DE102011079317A1 - MOBILE SYSTEM FOR FINANCIAL TRANSACTIONS - Google Patents

Abstract

The present invention relates to a system S and a corresponding method for location-independent and multi-vendor initiation or execution of a transaction, for example a payment transactions from a donor to a money receiver, and in particular relates to a method for executing a provided control command. For this purpose, in particular, a corresponding protocol is provided, which can be implemented by means of conventional hardware. The present invention finds application with respect to location-independent electronic payments and cash transactions.

Description

The present invention relates to a system comprising distributed, functionally co-operating devices and a corresponding method for location-independent and multi-vendor initiation of a transaction, for example a payment transaction from a financier to a money receiver, and more particularly relates to a system and method for executing a provided control command , The invention further relates to a data memory for storing corresponding method steps, or a computer-readable medium with control commands for carrying out precisely this method.

In a variety of telecommunication technology applications, increasingly sensitive services such as the receipt, processing and provision of personal data are offered via remote interfaces. Thus, at least one user is expected to initiate control commands without that same user being able to ensure that he is communicating with a trusted authority. Accessing corresponding services can be carried out, for example, by means of mobile terminals or stationary computing units.

For this purpose, a secure connection with a service provider can be established according to conventional methods. However, it is possible that only the communication between a sender and a receiver is secured. Often, this requires further complicated mechanisms, which ensure a secure determination of the identity of the sender and the recipient. However, an implementation of such an authentication mechanism is typically cumbersome and possibly error prone. If a user wants to make use of a sensitive service from his mobile terminal, he expects a system in accordance with the intended purpose to do so with as little technical effort as possible and with simple operation. However, according to conventional methods, considerable technical effort has to be made on both the transmitter and the receiver side. For example, according to conventional methods, mobile terminals must support special, secure protocols, special software must be installable, and / or other physical hardware components must be available for authentication.

A particularly sensitive control command may be, for example, initiating a financial transaction. In this case, a donor requests, for example by means of a mobile terminal, a technical device of a payment service provider to credit an account of a money receiver a certain amount. In this case, in particular, it should be ensured that the execution of precisely this control command is both correct and uncomplicated, as well as that this can be carried out as possible by any mobile terminal, such as a mobile phone.

For handling electronic transactions, a plurality of payment systems are known which rely on retrieving money from a known account, an addressed sending of money and / or a means of payment, i. H. Prepaid, a voucher or a voucher. In particular, here are direct debit by account holder, account number and bank code, use of a credit card, billing by mobile phone bill, billing by means of an identification number in the form of a mobile phone number or a customer number, a transfer of money, a use of cash or a cash card as a payment system and further procedures known by third parties.

As another conventional method, the transaction system "Paypal" is known. This mobile payment system is based on an application, also called app, for smartphones. In doing so, it is necessary for both the creditor and the payee to register with relevant services, ie. H. submit personal information before they can carry out such transactions.

As another conventional method "Google Wallet" is known, which implements existing card systems in the form of a corresponding application. The virtual cards can communicate via the so-called "near field communication". This can replace a magnetic strip or a chip of a payment card.

CA 2 457 263 A describes a method for authorizing a purchase transaction comprising the steps of: generating a unique transaction identification code, receiving a confirmation code from a service location, and authorizing a transaction upon corresponding the received confirmation code with the unique transaction identification code.

WO 2008 083 022 A1 describes a method and system for conducting an initiation of a financial transaction by means of a mobile phone. Here, the lender initiates a transaction by sending a payment request message from a mobile phone specifying the payee and the payment amount. Here payees are identified by means of clear aliases.

EP 1 229 467 A1 describes a payment system with a mobile device, wherein payment transactions are carried out and a checkout wirelessly transmits a payment request to a mobile device of a customer who checks the payment request, if positive result generates a payment instruction, transmits it to a payment center, the payment center checks the payment instruction , if the result is positive, the payment center sends the cashier a payment confirmation, the cashier checks the payment confirmation and, if the result is positive, this is indicated or the goods to be paid are released.

EP 1 450 322 A1 describes a method of payment between a mobile subscriber and a provider, wherein the mobile subscriber has a first portable personal identification module intended for identification in a mobile network, said identification module being bound to at least one money account, at least one said money account having an expenditure limit, wherein an execution of a payment transaction for which the named spending limit is insufficient is carried out by means of a second attached money account which is bound to a second identification module.

According to other conventional methods, SIM cards are used to identify a subscriber. Under this identity several cash accounts or payment service providers can be subsumed.

Depending on the payment system, however, different problems arise. The person who is in the role of the sponsor when making a payment does not want to disclose his or her data to the recipient, if possible. Cash or voucher systems have the disadvantage that the money must first be provided in the form of the asset before it can be transferred. Furthermore, the user is bound to the medium. Internet vouchers only work on the Internet. Many systems are still tied to a provider. Thus, the ability to transfer money from donor to recipient requires that both trust and submit data to the same provider. Furthermore, the problem is that no known payment system is able to provide reliable services at all communication levels, ie online, by telephone and in personal contact. In addition, such services should function independently of a particular provider and at the same time provide sufficient data protection for the lender.

