> Hell, I have never seen a ReactOS installation in the wild

It's not especially common, but I do know of a couple of kiosks and a PoS system that run ReactOS under the hood to avoid Windows licensing.




How the hell do they get PCI certified with ReactOS?


I don't have details, I just happened to see a crash to desktop, but it may not have been certified - many Australian retailers will pay the fines rather than go through the effort of ensuring compliance.


I think it would be pretty rare for Australian POS machines to handle credit card details. Almost everywhere I only see these systems using a separate terminal with its own network connection to handle the card transaction. Usually there is integration (the POS system tells the terminal the price and to prompt for a card) but I don't think the card data ever touches the POS terminal itself (unlike the way they seem to work in the US).

This is a pretty good system, because the terminals are able to be updated really easily. A lot of cafes and stuff also use iPad POS software (one called 'Vend' is really popular here) and it doesn't have to be certified. This is part of the reason that it took hardly any time for almost everywhere to support contactless six or seven years ago. For example at Myer the POS systems look 15 years old but the attached card terminals are usually only a year or so old.


The iPad solution is certified by the vendor; these employ a PCI P2PE certified terminal and a PA-DSS certified PoS software on the device. The software enforces security controls on the device as well as performs checks such as root/jailbreak detection, iOS patch level, security/passcode settings etc., and if any of these do not match what the vendor specifies (which is what they certified) it won't work.

As for the terminals on older PoS, as long as the PED is certified and the PoS is certified it's not a problem.


Ah the Tesco method. :)


Typically credit card processing is handled entirely by a physical device plugged into the computer. The computer isn't in a PCI zone.


The POS is very much in the PCI zone, the PED and card readers will be certified separately.


If the POS doesn't touch card data how would it fall under PCI?


Card data isn’t the only data that is covered by PCI SSC standards.

Card holder PII is also covered and is even considered more important these days since CC numbers are easy to rotate but your identity isn't.

Also, even if the PoS doesn't see the card details it is part of the payment acceptance process, and if it's compromised the payment process can be affected even with P2PE devices.

If the PED is completely separated from the payment process, e.g. those in which the vendor has to type in the amount separately, and the PoS doesn't take any customer PII ever, you may be able to get away with using something like ReactOS on it.


If the PoS system is regarded similarly to a CC-accepting website that proxies CC data to an endpoint, then the OS shouldn't be a variable of PCI compliance.


Most (European) terminals don't even proxy to the computer; they're completely independent devices connected to wifi that communicate directly with the bank. The connection to the computer is used only for "1 EUR" and "OK"/"FAIL" kind of messages and is completely optional.
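The split described in this comment, as an added example that is not from the thread or from any terminal vendor's real protocol: the terminal side holds the card data and talks to the bank itself, while the PoS side only sends an amount and gets back an approval flag, a masked PAN and a reference. The message shapes, the reference format and the 4111... test PAN are constructed assumptions for illustration. The PoS side also runs a defensive check that nothing resembling a full PAN arrives in the response, so a misconfigured terminal integration cannot silently pull the PoS into PCI scope.

```python
"""Constructed model of a PoS talking to a standalone (P2PE-style) card terminal.

Example code added for illustration; not from the thread or any real vendor API.
"""
import re
from dataclasses import dataclass

# Constructed input: a well-known test PAN. Only the terminal side ever holds it.
_TERMINAL_PRIVATE_PAN = "4111111111111111"

# 13 to 19 consecutive digits, not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, used to tell a PAN apart from an ordinary long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class TerminalResult:
    status: str       # "OK" or "FAIL" (the thread's "OK"/"FAIL" messages)
    amount_cents: int
    masked_pan: str   # last four digits only; never the full PAN
    ref: str          # constructed transaction reference


def terminal_authorize(amount_cents: int, pan: str = _TERMINAL_PRIVATE_PAN) -> dict:
    """Terminal side (simulated bank round trip).

    The PAN is read, validated and used here; only a non-CHD summary is returned.
    """
    approved = luhn_valid(pan) and amount_cents > 0
    return {
        "status": "OK" if approved else "FAIL",
        "amount": amount_cents,
        "masked_pan": "**** **** **** " + pan[-4:],
        "ref": f"TRX-{amount_cents:08d}",  # assumed reference format
    }


def contains_pan(text: str) -> bool:
    """True if any digit run in the text looks like a Luhn-valid card number."""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


def pos_parse_response(response: dict) -> TerminalResult:
    """PoS side: accept only the summary fields and refuse anything that
    carries what looks like a full PAN, so CHD is never stored on the PoS."""
    flat = " ".join(str(v) for v in response.values())
    if contains_pan(flat):
        raise ValueError("terminal response contains a PAN-like value; refusing to store it")
    return TerminalResult(
        status=response["status"],
        amount_cents=int(response["amount"]),
        masked_pan=response["masked_pan"],
        ref=response["ref"],
    )


def pos_request_payment(amount_cents: int) -> TerminalResult:
    """The whole exchange: PoS sends "<amount>", terminal answers "OK"/"FAIL"."""
    return pos_parse_response(terminal_authorize(amount_cents))


if __name__ == "__main__":
    print(pos_request_payment(100))   # 1 EUR, approved
    print(pos_request_payment(0))     # zero amount, declined by the terminal
```

Only the fields in `TerminalResult` ever reach the PoS; everything that would make the PoS part of the cardholder data environment stays inside `terminal_authorize`, and `pos_parse_response` is the guard that keeps it that way if the terminal side ever misbehaves.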


Even on P2PE terminals the PoS is in scope of the PCI-DSS if not the PA-DSS certification (alright I’m not sure how any PoS vendor will fly without PA) as they do (or can) pass some CHD through it even if it’s not the card numbers or the track data.

CHD under the PCI standards also covers PII card holder information, which does reach the PoS for handling refunds, managing promotions, club membership etc.

Even vPOS applications like those tiny card readers that hook to an iPad as the PoS do a lot of leg work despite them being P2PE. They check for root, they check for iOS version (security update), they check for proxy etc. That's all part of the PA-DSS certification for the application developer.

While it's possible for a retailer who's big enough that VISA can't say "we're not going to allow you to take payments with our cards", and for whom the fines are smaller than the cost of adopting compliance, to use these.

I wouldn’t imagine any PoS vendor even going with that since it would essentially put them at huge risk from both the PCI standpoint and general reputation damage.

As for certifying these, there isn't a single PA or PCI-DSS QSA out there that would accept ReactOS as a usable operating system, because if something goes wrong the QSA is liable if they certified something they shouldn't have.


No, you don't understand me. The terminals I'm talking about are completely independent, a computer is a peripheral to them, not the other way around (that's how it is with the ones you're talking about).

These are specifically marketed by banks as not requiring any certifications of the PoS.


Those are P2PE terminals which can be used in this manner, but it's not up to the banks who offer them to define that.

If the acquirer bank and the QSA accept that your use of these terminals is sufficient then sure, go ahead, but that means you don't intake any PII via the PoS, you don't use the credit cards to identify members, you don't use those terminals to scan non-CC based membership cards, and you have no PII at all, which means handling things like refunds and warranty is also not done via the PoS.


Just curious, can you share a few names?


Only worked with the kiosks directly, which were being deployed by Gumtree-Kiosk to medical clinics, and NEOTouch to retailers.

Both very small Australian companies, probably about 100k deployments between them.
