Constellation Insights
 

This week, payment card startup Plastc abruptly went belly-up, telling more than 80,000 customers who had preordered the devices that it is filing for bankruptcy and will not ship a single item.  

“We are disappointed and emotionally distraught, and while we know this is extremely disappointing for you, we want our backers to know that we did everything we could to make Plastc Card a reality,” the company told disappointed would-be customers, who apparently won't be reimbursed.  

The programmable card would have allowed users to store up to 20 cards on the unit itself, with access to an unlimited number of cards through Plastc's app.  

Plastc says it had landed $3.5 million in venture capital as recently as February, but the investors subsequently withdrew the funding. That money would have been enough to ship working cards. A second investor came forward with a $6.75 million offer but also withdrew at the eleventh hour, according to Plastc: "The round was a signature away from closing and we were extremely caught off guard when they notified us yesterday they were backing out." 

Plastc's fate isn't quite as dire as that which befell Coin, another payment card startup. Last year, Fitbit acquired Coin for its payments platform technology, but production and sale of its devices were immediately halted. Fitbit is expected to incorporate payment capabilities into its devices as early as this year. 

Stratos, yet another card startup, went out of business abruptly in 2015 after just six months, but its assets were recently acquired by the Danish company CardLab, which is planning to revive the product. 

Plastc and other failed “super cards” supported mag stripe and claimed to be upgradeable to chip-based card technology too. Given that mag stripe is being phased out, this was a crucial promise. There was never any point in trying to squeeze any life out of obsolete mag stripes, says Constellation Research VP and principal analyst Steve Wilson.  

"You had Coin and Plastc, and also Loop Pay, which was acquired by Samsung, that basically simulates a mag stripe card electromagnetically by blasting EM waves at a POS machine to trick it into thinking a real card has been run over the read head," Wilson says. "All these gizmos sought to keep the old card technology alive, while the US payments industry was slowly catching up with the rest of the world going to chip. Why would you try to keep mag stripe alive, when it was actually the cause of so much fraud?" 

Moreover, programmable third party cards play in a legally murky realm, Wilson notes. "Their operation was in violation of the payment scheme rules, which forbid cloning cards and actually forbid merchants accepting a payment card that is not properly branded," he says. "Coin and Plastc would have put merchants in a difficult position, of enticing them to accept a non-standard pseudocard, just so some customers could enjoy yet another gimmicky way of paying." 

The idea of a programmable mag stripe card seemed clever but it was ignoring far more pressing problems, Wilson says. The most important innovation needed in the payments space is chip-grade security for online payments through various channels. "Card present" payments—those made in person—with chip cards have a robust approach to security woefully missing online. 

Each Card Present payment instruction made with a chip card is signed with a unique cardholder key, which uniquely stamps each payment so it's tied to the cardholder, cannot be tampered with, and cannot be replayed, Wilson says: "You cannot clone a chip card because the key is held inside the chip and only ever activated, on a transaction-by-transaction basis. No attacker can skim chip cards, and then clone the cards." 

It’s for that reason Wilson said from the outset that Coin and Plastc could not promise an upgrade to chip cards. “It’s just not possible to take your chip cards and copy them into one super card, as Plastc and Coin did with mag stripe cards.” 

However, thieves can still steal card holder details and use them online, because "card not present" payments still use unsigned personal data, Wilson adds. 
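An added illustration, not from the article or from any payment scheme's specification: a simplified model of the contrast described above, where a per-payment signature bound to a counter is rejected when replayed or altered, while unsigned static card details are accepted every time they are presented. HMAC-SHA256, the class and function names, and the sample values are all assumptions; real chip cards use their scheme's own cryptogram algorithm.

```python
import hashlib
import hmac
import json

def _mac(key, pan, amount_cents, merchant, counter):
    msg = json.dumps([pan, amount_cents, merchant, counter]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: the key stays inside; callers only get per-payment tags."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0
    def sign_payment(self, amount_cents, merchant):
        self._counter += 1  # fresh counter value for every payment
        tag = _mac(self._key, self.pan, amount_cents, merchant, self._counter)
        return {"pan": self.pan, "amount_cents": amount_cents,
                "merchant": merchant, "counter": self._counter, "tag": tag}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter, self._static = {}, {}, {}

    def enroll(self, pan, key, expiry, cvv):
        self._keys[pan], self._last_counter[pan] = key, 0
        self._static[pan] = (expiry, cvv)

    def authorize_signed(self, tx):
        expected = _mac(self._keys[tx["pan"]], tx["pan"], tx["amount_cents"],
                        tx["merchant"], tx["counter"])
        if not hmac.compare_digest(expected, tx["tag"]):
            return "rejected: bad signature"   # altered after signing
        if tx["counter"] <= self._last_counter[tx["pan"]]:
            return "rejected: replay"          # counter already used
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"

    def authorize_static(self, pan, expiry, cvv):
        # Unsigned card details: the same values are accepted every time.
        return "approved" if self._static.get(pan) == (expiry, cvv) else "declined"

def demo():
    pan, key = "4111111111111111", bytes(range(32))  # constructed sample values
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key, "12/30", "123")
    tx = card.sign_payment(2500, "COFFEE-SHOP")
    tampered = {**card.sign_payment(2500, "COFFEE-SHOP"), "amount_cents": 250000}
    return {"first": issuer.authorize_signed(tx), "replayed": issuer.authorize_signed(tx),
            "tampered": issuer.authorize_signed(tampered),
            "static_reuse": [issuer.authorize_static(pan, "12/30", "123") for _ in range(2)]}
```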

While the payments industry has pushed the 3-D Secure protocol, which provides an additional authentication layer for online purchases, it has a poor user experience and isn't all that secure, Wilson says. 

"The industry has been avoiding the inevitable—transaction signing in the online environment just as we do offline," he says. The barrier has been figuring out how to get chip cards interfaced through commodity computers, but there's another way—replicating cardholder data within mobile phones. 

This is how ApplePay and SamsungPay essentially work, given they store cardholder details inside special security chips, known as secure elements, in the phones, Wilson says. The problem is that these solutions are proprietary. 

"How about we just replicate chip card functionality in phones, in an open manner," Wilson says. "Let banks issue virtual cards by writing their card data and keys into the secure elements in an open, standards-based and non-discriminatory way. 

"Banks and innovators need access to the secure elements, but that's controlled by handset manufacturers and carriers, because they are wedded to a rent-based business model where the precious secure element storage is levied," he adds. "The tech innovation is pretty easy. The business models need changing."
