I'm talking about cards like Ballet Crypto and Coinfinity, which have a QR code on them, and possibly a public or private key. What is inside the QR code, and how do you load it with funds? If private keys are revealed then how is that possible without compromising security?
Looking at the Ballet Crypto one... the
visible QR Code is simply used for encoding the the deposit address... the underneath side of QR sticker, has a second QR code that contains the "encoded private key" (it's a BIP38 encrypted private key).
4. In Ballet’s secure printing facility, a two-layer QR code sticker is printed with the EPK on the concealed bottom layer and the deposit address on the exposed top layer.
To load with funds, you simply scan the QR code (or type in the displayed address) and send funds to the address as a normal transaction.
The passphrase for this BIP38 encrypted private key is stored under the "scratch off panel" on the front of the card...
8. At Ballet’s secure facility in the United States, the wallet passphrase and serial number are laser-etched onto the physical product.
a. The physical products and QR code stickers are double checked to ensure that all three serial numbers match correctly.
b. A strip of tamper-evident scratch-off material is then applied over the wallet passphrase to conceal it.
Is it true that cards are supposed to be for one-way sending, and when you extract the funds, the card becomes unusable? So it's effectively a piggy bank?
Yes, it is effectively a piggy bank... once you peel the sticker and scratch off the panel, the private key is essentially "compromised"... the key should be "swept" ASAP and funds transferred to another secure wallet. Re-use should be avoided if possible.
Essentially, it's just a fancy "paper wallet" (or "physical bitcoin"), just in a plastic credit card format instead of being printed on paper or on a "coin" shaped object. You can also get tamper evident stickers/seals for paper wallets and most physical bitcoins use them as well.