GB2188180A - EFT-POS terminal apparatus - Google Patents

Abstract

EFT-POS terminal apparatus is constructed in two parts with a tamper-resistant EFT-POS cardholder unit (ECHU) communicating via a standard interface with a retailers unit (RU) which provides the retailing operations and also provides the necessary communication to the EFT-POS network. <IMAGE>

Description

SPECIFICATION EFT-POS terminal apparatus This invention relates to terminal apparatus for use in an electronic funds transfer at point of sale (EFT-POS) system.

In such a system in its basic mode of operation a purchaser of goods is provided with a card which carries a machine-readable code. This card is inserted into a terminal at the retailers premises and, subject to appropriate verification by signature or by personal identification number keyed into the terminal by the customer, instructs the terminal to send a message to a central computer system authorising a transfer of funds sufficient to meet the cost of the purchase. The message may be sent staightaway (on-line) or later (off-line). Several variations on this mode of operation are apparent as are described in more detail below.

The present invention is defined in the appended claims to which reference should now be made.

In a preferred embodiment of this invention we provide a terminal for an EFT-POS system which is formed of two principal components. The first retailing component has a port to provide communication with the link to the central computer system, and has means for inputting the cash amount involved, and other elements providing functions concerned with the normal retailing operation. The second component is a tamper-proof secure unit which is standard in construction notwithstanding the various types of retail outlet in which it may be used. This second EFT-POS processing component provides secure processing and communicates with the first component to receive and transmit data.

One example of the invention will now be described by way of example with reference to the drawings, in which: Figure 1 illustrates an EFT-POS configuration with a terminal embodying the invention; Figure 2 is a schematic diagram of the retailer unit (RU); and Figure 3 is a schematic diagram of the EFT-POS cardholder unit (ECHU).

The standard part of an 'EFT-POS terminal', used to generate EFT-POS transactions and solely concerned with the operation of EFT-POS is the EFT-POS Cardholder Unit (ECHU). As shown in Figure 3, it includes a PIN pad (cardholder keyboard), a security processor, a cardholder display, a clock, and components for the physical implementation of the interface to the 'Retailer Unit'. It may contain additional processor(s) for EFT-POS software, and a card reader.

The retailer unit (RU) shown in Figure 2 is the variable component of the EFT-POS terminal, with functions mainly concerned with the POS application. It may have many different physical and technical characteristics, for example it could be a special purpose device such as a petrol pump or an Electronic Cash Register. Its functions include generation of the EFT-POS transaction amount, printing the 'cardholder advice', interaction with the cashier on attended terminals and communications with the EFT-POS network.

The ECHUs and RUs may physically be separate units or integral units but will always have an identical logical interface.

An EFT-POS system is illustrated in Figure 1 and is seen to comprise terminal apparatus including the ECHU and RU and having a card reader which may be physically attached to either the ECHU or the RU. The RU provides the communication to a terminal access network, say in a local telephone exchange, which uses a telecommunications network to communicate with the main EFT-POS network. This provides the necessary communication with the card holder's account at a card issuer processor and with the retailer's account at a retailer processor.

The EFT-POS system allows a cardholder (a retailer's customer) to be able to select and pay for goods by the presentation of a plastic card. The reading of that card generates a properly authorised transaction.

A terminal connected to EFT-POS comprises the standard module called the EFT-POS Cardholder Unit (ECHU), used to generate EFT-POS transactions, attached to a variable component, the Retailer Unit (RU), which may have many different physical and technical characteristics.

EFT-POS cards comprise magnetically encoded plastic cards. The cards are based on ISO standard cards.

Track 2 of an EFT-POS card will be read as part of every EFT-POS transaction. The data will be used by the ECHU to determine the processing variants and messagse routing. Some data may also be as part of the EFT-POS security processing.

The cashier will use the cards logo or name to recognise that it is acceptable to the relevant EFT-POS terminal. The signature panel will be used for signature verification.

A cashier card and PIN will be used during EFT-POS terminal installation at a point of sale and may be used for cashier verification on certain terminals.

The cardholder is the person to whom a Card Issuer has issued a card. This person will need to be verified at the Point of Sale as the valid cardholder and this may be achieved by either: - PIN Verification, where the cardholder enters a personal identification number to accept the transaction and the encrypted PIN is verified or - Signature Verification, where as now, the cashier verifies the signature on the transaction receipt against the cardholders signature on the card.