In accordance with conventional methods, it is often not possible to provide extensive functionality with little technical effort, for example that subscribers can be customers of other payment service providers, the paying subscriber is anonymous, the transaction is simple and straightforward, a purchase with little technical effort for buyers and sellers is possible, data protection is granted, an age check can be carried out, value-added services, such as an integrated receipt or an electronic household book, can be offered and / or bonus cards can be replaced by store chains.

Thus, conventional methods and apparatuses for initiating execution of a control command or for executing a control command are often associated with a high level of technical complexity, since they require the provision of suitable hardware and / or software components or, in particular with respect to execution of financial transactions, provide such insufficient functionality that With regard to a multiplicity of application scenarios, further functions also have to be implemented by providing further hardware and / or software components.

Thus, it is an object of the present invention to provide an improved apparatus and system, respectively, and an improved method for causing secure, location-independent execution of a sensitive, provided control command and also ensuring high data protection.

This object is achieved by a system for executing a provided control command, comprising the features according to claim 1 and by a method having the features according to claim 15.

Advantageous developments are defined in the dependent claims.

Accordingly, there is provided a system for executing a control command based on a provided initialization signal comprising a first authorization device, a second authorization device, and an execution device, wherein the execution device is arranged to provide an initialization signal at the request of the first authorization device, which is from the first Authorization device is passed to the second authorization device, bypassing the execution device, the second authorization device is adapted to generate a request signal and to transmit via the execution device to the first authorization device, and the execution device is set, a control command based on the request signal in Dependence on an acknowledgment of the request signal by the first authorization device to execute.

The provided system comprises a plurality of functionally cooperating components, for example the first authorization device, the second authorization device and the execution device. In this case, however, it is also possible for further components to be involved in the interaction of the system, which components are necessary, for example, for providing a communication network. In this case, various network components are known to the person skilled in the art. Corresponding devices or components are communicatively connected by means of interfaces and can exchange messages via corresponding protocols. The first authorization device and the second authorization device may, for example, be in the form of a mobile terminal, such as a mobile phone or a portable computer, or may be used as a stationary computer, i. H. a corresponding desktop computer with associated peripherals, present. The execution device may be provided as a specialized hardware component. It is also possible to integrate the execution device in a special reader or a payment component or to connect them. In particular, it may be advantageous to design the execution device as a server. However, it is also possible to provide the first authorization device, the second authorization device and the execution device in the form of control commands.

The components of the provided system can communicate with each other by means of messages or signals. In this case, messages can be constructed in accordance with specific file formats and, in addition to user data, have further metadata, such as identification data or address data. Signals include any type of electrical signal, which signals may also model messages, or cause messages to generate certain signals.

In addition, the components described may preferably be set up in such a way that they initiate the execution of further control commands and / or execute them themselves. Thus, it may be advantageous to establish a secure connection between individual components and / or perform a mutual authentication. Furthermore, it may be necessary to exchange network protocol-typical information and / or to transmit confirmations of completed transactions.

The execution device is preferably set up to provide the initialization signal upon request of the first authorization device. Thus, the first authorization device transmits a request message or a request signal to the execution device. The execution device then generates an initialization signal, which may comprise at least parts of the request message or of the request signal and / or may comprise information which is generated as a function of at least part of the request message or of the request signal. Thus, it is possible that the request message or the request signal has parameters with which at least part of the initialization signal is calculated. In this case, it is advantageous that the initialization signal is transmitted from the first authorization device to the second authorization device. Thus, it is not necessary for the execution device to communicate with the second authorization device, thereby making it possible for the second authorization device and the execution device to remain mutually anonymous. By circumventing the execution apparatus, this means that the execution apparatus need not be able to read out the contents of the initialization signal. Even if at least parts of the initialization signal can be temporarily stored physically in a memory associated with the execution device, no processing steps of precisely this information are followed by the execution device.

The second authorization device is preferably set up to generate a request signal as a function of the transmitted initialization signal and to transmit this via the execution device to the first authorization device.

The second authorization device is further preferably configured to generate a request signal and to transmit this via the execution device to the first authorization device. In this case, it is again possible to generate the request signal as a function of the transmitted initialization signal, which can be done by including at least part of the initialization signal in the request signal. Furthermore, it is possible that the second authorization device reads out data from a data memory assigned to it and generates the request signal as a function of the transmitted initialization signal and further data that has been read out. A transmission of the request signal via the execution device to the first authorization device may be a passing through of the request signal from the execution device to the first authorization device. However, it may also be a direct transfer, ie without using the execution device, of the second Authorization device to act on the first authorization device. However, it is also possible that after a transmission of the request signal from the second authorization device to the execution device, the execution device modifies at least parts of the request signal, so that only a part of the original request signal is transmitted to the first authorization device. In particular, it may be advantageous for the execution device to add further data to the request signal and thus to transmit an altered request signal to the first authorization device.

