Coin – Making a bad thing worse

Coin, the new startup that plans to replace credit cards with their high tech card, is all the rage on TechCrunch.

One Coin for All of Your Cards

Watch this video on YouTube or on Easy Youtube.

The first thing that caught my eye was the technology vs. the price.

You can still pre-order (how “limited” is this campaign anyway?) even after they have reached their goal of $50.000 for $50. $50, minus sales tax, minus (potentially) $5 fee for recommending Coin to a friend, will buy you a swipe card reader to attach to your iPhone (like Square), a piece of software to manage your Coin card, and the Coin card itself with wireless connectivity, a display, button, power, and all that in a package as small as a credit card.

Amazing, isn’t it?

Then, as the FAQ states, you’re supposed to swipe your credit cards through the reader on the iPhone and transfer them to the Coin card wirelessly (how does the card charge?). You’re also entering your CVV for good measure, which is a PCI violation right there, or at least a security concern (as coin is supposed to replace cards in a swipe scenario, and NOT in an online scenario, what business does it have to store the CVV/CVC???).

Next, what will a merchant say if you approach them with something that doesn’t have the VISA / Mastercard logo on it? If you’re running a pizza joint, would you accept a blank white stripe card for payment? How do you verify the cardholder signature? You can’t even run ID against the card details.

Coin does not support EMV (how could they??) so you’ll still have to carry the original cards for chip terminals.

Coin’s statements to PCI are very contradictory, too:

“Q. Does Coin satisfy PCI DSS standards for storing and transmitting card data?
A. Coin is in the process of earning a PCI DSS certification.

Q. Does Coin have a PCI PA-DSS validation?
A. The PCI Security Standards Council PA-DSS program addresses payment applications used to accept and process payment for goods and services. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet and the standard does not apply.”

They charge your credit card immediately for something they’re planning to ship summer 2014. I’ll be following this closely, I would be surprised if credit card issuers would not be taking issue with the whole thing in the meantime.

I’m all for supporting startups, but thsi one raises way too many red lights for my taste.

This is going to be a huge hit with airport security everywhere


“CardSharp a superlight and supersharp utility knife, the same size as a credit card.
Just three ingenious folding operations metamorphosise the card into an elegant pocket utility tool. Slimmer and lighter than an ordinary knife.

The extra long stainless steel surgical blade ensures longer lasting rust free sharpness. The built-in protective sheath helps prevent injury or blunting. CardSharp® is an ingenious conversation piece. A sharp idea that slips safely inside your wallet or kit bag.

Test marketing in various territories has proven CardSharp is a hit: ‘I have been selling knives for 15 years and have rarely seen anything sell so quickly’ – Howard Korn, KnifeCentre USA.

CardSharp samples are now shipping for media and press. Estimated shipping date for public: Q1 2011.”

I’m a credit card fraud victim

So it finally hit me as well. Two days ago my bank called me and informed me that they suspected my credit card data had been used illegally.


I once heard that if you want your credit card to be locked, fill up your tank at a gas station and then go and buy some sneakers. Supposedly that’s a typical behaviour for someone who found a credit card, and it seems there’s something to it.

Well, that had to happen at some point, right? I know what some of my friends will be saying – “you and all your online activities”, “you’re too careless with your personal data” and all that. And that as a former ePayment expert…

So, am I going to change my credit card use? Most likely not. Most of my online transactions are with (rather) trustworthy partners like, or they go through PayPal or similar services that hide my credit card data.
It’s just much more likely that my credit card data was acquired by some dumpster diver in a Starbucks in the US or that small mexican restaurant I’ve been dining in Denmark lately. POS is still the main point of careless credit card data management.

Actually, most of the fraud has to be attributed to the fact that the credit card issuers simply don’t care enough. Smart card based authentication has been available for more than 10 years, but credit card companies fear that taking away the possibility to just enter the card number will lower their transaction volume (they’re probably right).
So we’ll have to stick with the hassle and they’ll gladly cover the risk, just because it’s cheaper.

Weird world, isn’t it?

Why do payment terminals still use dial-up?

I’m looking for some enlightenement here.

Background: in germany, you can use debit cards and credit cards to pay in retail stores. The cashier swipes the card through a terminal, which then dials the payment service provider to authorize the payment. This sometimes takes quite a while (especially on saturdays, when everyone goes shopping – there’s no 24 hour shopping in germany…), and today it failed in my case due to a connection error. Mostly ISDN lines are used, but sometimes they even do dial-up with analog modems. The backup method was to print out a slip and do a direct debit (for you americans out there: this is like using a credit card, but instead of going to your credit card account, it gets billed on your checkings account directly). This is obviously more risky, as it can’t be authorized – the card might even be stolen, or the payment rejected due to lack of funds.

So, why do they still do this? Why don’t they use the internet with much faster connections and always-on mode? It can’t be security – there’s VPNs, and the payment terminals carry all kinds of crypto, anyway.

Is there anybody who can tell me why this is still so arcane?