Although regulations bind the payment card industry to secure transmitted, received or stored sensitive data through end-to-end encryption, the data is still decrypted in the PoS system's RAM for processing, and the RAM is where the scraper strikes. Using regular expression searches, RAM scrapers harvest the clear-text payment data and send it to rogue call-home servers.
Read more here – http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/
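The same pattern-plus-checksum search can be turned around for audit and forensics: run it over a captured memory image or log file to confirm whether clear-text card numbers are present. The sketch below is an added example, not code from the linked article; the function names and the sample buffer are constructed for illustration, and findings are reported masked.

```python
import re

# 13-19 consecutive ASCII digits that are not part of a longer digit run
# (the length range of a primary account number, PAN).
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_cleartext_pans(buf: bytes):
    """Return (offset, masked PAN) for each Luhn-valid candidate in buf."""
    return [(m.start(), mask(m.group()))
            for m in PAN_RE.finditer(buf) if luhn_ok(m.group())]


# Constructed sample standing in for a slice of a memory image: one order
# number that fails Luhn and one industry test card number that passes.
SAMPLE = b"\x00\x01order=1234567890123456\x00card=4111111111111111\x00"

if __name__ == "__main__":
    for offset, masked in find_cleartext_pans(SAMPLE):
        print(f"clear-text PAN candidate at offset {offset}: {masked}")
```

Any hit in a dump taken outside the moment of transaction processing means card data is staying in memory or on disk longer than it needs to.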