If you can access things truly anonymously, start "uncancelling" some of those transactions. Eventually the person in the wrong will be found out when they can't explain the books not balancing and the security holes revealed at the same time.
I had thought of that. It is true that the POS software itself doesn't record logins or actions, but the computer still has server logs and even if the franchisee doesn't know to look at them, the police will if they become involved.
And unusual entries in the server logs linked with unusual transaction activity might lead them to the conclusion that a hacker is responsible, not an in store thief.
I had thought of a whole heap of schemes based around 'logging in and changing something' but that can only lead to more trouble for me.
I'm looking at an anonymous phone call to the store owner. He is the person who is losing money in all this.