The first authorization device is preferably suitable for confirming the request signal. Confirmation may include comparing the request signal with other data, for example data read from a data store associated with the first authorization device. Thus, the first authorization device is adapted to output data from a data memory, compare it according to a provided functionality with the received request signal and to calculate a value depending on the result of the comparison. This value may provide information that allows one to determine whether at least portions of the request signal match read-out data and / or to determine a degree to which the received request signal matches a read-out value. The result of the confirmation is transmitted to the execution device, which executes the control command or not depending on an evaluation of the same result.

The execution device may preferably be set up to execute the control command itself or at least to initiate execution of this control command. Thus, the execution device does not execute the control command, but causes it to be executed by another executing unit. Depending on the evaluation of the confirmation result, or depending on the initiation and / or execution of the control command, a further message exchange can be performed. For example, it is possible to transmit status information from at least one of the above-described components to at least one further of the above-described components and / or to store a corresponding message in a data memory. Further, throughout the system's operation, it is possible to store system logs, message logs, and / or status information in a data store. Also, executing the control command may trigger further interactions between at least two of the above-described components.

In a preferred embodiment of the system according to the present invention, the first authorization device and the second authorization device each communicate with the execution device by means of a secure connection of a communication network.

This has the advantage that a message exchange between the authorization devices and the execution device is secured against eavesdropping and / or falsification of messages.

In a further embodiment of the system according to the present invention, the first authorization device and the second authorization device are preferably designed in such a way that mutual authentication with respect to the execution device is possible.

This has the advantage that both the first authorization device and the second authorization device are identified relative to the execution device such that it is ensured that only authorized devices actually participate in a message exchange.

In a further embodiment of the system according to the present invention, the initialization signal preferably has a provided value and a random value.

This has the advantage that the initialization signal can have parameters which, for example, make a process uniquely identifiable and in which the initialization signal metadata and user data can be coded.

In a further embodiment of the system according to the present invention, the initialization signal is generated exactly once within a provided period of time.

This has the advantage that the signal is uniquely identifiable and thus it can be determined whether a message or a signal is sent multiple times. Furthermore, the initialization signal can thus have a unique time stamp, on the basis of which further security mechanisms can be implemented.

In another embodiment of the system according to the present invention, for transmitting the initialization signal, at least one of a group of transmission components is provided, comprising: an air interface, a wired interface, a keyboard, a card reader, a sensor, a transmitter, a receiver , one imaging device and an image processing device.

This has the advantage that many embodiments of the proposed system are possible depending on the hardware used. In particular, according to the invention, it is possible to address different scenarios, for example in the case of the use of mobile terminals, and to accordingly use a multiplicity of conventional hardware components.

In a further embodiment of the system according to the present invention, the request signal comprises at least part of the initialization signal and / or at least one further control command signal parameter.

This has the advantage that the request signal can be unambiguously assigned to the initialization signal, parameters can be read from the initialization signal and inserted into the request signal and, in addition, further control command signal parameters, which can describe how a control command is to be executed, be provided.

In another embodiment of the system according to the present invention, at least one of a group of components is provided to confirm the request signal, the group comprising: an air interface, a wired interface, a keyboard, a card reader, a sensor, a transmitter, a receiver , an imaging device and an image processing device.

This has the advantage that many embodiments of the proposed system are possible depending on the hardware used. In particular, according to the invention, it is possible to address different scenarios, for example in the case of the use of mobile terminals, and to accordingly use a multiplicity of conventional hardware components. In particular, it is possible to use a display of a mobile terminal as an imaging device to represent corresponding signals and to detect the signals shown accordingly. Thus, for example, mobile phones can be used which communicate by means of an integrated display and by means of an integrated camera.

In a further embodiment of the system according to the present invention, the first authorization device is arranged to confirm the request signal for providing at least one information of a group of information, the group comprising: a key, a PIN, a password, a numeric string, an alphanumeric string, a biometric feature, a security feature, and confirmation information.

This has the advantage that the confirmation of the request signal can take place using a large number of data formats and, in addition, further security mechanisms can be used.

In a further embodiment of the system according to the present invention, the execution device executes a control command based on the request signal upon a positive confirmation of the request signal and / or causes it to be executed.

This has the advantage that the execution device is suitable, depending on a confirmation of a positive evaluation of the request, either to execute the control command itself and / or to initiate a processing of the control command by means of a remote method call.

In a further embodiment of the system according to the present invention, the execution device has a plurality of execution devices which are set up to exchange at least one information among a group of information, the group comprising: authentication information, confirmation information, request information, status information, a control signal , a control command, a parameter, a message, a numeric string, an alphanumeric string, a PIN and a password.

This has the advantage that a multi-stage system according to the present invention can be implemented, in which the execution device is operated by several providers, which can communicate with each other.

