BS ISO 23195:2021

$189.07

Security objectives of information systems of third-party payment services

Published by: BSI
Publication date: 2021
Number of pages: 50

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of third-party payment service providers (TPPSPs) offering payment services, compared with simpler payment models where the payer and the payee interact directly with their respective account servicing payment service provider (ASPSP).

This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document.

NOTE

This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the target of evaluation (TOE) are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

Table of contents (PDF page numbers given where the catalog lists them)

National foreword (p. 2)
Foreword (p. 6)
Introduction (p. 7)
1 Scope (p. 9)
2 Normative references
3 Terms, definitions, and abbreviated terms
  3.1 TPP business
  3.2 TPP information system (p. 12)
  3.3 TPP security (p. 13)
4 TPP logical structural model in an open ecosystem (p. 15)
  4.1 Logical structural model
    4.1.1 General
    4.1.2 Direct connection between TPP-BIS and ASPSP (p. 16)
    4.1.3 Communication between TPP-BIS and ASPSP via TPP-AIS (p. 17)
  4.2 Protected assets (p. 18)
    4.2.1 General
    4.2.2 User data (p. 19)
    4.2.3 TPPSP's TSF data (p. 22)
5 Security problem definition
  5.1 General
  5.2 Threats (p. 23)
    5.2.1 Threats to business configuration data
    5.2.2 Threats to business cumulative data
    5.2.3 Threats to transaction input data
    5.2.4 Threats to TPP transmitting data (p. 24)
    5.2.5 Threats to authentication data provided by ASPSP
    5.2.6 Threats to TPPSP's TSF data (p. 25)
  5.3 Organizational security policies
    5.3.1 Operation authorization
    5.3.2 Security event audit (p. 26)
    5.3.3 Connection security control (p. 27)
    5.3.4 Business management control
    5.3.5 Systems management control
  5.4 Assumptions
6 Security objectives (p. 28)
  6.1 General
  6.2 Security objectives for TPP TOE
    6.2.1 Prevention of unauthorized disclosure and change of business configuration data and cumulative business data
    6.2.2 Prevention of counterfeiting, repudiation and unauthorized changes of input data and transmitting data (p. 29)
    6.2.3 Prevention of counterfeiting and unauthorized changes of protected data and confidential data
    6.2.4 Prevention of unauthorized disclosure or usage of the authentication data provided by an ASPSP
    6.2.5 Prevention of disclosure of TPP's TSF confidential data
    6.2.6 Generation of security logs
  6.3 Security objectives for TPP TOE operating environment
Annex A (informative) Typical transaction scenarios on TPP logical structural model (p. 30)
Bibliography (p. 48)