Secure E-commerce Protection Profile.pdfVIP

Secure E-commerce Protection Profile Anil Kumar Venkataiahgari Department of Computer Science and Software Engineering Concordia Univeristy Montreal, Quebec, Canada Mourad Debbabi Concordia Institute for Information Systems Engineering Concordia University Montreal, Quebec, Canada J. William Atwood Department of Computer Science and Software Engineering Concordia Univeristy Montreal, Quebec, Canada Abstract We present a Secure E-commerce Protection Profile (SEPP) that captures security requirements for securing sessions in the e-commerce operational environment. The SEPP is prepared in accordance with the Common Criteria (CC), Version 2.1, as specified by the ISO 15408 standard. The SEPP states the requirements that sessions must satisfy in order to respond to the needs of e-commerce. The Target of Evaluation (TOE) security environment, which is composed of threat agents, vulnerabilities, attacks and threats, is described in detail. It is followed by describing the administrative security policies that are necessary to safeguard the TOE or its operating environment. The risks to the TOE are identified. The security objectives for the TOE are stated. Keywords: Security, e-commerce, Protection Profile (PP), unicast, multicast, Common Criteria (CC) 1. Introduction Security is a significant concern for e-commerce, whether it is for unicast, multicast or broadcast services. Also, liability is a significant issue because the subscriber has to share his sensitive credentials, such as credit card information, with unknown principals, while merchants have to make sure that they are providing the services only to the authenticated and authorized customers. There are several unicast e-payment platforms and protocols such as credit card based, e-Cash based, e-Cheque based, Smartcard based and Micropayments based e- payment platforms [10, 27] and e-payment protocols, such as Secure Socket Layer/ Transport Layer Securit