diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
index 8e1f73e..2c0c88f 100644
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -187,12 +187,12 @@ async function changeTpin(req, res) {
 if (!user.tpin) return res.status(400).json({ error: 'USER_DOESNT_HAVE_A_TPIN' });
 const { oldTpin, newTpin } = req.body;
- if (oldTpin !== user.tpin)
- return res.status(400).json({ error: 'TPIN_DOESNT_MATCH' });
+ const isMatch = await comparePassword(oldTpin, user.tpin);
+ if (!isMatch) return res.status(400).json({ error: 'TPIN_DOESNT_MATCH' });
 if (!/^\d{6}$/.test(newTpin)) return res.status(400).json({ error: 'INVALID_TPIN_FORMAT' });
- authService.setTpin(customerNo, tpin);
+ await authService.setTpin(customerNo, newTpin);
 return res.json({ message: 'TPIN_SET' });
 } catch (error) {
 logger.error(error);
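Review bot: `oldTpin` reaches `comparePassword` straight from `req.body` with no type check, so a missing or non-string value will probably make the hash comparison throw and fall into the `catch` instead of returning a 400; `comparePassword` is not visible here, so this is inferred. The existing `/^\d{6}$/.test(newTpin)` check also coerces its argument, so a JSON number such as `123456` passes and is handed to `setTpin` as a number. I would add `if (typeof oldTpin !== 'string' || typeof newTpin !== 'string') return res.status(400).json({ error: 'INVALID_TPIN_FORMAT' });` right after the destructuring, before the compare. Separately, a six-digit secret has only 10^6 values, so failed `TPIN_DOESNT_MATCH` attempts should be counted and throttled per customer; nothing in this hunk does that, though it may happen in middleware outside it. The body of `changeTpin` starts and ends outside the hunk.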