We allow our customers to make transfers via a touchtone banking setup by using the last four digits of their social security number (PIN). This is available to all customers and they are not required to enter into a plan to allow this. Is the "PIN" considered an unauthorized access device?

I think as you describe it, it falls into this definition:

Reg E Section 205.5

(b) Unsolicited issuance. A financial institution may distribute an access device to a consumer on an unsolicited basis if the access device is:

(1) Not validated, meaning that the institution has not yet performed all the procedures that would enable a consumer to initiate an electronic fund transfer using the access device;

(2) Accompanied by a clear explanation that the access device is not validated and how the consumer may dispose of it if validation is not desired;

(3) Accompanied by the disclosures required by §205.7, of the consumer's rights and liabilities that will apply if the access device is validated; and

(4) Validated only in response to the consumer's oral or written request for validation, after the institution has verified the consumer's identity by a reasonable means.