Coin – Making a bad thing worse

Screen Shot 2013-11-18 at 11.32.03

Coin, the new startup that plans to replace credit cards with their high tech card, is all the rage on TechCrunch.

One Coin for All of Your Cards

Watch this video on YouTube or on Easy Youtube.

The first thing that caught my eye was the technology vs. the price.

You can still pre-order (how “limited” is this campaign anyway?) even after they have reached their goal of $50.000 for $50. $50, minus sales tax, minus (potentially) $5 fee for recommending Coin to a friend, will buy you a swipe card reader to attach to your iPhone (like Square), a piece of software to manage your Coin card, and the Coin card itself with wireless connectivity, a display, button, power, and all that in a package as small as a credit card.

Amazing, isn’t it?

Then, as the FAQ states, you’re supposed to swipe your credit cards through the reader on the iPhone and transfer them to the Coin card wirelessly (how does the card charge?). You’re also entering your CVV for good measure, which is a PCI violation right there, or at least a security concern (as coin is supposed to replace cards in a swipe scenario, and NOT in an online scenario, what business does it have to store the CVV/CVC???).

Next, what will a merchant say if you approach them with something that doesn’t have the VISA / Mastercard logo on it? If you’re running a pizza joint, would you accept a blank white stripe card for payment? How do you verify the cardholder signature? You can’t even run ID against the card details.

Coin does not support EMV (how could they??) so you’ll still have to carry the original cards for chip terminals.

Coin’s statements to PCI are very contradictory, too:

“Q. Does Coin satisfy PCI DSS standards for storing and transmitting card data?
A. Coin is in the process of earning a PCI DSS certification.

Q. Does Coin have a PCI PA-DSS validation?
A. The PCI Security Standards Council PA-DSS program addresses payment applications used to accept and process payment for goods and services. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet and the standard does not apply.”

They charge your credit card immediately for something they’re planning to ship summer 2014. I’ll be following this closely, I would be surprised if credit card issuers would not be taking issue with the whole thing in the meantime.

I’m all for supporting startups, but thsi one raises way too many red lights for my taste.

I’m a credit card fraud victim

So it finally hit me as well. Two days ago my bank called me and informed me that they suspected my credit card data had been used illegally.


I once heard that if you want your credit card to be locked, fill up your tank at a gas station and then go and buy some sneakers. Supposedly that’s a typical behaviour for someone who found a credit card, and it seems there’s something to it.

Well, that had to happen at some point, right? I know what some of my friends will be saying – “you and all your online activities”, “you’re too careless with your personal data” and all that. And that as a former ePayment expert…

So, am I going to change my credit card use? Most likely not. Most of my online transactions are with (rather) trustworthy partners like, or they go through PayPal or similar services that hide my credit card data.
It’s just much more likely that my credit card data was acquired by some dumpster diver in a Starbucks in the US or that small mexican restaurant I’ve been dining in Denmark lately. POS is still the main point of careless credit card data management.

Actually, most of the fraud has to be attributed to the fact that the credit card issuers simply don’t care enough. Smart card based authentication has been available for more than 10 years, but credit card companies fear that taking away the possibility to just enter the card number will lower their transaction volume (they’re probably right).
So we’ll have to stick with the hassle and they’ll gladly cover the risk, just because it’s cheaper.

Weird world, isn’t it?