Available at: https://digitalcommons.calpoly.edu/theses/3002
Date of Award: 6-2025
Degree Name: MS in Computer Science
Department/Program: Computer Science
College: College of Engineering
Advisor: Bruce Edward DeBruhl
Advisor Department: Computer Science
Advisor College: College of Engineering
Abstract
Securing 95% of card-present transactions, accounting for billions of transactions a year, has made EMV the premier protocol for card-based payment. Created by and named after Europay, Mastercard, and Visa, the EMV protocol provides multiple solutions to resolve security concerns with the outdated, swipe-based magnetic stripe payment. These solutions include Chip and PIN, which provides a more secure transaction at a significant time cost, and EMV contactless, which provides improved security to Chip and PIN at greater ease of use with its quick, tap-to-pay based payment. However, regardless of how secure the EMV protocol makes the card side of a transaction, little has been done for the Point of Sale (POS) devices involved. While the EMV protocol ensures the validity of the card and the identity of the cardholder, no such checks are made for the POS device during the transaction. All types of card-based payment, EMV or not, are simply at the mercy of how merchants choose to secure their POS devices, as there is no choice but to assume a POS device is secure if a transaction is to occur. While this may seem to be a reasonable assumption, the infamy of POS malware like PoSeidon and BlackPOS proves the danger of relying solely on merchants for POS security. Hence, this thesis presents Secure Point of Sale (SPOS) as a solution leveraging a Hardware Root of Trust (HRoT) installed in the POS device to provide attestation updates to a verification entity that will determine POS integrity, thus freeing POS security from being solely reliant on the merchant.