We experimentally investigate the security of several smartphone point-of-sale (POS) systems that consist of a software application combined with an audio-jack magnetic stripe reader (AMSR). The latter is a small hardware dongle that reads magnetic stripes on payment cards, (sometimes) encrypts the sensitive card data, and transmits the result to the application. Our main technical result is a complete break of a feature-rich AMSR with encryption support. We show how an arbitrary application running on the phone can permanently disable the AMSR, extract the cryptographic keys it uses to protect cardholder data, or gain the privileged access needed to upload new rmware to it.