Abstract

http://ssrn.com/abstract=1104320
 


 



The Good, the Bad and the Ugly of Protecting Data in a Retail Environment


Ulf T. Mattsson


Protegrity Corp.



Abstract:     
The overall purpose of information security is to control risk by managing the impact of threats to information assets in the most cost-effective manner. This article takes a look at a typical Point-Of-Sale (POS) solution, identifying common architectural weaknesses that can lead to data compromise. Specifically, key business priorities are assessed against the POS architecture to vet the solution for potential security shortcomings that could prevent it from carrying out its business mission.

In many retail organizations, the principal business objectives are to achieve compliance to the Payment Card Industry Data Security Standard (PCI) to avoid fines and maintain proper standing in the industry, while protecting the brand name by avoiding breaches of customer credit card data. Many retail solutions have been carefully designed from both security and business goal perspectives. They may use hardening features such as PKI-driven strong mutual authentication of all system components, rigorous encryption of data in transit and at rest, secure unlock and update processes, etc. to be able to safely and reliably operate in the most hostile of networking environments. A computer containing sensitive data that is physically stolen from a retail site can represent of a significant risk.

Careful balance between business goals and security reduce the risk of a compromise that can threaten the retail organization's brand reputation and business operations. Compliance to PCI is not enough to safeguard information in a retail environment. This article will also assist in guiding security efforts in a POS environment. For example, weaknesses discussed here can prove to be effective at prioritizing testing attention and effort. In other words, the testing, design review, code review, penetration testing, etc., processes should be prioritized in order to make the most effective use of the available development resources.

Some mature security solutions are also environmentally friendly and addresses "the green security challenge" by delivering software solutions that operate on existing computing infrastructure, typically on the same server as the application or database being secured. The appropriate level of encryption key protection can be achieved by using a well balanced combination of software cryptography and selective use of small footprint standard commodity type Hardware Security Modules. This environmentally friendly approach can provide the needed balance of protection, cost, operational needs and avoid installation of a large number of appliances.

Number of Pages in PDF File: 14

Keywords: PCI, data security, retail security, encryption

working papers series





Download This Paper

Date posted: March 9, 2008  

Suggested Citation

Mattsson, Ulf T., The Good, the Bad and the Ugly of Protecting Data in a Retail Environment. Available at SSRN: http://ssrn.com/abstract=1104320 or http://dx.doi.org/10.2139/ssrn.1104320

Contact Information

Ulf T. Mattsson (Contact Author)
Protegrity Corp. ( email )
One Cantebury Green
Stamford, CT 06901
United States
HOME PAGE: http://www.ulfmattsson.com
Feedback to SSRN


Paper statistics
Abstract Views: 729
Downloads: 142
Download Rank: 121,755

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo7 in 0.250 seconds