Security in POS systems

Allan Pedersen, Anders Hedegaard

Abstract

When implementing a Point Of Sale (POS) system it has become increasingly common that the IT provider hosts the POS application on centralized servers not located at the point of sale. Access to the POS application is then provided via a client-server based system in which the POS terminal (POS client) and the attached POS devices are continuously connected to the POS application server, e.g. via the Internet. POS devices may include printers, bar code scanners, payment terminals, etc.

This thesis analyzes and defines the security requirements for such a system, using an approach based on the Common Criteria for Information Technology Security Evaluation (CC). A CC Protection Profile for a generalized POS system is developed. Furthermore, a CC Security Target for a secure interface between the POS application and payment terminal is developed. The Security Target claims conformance to the developed Protection Profile. Finally, a design example of the secure interface is described in order to show the applicability of the developed Security Target.
Keywords: Common Criteria, Protection Profile, Security Evaluation, Point of Sale, POS system, Payment Terminal
