Many security and privacy protocols for RFID systems have been proposed [8, 13, 19, 20]. In most cases these protocols are evaluated in terms of security based on some model. Often the model was introduced by the creator of the protocol, in some cases borrowing parameters from the protocol for model parameters. Moreover, the models that are discussed may represent only one aspect of the necessary security services that are needed in an RFID system. Here we describe several of the security requirements that are needed in an RFID system. Further, we model these requirements. These models incorporate security requirements that include privacy of tag data, privacy of ownership, and availability of tag identity. We also construct less restrictive versions of many of these models to reflect the security needed for some less security-intensive RFID applications. Finally, we compare our model to Juels' models [13], Avoine's models [4] and Ohkubo et al.'s models [20].