Authorisation may take place either on-line at the Card Issuer Processor or off-line at the EFT-POS terminal.

The hardware at block diagram level for the EFT-POS system comprises the following items: - At the Retailers' sites ECHU including tamper resistant module, cardreader, RU, printer, communications interface to a terminal access network.

Data processing equipment enabling any relevant local processing to be carried out and enabling audit trail procedures to be followed - At an EFT-POS managed site Data processing hardware enabling routing of authorisation requests generated at the retailers' sites to the correct host Processors sites.

Data processing hardware enabling the routing of authorisation responses to the correct retailers' sites.

Data processing equipment enabling settlement procedures to be correctly carried out.

Data processing equipment enabling full security and audit trail facilities to be available.

Network management and system administration facilities.

- At the Card Issuer Processors sites Data processing equipment enabling validation of transactions, generated at a retailers site.

- At the Retailer Processors sites Data processing equipment for the receipt and handling of payment advices.

When a cardholder wishes to pay by EFT-POS, the card is passed (or wiped) through the magnetic stripe reader part of the terminal, and the amount of tha transaction is entered, either manually or from the retailers equipment.

The cardholder then enters a Personal Identification Number (PIN) on a shielded PINpad, which is part of the ECHU, or signs a cardholder advice.

Information is then encrypted and passed from the ECHU via the RU to the communications network for routing to the appropriate Card Issuer Processor.

The Card Issuer Processor replies through the EFT-POS system advising the authorisation (or otherwise) of the transaction.

The EFT-POS terminal consists of two components. They are the EFT-POS Cardholder Unit (ECHU) and the Retailer Unit (RU). The functions of the ECHU are concerned only with the operation of EFT-POS while the functions of the RU are mainly concerned with the Retailer's point of sale application. The RU will, however, contain interfaces to the communications network and to the ECHU. RUs with multiple physical ECHU interfaces may be required, but that the logical interfaces will always be one to one.

The separation of the EFT-POS and POS functions allow for the addition of an EFT-POS function to any kind of POS equipment relatively easily since the ECHU/RU interface is standard. The ECHU itself may be supplied by the same manufacturer as the RU in an integrated package or it may be supplied separately. The RU has standard interfaces to both the ECHU and the communications network. This will allow a large range of manufacturers of POS equipment to supply equipment to the EFT-POS market.

THE ECHU The ECHU provides for the interaction betweeen the EFT-POS system and the cardholder and is strictly defined in terms of hardware and software. The ECHU includes the following hardware: - PINpad (cardholder keyboard) - Security processor - Cardholder display - Clock - Additional processors as required for EFT-POS software - Components for the physical layer of the ECHU/RU interface - Card Reader (in some configurations) or components for the physical layer of the Card Reader/ECHU interface. The Card Reader may be located in the RU or even as a standalone unit.

The ECHU is secure and at least the PINpad, display and security processor housed in a tamper resistant module.

The ECHU preferably has as standard an appearance as possible within the constraints imposed by environmental issues. The operating procedure may vary for different cards and terminal types, but will be constant for a given card and terminal type.

The ECHU contains a table with entries for each card set to be supported. The data is used by the ECHU to control card processing. Each entry will contain data such as: - Card Identification.

- Routing data for Retailer Processor(s) and Card Issuer Processor(s) - Allowed cardholder verification methods.

- Security systems to be used and any required associated data.

- Recognised transaction types.

- Backup options (e.g. offline verification if required).

- Card stripe format information.

- Floor limits (the limit at which authorisation must be obtained from the card issuer).

- Offline funds guarantee limits.

The ECHU provides instructions to the cardholder via the cardholder display. The amount of the transaction is displayed on the top line of the display and a feature of this invention is that it is not overwritten by other messages.

The ECHU provides operating procedures in support of three methods of cardholder verification as follows: - PIN only, where the cardholder will be prompted for a PIN followed by "enter".

- Signature only, where the cashier will be informed that signature is allowed and will be prompted for a "proceed" when the signature has been obtained and verified by the cashier.

- PIN or signature, where the first prompt will always be for a PIN. The cardholder may then enter a PIN or refuse by pressing "enter". In the latter case the ECHU will proceed as for signature only verification.

