Can Coin survive? Project delayed, backers outraged, doubts loom (Updated)

Coin, the credit card that holds all your credit cards, has been delayed from its summer 2014 launch until spring of next year.

The card’s developers have tried to ease the pain by offering up a beta program this fall for 15,000 of its backers. Many remain nevertheless frustrated with the delays, and some are asking for refunds from the company as concerns grow over the adoption of EMV chips in the U.S. as well as the necessary compliance standards Coin needs to launch.

Update on 9-03-2014 from Joshua Sherman: Due to high interest in the beta program from iOS users, Coin has noted that it’s unlikely users will be able to participate in the beta unless they had packed within the first six hours of the pre-sale from last November. The company noted that, “Due to a high opt-in rate of 96.25 percent, if you ordered after November 14th  3:06:38 PM PST it is unlikely that you are eligible for Coin Beta.” Coin also added that it was reserving 24 percent of the beta slots for Android users who will be able to opt-in once the Android app becomes available on Sept. 25. Everyone else will have to wait until next spring for their Coin.

Beta testers to get free final version

In a message to backers titled “An Apology and an Update,” Coin stated that it will delay the official launch of the Coin until the spring of 2015 to ensure its product works flawlessly for everyone who gets it. It has dialed back the date for manufacturing so it can get feedback from beta testers. Coin will launch a beta program this fall for backers to receive a pre-release version of the Coin, try it out and send feedback.

“We apologize for our lack of transparency and clarity in our communications to you,” the company said in an email obtained by Digital Trends. “We honestly thought we could make our timeline.”

As part of an update published on August 23, Coin is now offering up 15,000 beta versions of Coin for this fall (from 10,000) for free to test out the e-wallet. Originally Coin wanted beta testers to pay an additional $30 to get the updated final version next spring, but this fee has now been waived. While the community was originally outraged at the additional fee, Coin’s decision waive the fee has been met with much relief, knowing they can help improve the product and still get the finished version in eight months. Some backers are still upset over how Coin handled this whole predicament.

The beta remains optional and backers can choose to:

  • Opt-in with a link from their e-mail and get the Coin. If they want the first generation Coin later they’ll get it for free
  • Wait until the spring and get their first generation Coin
  • Email for a refund

Getting accepted into the beta depends on how early you first backed the project. Right now Coin is admitting if you didn’t back on the first day there’s pretty much no chance you’ll get in the beta. There’s also no guarantee the project will not encounter further delays, and little information has been made public outside of Coin’s blog for backers about the status of Coin as a finished product. This has led to some serious speculation about the success of Coin given this already existing delay, as well as two major issues that haven’t been addressed: PCI compliance and the eventual EMV adoption.

Coin still hasn’t mentioned PCI compliance

Coin more or less skims and stores your credit card information

In order for a device to accept or handle credit card transactions, it needs to be compliant with the Payment Card Industry (PCI) standards to ensure security for not just the customer, but also the merchant. While we all have the best intentions when using a credit card, a thief or hacker can very easily acquire credit card information if PCI standards are not kept or if a device’s security is compromised. With Coin, the very design of the device not only questions the ability for it to receive PCI DSS Compliance, but also suggests how easy it may be for someone to use it maliciously.

Based on demonstrations and interviews with other news sources, it appears that Coin works by scanning your credit card with a magnetic stripe card reader, storing that information either on your device or on Coin’s servers, and then distributing that information to your Coin card when you want to add a card to it.  This entire process goes against the PCI cardinal rule not to store a credit card’s magnetic stripe information. This is because in the U.S. a magnetic stripe contains everything needed to execute a transaction. Storing this means you won’t need the card with you to use it (just as Coin is intended) but it also means anyone with your credit card for about five minutes (such as in a restaurant) can use Coin to duplicate your card without your knowledge.

Coin does state in an interview that you need to enter verifiable information to add the card to your Coin app, but no details are yet available about how specific this information is, how exactly it prevents others from adding your card to a Coin and where this information is being stored or sent. The Coin e-wallet also uses Bluetooth, not NFC to communicate the credit card information, something that hasn’t yet been demonstrated as a secure option.

Without PCI compliance, Coin will not only be insecure, but could be under threat from the major card companies because it compromises the security of their customers. It’s been nine months since Coin was announced and we know just as much about PCI compliance as we did on the day it was revealed. Coin’s website still says it’s looking into compliance and no documentation has been published suggesting Coin has received its approval.

Coin more or less skims and stores your credit card information, and we know far less than we should about how this process will be kept secure.

With EMVs coming, Coin will be outdated

Coin’s very concept of reading cards doesn’t work with EMVs

In October 2015, the United States will officially switch to the EMV integrated chip (which looks like a smartphone SIM card) for credit cards. In Europe and other parts of the world, EMVs are the new standard for secure credit card transactions. This is because EMVs are more secure and cannot be easily copied, skimmed, or duplicated as can a credit card’s magnetic stripe. The tech will slowly but surely replace traditional credit cards in the U.S. and make products like the Coin more or less obsolete. Coin’s very concept of reading cards doesn’t work with EMVs. Even if Coin were to figure out a new way for its technology to work with EMV Chips, it goes against why the credit card companies want to switch to EMV to help prevent credit card theft.

Coin also isn’t the only e-wallet out there, and competitors like the ISIS Mobile Wallet and Google Wallet are not only free, unlike Coin, but are also more secure and backed by major card companies. The only advantage Coin has is that you can use it at any merchant that accepts credit cards today. Now that Coin’s launch is just a few months before the switch happens, new credit card users will be encouraged to use EMV before using their magnetic stripe. This makes Coin both obsolete and less secure even if merchants continue to accept it. NFC and EMV payment solutions will offer the safe functionality and only become more popular over time, leaving Coin in the dust.

Ultimately we have no idea just what Coin’s status is on PCI Compliance or EMV. We have reached out for more information and should we learn more we will update this story.

One thing is clear though: Coin is in trouble, and it needs to prove it’s still a viable tool for its thousands of backers.

Update on 8-23-2014 from Joshua Sherman: Noting that it was “overly optimistic” with its plan to launch nationwide by this summer, Coin has delayed launch and unveiled a beta program to give the company time to fix issues. Coin issued an apology to its backers and will now be letting those that beta test upgrade to the final version for free, instead of the original $30 charge. There is still no word from the company on its PCI compliance or long-term plans with moving to EMV.

Get our Top Stories delivered to your inbox: