Re: "... easy to overlook..."
In my experience (particularly in local government) individual services may buy a POS terminal and install it independently. Often the first that IT hears of it is when a firewall rule request is submitted to change control, and in some cases I've encountered, the request didn't even mention that it was for a POS terminal (despite of course modifying the PCI DSS CDE scope).
But this is not unique to POS terminals or local government - it probably goes on in any large and evolving organisation. Indeed I've encountered physical servers that IT knew nothing about until they were asked for emergency support.