This is all true, but if you've compromised a merchant deeply, it doesn't seem impossible to run a $1 charge as a (bad) customer and then give that customer (you) a, say, $1,000 refund.
You can only void existing transactions, so the money would be returned to the same card, and the amount would be limited to the originally captured amount.
It is possible to create a "push" transaction too of course. Visa Direct, Mastercard MoneySend, etc. But that requires a separate merchant account, and should not be possible from the card reader or POS.
If you've compromised deeply enough to be in the AP system, you can create arbitrary payments, but that's well out of scope for this thread.
Then you could just complete a normal transaction on their website and introduce your account into their system that way, no real need for a compromised terminal?