The ECHU provides for security key storage and management including the management of transaction keys. It adds appropriate Message Authentication Codes (MACs) to messages sent to the EFT-POS network and checks the MACs of messages received from the EFT-POS network. It provides for two different methods of PIN checking, by sending the encrypted PIN to the host for checking or by checking the PIN at the ECHU using a function of the PIN provided by the host The ECHU provides, in addition to the numeric keys on the PINpad for PIN entry, support for a number of function keys, three of which have been specified and are: - Clear/Error which may be used by a cardholder to clear previously keyed data and restart data entry. This key will not be operational once data has been transmitted until a response has been obtained.

- Enter/Proceed which will be used to signify the end of a data field or an instruction to proceed and may be used to: - allow for PINs of variable length.

- give the cardholder the opportunity to clear a PIN (using the Clear/Error Key) even after the last digit has been entered.

- act as a "Proceed" key when the cardholder wishes to be verified by signature instead of PIN and this option is allowed by the card issuer.

- Cancel which may be used by the cardholder to cancel a transaction at any point prior to the display of an authorisation response.

The ECHU may limit support for voice referrals, via an authorisation response message, to the display of a message and telephone number to either the cardholder or cashier. The message may include a reference number. Such a response will be treated by the ECHU as a decline and will terminate the transaction.

Automatic voice referral via a built in hand set would be a possible alternative.

The ECHU supports Card Issuers' floor limits, providing there is no possible security exposure for other Card Issuers. For each card set the ECHU will hold at least the following information: - Current floor limit (which may be zero) - Offline funds guarantee limit - Maximum number of consecutive transactions which may be authorised by the terminal.

The Card issuer Processor is able to change these values by returning the new values as part of an authorisation response to the ECHU.

The ECHU does not seek on-line authorisation for an individual transaction if all of the following conditions apply: - The amount is not greater than the floor limit.

- The number of consecutive transactions is less than the maximum allowed for the card name.

- The cardholder verification method for the card type is signature. In this case an offline facility will be available.

The ECHU holds information relating to retailer options such as the transaction types supported.

In addition to any secure data required, other terminal related data such as: - terminal identification data - terminal configuration data - software version numbers etc.

are held by the ECHU.

The ECHU is required to hold the time of day, and although this could be loaded at log-on initialisation by the network, a timer will be required within the ECHU to cope with any functional timeouts that may be required. The ECHU may also be required to determine response times for network management purposes.

The ECHU requires a facility to accept data and software changes loaded down-line via the EFT-POS network. Such information will always be authenticated and may be encrypted for greater security. Each change will carry an "effective" date.

The ECHU has built in automatic test facilities, which execute at "power on" sequence. Other test and training facilities may be made available via a cashier card and PIN.

The ECHU contains, within a temper resistant casing: - PIN pad (Cardholder Keyboard) - Security processor - Cardholder display - Clock - ECHU/RU interface components - Backup power supply - Magnetic card reader (possibly).

The security processor, EFT-POS software and tables are overwritten in the event of physical tampering.

Primary power is expected to be drawn from the RU. The ECHU may be hand held or installed in a fixed mounting with its PIN pad shrouded.

The PINpad is part of the tamper resistant module and conforms to the relevant ISO standard in layout of the numeric keys. Some alpha keys may also be included.

The Cardholder Display Unit, which may be shrouded to improve security, has at least two lines of 18 characters each. The display does not show any security information (e.g. PINS) but may display other private information for use by the cardholder.

A single chip 16 bit microprocessor may be employed. Interrupt control will be required to arbitrate queueing order between different priority levels (and provide the CPU with vector information) raised by the following devices: - Alarm Detection controller - Direct Memory Access controller - Timer - Data Encryption Unit - Random Number Generator - PIN entry controller - Card reader controller - RU interface controller - Other microprocessors if multi-chip processing is chosen.

The processor is required to provide the following functions: - supply and control special power requirements of alarm sensors - receive alarm sensor outputs and perform any necessary signal conditioning - latch alarm conditions - generate interrupts.

The following events are expected to always generate interrupts and therefore sensors will be required.

- Tamper detection, including pressure, light, heat and magnetism - Theft detection - RU disconnection - Card reader disconnection - Primary power loss for RU - Secondary (internal) power loss - Prolonged standby.

