Re: "... easy to overlook..."
In my experience (particularly in local government) individual services may buy a POS terminal and install independently. Often the first that IT hears of it is when a firewall rule request is submitted to change control, and in some cases I've encountered, the request didn't even mention that it was for a POS terminal (despite of course modifying the PCI DSS CDE scope).
But this is not unique to POS terminals or local government - it probably goes on in any large and evolving organisation. Indeed I've encountered physical servers that IT knew nothing about until they were asked for emergency support.
Biting the hand that feeds IT
