The Windows build is typically a single "golden image" with a known checksum that can be blasted down to machines over WAN/LAN during the evening.
Source: I used to build and deploy the image to many thousands of POS systems at Dixons Store Groups retail chains (UK).
I've had quite a few experiences as a customer at PC World when they've had "till failures" - ironic for a computer store. They often blame head office for overnight updates gone wrong.
"Enterprise anti-virus", what a joke. Put the lawyers to work.
Also, they apparently forgot to firewall it to only their internal network.
I agree more can and should be done, but protecting against targeted malware by a sophisticated attacker is a very difficult problem. The amount of money at stake is large, so the resources expended by the attackers are also large.
Personally I believe that the current credit card system is broken and needs a significant change, but this is a very difficult process.
1. How do you get 40 million cards in a day from scraping RAM? Wouldn't it be limited to live transactions? 40m seems like a huge number of transactions for one day. An average ticket of $50 would make it a 2 billion dollar day.
2. Why does the card data need to be decrypted on the POS system? Why can't it be sent to a central service and decrypted there and an authorization code is sent back?