When I walk into some businesses, I see them using ShopKeep on an iPad.
I don't understand how this is PCI compliant, as the iPad itself would be in scope, and it can send unconstrained traffic to the internet. Having any device running a full OS connected to the internet at large seems like a vulnerability.
Perhaps reframing my question... how can any of the systems that involve swiping a card through a device connected to a tablet be PCI compliant? This seems to violate common-sense security practices where you want to keep the attack surface as small as possible.
In case this gets closed for calling out a vendor, I actually called ShopKeep to better understand, and they could not provide a suitable answer. In fact, I was told that the iPad would not be part of the card data environment, but that's false by my reading.