I think I'm missing something obvious... Why not just encode the information into a magnetic stripe and pay like a normal credit card? What advantage to the thief does it have to force a barcode scan?

This might have something to do with it:

> When the transaction goes through, it’s recorded as card-not-present purchase.

> As a result of this emerging trend, instead of finding a large number of re-encoded credit cards during a search, a subject may only possess stickers or cards with barcodes that contain stolen card data,” the alert continues. “Additionally, the barcodes could be stored on the subject’s cell phone. If barcodes are discovered in the field, it could be beneficial to utilize a barcode scanning app to check the barcode for credit card data."

So, it sounds like the advantage is in doing something novel to avoid detection and hide proof better.

Some card types will force usage of the EMV chip when used in a card present transaction.

By instructing the cashier to manually key in a card (albiet using a barcode to expedite the process), they bypass the need for EMV.

Why didn't they embed the CVV and expiry date into the barcode? Maybe they can't embed a '\r' into the barcode, or the characters after the CR would be entered before the POS was ready to accept them?

because they probably didn't know you could jump fields.

But also because in an IBM POS the cashier has to physically press the enter key and wait (with delay) for the month/date and CVV.