In a further embodiment of the system according to the present invention, individual execution devices are designed in such a way that mutual authentication can be carried out and / or individual execution devices communicate with one another by means of a secure connection of a communication network.

This has the advantage that a distributed system according to the present invention can operate message exchange tap-proof and tamper-proof.

In a further embodiment of the system according to the present invention, at least one of the devices is configured as one of a group of devices which Group comprising: a mobile terminal, a mobile phone, a tablet, a portable computer, a cash register, a cash register system, a vending machine and a server.

This has the advantage that conventional hardware components can be used.

In a further embodiment of the system according to the present invention, the system is designed as a payment system, and / or the initialization signal is present as a payment code, and / or a value provided by the initialization signal identifies a payment service provider and / or a provider provided by the initialization signal Value identifies a transaction within a limited time period, and / or the execution device uniquely identifies the first authorization device within a limited time window based on a parameter of the initialization signal, and / or the first authorization device exists as a payment service provider technical device and / or the second authorization device is present as a technical device of a payee, and / or the execution device exists as a technical device of a payment service provider.

In a further embodiment of the system according to the present invention, the system is designed as a payment system, and / or the control command signal is present as a payment code, and / or the value provided in the control command signal identifies a payment service provider and / or the control command signal parameter has purchase information and / or the control command is present as a transaction command, and / or the first authorization device exists as a technical device of a payee, and / or the second authorization device is present as a technical device of a payee, and / or the execution device is as a technical device of a payment service provider, and / or the first authorization device is present as a control command module, and / or the second authorization device is present as a control command module, and / or the execution device is located as a Steue r command module.

This has the advantage that the proposed system can be operated as a financial transaction system and embedded in existing infrastructures.

The object is also achieved by a method for executing a control command based on a request signal based on an initialization signal, upon request of a first authorization device by means of an execution device an initialization signal is provided, which from the first authorization device, bypassing the execution device to a second Authorization device is transmitted; the second authorization device generates a request signal having at least a portion of the initialization signal and transmits it to the first authorization device via the execution device; and a provided control command is executed in response to an acknowledgment of the request signal by the first authorization device from the execution device.

The method for executing a control command based on a request signal based on an initialization signal is thus a method for executing a control command in response to a request signal and an initialization signal. Basing thus describes that the control command is executed after specification of an embodiment of a request signal and / or an initialization signal or an embodiment of a request message and / or an initialization message. Here, the default may be that the signals or messages provide parameters that influence the execution of the control command. Thus, messages or signals may be used as input parameters for such a control command. Based on this, it can also mean that the control command is executed only in the presence of at least a part of such a signal or such a message. Furthermore, it is possible to select the control command based on the message or the signal.

Furthermore, a computer-readable medium is proposed, which stores control commands for carrying out the method described above.

Thus, a method and a system are proposed, which make it possible to execute a provided control command safely or to cause the execution. Thus, a transaction system is proposed which can replace existing ones. It provides privacy to the user as the paying user remains completely anonymous to the payee. This allows, for example, the safe, anonymous spontaneous purchase of virtual goods such as music, movies, books, apps and the like. The system is designed so that service providers can implement this by means of suitable interfaces. Thus, money may be transferred from a user of a payment service provider to a user of another payment service provider using the proposed invention.

In the following, the invention will be explained in more detail with reference to exemplary embodiments with reference to the attached figures.

It shows:

1 FIG. 3 is a block diagram of a system for executing a control command according to one aspect of the present invention; FIG.

2 FIG. 3 is an activity diagram of a method for executing a control command according to an aspect of the present invention; FIG.

3 FIG. 4 is a detailed activity diagram of a method for executing a control command according to another aspect of the present invention; FIG.

4 FIG. 3 is a block diagram of a system for executing a control command according to one aspect of the present invention; FIG.

5 FIG. 4 is a detailed activity diagram of a method for executing a control command according to another aspect of the present invention; FIG. and

6 FIG. 4 is a detailed activity diagram of a method for executing a control command according to another aspect of the present invention. FIG.

In the figures, identical or functionally identical elements are provided with the same reference numerals, unless stated otherwise.

1 1 is a block diagram showing a system S for executing a control command according to an embodiment of the present invention based on a provided initialization signal, the system S having a first authorization device A, a second authorization device C, and an execution device B wherein the execution device B is set up on request the first authorization device A to provide this an initialization signal, which is transmitted from the first authorization device A, bypassing the execution device B to the second authorization device C. The second authorization device C is set up to generate a request signal and to transmit this via the execution device B to the first authorization device A; and the execution device B is configured to execute a control command based on the request signal in response to an acknowledgment of the request signal by the first authorization device A.