Most ECHU processing is expected to be peripheral bound, therefore processor overhead for programmed l/O transfer is not iikely to be a problem and in itself does not warrant a Direct Memory Access Controller (DMA). However, a DMA controller would allow for exploitation of, for example, continuous in depth test procedures.

Atimer is required to give clocking information for both Real Time Clock (RTC) and Elapsed Time Clock (ETC). The RTC is used for key generation and time stamping of transactions and an Alarm file. The ETC is required for timeout purposes and is can be maintained in software using the RTC as a start point.

The ECHU unit provides Encryption and Decryption facilities within the tamper resistant module and is expected to conform to the Data Encryption Standard (DES). The unit will also generates Message Authentication Codes (MACs). These may be some internally used RSA algorithm functions and a Random Number Generator may also be employed. The Data Encryption Unit may be a standard chip or may be software driven.

The PIN pad controller provides the following functions: - supply any special power requirement to the PINpad switches - supply any necessary signal conditioning for PIN pad switch operation (e.g. oscillator circuits and low current detection).

- Switch de-bouncing - 5 Key rollover - Interrupt raising - Routing of numerical key data to the Data Encryption Unit. (i.e. not via the ECHU microprocessor).

This unit can be a single integrated circuit providing an interface between the card reader and the CPU. It may be physically part of or attached to either the ECHU or the RU, dependent on retailer requirements.

The RU Interface controller may be a message passing protocol switch. It is able to run under asynchronous protocol providing parity with ASCII code. It should be capable of having programmable: - Baud rates - character lengths, parity and stop bits - auto recovery/retransmit states - block checksums.

The standard default may be 1 start bit, 7 data bits, even parity, 1 stop bit, 4800 baud.

The terminal is capable of being loaded with modified software to provide additional or changed functions or to overcome any software errors.

The use of Electrically Erasable Programmable Read Only Memory (EEPROM) provides power-down protection. In addition the use of Non-Volatile Random Access Memory (NVRAM) provides simiiar protection to memory. The use of battery protected Dynamic Random Access Memory (DRAM) may give a shorter life time to the whole unit. The majority of memory within the ECHU requires protection against inadvertent loss.

An ECHU is expected to perform in a variety of physical environments. Harsh winter conditions necessitates the ECHU being able to operate at temperatures of say -150C (or lower) at unattended petrol pumps.

Conversely, summer conditions in a busy store with failed airconditioning will require an operating temperature far higher than "normal" office environment.

THE RETAILER UNIT (RU) The RU is required to be capable of providing: - Initiation of an EFT-POS transaction.

- Generation of transaction amount (e.g. purchase, refund etc.).

- Transaction type selection.

- Printing of cardholder advice.

- Audittrail.

- Card reading (in some configurations).

- Interaction with the cashier (display and input of additonal data as requested by the ECHU).

- Transaction cancellation in some cases.

- Communication with the EFT-POS network, either directly or indirectly, via some other equipment such as an in-store controller.

The RU is the interface between the cashier and EFT-POS. It is also the interface between the ECHU and the communications network. The provision of the communications function in the RU allows the connection of the terminal to be tailored to the individual retailer's requirements.

The communication to and from the EFT-POS network may be via an in-store network grid and/or leased lines and/or an in-house network for example.

The RU has appropriate additional functions such as, for example, cashier verification mechanism, accumulation of totals, bar code reader, integrated POS/scales, petrol forecourt pump controller, and store and forward capability.

THE ECHU/RU INTERFACE The interface between the ECHU and the RU is specified at three levels: - application (message meaning and format).

- link (error handling) - physical (interchange circuits, electrical characteristics and connectors).

The ECHU logical interface is standard and the link and physical interfaces are standard as far as is practicable (transactions will be handled within the ECHU in an identical manner). However, it is recognised that the link and physical interfaces at the RU may differ.

A subset of the V24 standard may be utilised for the transfer of data. The RU is capable of differentiating between any messages pertaining to the RU or local processing and those destined for onward transmission to the EFT-POS network.

At application level a simple set of commands and responses, together with lengths of the various messasges, may be specified. Message lengths may vary between incoming (from Host) and outgoing as follows: TO TERMINAL TO HOST (BYTES) (BYTES) -Authorisation Request 63 77 -Authorisation Response 68 68 -Payment Confirmation 67 110 plus headers.

