Hacker News new | comments | ask | show | jobs | submit login
Card.io - fast and easy mobile credit card scanning (card.io)
166 points by davidedicillo on June 23, 2011 | hide | past | web | favorite | 55 comments

(Full disclosure, I'm a stock holder in Square)

There are two good reasons Square doesn't do this that I can think of off the top of my head.

First, CNP vs CP card processing rates. http://en.wikipedia.org/wiki/Card_not_present_transaction

Every credit card has the CC number encoded in to the back of the card, but in addition to that, it has a couple bytes of extra information. That extra information qualifies the merchant for a lower processing rate if they SWIPE the card. That means, when you take a picture, you are paying closer to 3.5% instead of 2.75% for every transaction. (rates quoted are square's cp vs cnp rates)

Some merchants are extremely sensitive to this, other aren't. The larger a merchant is, the more likely they are going to care. On the other hand, no merchant wants to lose a sale, 3.5% of a sale is still better than 100% of a lost sale.

The other reason is based on UX. It feels really weird to have someone take a picture of your credit card using their cell phone. The apps that use this technology might be doing anything with that image.

Otoh, more people should take credit cards!

(edit: Sidenote, Square considered doing this before the swiper was invented, during the very first month or so. Doesn't mean it is a bad idea, just that Square moved away from it in favor of a swiper.)

When I first saw this, I had a different use-case in mind, where a person would just take a picture of their own credit card for an in-app purchase, instead of a vendor using it to accept money from another person. (Hence the focus on developers.)

If you AB tested giving someone a screen where they put in their credit card number, or a screen where they just took a picture of it, you might find that people are more willing to take a picture. People are probably more comfortable with a photo of their credit card being taken on their own phone than someone else's phone. To the app, both of these are CNP transactions.

That was my initial thought too. Instead of having to type all of your information using a tiny keyboard or on-screen one, you just snap a picture. I suppose, though, that most online markets allow you to save your information and the problem really isn't that big after the first entry. Something like this is kind of neat, but nothing new or novel. OCR has been good enough to do this for a long time.

> The other reason is based on UX. It feels really weird to have someone take a picture of your credit card using their cell phone. The apps that use this technology might be doing anything with that image.

To be fair, any company that gets my credit card number (restaurants, Walmart, Amazon, every random e-shop on the internet) could be doing anything with my credit card, so this concern isn't exactly new or very scary.

To you, no.

Consumers have an irrational understanding that swiping a credit card is safe. Taking a picture of it is likely the sketchiest action a merchant could take, in the eyes of the average uneducated consumer.

This cannot be overstated. Companies live or die based on the perceptions they create, technical details be damned.

I think you are missing the point. This is not meant to be used like Square is. This is meant to be embedded into other application that accepts in app purchases that can't be done with the In App system provided by Apple.

Otoh, more people should take credit cards!

We should be moving away from credit cards. They are becoming an archaic technology.

While low-tech, credit cards are very flexible. I worry that the more high tech approaches (NFC, etc) are motivated not because its a step forward, but because its an opportunity to grab more control of the market, and leave consumers more exposed to fraud.

How are credit cards more flexible than a computer in your hand? Worst case your phone acts exactly like your credit card where you read numbers off of it.

Also, how would a phone lead to more fraud? You could authorize each transaction by cryptographically signing it after entering a passphrase. With a credit card anyone that steals your numbers can charge to it.

Magnetic credit card readers are cheap; look at how much Square charges.

The fraud prevention mechanism for magnetic cards is mostly reactive and doesn't require "passphrases" or "cryptographically signing," which is a big usability win.

Since issuers are on the hook for unauthorized charges, and generally make money from transaction fees, it's in their best interest to find a good compromise between fraud protection and usability. Adding consumer software and a wide variety of commoditized portable computing devices into the mix doesn't seem worth the cost.

What do you propose we replace them with?

Our phones

Also did you notice its 15¢ per scan!! I believe it will add on to the 10¢-15¢ + percentage merchants have to pay to the processor per Transaction.

Yeah, this matters way more for transactions less than 5 dollars where it starts to be a large %. If you go to 100 dollar range, it doesn't matter at all. The 10-15 cents just means they are looking for people who sell big things, not coffee shops.

