All of this can be simplified by architecting purpose-designed networks, and for a minimum of cost. You have a firewall (and possibly a switch). There are two VLANs. On one (let's say VLAN 100) is the free Wi-Fi, the Pandora feed to the house audio, and the internet connection at the workstations the managers blow time at. On the other (let's call it VLAN 222) are the network connections for the POS equipment. On VLAN 222, the firewall allows no inbound connections, with the slim exception of VPN-secured traffic. Outbound connections on VLAN 222 are restricted to OS/AV/POS update hosts on SSL or similar and to CC auth processors. Generic internet access is banned on VLAN 222. The back-office POS software runs in a VM that only has access to VLAN 222. The manager workstation runs the VM if necessary and also has its own access to the internet (if necessary). The POS terminals, even if they are those hip, all-the-rage iPads, do not have internet access.
This is more or less (minus VMs, DSL, and iPads, and replacing the VPN with dedicated password-protected dial-in) the way we designed POS security in the late '90s when I was doing POS. As far as I can tell, it is mostly PCI compliant.
The issues we're seeing are people getting all manner of malware (from pr0n, etc.) on the manager's back-office workstation, similar on the POS terminals, and using LogMeIn/TeamViewer with weak passwords on the back-office server. We knew better 15 years ago, so anyone who is getting hit by such garbage is a lame hack.
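The two-VLAN policy described in the post, written out as an nftables ruleset. This is an added example, not the poster's configuration. It assumes (none of this is in the post) a Linux firewall with VLAN 100 on interface vlan100, VLAN 222 on vlan222 (10.222.0.0/24), the WAN on eth0, a WireGuard VPN terminating on the firewall as wg0 (10.8.0.0/24), and placeholder addresses for the update hosts and card authorization processor:

```nftables
# /etc/nftables.conf -- added example, not from the original post.
# Assumed layout (placeholders, adjust to your site):
#   eth0     WAN uplink
#   vlan100  guest Wi-Fi, house audio, manager internet (generic internet only)
#   vlan222  POS terminals and back-office POS VM (no generic internet)
#   wg0      WireGuard VPN, 10.8.0.0/24, the only inbound path to VLAN 222

flush ruleset

define WAN       = eth0
define GUEST_IF  = vlan100
define POS_IF    = vlan222
define VPN_IF    = wg0
define POS_NET   = 10.222.0.0/24
define VPN_NET   = 10.8.0.0/24

# Placeholder allowlist: replace with the real addresses of your
# OS/AV/POS update hosts and your card-auth processor.
define UPDATE_HOSTS = { 203.0.113.10, 203.0.113.11 }
define CC_AUTH      = { 198.51.100.20, 198.51.100.21 }

table inet pos_segmentation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept

        # The only service the outside world may reach on the firewall is the VPN.
        iif $WAN udp dport 51820 accept

        # Both VLANs get DHCP and DNS from the firewall itself, nothing else.
        iif { $GUEST_IF, $POS_IF } udp dport { 53, 67 } accept
        iif { $GUEST_IF, $POS_IF } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # VLAN 100: generic internet out, and only out.
        iif $GUEST_IF oif $WAN accept

        # VLAN 222: no generic internet. Only TLS to the update hosts
        # and the card-auth processor.
        iif $POS_IF oif $WAN ip daddr $UPDATE_HOSTS tcp dport 443 accept
        iif $POS_IF oif $WAN ip daddr $CC_AUTH      tcp dport 443 accept

        # Inbound to VLAN 222 comes only from VPN clients.
        iif $VPN_IF oif $POS_IF ip saddr $VPN_NET ip daddr $POS_NET accept

        # Everything else is already dropped by policy; log the cases that
        # indicate an infected POS host or a guest poking at the POS VLAN.
        iif $GUEST_IF oif $POS_IF log prefix "guest->pos blocked: " drop
        iif $POS_IF               log prefix "pos egress blocked: " drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN masquerade
    }
}
```

Check the syntax without loading it with `nft -c -f /etc/nftables.conf`, then verify the policy from a host on VLAN 222: an `https` connection to the card-auth address should succeed, a connection to any other address should time out, and the firewall log should show a `pos egress blocked:` entry for it. Because VLAN 222 cannot reach arbitrary DNS servers, the resolver on the firewall is the one that answers for those hosts; keep the allowlist by IP address, as above, so a poisoned or changed DNS answer cannot widen the egress.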