Second-hand POS systems on eBay, for example, may offer a cheaper alternative to new equipment, but pose a risk of acquiring out-of-date software or systems with longstanding security weaknesses.
Even deep-pocketed companies are finding it increasingly difficult to keep hackers out of their POS systems.
Target's breach, in which it lost details of 40 million payment cards and 70 million other personal records, was attributed in part to malicious software called a "RAM scraper." The malware collects unencrypted card details from a computer's memory just after a card is swiped.
POS systems have long been a mysterious area for security researchers due to their pricey hardware and software, Oh said.
From the system he bought on eBay, Oh analyzed an application called "Aloha Table Service 5.3.24," which bore a copyright notice of Radiant Systems from the 1990s.
The software ran on a slimmed-down version of Microsoft's Windows XP operating system for "embedded" devices such as POS terminals. The last time Windows security updates were applied was around March 2007.
Oh said a business was using the Aloha device "less than a few months ago" even though it is years old.
He also found a memory-related problem known as a "heap overflow" within a component called the Aloha Durable Messaging Service, which shuttles information between front-end and back-end systems.
If exploited, the heap overflow "could provide an attacker with full system level control of the target system," he wrote via email.
POS systems are generally supposed to be segregated from the Internet. But restaurants often make configuration errors, such as not properly isolating them from the free guest Wi-Fi, providing a possible point of entry into the network.
That would "present a big problem — a vulnerable XP machine waiting for remote attack," Oh wrote.
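The segmentation mistake described above, a guest Wi-Fi network that can reach the POS LAN because of a permissive rule order, can be caught before an attacker finds it by auditing the firewall policy. The following is an added example (not code from the article, Oh, or any of the vendors named): it models a first-match-wins rule chain with hypothetical subnets, evaluates a weak policy beside a corrected one, and returns every guest-to-POS path the policy leaves open.

```python
"""Audit a first-match firewall policy for guest Wi-Fi -> POS reachability.

All addresses, subnets and ports below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int] = None   # None means any destination port


# Hypothetical zones on a restaurant LAN.
GUEST_WIFI = "192.168.50.0/24"
POS_LAN = "10.10.10.0/24"
ANYWHERE = "0.0.0.0/0"

# Weak policy: the blanket "guest may go anywhere" rule is matched first,
# so the later deny into the POS LAN never fires for guest clients.
WEAK_POLICY = [
    Rule("allow", GUEST_WIFI, ANYWHERE),
    Rule("deny", ANYWHERE, POS_LAN),
]

# Corrected policy: an explicit guest -> POS deny precedes the blanket allow,
# and traffic into the POS LAN is denied from everywhere else by default.
HARDENED_POLICY = [
    Rule("deny", GUEST_WIFI, POS_LAN),
    Rule("allow", GUEST_WIFI, ANYWHERE),
    Rule("deny", ANYWHERE, POS_LAN),
]


def first_match(policy: List[Rule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """Evaluate a packet against the chain; first matching rule wins, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def audit_guest_to_pos(policy: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return every (guest host, POS host, port) combination the policy allows.

    Sample hosts and ports are constructed; in practice they would come from
    the network inventory and the services the POS terminals actually listen on.
    """
    guest_hosts = ["192.168.50.23", "192.168.50.77"]
    pos_hosts = ["10.10.10.5", "10.10.10.9"]
    ports = [445, 3389, 5900]
    open_paths = []
    for g in guest_hosts:
        for p in pos_hosts:
            for port in ports:
                if first_match(policy, g, p, port) == "allow":
                    open_paths.append((g, p, port))
    return open_paths


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        paths = audit_guest_to_pos(policy)
        print(f"{name}: {len(paths)} guest->POS paths open")
        for path in paths:
            print("  ", path)
```

Because real firewalls evaluate rules in order, the audit has to replay that order rather than look for the presence of a deny rule somewhere in the list; the weak policy does contain a deny into the POS LAN, but it is shadowed by the earlier allow.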
NCR public relations officials did not respond to repeated requests for comment. But Snell said NCR appears to have made a great effort to shore up security since it bought Radiant.
Snell said Viableware demonstrated its Rail Pay system around the end of 2011 to P.F. Chang's China Bistro, a restaurant chain that disclosed a credit and debit card breach last month.
The company used the Aloha software, Snell said, but a P.F. Chang's spokeswoman declined to confirm it.
However, P.F. Chang's was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant's acquisition by NCR.
Snell said his conversations with senior executives at P.F. Chang's gave him the impression the company was technically competent when it came to POS security.