DE10049164A1 - Secure method for undertaking online transactions with a customer sent a cipher when his order is placed, that it then matched by his bank with a cipher furnished by the supplier before payment is cleared - Google Patents

Abstract

A customer orders a product/service via the Internet, the supplier automatically sends cipher data with the order confirmation. The purchaser transmits the cipher data with payment data using normal online banking software to his bank. A central server (4) of the bank compares the cipher information with matching data from the supplier. If the two ciphers agree payment is made and the bank sends a payment confirmation to the supplier who releases the goods.

Description

The invention relates to a method for the secure implementation of a Transaction in electronic payments, especially on the Internet, after the preamble of claim 1.

It is known to make payment orders through data transfer from the computer transferring a user to a bank. This is usually a special program used (electronic banking), which is on the computer of the User is installed, and that a payment order in a standardized form forwards a credit institution that receives the payment order and executes, if there are appropriate funds in the user's account are.

While only a few years ago electronic banking usually over the Telekom BTX system was implemented, it has become common today electronic banking via internet connections between user and bank handle. To secure the data transmission Encryption techniques used against unauthorized attacks are largely resistant.

With the spread of the Internet, many providers of goods or Services that operate a server that can be accessed by customers transferred to the customer order options for the goods offered and to offer services over the Internet. In such so-called "Shop" solutions give customers the option of using the so-called Browser of your computer presented by the provider on the Internet Call up websites. If the customer is a commodity or service wishes, he can order the desired goods or on an order page of the provider Enter the service, its quantity and, if necessary, further data in a form and provided with the customer's personal data as an order. The provider can then execute this order by delivering the goods or the service is provided. Conversely, the customer is obliged to pay the goods or service to the provider.  

During the delivery of a product or the execution of a Service is usually not a problem, securing one Payment of the ordered goods or services is still a problem remained. Many providers therefore only deliver goods against simultaneous payment from, which however presupposes that the customer is present at the time of delivery is.

Another way of paying for a product or service lies in the use of the credit card system in which the customer gives the provider must provide the relevant data to his credit card. At a However, transferring credit card information over the Internet is easy Risk of interception of credit card data by unauthorized third parties, so that a secure payments are not guaranteed. The use of a Credit card also requires customer creditworthiness.

Another system for payment of services has become known where the payment is secured by querying code numbers via a Cellular connection is established. However, this type of payment sets the simultaneous use of a cellular connection in advance. In the event of theft of the Cell phones can therefore also be misused for payment purposes become.

The invention has for its object a method for secured Conducting a transaction in electronic payments, in particular on the Internet to state that it is largely resistant to abuse Execution of a payment transaction when ordering a product or Electronic payment services, especially on the Internet, allows.

This object is achieved by the invention specified in claim 1. Advantageous developments of the invention are specified in the subclaims.

According to the invention, a method for securely carrying out a transaction in electronic payment transactions, in particular on the Internet, is specified, in which an offer of a provider that can be called up by a customer via the Internet comes to the execution of an order. According to the invention, the following process steps are carried out in an automated sequence:

• 1. By accepting an offer by the customer, means Computer of the provider generates an identification data record that a first Contains key information and is sent to the customer's computer is transmitted.
• 2. Using the identification data record, the Customer's computer an electronic transfer record well-known electronic payment system (electronic banking) generated, which together with the first key information to the A bank's computer is transmitted.
• 3. The computer of the credit institution transmits the first key information to a central server.
• 4. The server compares the first one received from the credit institution Key information with a corresponding from the computer of the provider second key information transmitted to the server.
• 5. If the key information received matches, the Server sends a confirmation signal to the provider's computer Execution of the order and an execution signal to the credit institution to complete the payment transaction.

In summary, the invention is therefore used to carry out a Payment based on an order from a customer, usually at the customer's Existing electronic banking program to display the payment-relevant data to transmit the customer's credit institution. This connection is considered secure. The only difference between the supplier's computer and the customer's computer is Order-related data transmitted, which are comparatively worthless for third parties. The key information contained therein is sent to you by the credit institution central server, which transmits a through contact with the provider Payment of the customer verified and confirmed to the provider, so that this one  Execute an order to deliver goods or perform a service can.

By means of the invention, a method which is far superior to known methods is achieved specified more secure payment system for internet transactions, that through only Computer communication can be carried out in an automated sequence without that a manipulation possibility of payment transactions by third parties, or also the customer.

To preferably ensure that the computer from the credit institution received first key information transmitted to the central server there the central server sends a confirmation signal to the computer of the credit institution.