According to the present embodiment, a request of the first authorization device A takes place by means of the data channel AB. Providing an initialization signal is carried out according to the present embodiment of the first authorization device A to the execution device B by means of the data channel BA. The first authorization device A transmits the initialization signal, bypassing the execution device B, to the second authorization device C by means of the data channel AC. The second authorization device C generates the request signal and transmits it via the execution device B to the first authorization device A by means of the data channel CB and BA. The first authorization device transmits an acknowledgment of the request signal by means of the data channel AB. The above-described data channels can be implemented at least partially wired and / or wirelessly.

2 shows in an activity diagram a method for executing a control command according to an embodiment of the present invention. At the request of an authorization device A, this is provided by means of an execution device B an initialization signal, which is transmitted from the first authorization device A bypassing the execution device B to a second authorization device C. 100 , The second authorization device C generates a request signal which has at least a part of the initialization signal and which is transmitted via the execution device B to the first authorization device A. 101 becomes. A provided control command is executed in response to an acknowledgment of the request signal by the first authorization device A from the execution device B. 102 ,

The above-described method steps can be carried out iteratively and / or in a different order.

3 shows in a detailed activity diagram a method for executing a control command according to an embodiment of the present invention. This is on request 200 a first authorization device A thereof by means of an execution device B provided an initialization signal 201 which is transmitted from the first authorization device A bypassing the execution device B to a second authorization device C. 202 ; the second authorization device C generates 203 a request signal having at least a portion of the initialization signal, and transmitted 204 this via the execution device B to the first authorization device A. A provided control command is in response to a confirmation 205 of the request signal by the first authorization device A executed by the execution device B. 206 ,

In further optional method steps, the execution of the control command is confirmed to the first authorization device 207 and the second authorization device 208 , In addition, authentications are possible in further optional method steps.

The above-described method steps can be carried out iteratively and / or in a different order.

The present 4 shows in a block diagram two interacting components D and E as part of a system for executing a control command according to an embodiment of the present invention. According to the present embodiment, a user acquires, by means of a mobile terminal D, a good or service from a service provider E. In the present 4 this is indicated by means of a bidirectional arrow. Thus, this arrow describes only the logical communication, but it is possible that the two components D and E communicate by means of intermediary components. For example, component D may exist as a first authorization device and component E as a second authorization device. The component D may also be in the form of a mobile telephone, and the component E may be in the form of a mobile telephone, a vending machine, a website or a cash register system. Since in this embodiment, only the logical interaction is shown, shows 4 no execution device, since from the user's point of view, this only performs a transaction management in the background. Based on this scenario, the invention is explained in more detail with reference to the following sequence:
A user has shopped and wants to pay. For this purpose, he uses his mobile phone, so component D. On the device D control commands are executed according to the present invention. The user taps a "Pay" button and receives a unique payment code from his bank. This is transferred by means of a barcode scanner of a cash register system, in the present case component E. By means of the code, the cash register system E sends a payment request to a bank. This forwards the request to him. He confirms the payment with a PIN. The bank makes the payment. The cash register system E and the user of component D each receive a payment confirmation.

In a further embodiment of a method for executing a control command according to the present invention, the method proceeds as follows. A shop operates a POS system, a customer operates a smartphone. Both devices, POS system and smartphone, are registered with a bank and need to authenticate themselves. This allows the use of strong encryption. If the customer presses a "Pay" button, the device announces its willingness to pay to the bank and the bank assigns the payment code. The user transmits the payment code to the cash register system, for example by barcode. The POS system sends the payment request to the bank. The bank passes on the payment request to the customer. This confirms the payment with his PIN. The bank executes the payment and sends both partners a payment confirmation.

Within 72 hours, the payment code will be given by the bank for exactly one payment and will only be valid for a few minutes. The user thus expresses his willingness to pay, and the bill reaches the right user. The code also hides the identity of the paying user, making it anonymous. This system makes unauthorized payment requests impossible.

In a further embodiment of a method for executing a control command according to the present invention, the method proceeds as follows. The mobile phone authenticates to the bank. The user clicks on a button "pay" on his smartphone, the device announces the willingness to pay and is assigned by the bank the payment code. This code is unique, at least within a certain time unit, for example the next 72 hours. The user can display this code as a bar code for a cash register system, for example, or as a QR code, for example, he can be read with a mobile phone camera or in numbers so that he can enter it by hand when, for example, on the Internet buys. Once the user has submitted the code, the POS system sends the payment request to the bank. The bank forwards this payment request to the user. Now the user confirms the payment with a PIN. After a short wait, he receives an overview of his latest issues; It contains the payment confirmation for the payment just made.

According to the invention, in a further embodiment, a separate account, in the following Qick Money Transaction account, short QMT account, are established. QMT may also designate the system according to the invention for executing a control command. A customer has a bank account and a QMT account. The QMT account has a low credit balance. Among other things, this QMT credit determines the credit limit, for example: 100 € credit means 200 € credit limit in 10 days. The QMT service provider collects money from the customer by direct debit. The QMT service provider transfers money to the customers by bank transfer. Here is a certain inertia installed, so a time delay of providing funds to provide security to payment service providers. The payment service providers reconcile your bank accounts daily by bank transfer based on the shifts in the QMT accounts.

