BS ISO 23195-2021 pdf download – Security objectives of information systems of third-party payment services

EXAMPLE Business messages sent and received by a mobile phone are a type of TPP transmitting data; business messages via a session established between a personal computer and a TPP-BIS through a TPP gatekeeper is also a type of TPP transmitting data.

4.2.2.6 Authentication data provided by ASPSP

An ASPSP can provide ASPSP credentials to a payment service user. An ASPSP credential can be used to authenticate the payment service user.

EXAMPLE Passwords, tokens or private keys used by a payer for the purpose of authentication towards the ASPSP.

There are several scenarios for the validation of authentication data. It is a secure way that the TPPSP redirects a request to the ASPSP which has provided the ASPSP credentials. A TPPSP is probably delegated to validate the authentication data on behalf of the ASPSP and with the agreement of the payment service user.

4.2.3 TPPSP’s TSF data

4.2.3.1 General

TPPSP’s TSF data are generated in order to achieve the security objectives for the TPP information system. Abuse or breach of this kind of data may cause technological risks, namely the system behaviour can be changed regardless of whether the commercial business risks occur.

NOTE The term “TSF data” is taken from ISO/IEC 15408. According to the methodology outlined in ISO/IEC 15408, all data can be divided into two types, namely “user data” and “TSF data”. See 3.3.10 and 3.3.11.

4.2.3.2 TPPSP’s TSF protected data

Unauthorized roles may observe but shall not handle TSF protected data. Handling operations include creating, modifying and deleting data.

The disclosure of this type of data is not critical to the security of the TPP information system provided that their integrity is guaranteed.

EXAMPLE 1 Administrators and/or operators of TPP-BIS and/or TPP-AIS are generally the eligible authorized roles.

EXAMPLE 2 A hash value of a message is a typical TPPSP’s TSF protected datum.

4.2.3.3 TPPSP’s TSF confidential data

Unauthorized roles shall not access and handle any confidential data.

NOTE Access to a TPPSP’s TSF confidential data by any unauthorized role can compromise the security of the TPP information system.

EXAMPLE Authentication data, audit records, and the private key of a digital certificate are all TPPSP’s TSF confidential data.

5 Security problem definition

5.1 General

This clause describes common security problems that need to be addressed by TPP systems. The IT architecture underpinning TPP business comprises different components, some of which implement security functions. Security functions are instantiated based on the valid implementation of SFRs presented in the...