The computer of the credit institution preferably transmits after receipt of the electronic transfer data record from the customer an acknowledgment of receipt to the customer's computer and sends the customer's computer preferably a further confirmation signal to the provider's computer, before the provider's computer sends the second key information to the central server.

The execution signal preferably contains the second one Key information and the computer of the credit institution runs after receiving the second key information and comparison with the cached Transactions and confirms the electronic transfer record towards the central server, which sends the confirmation to the computer of the Provider forwards.

The key information used in the invention preferably contains the following data:

• - order identification code,
• - Bank details of the provider.

Along with other data, at least the invoice amount and contain the currency, the identification data record is formed.  

In a further embodiment of the invention, the central server contains one Database through which an assignment of the provider's computer received second key information for access data of a variety of Credit institutions.

This has the advantage that the respective provider only one Communication connection to the customer as well as to a central server have to build. A direct connection to the customer's bank is not required for the provider. For the provider there is security, that the central server and the participating credit institutions are considered legitimate can be.

The invention is explained in more detail below using an exemplary embodiment explained. The components are on the one hand in two schematic representations and connections of the payment system and a flowchart of a Transaction shown.

The name IPOB below is an abbreviation of "Internet Payment via Online Banking".

In the schematic illustration of FIG. 1, numeral 1 denotes the computer of the provider, which is loaded with a so-called IPOB software 5, which controls the creation and transmission of the key information. A communication link between provider and customer is established via an Internet connection 13 between the customer's computer and the provider's computer. The customer's computer contains a browser that makes it possible to view the provider's homepage 6 .

The client side of online banking software is also loaded on the customer's computer and is in communication connection 14 with the server side 10 of the software which is loaded in the computer 3 of the credit institution.

The server side 10 has access to the accounts 11 of the customers. The computer of the credit institution also contains a buffer 12 for IPOB transactions. The first key information is transmitted via the data connection 15 between the computer of the credit institution and a central IPOB server 4 . Finally, there is a communication link 16 between the provider's computer and the central server 4 .

The communication connections can be permanent or switched Connections that are established at the same time or at intervals or can be ended. Instead of a communication link in the area the Internet can also use other electronic communication links including wireless connections.

In order to carry out the method according to the invention, it is necessary for the customer's browser to contain an additional plug-in 7 , provided that the browser does not inherently contain a corresponding software module. The software 5 of the provider has interfaces to the plug-in 7 of the browser 8 of the customer's computer 2 .

The implementation of the method is explained below with reference to the diagram given in FIG. 2:
Via the customer's computer 2 , a communication link is first established via the Internet with the provider's homepage 6 . The customer selects the desired offer according to the supplier's specifications, the selection being made, for example, by the customer transferring the desired goods or services to a so-called shopping cart. After the selection process, the customer is directed to a page with payment modalities. The customer can enter various data there, for example delivery address, delivery date, method of payment, etc. When selecting the payment systems according to the invention, the computer 1 of the provider checks whether the customer's computer 2 has loaded the plug-in 7 via the communication link 13 . If this is not the case, the plugin can be transferred from the provider to the customer's computer 2 so that it is available for use after the transfer is complete.

If the plug-in already exists, the IPOB software 5 transmits an identification data record to the customer's computer 2 . This data record contains, for example, in addition to a first key information, which preferably consists of the order number that the provider assigns for the order and the bank details of the provider, the invoice amount and the currency. Therefore, no security-relevant customer data is transmitted or used between the provider and the customer.

The first key information, also referred to as the IPOB key, is now transmitted by the plug-in 7 of the browser of the computer 2 via an interface to the client side 9 of an online banking software. If the customer's online banking software is not yet activated, plug-in 7 can activate this software. This automatically creates a so-called form in the online banking software, which roughly corresponds to a transfer form and is pre-filled with the key information that the provider has transmitted to the customer. The entered data can be checked by the customer, provided that the form is displayed on the screen, and, if necessary, supplemented by own data. However, the key information provided by the provider cannot be changed by the customer.

The customer can now release the transaction in the banking system. The key information and the customer-specific data are thus transmitted via the communication link 14 from the customer's computer 2 to the bank's computer 3 . The transaction is assigned to customer 11 by the credit institution, but is not yet carried out, but rather is temporarily stored in 12. The computer 3 of the credit institution now transmits the key information extracted from the transfer data record via the communication link 15 to a central server, also called an IPOB server. The central server 4 transmits a confirmation signal to the computer 3 of the credit institution. Furthermore, the computer 3 of the credit institution transmits an acknowledgment signal to the customer's computer, and the latter transmits a corresponding confirmation signal to the provider's computer 1 .

