I work with POS hardware at my job. The “custom firmware” is likely just some settings, screens for the POS to display (so they’re McD branded instead of the POS maker), and some per payment-processor configuration so the terminals are using the expected encryption (differs per processor and customer).
Even if it was real firmware (I doubt it), it’s likely the firmware for the POS device interface. I don’t believe that firmware has any control over the actual payment processing bits of hardware, just the software intermediary.
Since that intermediary only has access to EMV tags (which anyone in the payment path has) there is no point. The secret encryption stuff that secures passwords is not controlled from any layer an attacker could touch, outside of documented configuration parameters.
Even if it does handle delivering firmware updates to the device, I would be wholly surprised if the terminal doesn't at least do basic checks to make sure the firmware is signed (although, whether or not there are exploits to get around this is another thing).
Even if it was real firmware (I doubt it), it’s likely the firmware for the POS device interface. I don’t believe that firmware has any control over the actual payment processing bits of hardware, just the software intermediary.
Since that intermediary only has access to EMV tags (which anyone in the payment path has) there is no point. The secret encryption stuff that secures passwords is not controlled from any layer an attacker could touch, outside of documented configuration parameters.