Protection Profile
SecurityA document specifying security requirements for a category of products in the Common Criteria framework.
Protection Profile
A Protection ProfileProtection ProfileSecuritySecurity requirements document for CC.Click to view → (PP) is a formal document within the Common Criteria framework that specifies an implementation-independent set of security requirements for a category of IT products. In the smart card industry, Protection Profiles define the baseline security capabilities that all products of a given type — chip hardware, card operating system, payment application, or identity document — must satisfy to achieve certification.
PP Structure
A Protection Profile follows the ISO/IEC 15408 structure and contains:
| Section | Description |
|---|---|
| PP Introduction | Product type description and conformance claims |
| Security Problem Definition | Assets, threats, organizational security policies, assumptions |
| Security Objectives | What the product must achieve to counter the identified threats |
| Security Functional Requirements (SFRs) | Specific security functions (e.g., cryptographic operations, access control) |
| Security Assurance Requirements (SARs) | EAL level and any augmentations |
| Application Notes | Implementation guidance for developers |
Key Smart Card Protection Profiles
| PP ID | Name | Application | Maintained By |
|---|---|---|---|
| BSI-PP-0084 | Security IC Platform | Smart card chip hardware | BSI (Germany) |
| BSI-PP-0075 | JavaCard System | Card OS + Java runtime | BSI |
| BSI-PP-0056 | Machine Readable Travel Document | ePassport chip application | BSI |
| PP-0035 | UICC Platform | SIM card platform | GSMA / ETSI |
| ANSSI-CC-PP | eIDeIDIdentityNational ID with embedded chip.Click to view → Application | eID smart card | ANSSI (France) |
How PPs Are Used
A smart card vendor writing a Security Target (ST) for their product claims conformance to one or more Protection Profiles. The ITSEF (evaluation lab) verifies that the ST covers all requirements from the claimed PPsPPsProtocolCard-reader parameter negotiation.Click to view →. This ensures a minimum security bar across all products in the same category — every ePassport chip, regardless of manufacturer, meets the same threat model and security functional requirements.
Composite Evaluations
Smart card products are often evaluated as compositions. The chip silicon is certified against BSI-PP-0084, the operating system against BSI-PP-0075, and the application against a domain-specific PP. The final composite certificate confirms that the combination of certified components maintains the overall security level. This approach allows chip vendors and OS vendors to certify independently, reducing time-to-market for new card products.
Related Content
SIM Card Types Explained
Getting Started…to Common Criteria — typically EAL4+ against the GSMA SAS protection profile. The security boundary enforces: Authentication key (Ki)…
Common Criteria for Smart Cards
Security…eID, EMV, and banking programmes. Protection Profiles A Protection Profile (PP) is a reusable security requirements document authored…
Smart Card Cryptography
Security…implement at least AES-128 in all modes required by their protection profile . Crypto Coprocessor Architecture The crypto coprocessor…
Post-Quantum Cryptography for Smart Cards
SecurityNational eID Card Deployment
Industry Applications…for the chip and often for the CA hardware ( HSM ). The Protection Profile for electronic identity documents (BSI-CC-PP-0056 for…
Biometric Smart Cards Overview
Biometric Cards…SP 800-76 Biometric specifications for PIV ANSSI / BSI Protection Profile Biometric match security requirements Use the EAL…
Common Criteria Evaluation Process
Compliance…Targets Two key documents anchor every CC evaluation: Protection Profile (PP) : A template defining security requirements for a…
Häufig gestellte Fragen
The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.
Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.