If your web application is strictly read-only, then you can have perfect security by having the web application have only datareader permissions on your POS database - no replication or other complicated steps will be necessary.
As for performance - even a basic (Core i3, 5200rpm HDD, 2GB RAM) server can handle a few hundred simple SQL queries per second for a modestly-sized database. Considering how modern database servers cache a lot of data in RAM, read queries are amazingly cheap.
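
The read-only account described above, sketched as an added example that is not part of the original answer. It assumes SQL Server (where "datareader" corresponds to the fixed `db_datareader` role), a database named `POS`, and a hypothetical login `pos_web_reader`; the password is a placeholder.

```sql
-- Added example. Assumptions: SQL Server 2012 or later, database named POS,
-- hypothetical login/user pos_web_reader, placeholder password.

USE [master];
GO
-- Dedicated login for the web application only; never reuse the POS
-- application's own account or a sysadmin login.
CREATE LOGIN pos_web_reader
    WITH PASSWORD = N'<replace-with-generated-secret>',
         CHECK_POLICY = ON;
GO

USE [POS];
GO
-- Map the login into the POS database and grant read access only.
CREATE USER pos_web_reader FOR LOGIN pos_web_reader;
ALTER ROLE db_datareader ADD MEMBER pos_web_reader;
GO

-- Check 1: list every database role the account belongs to.
-- Membership in any role besides db_datareader widens what it can do.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r
    ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u
    ON u.principal_id = m.member_principal_id
WHERE u.name = N'pos_web_reader';

-- Check 2: impersonate the account and ask the engine for its effective
-- database-level permissions. Rows returned by this query are write,
-- execute or DDL rights that reached the account through another grant
-- (for example, permissions granted to the public role).
EXECUTE AS USER = N'pos_web_reader';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE')
WHERE permission_name IN
      (N'INSERT', N'UPDATE', N'DELETE', N'EXECUTE', N'ALTER', N'CONTROL');
REVERT;
GO
```

The web application's connection string then uses only this login, so a flaw in the web tier is limited to what `SELECT` can reach.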