Or lots of little things over time. The user only needs to scan the card the first time.

The other reason to run CP .vs CNP is, of course, fraud resolution. If you had the card in your hand, it's much less likely to have been someone running an online scam.

But the, why doesn't having a photo of the card in-question also qualify for a CP?

I think Square moved toward being able to swipe because it's more 'traditional'. People were going to be upset about vendors taking a pic of their card.

On the other hand, Square requires a merchant to have particular hardware to receive payments (swiper), this method does not. Good point on the CNP vs CP though, I never knew about that.

Hi gang, this is Mike from card.io.

socmoth, CrazedGeek, and tbgvi are right that this is considered a CNP transaction and rates are higher. However, our focus is on mobile developers, not retail merchants. By taking friction out of the mobile checkout flow for those developers (because customers don't have to type out their cc number), conversions are higher, and thus revenues are higher.

Regarding the user experience: folks are used to scanning barcodes with RedLaser, business cards with CardMunch, and checks with PayPal and the Chase mobile app. If we can make credit card purchasing easy and fast on the phone, that's a good user experience.

Thanks for the feedback!

This is completely from left field, but should you ever move the project to an alternate domain name, card.io would be a perfect domain for a fitness-related app focusing on cardio workouts.

I can see the title on HN: "Card.io - fast and easy workouts"

I honestly thought that this was a fitness related site. I can't help but still think of it that way even though I know what it is now.

I also thought it was going to be fitness-related.

CardMuch, Checks are both examples of me taking a picture of something I own (check, biz card) using my own cell phone. Card.io is someone else taking a picture of my credit card, using their cell phone. In the first two examples, I have control and ownership. In the last example, I have ownership (of the data/card) but no control of the software.

Anything that increases conversions is great! Best of luck! I look forward to seeing it in the wild. In fact, are there any merchants in SF I can watch use it yet?

I may be wrong, but I believe the premise behind card.io is that you buy something in an app (a good old in app purchase), and instead of typing in all your credit card info, you simply take a picture of your credit card for payment.

Doesn't seem that card.io is trying to get merchants to use this as a Square replacement at this point.

timjahn, you're right (I've seen it in action). Users will be scanning their own cards for purchases made on third party apps. It's really slick.

Invariably, anytime someone writes "simply" what they mean is "quite a bit clumsier than the alternative".

It seems to me that all this app does is OCR your name/number/date, instead of having you type it in. I'm sure there will be some users who will be wary of it, but it's not like it can get any more info than you would type into a game or whatnot.

Of course, I'm not sure how this is useful, since I understand that in-app purchases need to be tied to the App Store account, but it might be more useful for Android.

Thanks! We're working with mobile app developers, not retailers or physical merchants. So, instead of typing in your card number into a purchase form, you'll just scan your card from your own phone. We'll have more info about developer partners soon!

Interesting. I was talking about this idea 2 weeks ago with some friends. Here in France Square doesn't work since only chip cards are accepted, not magnetic stripe cards. So card.io could have a greater market penetration worldwide than Square.

This looks even smoother than Square, but I'm curious to see how it handles credit cards with the silvery ink worn off of the numbers, or cards with complex graphics on the front.

This is Josh, CTO of card.io. Those are definitely challenges, but we've put quite a lot of effort into handling exactly those sorts of problems, and we do pretty well with them (if I say so myself).

One interesting tidbit on this front, from someone who spends a lot of time admiring credit cards: Only some cards have silvery ink on top of the numbers. Some others have silvery plastic underneath the main ink layer (usually part of the card's overall graphic design), so the numbers become more silvery with wear, not less. And yet others have no silver anywhere at all. TAANSTAFL. :)

This looks awesome. One thing I could see becoming an issue is in your best case scenario.

Say things are wildly successful and people come to expect that merchants will be taking a pic of your credit card with their phone. So you easily hand over your card to some random person to take a pic of it - assuming they are using Card.io.

However, what is to prevent nefarious people from just taking a pic with their own app or their own camera ?

So what would be good would be if there is some way to indicate (quickly) to the cardholder that the user is actually using Card.io to take the pic, rather than the Camera app - so they are not paranoid about people stealing their numbers.

