
Comment Re:Change management fail (Score 1) 162

...in case my other article did not make it clear, we always ask if they have a backout plan, and they always say they do.

I used to deal with a lot of Indian outsourced IT groups, and the only way to handle this is to either follow up the "Yes, we have a backout plan" response with "Tell me what your backout plan is" or just to skip straight to that without bothering to ask the "Do you have a plan?" question.
Things still got screwed up, but after the first occurrence we completely cut their access to the servers and re-enabled them on demand, so we forced their people to update a specific server first to show that they could do it on a system which is not mission-critical.
However, that approach really only works when the client does not turn into a whining tub of lard when the vendor starts putting pressure on.

Comment The vendors are clowns, but not the funny kind (Score 1) 348

If the POS (point of sale... although if the vendor is as lax about their quality assurance as they are about network security, that might just also stand for "piece of shit") and the back office PC are completely isolated from the internet, then I would agree there is no need for a firewall. However, retail POS systems almost always now come with a built-in credit card payment system instead of having separate terminals for that... so the POS cannot be guaranteed an airgap out to the internet unless the POS vendor is also supplying a separate credit card payment system with separate hardware that will reside on a completely separate network from the POS and back office system.

My advice to the OP would be to register their extreme dissatisfaction with the setup verbally with the client, and in writing/email to the client and vendor, detailing the concerns about data security. That way, it at least limits OP's liability for the inevitable fuck-up and loss of customer credit card data to the time and effort involved in hiring a lawyer and producing said documentation when the shit hits the fan and lawsuits alleging incompetence start flying.

From experience, I know that as the 3rd party implementation consultant, you are nothing more than an annoying buzzing sound to the vendor unless you get the client on board, and even then it will still not work unless there are break clauses around client satisfaction built into the vendor-client contract. All OP can really do is cover his/her own ass, do their best to educate the client about the dangers involved, and leave it at that.

No firewall is probably because the vendor is too lazy to figure out how to configure the POS firewall so that they can still connect to it for remote support/maintenance tasks.

Comment Welcome to the LinusT show... (Score 1) 739

There is an article on /. every few months, about how Linus Torvalds was abrasively to-the-point about something, or about how a kernel developer responded to a Linus abrasive episode with a "dude, not helpful, be nice..." reasoned argument.
From my recollection, Torvalds does not often get involved beyond the initial message, but when he does I seem to recall that his response is "My sand pit, my rules. You don't like it, go make your own."
While the GCC compiler may not be a part of his Linux sand pit, it does go a long way toward defining the quality of the executable it produces, so even if the code is perfect a shit compiler will still produce a shit executable, in the same way that a perfect compiler will produce a shit executable from shit code. The difference is that a shit compiler cannot produce a good executable, whereas the shit code can be improved to good code with time and effort, and if a coder whose executable ends up being shit tries to turn around and blame the compiler, everyone else is going to respond with "a bad workman always blames his tools, therefore the code is shit".

99 times out of 100, the code is shit, because generally the compiler devs are much better coders [citation needed] than the rest of us mortals, so we probably assume that executable errors are introduced in our code (or is it just that I am a crap programmer??).

Comment Unify the OS, but not the UIs (Score 3, Interesting) 322

So many negative comments here... as if people think that a unified OS must also mean a unified UI.
A single core codebase for the OS will have a few problems with performance on different hardware, but that is a separate discussion... and who expects Microsoft stuff to run quickly anyway?
However, incorporating a different UI for each target device means that you should not need to see the craptastic Metro UI on a desktop system or workstation, while touchscreen and small screen systems are not compromised by a need to develop elements for discrete keyboard and mouse input.

Comment Biggest problem in IT security: ID-10-T errors (Score 4, Insightful) 129

Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.
You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.

Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.

Comment Re:No excuses left (Score 4, Insightful) 390

Too big to fail, too arrogant to concede, too greedy to care. This news is all the more reason to regulate.

But, but, but... regulation is the antithesis of the Capitalist way that our republican Democracy has weaned its children on since it was formed!!
I do tend to agree though - regulation of ISPs is probably the only way to deal with this.
Capitalist theory says that if an incumbent merchant/provider is too inefficient to provide a good service or if another potential merchant/provider thinks they can do a better job for a lower price, then that new provider will step in and provide said service. The threat of that is what keeps the incumbent lean and competitive, and the result is a competitive environment that is generally good for the consumer, as rival providers seek to offer better deals to entice custom away from their competitors.
However, that theory assumes that there is a very low or non-existent barrier to entry into that competitive marketplace. Given the initial infrastructure setup costs and, in many cases, exclusivity contracts between providers and the municipal areas which would present the profits to drive services out into more marginal areas, the barriers to entry into the Tier 1 ISP market are prohibitive, to the point where you need to be a corporate entity the size of Google to be able to reasonably make the capital investment required.
As such, the local markets for each ISP more closely resemble non-competitive monopolies with the illusion of choice being provided by third party suppliers who typically have to buy access to the resources from the incumbent monopoly - they get wholesale prices, and the consumer sees some small price reductions if the third parties can make enough money to operate by charging the consumer slightly less than the discount they got from the incumbent. But fundamentally, everything is still controlled by that original monopolistic provider, so services suck, progress is stifled because there is no incentive for change, innovation is discouraged, and the level of capacity/reliability is never going to be any more than "just barely enough so that we can maximise our profit margins".

