Why doesn't changing the PIN affect recorded data on a magnetic card?

In the past they may have encoded the PIN on the card; however, hopefully (as your test indicates) they have stopped. It looks like the article that you cite is from 2009, which is rather out of date.

As to why they should not encode the PIN onto the card, take a look at NIST Special Publication 800-63-2, the Electronic Authentication Guideline. In the case of multi-factor authentication, it should consist of a combination of "something you know, something you have and something you are". For a card and PIN system, you have something (the card) and know something (the PIN). If you encode the PIN onto the card, then you only have something, which is single-factor authentication and is not as secure.

If you are interested in the security of PINs in credit cards, you can take a look at: https://www.pcisecuritystandards.org/documents/PCI_PIN_Security_Requirements.pdf. These are the PCI requirements for securing PINs.

As for the differences in the Discretionary Data, these may come from several sources. From ISO/IEC 7813, the maximum record lengths of tracks 1 and 2 are different. The DD is used to fill the balance of characters.

For Discretionary Data, the implementation is left up to the issuing company. As to what it might contain, you may be able to find out by looking at the documentation from the issuing company (I rather doubt you will find anything, but stranger things have happened). It may just be random padding to reach the proper length, or it could contain additional data. See https://stackoverflow.com/questions/12239855/discretionary-data-from-magnetic-strip-credit-card-how-to-parse.
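
The track layout referred to in the answer above, as an added example that is not part of the original answer: a Python sketch that splits ISO/IEC 7813 track 1 (format B) and track 2 reads into their fields, shows how much room each track leaves for discretionary data, and reports which fields differ between two reads of the same track. The function names and the sample reads are constructed for illustration, and the expiry date and service code are assumed to be present.

```python
import re

# Field layouts from ISO/IEC 7813. The maximum record lengths count the
# start sentinel, the end sentinel and the LRC check character.
# Assumption: expiry date and service code are present (not replaced by a
# field separator), which keeps the patterns short.
TRACK1 = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<dd>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})"
                    r"(?P<dd>\d*)\?$")
MAX_LEN = {1: 79, 2: 40}


def parse_track(raw):
    """Split one track, as a reader returns it (without LRC), into fields."""
    for number, pattern in ((1, TRACK1), (2, TRACK2)):
        match = pattern.match(raw)
        if match:
            fields = match.groupdict()
            fields["track"] = number
            # Characters still unused on the track; +1 for the LRC that is
            # on the stripe but not in `raw`.
            fields["spare"] = MAX_LEN[number] - (len(raw) + 1)
            return fields
    raise ValueError("not ISO/IEC 7813 track 1 (format B) or track 2 data")


def changed_fields(before, after):
    """Names of the fields that differ between two reads of the same track."""
    a, b = parse_track(before), parse_track(after)
    if a["track"] != b["track"]:
        raise ValueError("reads come from different tracks")
    return sorted(key for key in a if a[key] != b[key])


# Constructed sample reads: test PAN, invented name and discretionary data.
T1 = "%B4111111111111111^DOE/JANE^30122010000000000123?"
T2 = ";4111111111111111=30122010000123?"

if __name__ == "__main__":
    for raw in (T1, T2):
        print(parse_track(raw))
    # Two reads of the same card, e.g. before and after a PIN change.
    print(changed_fields(T2, T2))
```
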


The whole point of the PIN is that it is not on the card, but rather in the bank's computers so that physical access to the card cannot give you that information. If it were on the card, it would just be a longer account number.


No PIN is stored on the magstripe. There are essentially 2 types of PIN strategies commonly used in card payments: Offline and Online PIN.

Offline PIN requires the PIN value be stored securely within the chip in a tamper-proof module. During verification, the cardholder-entered PIN value is sent to the module for verification.

Online PIN scenarios send the PIN in the authorization request to the financial institution's host for verification against the secured PIN value in their database.

If you are able to accomplish changing a PIN on a chip card, using scripts, then you are likely changing the offline PIN in the chip. There is no visibility to PINs in the magstripe.