Oh good grief.  They validate only half of a 7-digit (+checksum digit) number at once, and tell you whether you got the first half right before asking for the second half?  I don't know anything about encryption algorithms, and even I know not to do that.

Bonus points for limiting the PIN to a very restricted set of characters (0-9), making it fixed length, and making it immutable for any given AP.

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

Goons.