In order to carry out an age check, the following method steps can be carried out according to the invention: The money receiver sends the payment request, which contains a field "Mindendestalter". If the age of the lender is below the minimum age, the transaction will be rejected. Both users are informed about the age limit violation.

Furthermore, according to the invention, an electronic receipt can be used. The payment request contains two fields, "receipt" and "receipt validity". "Receipt" contains an HTTPS URI such as:
" https://kasse.xyz.de/zettel.php?id=n47kj34a72d4&key=0db2sqlfmsze "

By means of the URI, an XML file can be addressed, which is displayed as an HTML page in the web browser using XSLT.

5 and 6 each show in a detailed activity diagram a method for executing a control command according to an embodiment of the present invention. First, the technical components employed in the method for executing a control command according to an embodiment of the present invention will be discussed.

The payer, in short ZL, transfers the means of payment to another participant. The payee, ZE for short, receives payment from another participant. The payment service provider, ZDL for short, executes the cash transfer. The first and / or the second authorization device may be present as an end user terminal. This device end user terminal is able to establish an encrypted authenticated connection to a system of the ZDL using a defined protocol over a network. In the present exemplary embodiment, the payment-performing ZL has the first authorization device A, the payment recipient ZE has the second authorization device C, and the payment service provider ZDL has execution device B.

For the authentication of the end user terminal against the ZDL and vice versa a signature procedure is used. As concrete examples of devices constituting an end user terminal as described herein, there may be mentioned mobile phones, POS systems or vending machines, or Internet services served via a web interface.

The signature method is capable of optically displaying a defined code or transmitting it electronically to another end user terminal. It can optically detect this code, for example, by electronic means, receive by radio or receive it by a manual input.

• – kann eine ZE-Funktion und eine ZL-Funktion beinhalten;
• – kann aber auch nur eine der beiden Funktionen besitzen;
• – befindet sich im persönlichen Besitz des Benutzers;
• – im Falle einer Privatperson könnte das zum Beispiel das Mobiltelefon sein;
• – ein Kassensystem befindet sich im Besitz des Ladeninhabers; Zugang zu diesem haben nur berechtigte Angestellte, die sich über ein geeignetes Verfahren an diesem System authentifiziert haben.

Features of an end user terminal can be:

• - may include a ZE function and a ZL function;
• - but can also have only one of the two functions;
• - is in the personal possession of the user;
• - In the case of a private person, this could be, for example, the mobile phone;
• - a cash register system is in the possession of the shopkeeper; Only authorized employees who have authenticated themselves by means of a suitable procedure on this system have access to this.

The execution device may be present as a payment service provider system, in short ZDLS. The ZDL (ZDLS) system can accept an encrypted connection over a network using a defined protocol. It authenticates to the end user terminal and uniquely identifies the end user terminal. It uniquely assigns an end user terminal to a registered user and accepts requests from it. Furthermore, it is able to perform a transaction between an end user, which is coupled to the own system, and the end user of another ZDL, in that each ZDL acts as a transaction partner on behalf of its end user vis-à-vis the respective other ZDL. However, the necessary data for the execution of the transaction of the final participants are passed.

A flow of a payment transaction according to an embodiment of the method for executing a control command according to the present invention may be described as follows.

In preparatory steps are optional authentication steps 50 . 51 advantageous. In order to start a transaction, a participant, ie the ZL, for example the customer in a shop, has to announce his willingness to pay to his ZDL by means of his end-user terminal, for example his correspondingly equipped mobile phone 52 ,

The ZDL generates a code, for example the payment code, which consists of a predefined value and a random value. The predefined part of the code identifies the ZDL. The payment code is only valid for a limited period of time, for example 10 minutes. The same payment code can be issued only once within a larger time frame, for example 30 days. The system of the ZDL stores the assignment of the payment code to the end user terminal of the ZL and transmits 53 the code to the end user terminal of the ZL. The end user terminal of the ZL displays or transmits the code in human and / or machine readable form 54 This directly, for example by radio or infrared, to the end user terminal of the ZE. The end-user terminal of the ZE, for example the point-of-sale system of the store, receives the code via sensors, for example a bar code scanner, electronic transmission methods or manual input. It generates a payment request, ZA for short, from the data already available, which are entered before the transaction or transferred from another system, via the monetary claim of the payment service provider and the payment code, or ZA for short 55 this to his ZDL.

Depending on whether the ZDL of the ZE and the ZL is the same or not, the following procedure differs. If the ZDL of the ZE and the ZL is the same, the further procedure is as follows:
The system of the ZDL assigns the payment request to the end user terminal of the ZL and sends 56 this the payment request. The payment request is checked and can be changed if necessary. The ZL is informed by its end user terminal of the content of the payment request, for example by displaying it on a display. The ZL confirms the transaction by entering a secret known only to it, such as PIN or password, at its end user terminal. The confirmation of the transaction is transmitted 57 the end user terminal of the ZL to the system of his ZDL. The system of the ZDL executes the transaction 58 and send 59A . 59B one confirmation of the transaction to the end user terminals of the ZL and the ZE. The transaction is subsequently identifiable by the combination of payment code and the time stamp.

