Secure start-up of encryption services in a typical retail POS configuration can be provided by implementing the following (very general) best practices:
Each Local Security (Encryption) Service should be locked upon start-up. While locked, all sensitive data is encrypted and presumably safely stored. During the Local Security Service start-up procedure the application is unlocked so that it can proceed with its business processing functions. Unlocking can occur through either an automated or a manual process; the manual process is invoked when retail WAN connectivity (where WAN connectivity is used at all) is unavailable for some reason.
The security of this process depends on the secrecy of the unlock keys, which are unique to each retail site and should only be used once. Under the automatic unlocking process, the unlock key is discarded after use (and presumably wiped from memory) and then a new unlock key is automatically rotated in via the Security Administration Service, thereby greatly reducing the exposure of the unlock key.
The manual unlock process, on the other hand, exposes a valid unlock key to at least two people – a central help-desk support person and a system administrator at the respective retail site (or similar). Although the key is rotated after use, a maliciously cloned Local Security Service environment could still be unlocked using that unlock key if the cloned system remains off-line, because the rotation never reaches the clone. This could enable an attacker to invoke and unlock a cloned Local Security Service in an environment the attacker controls and potentially use the data and processes on the Local Security Service to decrypt cached/archived credit card data. The impact of a successful breach of this process could be extreme: customer data for several years could be compromised, resulting in customer identity theft, tarnishing of the retailer's reputation, etc.
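The single-use unlock key, the automatic rotation via the Security Administration Service, and the off-line clone hazard described above, as an added model (not code from the original page or any product it describes). The class names mirror the page's terms; the HMAC-based key wrap is a simplified, stdlib-only stand-in for a real key-wrap algorithm, and the site id and keys are constructed for the demo.

```python
import hmac, hashlib, os, secrets, copy
def prf(kek, label, data):   # HMAC-SHA256 is the only primitive, to stay stdlib-only
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(kek, dek, nonce):
    # Simplified stand-in for AES key wrap: XOR with a PRF pad, then a MAC tag over the result
    ct = bytes(a ^ b for a, b in zip(dek, prf(kek, b"wrap", nonce)))
    return nonce + ct + prf(kek, b"tag", nonce + ct)

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(kek, b"tag", nonce + ct)):
        raise ValueError("wrong unlock key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"wrap", nonce)))

class SecurityAdministrationService:
    def __init__(self):
        self.current = {}   # site -> the one unlock key that is currently valid
    def rotate(self, site, used=None):
        # Issue a fresh key; when replacing, the key presented must be the current one
        if used is not None and not hmac.compare_digest(self.current.get(site, b""), used):
            raise PermissionError("unlock key is not current for this site")
        self.current[site] = secrets.token_bytes(32)
        return self.current[site]

class LocalSecurityService:
    # While locked, the data key exists only wrapped under the site's unlock key
    def __init__(self, site, dek, unlock_key):
        self.site, self.wrapped = site, wrap(unlock_key, dek, os.urandom(16))
    def unlock(self, unlock_key, admin=None):
        dek = unwrap(unlock_key, self.wrapped)   # raises unless this is the current key
        if admin is not None:  # automated path: a fresh key is rotated in immediately
            self.wrapped = wrap(admin.rotate(self.site, unlock_key), dek, os.urandom(16))
        return dek             # manual/offline path: no rotation, the disclosed key stays valid
    def clone(self):           # offline copy of the locked state, e.g. a disk image (constructed)
        return copy.copy(self)

def demo():
    admin, site, dek = SecurityAdministrationService(), "store-0042", secrets.token_bytes(32)
    k0 = admin.rotate(site)          # initial unlock key for the site
    live = LocalSecurityService(site, dek, k0)
    image = live.clone()             # taken while locked, before k0 was ever used
    live.unlock(k0, admin)           # automated unlock: k0 is rotated out on the live host
    try:
        live.unlock(k0)              # replaying k0 against the live host now fails
        stale_key_works_live = True
    except ValueError:
        stale_key_works_live = False
    return stale_key_works_live, image.unlock(k0) == dek   # (False, True)
```

The second return value is the point of the exercise: rotation protects the live host but does nothing for a copy taken before the key was used, so a disclosed manual unlock key plus an exfiltrated image is enough to reach the data key.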