标准摘要
[中文适用范围]: 本文档定义了第三方支付 (TPP) 上下文中使用的通用术语。 其次,建立了两个逻辑结构模型,明确了所保护的资产。 最后,它根据逻辑结构模型的分析以及受威胁、组织安全策略和假设影响的资产的交互来指定安全目标。 制定这些安全目标的目的是为了应对提供支付服务的 TPPSP 的中介性质所带来的威胁,与付款人和收款人直接与其各自的账户服务支付服务提供商 (ASPSP) 交互的更简单的支付模式相比。 本文件假设以 TPP 为中心的支付依赖于 TPPSP 凭证的使用以及相应的认证流程来进行发行、分配和更新。 然而,此类进程的安全目标超出了本文档的范围。 注:本文件基于 ISO/IEC 15408 系列中指定的方法。 因此,不属于TOE的安全事项作为假设来处理,例如提供TPP服务的信息系统所需的安全性以及参与TPP业务的实体之间的通信通道的安全性。 [外文原描述]: This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.
英文名称Security objectives of information systems of third-party payment services