Well, if they contain the information rather than a pointer, they aren't harvestable (not sure what phishable means) because only the people you give cards to get them. It is true that URLs to vcards could get into databases if you hard your business cards out indiscriminately (for example in prize drawings etc.) and then those databases could leak.

You probably want a 2-way confirmation on this, in a social networking style. You put a small code on your business card. This code lets somebody establish a contact to you on a social networking site. You have to confirm that contact, and you can revoke it later if it turns out to be a source of spam or other problems. One nice aspect of this is that it can make all business cards two-way: If either one of us gives a card to the other, and the recipient enters it into the business network tool, the option is open for the reverse link to also be created as though we exchanged cards in both directions.