Andy,
We're doing the same, but we're not supplying new PIN's. We're allowing the customer to keep their old PIN. To activate the new debit card, we require input of the old PIN and new card number. Is this sufficient to validate our customer's identity in order to activate the new card?
I'd say yes, and no. Yes because they should have this confidential PIN which is a security protection. And it sounds like you're substituting a new card for an old one.
No, for partially the same reason. People give out their PINs. So I see this as a weakness, but not to the same level as my "yes" answer, meaning "yes" wins in my opinion book. I haven't researched this in detail though.
My opinion from the customer service perspective would be to ask them, for some of the reasons noted above. I don't have a debit card, just an ATM card requiring a PIN. I like the security better. But more and more debit is more widely accepted. I may have to bite the bullet and get the debit card. But at my bank there is a fee for that. I hate fees.
The following is a shameless plug: If you want the 101 on Reg. E, including disclosures, cards and claims, check out my webinar coming up the 10th.
http://calendar.bollearningconnect.com/main.php?view=event&eventid=1173781974101