An investigation into credit card information disclosure through Point of Sale purchases

Abstract

The use of debit and credit cards has become indispensable to consumers worldwide. This cashless method of payment offers flexibility and convenience. It eliminates the safety risk of carrying large cash amounts in person and cards can be cancelled as soon as it is lost or stolen. One of the most popular methods of non-cash transactions is through a Point of Sale (POS) terminal. A POS is a quick and convenient method for a customer to pay a business, but may lead to the disclosure of sensitive information without the knowledge of the customer. By investigating the information printed on the customer and merchant transaction receipts at various POS devices in South Africa, it is shown that information provided on the POS transaction receipts can put the consumer at risk as the credit card number, expiry date and name of the card holder may be printed on these transaction receipts. This paper investigates various POS devices used by South African businesses and the relevant information printed on the merchant and customer transaction receipts after a transaction. It is shown that the information contained in the transaction receipts from certain POS terminals is sufficient to perform successful online purchases at multiple online shopping sites. We also show that when the CVV number on the back of the credit card can be obtained while the transaction is in progress, even more online shopping sites can be successfully used without the authorisation or knowledge of the credit card owner.