Comment Re:Final Objective? (Score 2) 76

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivalent of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.

Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason being (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.

Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese People's Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.

Both of those governments' bureaucrats are often known to be corruptible and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).

In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean they are involved.

Lastly, looking at the capabilities of the payload may give some insight into the objective - a malware kit with a keylogger and dial-out facility to a C&C server is generally not going to be paired with a logic bomb to fry the infected system. So a system with a keylogger will be used for industrial espionage, while a logic bomb is an offensive, destructive weapon. The NSA's original analysis of the malware apparently indicated all sorts of interesting/terrifying capabilities. Given their extreme interest in surveillance of computer systems, if they chose to deliberately scare-monger and make this breach out to be more serious than it may otherwise have seemed, they could use that as leverage to expand their intelligence remit to be the gatekeepers of data security and cyberwarfare within the US - expanded influence, and also a much more free hand to conduct their own domestic surveillance. Plus, it is definitely conceivable that they would already have laboratory copies of the FSB malware kit that they could use when hacking Nasdaq.

So, there you have 4 other possible actors and objectives:
Russia: Domestic economic control over large businesses to reinforce geopolitical strength, and industrial espionage.
China: Industrial espionage, or the future possibility of electronic sabotage.
Organised crime: Extortion or industrial espionage for financial gain.
NSA: Empire-building.

This is not to suggest that any of those groups actually did do this, or that if they did that they did it for the reasons I have suggested. But it does indicate that there are a lot of possibilities out there, and Mike Rogers is a politician, so he is not going to start slinging mud at someone unless they give him a good quote as justification.

Comment Re:Chicago Blackhawks too? (Score 1) 646

What do you call people from India, Pakistan, Bangladesh, Afghanistan and that region?

Being from the UK myself, I asked some of my American colleagues who also work here ("here" being Sweden... more about that in a moment).
The response from two of the Americans was that they had no idea what to call people from that region, as they had no real idea of where those countries were. The other 3 promptly came up with "Terrorist", and were apparently not joking, judging by the lack of humour in voice or demeanour.

Anyway, regarding Sweden, this country currently has a degree of nationalist racism against "Invandrare" - effectively immigrants, but used as a catch-all for those immigrants who are obviously not Swedish, have poor language skills or education, and typically who come from near/middle eastern countries or central/eastern Europe, but Asians can also be included. Broadly speaking, immigrants from other Nordic/Scandinavian countries are ok, and immigrants from the UK or USA are loved unless they are complete assholes.
Historically however, there has never been a huge problem with racism, particularly against "coloured" people - and in this sense I use the term "coloured" to refer to anyone who does not have the typical Nordic/Scandinavian/Aryan light skin/light hair/blue eyes combination, not specifically people of African descent. So up until very recently (10-20 years), it was possible to buy "negerbollar" - literally "Nigger Balls" - which are a small chocolate-based pastry typically dusted in coconut, and many people still call them negerbollar without feeling any discomfort or embarrassment. Now, though, their official name is "chokladboll" to avoid any problems.

Comment Re:Internet (Score 1) 248

That's part of the problem of expanding into other countries, you have to either accept their rules or stay out. Consider Google or Yahoo in the case of China...

Compare to an example of a court order that forbids a third party railroad line from transporting a particular product into the country.

This is the part that I have a problem with - if a Canadian judge wants to mandate that all discussions of the health benefits of eating less Maple Syrup are blocked in Canada, I have no problem with that. If I live in Canada or if I live in China, then I expect what I see on the Internet to have to comply with local laws, and while I expect censorship in both Canada and China, I expect a hell of a lot more of it in China.
The precedent it sets, though, could allow a fundamentalist Islamic cleric to order Google to not index (and therefore censor) discussions about the interpretation of Islamic Sharia law so that his interpretation is dominant, not just in his country, but around the world as well.

This instance of the problem - a couple of embittered former employees of a company selling knock-off products - is not a bad idea. While I would like to know that they used to sell these goods, if I am looking to buy said equipment, I do not need to be able to see the actual site they were using as a sales portal. But the precedent it sets is a dangerous one.
Consider (not trying to derail the topic, honestly) the recent EU ruling that establishes the "right to be forgotten". If you look at it as the right for a woman who, as a dumb teenager, posted naked pictures of herself to show off a new tattoo, who now wants to see those pictures fade into obscurity, then it is a good thing. But many of the requests Google are receiving are from people who want to hide criminal convictions or other information which can legitimately fall under the heading of "in the Public Interest to know", so while Google can use that as a way to refuse the request, it shows that "good idea" precedents are often used to justify "bad idea" changes.

