[cynwoody]

> Also, the hack was most likely not on the POS system but on their payment switch (software for payments routing not to be confused with a network switch). There would be one central point where all their transactions are funneled to their various payment networks.

Interesting. That strikes me as a rather dumb way to architect a system. Much better is a simple HTTPS request direct from the POS terminal to the payment processor. That way the bad guys have to hack the individual terminals. Of course, given a little automation, once they've figured out how to compromise one POS terminal, the rest are just a bunch of parallel loops away.

Ten or 12 years ago, I implemented POS interfaces to Fifth Third and Concord EFS. The POS in question was designed for use in individual retail stores, where there might be half a dozen registers.

Both Fifth Third's and Concord's interface took the form of a single HTTPS request to a designated URL. As I recall, Concord's was by far the simpler interface, requiring only the obvious data. Fifth Third's had a lot of legacy nonsense, requiring you to figure out what you really needed to provide. Both had a POS interface certification process, wherein you needed to hook up to a test system and correctly process a bunch of test transactions.

Fifth Third did have a batching function, but it did not require the establishment to store transactions client-side. Rather, the batch was accumulated on the payment processor's server. The POS system could request that a batch be closed (at the end of the business day, for instance). There was also a web login that the store manager could use to check on the status of the day's charges and some number of closed batches.