Well that article was completely devoid of information.

Here's the post by the researchers themselves: https://srlabs.de/pos-vulns/

tldr: POS card readers have poor security - their HSMs leak their keys, and many of them don't have unique keys so you can impersonate them

Ok, we changed the URL to that from https://www.rt.com/news/327161-credit-card-protocal-vulnerab....

The guys have also done a presentation on this in Hamburg a couple of days ago: https://events.ccc.de/congress/2015/Fahrplan/events/7368.htm...

Cannot find a recording yet

Recording is here: https://streaming.media.ccc.de/32c3/relive/7368/

But warning! This is pure stream dump, don’t expect high quality yet.

Official recording is out now: https://media.ccc.de/v/32c3-7368-shopshifting#video

It's not my job to defend the payments industry - I think it's full of dinosaurs putting out bad code slowly - but I will say that the flaws here are not universal.

I've worked on the security systems for some reader/terminal devices that contain their own master keys in wipe-on-tamper memory, and use various key-derivation techniques to derive (and then immediately discard) per-transactions keys to protect transaction information, PINs etc.

So it's not all as bad as this. However things like ISO-8583, better described as a protocol family or meta-specification than a single protocol, probably are rife with poor implementation choices.

The official release is out now:

https://media.ccc.de/v/32c3-7368-shopshifting#video

The raw stream dump from the CCC talk is available at https://streaming.media.ccc.de/32c3/relive/7368/

You should jump to 17:45 in that video for the start of the talk.