Comment Re:Could the Tesla circle jerk be any more open? (Score 0) 455

From my perspective, the most interesting thing about this is not the pro-Tesla/Elon Musk choir, or the Automotive lobbying juggernaut against it, but the fact that this is happening in America (statement of the bloody obvious, I know).
America, being the home and religious temple for Capitalism - Capitalism being an economic system where, if a new supplier in the market can provide more desirable products or with a more efficient/cheaper supply chain, that new supplier can gain a foothold in the market and offer their products/services in competition with the established actors, without political interference in the process.
The capitalist approach would be for the authorities in America to say to Tesla "You think you have a product which customers will want, which they will buy, and which will not blow up in their faces? Power to your elbow, go ahead and sell to Joe Public*!"
Instead, allowing the established automotive manufacturers to try and dictate "we sell through our Dealerships, they are a 'Good Thing' so you need to do the same, so that we are all doing things the same way" smacks of something. I do not want to call it Socialism, but I cannot think what else to call it, because even collectivist Keynesian Capitalism does not really cover it.

* With the caveats that applicable advertising laws and standards are met.

Comment Re:Internet (Score 5, Insightful) 248

Or as a car analogy: You don't tear out the road when one person is driving recklessly.

The car analogy would be accurate if the order was for the internet to be removed. In the Google case, it is more like "Someone is using a road to drive recklessly in Arse-end-of-nowhere, Ontario, CA. People who go to this God-forsaken place usually have a paper map made by Company X, so we are ordering Company X to remove Arse-end-of-nowhere from their maps."

Note, I am NOT suggesting that Ontario is the Arse-end-of-nowhere, but I do find it very troubling that a judge half way around the world from me thinks that my access to information on this matter should be curtailed. If the content is so objectionable, then the web host should be ordered to take the site down. As the plaintiffs in this case have named two Google entities as the non-party entities targeted for action, and the defendants as the individuals responsible for the actions that led to the case being brought, I see no action being taken to order the hosting provider to do anything.
If the rationale behind that lack of action on the hosting provider is that the hosting provider is outside Canadian jurisdiction, then the same rule must also apply to Google Inc., who are being ordered to comply with this ruling.

As a European, regarding the "right to be forgotten", I think it is a potentially good idea in some circumstances which is let down by dumb-assed execution opening the door for abuse by people and other entities looking to remove information of valid public interest.

Comment Re:Too expensive for the goofiness (Score 1) 85

Larger wheels do not make obstacles "easier", at least when it comes to anything you'll encounter while riding on paved or hardpack surfaces like this tandem is intended for.

The most obvious thing I can think of that you will encounter is a road-side kerb.
The physics of the situation means that, if the impact point of your wheel on the obstacle you are trying to get over is greater than or equal to the radius of the front tyre, then you will need to take action (lifting the front end of the bike) to get over the obstacle. In practice, you will have to take action for objects that are smaller than the radius, because the force required to mount the obstacle increases dramatically, increasing beyond the tyre and rim's ability to maintain structural integrity as the height of the obstacle-tyre impact point approaches the tyre radius.
As someone who has ridden city bikes with small radius wheels and also mountain bikes with 29" rims, I definitely appreciate the ride quality differences that come with tyre properties beyond the wheel radius, but the ride is much smoother anyway with the larger rims, simply because the impact height of the obstacle is so much less than the diameter of the wheel.

Comment Am I just evil, sadistic, or creative? (Score 1) 199

Personally, if I was going to inflict ads on my enemies (as opposed to, for example, repeatedly stabbing their genitalia with a fork until they fall off), I would probably go for pop-over (always on-top, of course) ads that claim to be either security alerts or flashing advice that they have won something, and all they have to do to claim their $1 million is click on the ad, which then move when you try to click on them.

Comment A Toastmasters manual (Score 1) 352

OK, this is more about what programmers should "do" than what they should "read". But for anyone involved in working as part of a team or dealing with either managers or subordinates (holy crap, I have just described everyone not working completely alone), I strongly recommend going to a few Toastmasters meetings.
No matter what programming language you use, development style, methodology, or approach, programmers today spend more time communicating with other people than they ever have done before.

Toastmasters - both in terms of giving speeches and also performing leadership tasks based on running the meetings, helps to improve communication and leadership skills (dramatically, in most cases).

If you are OK with being the anti-social loner who sits in the corner churning out code, and who thinks of communication with others as "one grunt for no, two for yes", then you need not bother. But for everyone else, it is a great place to go.