If ZL and ZE are registered with different ZDLs, for example B1 and B2, then the further procedure is as in 6 described. Process steps according to reference numerals 60 to 64 and 66 find analogous to reference numerals 50 to 55 Application. Furthermore, method steps according to reference numerals 68 . 69 . 611 . 612 and 613 analogous application to the method steps according to reference numerals 56 . 57 . 58 . 59A and 59B ,

The system of the ZDL assigns the payment request to the ZDL of the ZL. The system of the ZDL of the ZE builds on a data network, for example the Internet, leased line or telephone network, an encrypted connection to the system of the ZDL of the ZL. Authenticate when establishing a connection 65 Both systems face each other. The ZDLS of the ZE sends 67 a copy of the payment request to ZDLS of the ZL. The payment request is checked and can be changed if necessary. The ZDLS of the ZL assigns the payment request to the end user terminal of the ZL and sends it the payment request. The payment request is checked and can be changed if necessary. The ZL is informed by its end user terminal of the content of the payment request, for example by displaying it on a display. The ZL confirms 69 the transaction by entering a secret known only to him, such as PIN or password, at his end user terminal. The confirmation of the transaction is sent to the end user terminal of the ZL to the system of its ZDL. ZDL B1 sends 610 a payment confirmation to B2. The systems of ZDL execute the transaction 611 and send 612 . 613 one confirmation of the transaction to the end user terminals of the ZL or ZE.

This results in the following relationships: The ZE receives credits from his ZDL credited. The ZDL of the ZE receives the means of payment from the ZDL of the ZL. The ZDL of the ZL posts the means of payment directly from the account of the ZL. In retrospect, the transaction can be uniquely identified by the combination of the payment code and the time stamp; all postings relating to this transaction are linked to this information by the ZDLS.

In accordance with another feature of at least one embodiment of a method for executing a control command, a variety of security mechanisms are employed. Primary target platforms for the end-user terminal application are so-called smartphones. These already offer a relatively high level of security. The application software for these systems is usually obtained from so-called App Stores. The operators check all offered programs for safety. Malware has so little chance of reaching the end customer. The operating systems isolate installed applications and their data from each other, also called sandboxing. This will allow a malicious application to access only trusted data from another application if it manages to bypass the security mechanisms of the operating system.

The data of the end user terminal application are also stored in encrypted form. To encrypt and decrypt the data functions / data of the SIM card and / or another hardware component are used, which a third party can not dispose of.

The end user terminal application stores several keys. At least one serves to authenticate the system of the ZDL. At least one more will be used to authenticate the end user terminal to the ZDLS. A key is used as a one-time key for the next session, ie the connection to the ZDLS. As part of such a session, a key is always created for the next session and stored on the end user terminal. This key is stored until the end user terminal has received the key after the second. At least one key is stored as a user secret mask, for example PIN. The user secret is encrypted with the mask and checked in this form by the ZDLS. Thus, the user secret is not transmitted directly and is not stored on the device.

• – ZE und ZL sind dem ZDL stets beide bekannt.
• – Eine Transaktion muss vom ZL eingeleitet werden. Dabei kommuniziert dieser direkt und ausschließlich mit dem ZDL.
• – Eine Zahlungsanfrage kann nicht ohne einen gültigen Zahlungscode eingereicht werden. Einen solchen erfolgreich zu erraten, ohne durch Fehlversuche aufzufallen, ist höchst unwahrscheinlich, da das Verhältnis von gültigen Schlüsseln zu ungültigen Schlüsseln stets mindestens x-tausend zu eins beträgt.
• – Eine Zahlung wird nur ausgeführt, wenn diese vom ZL über sein persönliches Endbenutzerterminal mit seinem Geheimnis bestätigt worden ist. Abgelehnte Zahlungsanfragen fallen ebenfalls auf.
• – Durch den Code, der lediglich eine Transaktion ist und den ZDL des ZL identifiziert, bleibt der ZL gegenüber dem ZE anonym. Der ZE kann den ZL also weder identifizieren, noch unaufgefordert weitere Zahlungsanfrage an diesen richten.

Further security aspects arise directly from the payment procedure:

• - ZE and ZL are always known to the ZDL.
• - A transaction must be initiated by the ZL. It communicates directly and exclusively with the ZDL.
• - A payment request can not be submitted without a valid payment code. It is highly unlikely to guess one successfully without attracting attention because the ratio of valid keys to invalid keys is always at least x thousand to one.
• - A payment will only be made if it has been confirmed by the ZL through its personal end-user terminal with its secret. Rejected payment requests are also noticeable.
• - By the code, which is just a transaction and identifies the ZDL of the ZL, the ZL remains anonymous to the ZE. The ZE can neither identify the ZL, nor unsolicited further payment request addressed to this.

