"Wish I could remember where I read the details, but the point of attack was the interface between two sets of exchanges. Both individual links were secure end to end, and they thought the transfer between the two was good as well. It sounded like the breach was both novel and clever. Although this is the first article I've seen confirming it was the POS system and not the back end db that was cracked. I was suspicious about that because of the too careful wording they were using to describe the breach and the ranged time period."
If the exploit was made in the POS system, then that smacks of an inside job of some sophistication. Based on what I know of modern retail POS systems, they're (a) trade secrets with tons of secret sauce, (b) rolled out in very controlled and restricted ways to minimize disruptions, and (c) deployed on a closed intranet.
Therefore, to get an exploit onto a modern POS system would involve (a) Tampering with a very secret program code (How many people have code access for the POS system?) (b) Slipping the exploit into a scheduled software rollout, passing any testing that would've occurred before then, and (c) Either bridge the intranet with the Internet or extract the siphoned details locally in some other manner.
I don't think any outsider could achieve a feat of the scale we're talking about.
I suspect PCI will have to look into reducing the trust level of the POS system as a result of this. Based on what I've read, the standards as they are mean the POS can obtain the card data unencrypted, and that may have to change. Newer equipment may mandate the use of encrypting magstripe readers and the use of PKI where not even the store knows the decryption key (IOW, only the payment processor would be able to receive the magstripe data). This may also be considered as Chip-and-PIN is considered for American rollout (because despite its increased security, it has been shown to have holes that can be exploited at the POS level as well).