This is an excerpt from Dollar Scholar, the Money newsletter where news editor Julia Glum teaches you modern money lessons you NEED to know, one week at a time.
Grab a broom, some Clorox wipes and a whole lot of iced coffee: It's time for spring cleaning.
After a cold, interminable winter, I'm more than ready to cram my sweaters into the back of my closet and forget about them until November. I'm excited to swap my snow boots for my Tevas and trade my heavy-duty moisturizer for sunscreen. I'm even going to pause my sad girl winter music for Spotify's "my life is a movie" playlist.
Out with the old, in with the new. I love a fresh start, but I'm not sure how spring cleaning applies to my finances. Like, I'm getting rid of old clothes — should I do the same with my debit card's years-old personal identification number, aka PIN?
Before I commence scrubbing every surface in my apartment, I wanted to check with the experts.
How often should I change my debit card PIN?
Robert Siciliano, CEO of Protect Now, says that, in general, security must be easy in order for consumers like me to partake. If it’s inconvenient, people tend to get lazy — and open themselves up to risk.
For that reason, he says he only recommends changing my debit card PIN if it gets compromised. If my card is part of a retailer’s data breach, I should change it. If I lost my card after a drunken night at the bar, I should change it. If I told my PIN to a significant other and then we broke up, I should change it.
“Otherwise, there’s no real set in stone ‘change it every year, this and that,’” Siciliano says. “To be perfectly frank, I’ve had the same four- to six-digit PIN for 15 years.”
If I’m going to do that, though, I have to make sure my PIN is extra-strong. Siciliano says I can’t choose something simple. My PIN should be memorable to me but not easy for a stranger to figure out by, say, looking at my social media profiles. My publicly findable birthday is off-limits; so is the numeric version of the name of my dog, about whom I post on Instagram all the time. (“A pet you had when you were 6 that nobody knows about, that’s fine,” Siciliano adds.)
Tyler Moffitt, senior security analyst at Webroot, also advised me not to use repeating or sequential numbers. He points to a 2012 DataGenetics survey that found 10.7% of PINs were 1234. Another 6% were 1111, and just over 1% of PINs were 1212.
“Don’t pick any dates, don’t pick anything repeating or patterns on the columns,” Moffitt adds. “They have common lists you can Google.”
Moffitt says it’s OK for me to have a few solid PINs that I cycle through every couple of years because “it’s easier on the brain.” He personally tries to switch up his PINs every two years.
Similarly, Siciliano says it’s all right to have the same PIN across multiple cards.
“There’s nothing categorically wrong with that,” he says. “The risk you might face of one card getting compromised and then six or eight cards getting compromised lies in whether you have that one PIN code on a yellow sticky note inside your wallet along with six or eight cards.”
Of course, a strong PIN by itself won’t protect me from fraud. I need to use it in conjunction with good financial habits like setting up two-factor authentication, taking advantage of transaction alerts and even checking for card skimmers before using an ATM.
The bottom line
I should definitely change my PIN if the card or account it’s linked to is compromised in any way, but there’s not really a set schedule. When I do reset it, I should choose carefully to avoid popular PINs and ones that can be guessed by looking at my posts.
Security and ease of adoption are more important than sticking to a rigid rule of thumb here.
“Here’s the thing: It’s whatever works for you,” Moffitt adds. “If you’re changing your PIN once a year and you can’t remember it, that’s going to be inconvenient. When it comes to security and convenience, it’s a scale.”