Further safeguards can be implemented on the ZDL system. Here, for example, credit limits, transaction limits and algorithms for detecting irregularities can be implemented.

One of ordinary skill in the art will recognize how to apply the above-described security mechanisms in the respective embodiments of the proposed system for executing a control command and the method for executing a control command, respectively.

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• CA 2457263 A [0008]
• WO 2008083022 A1 [0009]
• EP 1229467 A1 [0010]
• EP 1450322 A1 [0011]

Cited non-patent literature

• https://kasse.xyz.de/zettel.php?id=n47kj34a72d4&key=0db2sqlfmsze [0081]

Claims (16)

A system (S) for executing a control command from a provided initialization signal, the system comprising a first authorization device (A), a second authorization device (C) and an execution device (B), wherein The execution device (B) is set up to provide the initialization signal at the request of the first authorization device (A), which is transmitted from the first authorization device (A) to the second authorization device (C), bypassing the execution device (B); • the second authorization device (C) is arranged to generate a request signal and to transmit it via the execution device (B) to the first authorization device (A); and • the execution device (B) is arranged to execute a control command based on the request signal in response to an acknowledgment of the request signal by the first authorization device (A). System (S) according to claim 1, wherein the first authorization device (A) and the second authorization device (C) each communicate with the execution device (B) by means of a secure connection of a communication network (AB, BA, CB, AC). System (S) according to one of the preceding claims, wherein the first authorization device (A) and the second authorization device (C) are set up such that a mutual authentication with respect to the execution device (B) is possible. The system (S) of any one of the preceding claims, wherein the initialization signal has a provided value and a random value. System (S) according to one of the preceding claims, wherein the initialization signal is generated exactly once within a provided period of time. The system (S) of any one of the preceding claims, wherein for transmitting the initialization signal at least one of a group of communication components is provided, the group comprising: an air interface, a wired interface, a keyboard, a card reader, a sensor, a transmitter, a Receiver, an imaging device and an image processing device. System (S) according to any one of the preceding claims, wherein the request signal comprises at least a part of the initialization signal and / or at least one further control error signal parameter. The system (S) of any preceding claim, wherein at least one of a group of components is provided to confirm the request signal, the group comprising: an air interface, a wired interface, a keyboard, a card reader, a sensor, a transmitter, a Receiver, an imaging device and an image processing device. The system (S) of any one of the preceding claims, wherein the first authorization device (A) is arranged to acknowledge the request signal to provide at least one information of a group of information, the group comprising: a key, a PIN, a password, a numeric string, an alphanumeric string, a biometric, a security feature, and confirmation information. System (S) according to one of the preceding claims, wherein the execution device (B) executes a control command based on the request signal in a positive confirmation of the request signal and / or causes its execution. A system (S) according to any one of the preceding claims, wherein the execution device (B) comprises a plurality of execution means (B1, B2) arranged to exchange at least one information among a group of information among each other, the group comprising: authentication information, confirmation information, request information, status information, control signal, control command, parameter, message, numeric string, alphanumeric string, PIN, and password. System (S) according to any one of the preceding claims, wherein individual execution means (B1, B2) are designed such that a mutual authentication is feasible and / or individual execution facilities (B1, B2) communicate with each other by means of a secure connection of a communication network. The system (S) of any of the preceding claims, wherein at least one of the devices (A, B, C) is configured as one of a group of devices, the group comprising: a mobile terminal, a cell phone, a tablet, a portable computer , a cash register, a cash register system, a vending machine and a server. System (S) according to one of the preceding claims, wherein the system (S) is designed as a payment system and / or the initialization signal is present as a payment code and / or a value provided with the initialization signal identifies and / or a payment service provider a value provided with the initialization signal identifies a transaction within a limited time period and / or the execution device (B) uniquely identifies the first authorization device (A) within a limited time window based on a parameter of the initialization signal and / or the first authorization device (A) is present as a technical device (D) of a payee and / or the second authorization device (C) is present as a technical device of a payee (E) and / or the execution device (B) is present as a technical device of a payment service provider Method for executing a control command in response to a request signal and an initialization signal, in particular for operating a system (S) according to one of claims 1 to 14, wherein • upon request of a first authorization device (A), this device provides the initialization signal by means of an execution device (B) which is transmitted from the first authorization device (A), bypassing the execution device (B), to a second authorization device (C) ( 100 ) becomes; The second authorization device (C) generates a request signal which has at least one element of the initialization signal and transmits it via the execution device (B) to the first authorization device (A) ( 101 ); and • the control command is executed by the execution device (B) in response to an acknowledgment of the request signal by the first authorization device (A) ( 102 ) becomes. Computer-readable medium with control commands for carrying out a method according to claim 15.

Images