These systems are usually Windows machines - typically "hardened" to various degrees (lock out USB keys, etc.) and protected by enterprise anti-virus solutions (McAfee, etc.).
The Windows build is typically a single "golden image" with a known checksum that can be blasted down to machines over WAN/LAN during the evening.
Source: I used to build and deploy the image to many thousands of POS systems at Dixons Store Groups retail chains (UK)
Doesn't DSG use their own custom-made EPOS system? Eclipse? Do you have any experience with it and their security policies?
I've had quite a few experiences as a customer at PC World when they've had "till failures" - ironic for a computer store. They often blame head office for overnight updates gone wrong.
In many ways this isn't surprising and has just been a matter of time. PoS systems are some of the least thoroughly engineered and least well protected yet critically important systems in existence. Hundreds of billions of dollars in transactions are processed through these often half-assed engineered systems.
Not commenting directly on your assessment of the state of PoS systems, but how does a software vendor (not OS or sys admin) protect against targeted malware that is able to get access rights to your RAM space from scanning for well known track signatures?
I agree more can and should be done, but protecting against targeted malware by a sophisticated attacker is a very difficult problem. The amount of money at stake is large, so the resources expended by the attackers are also large.
Personally I believe that the current credit card system is broken and needs a significant change, but this is a very difficult process.
1. How do you get 40 million cards in a day from scraping RAM? Wouldn't it be limited to live transactions? 40m seems like a huge number of transactions for one day. An average ticket of $50 would make it a 2 billion dollar day.
2. Why does the card data need to be decrypted on the POS system? Why can't it be sent to a central service and decrypted there, with an authorization code sent back?
From Target's press release, this happened between Nov. 27 and Dec. 15, so it's closer to three weeks. Dec. 15 was just the first day they confirmed the problem.