
In the past there has been a mix of "off-the-shelf" memory scrapers as well as custom-written targeted malware. Generally they'll get inside the network and push out an exe/dll to all of the POS machines from some compromised machine. Depending on how locked down the POS machines are, there are various methods for either getting read access to the POS application process memory or having the dll injected into its memory. From there they find a way to extricate the data, either manually or automatically, depending on how locked down the network is. Application whitelisting solutions can really help block this kind of attack, but they're not perfect either. If an attacker can figure out how to get root on the machines, game over. This is why standalone point-to-point encrypted EMV card readers are the way to go. You can't scrape the process memory for data it doesn't have, and the card readers themselves are pretty tamper resistant (if you don't count external skimmers).


