If it's money they're not expecting, no problem: they just declare and forfeit it to the tax authorities, like a bag of cocaine-drenched cash that was found in their store.
If it's money given to them in payment for goods/services, they reject it as non-legal tender. "I'm sorry, sir, we can't take that form of payment, do you have another?"
Wouldn't this open up the possibility of a DDoS-type attack performed by having millions of transactions of 1 satoshi (0.00000001 BTC) in dirty coins flung at the merchant by someone's botnet? It would force the merchant to reject each one at a computational cost, whether by giving the money back or by transferring it to the government.
Interesting problem, but I don't think it will actually be that big of an issue. The merchant could generate a new wallet for every customer, and simply "dump" any wallet under attack by said customer.
If it's money given to them in payment for goods/services, they reject it as non-legal tender. "I'm sorry, sir, we can't take that form of payment, do you have another?"
Software makes this very easy... even automatic.