Companies Running old OS unsafe

I am working part time delivering pizza. I am amazed the company I work for is still using an outdated XP-based system. Most customers pay using a card, and I am surprised whenever I am given a check or even cash. The people that own the stores don't seem at all concerned about properly investing in up-to-date software that would protect their customers. With the exploits (from what I understand) used to steal data from Home Depot and Target a few years ago, I would think that business owners would learn their lesson and take basic computer security seriously. If a small business/company doesn't take basic steps such as using an OS with up-to-date security support, then are they liable if customer data is stolen? I would say yes they are. I'm a nerd but am no security expert.


Potentially they can be liable, or at least may find they cannot accept credit cards if the banks withdraw their services due to security concerns.

Many small businesses sit outside of PCI DSS, but that is what you should read up on if this field interests you.

EDIT: Just to add, your employer may be using a third-party transaction service. This may mean their vulnerable systems don't directly handle or store sensitive personal data such as CC numbers; it all gets passed through over a secure link.

Let's not forget that the vast majority of ATMs still use Windows XP or Windows Embedded. This is starting to change, but slowly.

Windows Embedded POSReady 2009 looks exactly like XP but has support until 2019.

Also, many companies and governments are paying Microsoft for security patches for XP.

Although most of my work is now Linux based, I still have ongoing maintenance contracts for several VB6 applications running on XP. More bizarrely, one of those is connected to MS SQL Server 2000 hosted on Windows 2000 Server!

Some of the big Aussie mining companies are still running XP Professional. There are valid reasons why they do this, and it has to do with losing money if these companies had to stop production to change OS systems (which they invariably would have to do).

After the Windows NT incidents at big factories, the industry (especially heavy industry) standard is to go for the OS that is known for stability, no matter how old or unsecured, and up until recently big companies haven't trusted open source. Not to mention that upgrading and updating these machines can be quite expensive; hey, there are water treatment plants that still use MS-DOS.

Up to 5 years ago, one of my clients ran an MS-DOS Clipper application on Windows 98!

I'm not convinced there is too much of a problem with systems using embedded Windows, even if they are really old. Please correct me if I'm wrong, I have no personal experience and am guessing mostly, but surely it doesn't matter if cash machines run old versions of Windows: the screen is the only way the public can access the machine, there is no way of downloading any software into it from there, and any communication other than that will be over Ethernet to the bank. For the networked connection, surely that is protected by network-based defences (firewall, encryption etc.), and it doesn't matter what OS it is on for that.

I work a lot with PLCs, controllers and HMIs. The HMIs I use run off either Win CE or Win98 (not sure which), but all these devices are not networked in a conventional sense. They all use PROFINET protocols instead of Ethernet, and are generally not connected to any external Internet. This makes them perfectly secure most of the time. The only Internet access on most of the plants I've visited is on the operators' machines, which again use PROFINET to communicate with the machinery. This will not allow any virus over the network, as there are specific safety features built into it so the devices can only be programmed using certain languages and machines. So apart from office/commercial/home use, I am not convinced there is much risk to industry machines running embedded Win.

But please, if you disagree or have different experiences, feel free to correct me.

My view on those kinds of scenarios is that security is less of a problem and it comes down to supportability.

If your systems were installed quite a while ago, do you still have people with the ability to fix problems with them? If the OS is no longer supported by MS, then you may get stuck if you want to change the devices in some way that requires additions or changes to the OS needing source code access.

In my view this is where open source has the advantage over proprietary, as the original source code for the OS and software will hopefully be available, so a skilled developer could be hired to support the changes.

I believe the US Marine Corps recently changed the OS spec from embedded Windows to Linux for these kinds of reasons for some new equipment that they are procuring. It was originally specced (about 10 years back) to have embedded Windows XP but instead will now have some form of GNU/Linux.

The aerospace industry is another area where computer systems will need to have 30+ year life spans, and Microsoft etc. will simply not provide that.