As soon as the confirmation signal of the customer has reached the provider, or even before, the key information is reactivated and transmitted as second key information via a communication link 16 to the central IPOB server. There, the first key information received from the credit institution is compared with the second key information now received, and if the two key information match, the key information or a simple confirmation signal is transmitted from the central server 4 to the credit institution 3 . This signal causes the computer of the credit institution to execute the cached transaction and to confirm it to the customer. Furthermore, the credit institution confirms the execution of the transaction to the central server, and the central server transmits corresponding information to the provider's computer. This completes the transaction for the provider's computer 1 and the order can be confirmed to the customer and executed in accordance with the order.

The central server contains software that controls a database, which contains the data of all participating credit institutions. About the key information an assignment to a specific bank is made. In a Alternatively, the central server could also act as a routing service act and thus a quasi-direct connection between the computer of the Produce provider and credit institution.

The key information is used only to identify one Transaction in communication in the payment system according to the invention. A Uniqueness in relation to the associated provider invoice, transfer or Bank details can be ensured, for example, that the Information key the bank sort code, account number and order number of the Provider contains.

The database stored in the central server for managing the Access data of the credit institutions preferably contains the IP addresses, if provided used over the Internet, a network address or a Line address (for a dedicated line) or a telephone number for one telephone connection.

The computers used in the system of the invention are available Execution of the transaction in communication connections, which generally do not require manual entries. This is a high level of security guaranteed against manipulation. A safeguard against manipulation by the  Customers are assured that the confirmation of a transaction is not via the customer's computer, but via a central server that is inaccessible to the customer. A possibility of manipulation by third parties This prevents the customer's security-related data from being removed via a secure connection, for example a usual online banking Software is transmitted.

The provider also does not receive any information about the customer Account number, bank or similar, because the provider via the central server only receives information that the payment has been made.  

LIST OF REFERENCE NUMBERS

1

Provider computer

2

Customer computer

3

Bank computer

4

central server

5

IPOB software

6

Homepage of the provider

7

plugin

8th

browser

9

Client side of the online banking software

10

Server side of the online banking software

11

Accounts from customer

12

IPOB transactions

13

Customer-provider data connection

14

Customer-bank data link

15

Data connection bank central server

16

Data connection from central server providers

Claims (6)

1.Procedure for securely carrying out a transaction in electronic payment transactions, in particular on the Internet, in which an offer from a provider that can be called up by a customer is executed in order to carry out the following procedural steps in an automated sequence:

• a) by accepting the customer's offer, an identification data record is generated by means of the provider's computer ( 1 ), which contains first key information and transmits it to the customer's computer ( 2 ),
• b) using the identification data record, an electronic transfer data record of a known electronic payment system (electronic banking) is generated by the customer's computer ( 2 ), which is transmitted together with the first key information to the computer ( 3 ) of a customer's credit institution,
• c) the computer ( 3 ) of the credit institution transmits the first key information to a central server ( 4 ),
• d) the central server ( 4 ) compares the first key information received from the computer of the credit institution with second key information correspondingly transmitted from the provider's computer ( 1 ) to the central server ( 4 ),
• e) if the key information contained matches, the central server ( 4 ) transmits a confirmation signal to the computer ( 1 ) of the provider for the execution of the order and an execution signal to the computer ( 3 ) of the credit institution to complete the payment transaction.

2. The method according to claim 1, characterized in that the central server ( 4 ) after receiving the first key information from the computer ( 3 ) of a credit institution transmits a confirmation signal to the computer of the credit institution. 3. The method according to claim 1 or 2, characterized in that the computer ( 3 ) of the credit institution after receipt of the electronic transfer data record transmits a reception signal to the computer ( 2 ) of the customer and the computer ( 2 ) of the customer a further confirmation signal to the computer ( 1 ) transmitted by the provider before the computer ( 1 ) of the provider transmits the second key information to the central server. 4. The method according to claim 1, 2 or 3, characterized in that the Execution signal contains the second key information, and that the Computer of the credit institution after receiving the second key information executes the electronic transfer record and against the Customer's computer confirmed. 5. The method according to any one of claims 1-4, characterized in that the key information contains a data record with at least the following data:

• a) order identification code,
• b) Bank details of the provider.

6. The method according to any one of the preceding claims, characterized in that the central server ( 4 ) contains a database via which the second key information received from the provider's computer is assigned to access data of a large number of credit institutions.