
Agreed. Looks like this is a big deal™. Would love to know the method of spreading across all their points of sale, were they running on Windows?



A ton of POS systems run on Windows. Most on Windows XP Embedded.


In the industry I am in (mostly grocery, convenience, some specialty retail), most have moved to at least POSReady 7, and some are looking at Windows 10, though there are other concerns with PCI compliance there. Most of the large retailers are pretty good about keeping these things away from the general Internet, but once an attacker is in your network, most bets are off. The most important thing to do is to look for retailers who are using the standalone pinpad devices (i.e., they don't take your card and swipe it in the keyboard or on the display). These standalone devices encrypt card data before that Windows-based point-of-sale ever sees it. You can't steal card data from a POS which never sees card data.


> Windows 10

I'd be worried about the system rebooting to do a system update while I turn my back for a minute to help a customer.


Domain credentials, an understanding of the IP or hostname scheme and a simple batch file could distribute something like this pretty easily, provided the proper controls aren't in place.



