This means that if you log in and get keylogged/shoulder surfed etc they don’t get the full pin. The next time you login you will get asked for different characters.
This seems somehow worse than simply requiring the same few characters each time, since they would either have to store the complete passwords in plaintext, or compute and store the hash for every permutation of 2-3 characters, which is wildly inefficient. You’d also be susceptible to leaking your password if for some reason you are under long term surveillance, since at some point you would presumably have provided all of the characters making up the password.