@MASTERSTHESIS{IMM2005-03965,
  author = "A. Pedersen and A. Hedegaard",
  title = "Security in {POS} systems",
  year = "2005",
  keywords = "Common Criteria, Protection Profile, Security Evaluation, Point of Sale, {POS} system, Payment Terminal",
  school = "Informatics and Mathematical Modelling, Technical University of Denmark, {DTU}",
  address = "Richard Petersens Plads, Building 321, {DK-}2800 Kgs. Lyngby",
  type = "",
  note = "Supervised by Prof. Robin Sharp",
  url = "http://www2.compute.dtu.dk/pubdb/pubs/3965-full.html",
  abstract = "When implementing a Point Of Sale (POS) system it has become increasingly common that the {IT} provider hosts the {POS} application on centralized servers not located at the point of sale. The access to the {POS} application is then provided via a client-server based system where the {POS} terminal ({POS} client) and the attached {POS} devices are continuously connected to the {POS} application server, e.g. via the Internet. {POS} devices may include printers, bar code scanners, payment terminals, etc. This thesis analyzes and defines the security requirements for such a system, using an approach based on the Common Criteria for Information Technology Security Evaluation (CC). A {CC} Protection Profile for a generalized {POS} system is developed. Furthermore, a {CC} Security Target for a secure interface between the {POS} application and payment terminal is developed. The Security Target claims conformance to the developed Protection Profile. Finally, a design example of the secure interface is described in order to show the applicability of the developed Security Target."
}