Maybe turning the flash light red (is that even possible?) or something subtle that is a unique indicator that Card.io is being used and not some other app.

With Square, it is that little dongle - although I know that once Square gets big enough and the incentive gets large enough for people to create knock-offs of that dongle, I think it's much harder than say using a Camera.

Otherwise, awesome app.

> Say things are wildly successful and people come to expect that merchants will be taking a pic of your credit card with their phone. So you easily hand over your card to some random person to take a pic of it - assuming they are using Card.io.

When you're sitting in a restaurant and hand over your credit card, the waiter is now in total posssesion of it.

They could take a picture of it.

They could go to their laptop and make purchases from China.

They could run out the backdoor and never return it.

Handing over your credit card is a common enough thing, because you are protected from fraud by the credit card companies policies---not by your own regard for if the person you're giving your card is trust worthy or not.

That may be true, just saying....it could provide another avenue of fraud if the best case scenario does play itself out.

Not saying other avenues of fraud don't exist or cardholders aren't as vulnerable without it.

Just stating what I think will likely be a side-effect, that these guys should at least pay attention to.

This is Mike from card.io. That's a great suggestion - we'll be watching the user experience very closely and will give your idea some thought!

Based on developer interest, a common use case will be scanning your card from an app on your own phone - in that case, you're scanning your own card, and you're in control. But this us a great suggestion for retail usage.


Just throwing it out there...and the truth is...it might not even materialize...but you never know.

Can you scan the back to get the CVV2 code? All the information you need from the front is embossed so you can read it on the back too.

When I buy stuff online then I always make sure the browser's sending data over HTTPS (both on my mobile & desktop). I don't think I'd trust a 3rd party app to safely store and transmit my credit card data. Even non-technical people know to "look for the padlock". Have there been any usability studies to see if users are happy scanning their card from an app?

Looks pretty cool, but wouldn't apple screw you? I don't think they'll like this, they want users to buy with the app store.

Thats true. I don't think anyone yet has thought about that. Nonetheless, it's a interesting idea. For me, I don't know if I'm comfortable with taking a picture of my card. But who knows.

card.io shouldn't be used for in-app purchases (Apple's StoreKit works quite well there), but for mobile commerce: selling goods, travel purchases, daily deal sites, local services, and the like. These are all places where commerce is taking place outside of the App Store.

(edited to add that this is Mike from card.io)

Is anyone aware of any direct competition in the credit card "scanning" space?

FirstData is king. Huge market share.

There's also FaceCash by Think Computers/Aaron Greenspan[1].

[1] http://news.ycombinator.com/user?id=thinkcomp

I mean, there's Square... but they use a hardware piece. I'm interested to understand why the hardware piece is better than the photo scanner. Is it more secure? More reliable?

I might be wrong, but I seem to recall that credit card companies charge less in fees for magnetic strip readings than just entering in the number, which the photo scanner would be analogous to.

No, you're right :) Swiping a card makes it a card present transaction, which have lower rates than keyed entry. Some processors will even shut you down if too many of your transactions are keyed (worried about fraud).

From what I can tell, this just does the scanning and doesn't actually process the transaction though? Could be wrong on that. Also, 15 cents per scan seems expensive.

At the same time it's possible that they cut deals with the processors to be certified in some way, so that if the numbers are retrieved using their service the card is considered present.

I'm a little unclear on this--does Card.io handle the payment processing too, or just the card capture itself? If they don't handle the payment processing, how does the card number get passed along?

Hi Kyle, we're just doing the card capture today. Many of our developers already had merchant accounts and were just looking to get rid of the pain of having their customers type in the card number. We scan the card and return the number via SSL to the developer who finalizes the transaction.

-Mike from card.io

Constructive criticism: This is an example how how the illusion of a beautifully designed, professional-looking site is easily burst by an amateur how-to video.

Hi Pud, Mike from card.io here. I totally agree, and thanks for the criticism. This video goes up tomorrow, courtesy of @zumpangofilms: http://youtu.be/7lg0nMH4NFk?hd=1

How reliable is this? I can barely read my american co-founders credit card numbers on his card.

Gaaahh! Shaky camera action!

Mike from card.io here. Sorry about that. Try this one: http://youtu.be/7lg0nMH4NFk?hd=1

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact