I am a senior developer at a POS software company, but not the one related to this story.
My take from TFA is that the criminals impersonated support folks from the POS vendor, but didn't actually compromise the vendor's network.
The PCI DSS has all sorts of requirements for merchants to follow that would have prevented this. For example, the merchants should not let computers in their cardholder data environment have unfettered access to the Internet, all remote access to the CDE must be multi-factor authenticated, and vendor accounts have to be enabled on an as-needed-only basis.
This is probably a case of a criminal calling CiCi's store 2348, getting a franchisee-trained manager on the phone, and telling her "Hi, I'm from ACME POS, your POS vendor. We are calling to install updates to make the chip readers you aren't using yet work later on... and we need access to the workstation in the back of the store. Can you please open a browser and go to www.getmein.com?...". I doubt the defacing of the POS vendor's website has squat to do with it.
Of course, the franchisee is running a consumer-grade router with no outbound filtering on it whatsoever... because they are in a low-margin business and they needed something cheap. The computer died in the back about 6 months ago, so they dropped in a replacement PC from Wal-Mart and promptly disabled UAC, etc.
The manager isn't knowledgeable enough to notice that the domain he is being asked to go to is wrong, the caller ID is wrong, etc. He or she needs to worry about the 73 kids in the restaurant who are dropping pizza on the floor that the new guy isn't cleaning fast enough, the 8 pizzas on the stuck upper belt in the oven, and the bathroom with the overflowing commode. Not to mention the health inspector waiting up front. Trough-style kid's restaurants are a nightmare.
I wish POS software could be handled completely as a service and reside in a VPC managed by the POS vendor. In reality though, the Internet is just not reliable enough for that in many (most) places, and controlling POS peripherals from a cloud app is not really feasible.
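The two controls the post leans on, default-deny outbound filtering for the cardholder data environment and vendor remote access that is enabled only for a specific ticket and then closes by itself, can be expressed as policy logic. The block below is an added example, not code from the original post or from any POS vendor; the host names, the ticket number, the two-hour window and the connection records are all constructed. In a real store the same decisions would be enforced on the router or firewall in front of the register, but the shape of the policy is the point: nothing leaves the CDE unless it is on the short permanent allow-list or inside a window the merchant opened.

```python
"""Default-deny egress for a cardholder data environment (CDE) host.

Added example, not code from the original post or from any POS vendor.
Host names, the vendor ticket, the access window and the connection
records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    host: str    # exact DNS name the register may reach
    port: int
    reason: str


# Permanent allow-list: payment authorization and vendor-signed updates only.
# Anything not listed here is denied; there is no "allow all outbound" rule.
ALWAYS_ALLOWED = (
    Rule("gateway.processor.example", 443, "payment authorization"),
    Rule("updates.acme-pos.example", 443, "vendor software updates"),
)


@dataclass
class VendorWindow:
    """A time-boxed opening for vendor remote support.

    The merchant opens it for one ticket after calling the vendor back on
    a published number; it expires on its own, so a forgotten window
    cannot quietly become permanent remote access.
    """
    host: str
    port: int
    ticket: str
    opened_at: datetime
    duration: timedelta = timedelta(hours=2)

    def covers(self, host: str, port: int, at: datetime) -> bool:
        return (host == self.host and port == self.port
                and self.opened_at <= at < self.opened_at + self.duration)


def decide(host: str, port: int, at: datetime, windows=()) -> tuple:
    """Return ("allow" | "deny", reason) for one outbound connection attempt."""
    for rule in ALWAYS_ALLOWED:
        if rule.host == host and rule.port == port:
            return "allow", rule.reason
    for w in windows:
        if w.covers(host, port, at):
            return "allow", f"vendor window for ticket {w.ticket}"
    return "deny", "not on allow-list and no active vendor window"


def audit(log_lines, windows=()):
    """Apply the policy to connection records of the form
    'ISO-timestamp host port' and return (host, port, verdict, reason)
    per record, so the denies can be alerted on."""
    results = []
    for line in log_lines:
        ts, host, port = line.split()
        verdict, reason = decide(host, int(port), datetime.fromisoformat(ts), windows)
        results.append((host, int(port), verdict, reason))
    return results


# Constructed records for a store PC on the afternoon of the phone call.
SAMPLE_LOG = [
    "2016-07-08T14:02:11 gateway.processor.example 443",   # card authorization
    "2016-07-08T14:05:40 www.getmein.com 443",             # URL read out by the caller
    "2016-07-08T14:06:02 support.acme-pos.example 443",    # real vendor support, in window
    "2016-07-08T17:30:00 support.acme-pos.example 443",    # same host, window expired
]

# One window the manager opened for a real ticket at 14:00, good for two hours.
SAMPLE_WINDOWS = [
    VendorWindow("support.acme-pos.example", 443, "ACME-48211",
                 datetime(2016, 7, 8, 14, 0)),
]


if __name__ == "__main__":
    for host, port, verdict, reason in audit(SAMPLE_LOG, SAMPLE_WINDOWS):
        print(f"{verdict:5} {host}:{port}  ({reason})")
```

With this policy the browser session to the caller's site is denied regardless of what the manager was told on the phone, the vendor's real support host is reachable only inside the window the merchant opened, and the same host is denied again once the window lapses or if no window was ever opened.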