personal identification number (PIN) for a card.
Create or update PIN
Copy section link
Action: PUT
Endpoint: /pins
Creates or updates a personal identification number (PIN) for an existing card.
If you want to manage a card’s PIN, first create a new control token for the card by sending a POST request to /pins/controltoken, and then use that token to update the PIN.
You must create a card before you can manage a PIN.
Unless PIN reveal functionality has been enabled for your program, you cannot retrieve a PIN that has previously been created. If the PIN has been forgotten, you must either update the card’s PIN or create a new card and PIN.
If you have enabled PIN reveal functionality for your program, you can send a POST request to the /pins/reveal endpoint to retrieve an existing PIN.
See Reveal PIN on this page for details.
Warning
Sending a request to this endpoint requires PCI DSS compliance. You must comply with PCI DSS data security requirements if you want to store, transmit, or process sensitive card data such as the cardholder’s primary account number (PAN), personal identification number (PIN), and card expiration date.
Request body
Copy section link
| Fields | Description |
|---|---|
control_token
string
|
Unique value generated as a result of issuing a Allowable Values: 1–36 chars |
pin
string
|
Four-digit number to associate with the card. Allowable Values: 4 chars |
Create PIN control token
Copy section link
Action: POST
Endpoint: /pins/controltoken
Creates a control token necessary when creating or updating a card’s personal identification number (PIN).
Creating, updating, or revealing a card’s PIN is a two-step process. You must first create the control token that is required to create the PIN, and then you create, update, or reveal the PIN itself.
The lifespan of the control token in a production environment is either five minutes or one hour from creation, depending on the token type. If multiple tokens are requested for a single card, only the most recent one is valid. Once redeemed, a token cannot be reused.
Request body
Copy section link
| Fields | Description |
|---|---|
card_token
string
|
The unique identifier of the card for which you want to generate a control token. Allowable Values: 1–36 chars Send a |
controltoken_type
string
|
Specifies the type of action completed by this request. WARNING: Sending a request to this endpoint with a The lifespan of the control token depends on the token type:
Allowable Values:
|
Response body
Copy section link
| Fields | Description |
|---|---|
control_token
string
|
Unique value generated as a result of issuing a Allowable Values: 1-36 chars |
Reveal PIN
Copy section link
Action: POST
Endpoint: /pins/reveal
Reveals the personal identification number (PIN) of an existing, active card.
Warning
Only use this endpoint to access a PIN in order to reveal it to its cardholder. Do not use this endpoint for the purpose of storing a PIN at any location.Sending a request to this endpoint requires PCI DSS compliance. You must comply with PCI DSS data security requirements if you want to store, transmit, or process sensitive card data such as the cardholder’s primary account number (PAN), personal identification number (PIN), and card expiration date.
If you want to update a card’s PIN instead, send a PUT request to the /pins endpoint.
See Create or Update PIN on this page for details.
Revealing a card’s PIN is a two-step process.
You must first create a new control token for the card by sending a POST request to /pins/controltoken, and then use that token to reveal the PIN.
Request body
Copy section link
| Fields | Description |
|---|---|
cardholder_verification_method
string
|
The supplemental method used to verify the cardholder’s identity before revealing the card’s personal identification number (PIN). The possible cardholder verification methods are:
Allowable Values:
|
control_token
string
|
Unique value generated as a result of issuing a Allowable Values: 1–36 chars |