Should I wait for new botnets from online cash registers?

As is well known in Russia, businessmen in connection with the Federal Law-54 quickly bring their cash registers online and connect fiscal data operators via the Internet.

Some of these entrepreneurs are small businesses and service points that do not have any technical staff of IT specialists or their own knowledge in the field of IT.

Required? So we connect.

One friend asked out of the corner of his eye to see what the problems are with the newly connected online cash register. Technique braked and hung.
')
To fulfill the requirements of FZ-54, they acquired a POS terminal to which the fiscal recorder is connected. Data output went, as usual, to the operator of fiscal data via the Internet.

The settings were made, as it turned out, by the equipment supplier through the same Internet, through the wonderful remote support utility TeamViewer.

Tucked up the lace stretched by the provider. Everything worked, everyone is happy.
But something went wrong.

As it turned out, windows xp embedded is hiding inside the equipment, which began to shine with standard windows ports directly to the Internet. Immediately, a diverse viral living creature breeds at the terminal. Produced until the computing power subsided and began to hang.

As a result, an additional firewall was purchased and a special antivirus that could work on this version of XP was hired by a one-time person who made the necessary settings, the private problem of a small entrepreneur was solved.

And now the question arises? Why is that? Who should provide protection? Manufacturer or entrepreneur? Or maybe the fiscal data operator? Attempts to find requirements for the protection of client infrastructure in the transfer of tax reporting, ala PCI DSS, have failed.