The Internet has been buzzing about Coin, a credit card replacement announced last Thursday. Currently taking pre-orders and planning to launch in Summer 2014, Coin is a credit card-sized device that can store and behave as pretty much any card with a magnetic stripe: credit cards, gift cards, membership cards, etc. You select which card you want to use, and when you or a merchant swipe the Coin, the reader sees the magnetic stripe data for that card. Replacing every card in your wallet with a single, card-sized device is exciting to think about, but a product like this obviously raises a lot of questions.
When you're putting a considerable amount of your payment information into a device, you want to know how well your information will be protected. Coin has answered many questions in their FAQ including several about security, but they leave some questions unanswered.
Coin states that their servers, mobile apps, and card use "128-bit or 256-bit encryption for all storage and communication (http and bluetooth)." This sounds nice, but by itself it tells you very little. Key length is only one input to how effective encryption is; what matters at least as much is the implementation: which algorithm and mode are used, how keys are generated and stored, how the phone and the card authenticate each other over Bluetooth, and whether nonces or IVs are ever reused. It doesn't matter how strong your cipher is if your implementation is flawed – a locked gate isn't very secure if somebody can easily climb over or walk around it. This is not to say that I think Coin's implementation is flawed – I have absolutely no clue what their implementation looks like because they haven't shared those details – I only mean to point out that Coin's answer doesn't tell us much.
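To make the "key length isn't security" point concrete, here is an added example that is not Coin's code (their implementation is not public) and not from the original post. It uses a toy stream cipher built from HMAC-SHA256 in counter mode with a genuinely 256-bit key. The cipher itself is an assumption made for illustration; the flaw it shows, reusing a nonce across two messages, leaks the same way in any stream or counter-mode cipher, AES-CTR and AES-GCM included. The Track 2 strings are constructed from well-known test card numbers.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` keystream bytes with HMAC-SHA256 in
    counter mode. Toy construction for illustration only, not a recommended cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream. Decryption is the same call."""
    if len(key) != 32:
        raise ValueError("expected a 256-bit key")
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_second_message(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    """Attacker's view: with two ciphertexts under the same key and nonce, the
    keystream cancels out of ct_a XOR ct_b, leaving pt_a XOR pt_b. Knowing (or
    guessing) pt_a then yields pt_b for the overlapping length."""
    return xor_bytes(xor_bytes(ct_a, ct_b), known_pt_a)


def demo() -> dict:
    key = os.urandom(32)   # genuinely 256-bit key
    nonce = os.urandom(12)
    # Constructed Track 2 strings using well-known test card numbers (not real cards).
    track_a = b";4111111111111111=25121011234567890?"
    track_b = b";5555555555554444=26061011234567890?"

    # Flawed implementation: the same nonce is reused for both cards.
    ct_a = encrypt(key, nonce, track_a)
    ct_b = encrypt(key, nonce, track_b)
    leaked = recover_second_message(ct_a, ct_b, track_a)

    # Correct usage: a fresh nonce per message. The same attack now yields noise.
    ct_b_fresh = encrypt(key, os.urandom(12), track_b)
    not_leaked = recover_second_message(ct_a, ct_b_fresh, track_a)
    return {"leaked": leaked, "not_leaked": not_leaked, "target": track_b}


if __name__ == "__main__":
    result = demo()
    print("nonce reused :", result["leaked"])
    print("fresh nonce  :", result["not_leaked"])
```

With the nonce reused, an attacker who knows one card's track data (their own card loaded on a stolen Coin would do) reads the second card in full, key length notwithstanding. With a fresh nonce per message the same arithmetic produces garbage. This is the sort of detail a "256-bit encryption" claim says nothing about.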
How much does this matter? Not as much as you might think. It would certainly be preferable to see Coin use a rock-solid, peer-reviewed implementation, but it's important to remember that credit cards are pretty insecure to begin with. The data on a card's magnetic stripe is stored in the clear, and nearly all of the information needed to clone the card is printed visibly on the card itself. Even if Coin totally botched the encryption (and I'm not trying to imply in any way that I think they will), a criminal who acquired a Coin loaded with several of your credit cards, which for some reason you hadn't set to deactivate (Coin offers automatic deactivation when the card is away from your phone for too long), would be in possession of the same payment information as if you had lost your wallet with those cards in it. Coin does offer some security advantages over physical cards (alerting you when you leave your card behind and automatic deactivation), but even if those fail, the information you stand to lose is the same. In fact, considerably less information can be read off the face of a Coin than is printed on your credit cards.
The only possibility I see for greater exposure to fraud with Coin would be a scenario where a merchant has the ability to swipe your Coin outside of your presence, such as at a restaurant when a waiter or waitress takes your card. If they were taking cards to the back to run through a skimmer and harvest card data for later fraud, a Coin would give them the data for every card loaded on it, whereas a normal credit card exposes only that one card. This sort of fraud does happen, albeit to a relatively small percentage of card holders, so people will have to evaluate for themselves how much of a concern this specific scenario is. In cases like this, consumers in the U.S. are usually covered by fraud protection that leaves them responsible for at most $50 per card, and in some cases nothing at all.
This raises an interesting question: who is responsible for fraud committed when Coin is involved? U.S. consumers are protected from credit card fraud by the Fair Credit Billing Act (FCBA). According to the FTC, consumer liability for a stolen credit card is limited to $50 per card. If somebody uses your credit card number for fraud but the card itself was never lost or stolen, you're not liable for any unauthorized use. This is noteworthy because it's unclear how Coin will be seen in the eyes of merchants, credit card companies, and the law. If you lost your wallet, you could be on the hook for $50 for every stolen card used for fraud. If you lost your Coin... well, you never technically lost the actual card, so the argument could be made that you shouldn't be liable for anything. But this is where things get a little hazy: is Coin a credit card or not?
While consumer liability for fraud is limited, somebody has to pay when fraud is committed. The brunt of this responsibility falls on the merchant who processed the fraudulent purchase and the financial institution that issued the credit card. Merchants who process credit cards have merchant agreements with credit card companies that establish rules and guidelines between the two parties. The specifics vary between merchants and financial institutions, but generally speaking, if a merchant follows the guidelines set forth in their agreement for taking payment, their liability for any chargebacks resulting from fraud will be limited. However, if the merchant does not follow the guidelines and does not perform due diligence to ensure a purchase is not fraudulent, they may be the one liable for the fraud.
Some of the most fundamental mechanisms for fraud prevention are the security features present on all credit cards. All credit cards include visible features to help verify the authenticity of a card, such as the card brand's logo, holograms, embossed security characters, and tamper-evident signature panels. Merchants have to be cautious about accepting suspicious-looking cards because if they do, they could be held liable if the purchase turns out to be fraudulent. While a Coin card may hold the credit card information necessary to make a purchase, it looks nothing like the existing credit cards that merchants have been trained to accept. It doesn't include the security features that all major credit card companies specifically instruct their merchants to verify. Discover even offers a handy reference to help merchants identify valid cards. Many merchants may have no problem accepting Coin, but they have no obligation to, and some may refuse for fear of being held liable for fraud.
We have a few more questions out to Coin that seem worth mentioning here. We previously discussed the security of the Coin card itself and how it stacks up against losing a wallet, but what about information stored on Coin's servers? The Coin FAQ states that your Coin is tied to your account, not to a specific device. This means that if you ever lose your phone, you can simply pair your Coin with a new phone using their app. Since the Coin card loads your card information from the app, syncing to a new phone would either require you to re-enter all of your cards and re-sync them to your Coin, or your Coin account holds all of your card data and syncs it to the app once you sign in. The latter is obviously the more convenient route, but it would require Coin to store all of your credit card information on their servers. We have yet to get confirmation that this is the case, but if it is, it obviously poses some security concerns. You're not just trusting Coin to securely store your credit card information on your Coin card and in their app, but on their servers as well. That's entrusting a lot of financial information to a single location in the cloud. And we're not just talking about credit card numbers, but full track data: the complete contents of the magnetic stripe, which is everything necessary to create an exact copy of your credit cards.
For their part, Coin has stated in their FAQ that they are currently in the process of getting PCI DSS (Payment Card Industry Data Security Standard) certified. PCI DSS is a payment industry standard for any organization that handles cardholder data. PCI DSS is good in that it establishes a security baseline for organizations that process credit card information to follow. It's bad in that it's pretty much limited to what most would consider common sense. PCI DSS requirements offer sage advice such as "Do not use vendor-supplied defaults for system passwords and other security parameters" and "Use and regularly update anti-virus software on all systems commonly affected by malware". The effectiveness of PCI DSS is certainly up for debate, but there's no harm in Coin getting certified – it at least shows a desire to meet industry standards.
That said, it's unclear whether Coin will be able to obtain PCI DSS certification. One of the pieces of information Coin stores for each card is the CVV: the three- or four-digit code printed on the card (called CVV2, CVC2 or CID depending on the brand) that is usually required for "card not present" purchases, like online shopping or placing an order over the phone. Its purpose is to prove that the consumer has the actual card in hand, which only works if nobody else keeps a copy. For that reason, PCI DSS forbids any organization that stores, processes, or transmits cardholder data from retaining the CVV after a transaction is authorized, even in encrypted form, and the same prohibition covers full track data. Coin doesn't (and can't, in order for its product to work) meet these requirements. However, PCI DSS does offer exemptions for "issuers and companies that support issuing services" if there is a business justification and the data is stored securely. Once again Coin falls into a bit of a gray area. They're not a card issuer, but do they qualify as a company that supports an issuer? We've reached out to Coin asking about these requirements and look forward to getting clarification from them – we'll update this post when we do.
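To make the distinction in the last two paragraphs concrete (what "full track data" contains, and what a non-issuer is allowed to keep after authorization), here is an added example that is not Coin's code, whose internals are not public, and not from the original post. It parses the Track 1 and Track 2 layouts a magnetic stripe carries, reduces a card to the fields PCI DSS permits keeping (masked PAN, expiry, cardholder name), and flags stored records that still contain sensitive authentication data. The track layouts are the standard ISO/IEC 7813 ones; the record field names, the sample track strings and the test card numbers are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ISO/IEC 7813 track layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Sensitive authentication data: PCI DSS forbids storing these after authorization,
# even encrypted. The field names are this example's own convention (assumption).
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> Dict[str, Optional[str]]:
    """Split a Track 1 or Track 2 string into its fields; reject malformed data."""
    m = TRACK1_RE.match(raw) or TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a Track 1 or Track 2 string")
    fields: Dict[str, Optional[str]] = dict(m.groupdict())
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    fields.setdefault("name", None)  # Track 2 carries no cardholder name
    return fields


def is_valid_track(raw: str) -> bool:
    try:
        parse_track(raw)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class StoredCard:
    """What a non-issuer may keep after authorization: masked PAN, expiry, name."""
    masked_pan: str
    expiry: str
    cardholder_name: Optional[str]


def to_storable(raw_track: str) -> StoredCard:
    """Reduce a swiped track to the storable subset, dropping service code and
    discretionary data along with the rest of the track."""
    f = parse_track(raw_track)
    return StoredCard(mask_pan(f["pan"]), f["exp"], f["name"])


def storage_violations(record: Dict[str, object]) -> List[str]:
    """Return the keys of a stored record that hold sensitive authentication data,
    either by field name or because the value is itself a full track string
    (for example, a raw swipe pasted into a free-text notes field)."""
    hits = []
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS and value:
            hits.append(key)
        elif isinstance(value, str) and (TRACK1_RE.match(value) or TRACK2_RE.match(value)):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample swipe using a well-known test card number.
    swipe = "%B4111111111111111^DOE/JOHN^2512101123456789?"
    print(parse_track(swipe))
    print(to_storable(swipe))
    print(storage_violations({"masked_pan": "411111******1111", "cvv2": "123", "notes": swipe}))
```

A product that has to replay the stripe cannot reduce cards to `StoredCard`; it needs the full track, service code and discretionary data included, and `storage_violations` would flag every record it holds. That is exactly the gap between what Coin must keep and what PCI DSS lets a non-issuer keep.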
Technical questions aside, Coin has generated a lot of buzz, and the real question is: does it have what it takes to gain the traction needed to stick around? Square has been wildly successful at shaking up the payment industry, but there are two key differences between Square's approach and Coin's. First of all, Square established relationships with major credit card companies before rolling out. Square's situation was a little different from Coin's because Coin won't actually be processing payments, but being backed by credit card companies gave Square immediate trustworthiness with merchants and consumers. Square also targeted merchants first. Offering benefits over traditional card processing companies meant merchants had an incentive to use Square. For many merchants, Square meant being able to accept credit cards for the first time. Consumers were on board because it meant being able to pay with credit cards in more places, and it had no negative impact on their ability to pay. Coin is targeting consumers first. In fact, Coin's CEO told CNN Money that they have no intention of talking with merchants:
"We don't plan to go out of our way to educate the merchant world about it, because we're focused on the consumer side, and anyone who works on the merchant side is also a consumer anyway."
Of course, in many cases merchants won't have a say. Anywhere a customer swipes their own card, merchant concerns essentially become a non-issue, though Coin users may want to carry a backup card for the cases where a cashier who won't accept it is the one doing the swiping.
In the long run, Coin would stand to benefit by getting merchants to recognize and willingly accept Coin. Credit card companies will need to openly support the product with clear policies for consumers and businesses. Once card companies state that merchants accepting Coin cards won't be liable for fraud, merchants will need to be educated on accepting Coin. Having a single Coin card to store all of my credit cards offers some convenience, but not nearly as much convenience as handing over a credit card to pay without having to explain my latest gadget to the cashier, or wait for the establishment to call the credit card company for authorization. Some credit card companies even have policies stating that if a merchant suspects a card to be fraudulent, they should keep it if possible. Tech-savvy gadget-lovers are intrigued by the idea of Coin, but some merchants might just be left confused as hell.
Coin isn't set to be available until Summer 2014, which gives them a lot of time to iron out any wrinkles and talk with credit card companies if they so desire. Should card companies choose to stay silent, it would likely have a minimal impact on Coin. Consumers have already shown a great deal of interest, with Coin hitting its $50,000 fundraising goal in only 40 minutes. The backing of a major credit card company could be what takes Coin from a niche product to gaining widespread public adoption – regardless, consumers are already showing significant interest.