The best card machines are the ones which do encryption in the pinpad, because in this instance all cardholder data is encrypted in the device when the card is inserted and the PIN entered. Here no cleartext cardholder data propagates through the network, and it does not even enter the POS memory (where memory scrapers have been known to exfiltrate that data).
Look at solutions such as P2PE... That said, it is very common to see organisations where cleartext cardholder data is transmitted from the pinpad into the POS (Windows XP or Windows 7 typically), out into the network, to a backend store server, over an MPLS link to a server of some kind (sometimes Windows Server 2003, despite this being a critical vulnerability), and then on to the payment acquirer. Where Windows Server 2003 or XP is used, as part of PCI-DSS that is flagged as a major vulnerability and the company has to take a decision on whether they accept the risk or not. We will always flag it and the risk is made very clear.
Reasons for accepting the risk could be that the vendor who installed the POS worldwide in 2002 is no longer in business, so new POS systems, new pinpads, new backend store servers etc. all need to be sourced, which could cost multiple millions of pounds. Here we commonly see companies trying to upgrade to Windows 7 on the POS, and they will try to run the old vendor software, but when it fails and the vendor no longer exists, there is little option but to go back to XP until they can get the budget to effectively scrap the whole solution.
Luckily, we are seeing so many large firms moving to end-to-end encryption.
A lot of this stuff seems elementary, but doing the basics, such as changing default passwords for webcams, switches, routers etc. and any server software running (i.e. Apache Tomcat etc.), helps enormously, as does keeping the latest OS patches installed.
Edited by ukhardy07 (Mon 12-Dec-16 00:09:00)