Card data isn’t the only data that is covered by PCI SSC standards.
Card holder PII is also covered and is even considered more important these days since CC numbers are easy to rotate but your identity isn’t.
Also, even if the PoS doesn’t see the card details, it is part of the payment acceptance process, and if it’s compromised the payment process can be affected even with P2PE devices.
If the PED is completely separated from the payment process, e.g. those in which the vendor has to type in the amount separately and the PoS doesn’t take any customer PII ever, you may be able to get away with using something like ReactOS on it.
If the PoS system is regarded similarly to a CC-accepting website that proxies CC data to an endpoint, then the OS shouldn't be a variable of PCI compliance.
Most (European) terminals don't even proxy to a computer, they're completely independent devices connected to wifi that communicate directly with the bank. The connection to the computer is used only for "1 EUR" and "OK"/"FAIL" kind of messages and is completely optional.
Even on P2PE terminals the PoS is in scope of the PCI-DSS if not the PA-DSS certification (alright I’m not sure how any PoS vendor will fly without PA) as they do (or can) pass some CHD through it even if it’s not the card numbers or the track data.
CHD under the PCI standards also covers PII card holder information which does reach the PoS for handling refunds, managing promotions, club membership etc.
Even vPOS applications like those tiny card readers that hook to an iPad as the PoS do a lot of leg work despite being P2PE.
They check for root, they check for iOS version (security update), they check for proxy etc. That’s all part of the PA-DSS certification for the application developer.
While it’s possible for a retailer who’s big enough that VISA can’t say "we’re not gonna allow you to take payments with our cards", and for whom the fines are smaller than the cost of adopting compliance, to use these, I wouldn’t imagine any PoS vendor even going with that since it would essentially put them at huge risk from both the PCI standpoint and general reputation damage.
As for certifying these, there isn’t a single PA or PCI-DSS QSA out there that would accept ReactOS as a usable operating system, because if something goes wrong the QSA is liable if they certified something they shouldn’t have.
No, you don't understand me. The terminals I'm talking about are completely independent, a computer is a peripheral to them, not the other way around (that's how it is with the ones you're talking about).
These are specifically marketed by banks as not requiring any certifications of the PoS.