Understand the risks
Wow, this gets muddy.
HSTS ensures HTTPS is used and is a big deal. SSL vs TLS1.0/1.1 vs TLS1.2 is another matter.
PCI DSS applies to organizations handling credit/debit card data (basically data belonging to others). That's why the focus is mostly on merchants and processing banks, the issuing banks which hold a lot more of the risk get less focus but don't get off the hook either.
As to the POS machines being exempt fro TLS1.2, NOT TRUE. They can continue to be used but must be shown to be safe. In many cases they are because of the way the use the crypto. The attacks like POODLE that precipitated this requirement have very specific use cases and won't apply to most of these devices. The details of this are well documented.
Similarly, 3DES is near the end of its useful life. It still has a role in POS and ATM devices, in part because those use cases are safer than a general purpose use case.
And if a bank wants to let their customers use SSL3.0 to access their non-PCI accounts, that is their risk decision to make.,