I am currently developing a system that has functionality where customers can view information about their purchases / renewals / etc by supplying a PIN code "number".

Instead of the login data, a PIN is used due to the type of customers we are targeting. The PIN is printed on documents sent to them.

The view displayed when submitting the PIN code does not display highly sensitive information, such as a credit card, etc., but less sensitive, such as the name of the product, type, price, barcode, repair, etc.

This question is about PIN. I decided to use a random 5-character PIN (0-9, az AZ) - case sensitive. I will delete some homoglyphs ('I', '1', 'l', '0', 'O', 'rn', 'vv'), so the actual number of combinations is actually lower.

I have a few questions about this:

• Is this practice acceptable?
• Do I have to write a blocking mechanism to “block” traffic from IP addresses with a lot of failed attempts? *
• Do I have to write an error checking system (similar to Luhn algo in credit card numbers)?
• * Should I use captcha?