The RU initiates an EFT-POS transaction by sending a message to the ECHU. Thereafter it responds to simple commands from the ECHU until the transaction is complete. The ECHU controls and directs the processing required for each transaction, using the RU operation as "building blocks". Thus to change the processing of a transaction or to introduce a new transaction requires only a change to the ECHU software, leaving the RU undisturbed. The RU regains control under certain circumstances, e.g. the cashier wishes to cancel, or the ECHU malfunctions.

The terminal configurations, both ECHU/RU and RU/network, and their associated perhipheral equipment may be configured in a variety of ways. An example is that a small shop with one till may have a single ECHU, a single RU and a single link to the communications network. Conversely a department store may have several ECHUs per department, one or more RUs per department and one or more communications controller, making the Local Area Network(s) management a major exercise in its own right. It follows therefore that RUs for major retail outlets are likely to have multiple ECHU interfaces and will have to act as or interface to a front end processor in order to properly handle the data. In all cases, however, the data stream form the ECHU to the EFT-POS network must appear as a transparent link.It must be stressed that whatever the physical configuration, the logical ECHU/RU configuration will be one to one.

The EFT-POS system may support two categories of transactions: - Financial transactions with a funds transfer value where EFT-POS will be responsible for ensuring the correct and secure delivery of messages, for controlling the transactions overall messsage flow, and for clearing it through the settlement, member funds transfer and reconciliation processes.

- Transactions without any funds value where EFT-POS will simply be responsible for transaction processing - ensuring the correct and secure delivery of messages and controlling the transactions overall message flow.

All transactions are known to and controlled by the EFT-POS system.

Initially there may be seven different Cardholder transactions supported by EFT-POS. A cardholder transaction is one where the cardholder is present and involved. These transactions may be done for the retailer's benefit. They are: - Standard Purchase, used by Cardholders in most situations to pay for goods and services. At the discretion of the retailer, and if allowed by the Card Issuer, cash may also be supplied with the goods or services. The transaction will, therefore, incorporate a cash withdrawal function.

- Special Purchase, which is similar to the Standard Purchase but has the ability to add larger amounts of retailers supplied information (e.g. bill payments or agency cards).

- Pre-authorisation with immediate payment, which is used at special terminals such as petrol pumps where the goods can not be repossessed if authorisation is subsequently refused. The purchase amount may be unknown when the authorisation request is made. An upper-limit request will be made. Goods may then be dispensed up to that limit and the actual amount advised to the Cardholder and included in the payment advise messages. The Cardholders card may be retained during the transaction.

- Refund, used by retailers to give refunds to Cardholders via EFT-POS. The availability of this transaction is dependent on the policies of individual retailers, but is only available at attended terminals.

- Void, which is similar to a refund but is controlled by the cashier and may produce different control totals.

- Balance/funds available enquiry, used by cardholders to obtain the balance or funds available on his account.

- Cash withdrawal, which may be used by retailers to give a cash withdrawal facility at a normal attended EFT-POS terminal.

There are three basic terminal types: - Normal attended (this is a point of sale manned by a cashier).

- Unattended enquiry.

- Special unattended (this is an unmanned point of sale, such as a special device attached to petrol pumps).

THE STANDARD PURCHASE This transaction will be used by cardholders in most situations to pay for goods or services. The transaction may incorporate a cash withdrawal function. The anticipated transaction flow is shown below:

ECHU function Message type RU function DA Determine amount Display amount AK Acknowledge ST Ask for card to be wiped DC Start purchase transaction Display supplied message CD Read card data Return card data Send "auth in progress" msg DM for cashier display AK Display supplied message Acknowledge Assemble authorisation request PR Get start of advice printed AK Print supplied data SM - Acknowledge Send authorisation request AK Forward message to EFT-POS Acknowledge Get PIN from cardholder GM Ask for authorisation response GM Wait for EFT-POS message EM Send over to ECHU Check response and PIN Dhi Display OK for retailer DM AK Display supplied message Acknowledge Display OK for cardholder PR Get rest of advice printed PR AK Print supplied data - Acknowledge Assemble confirmation and SM send to RU so AK Forward to EFT-POS Acknowledge Request response G EM Wait for EFT-POS message EOT processing ET Send over to ECHU EOT, processing T, EOT , regain control Messages fall into one or two main types, that is ECHU to RU and RU to ECHU.The message type is in accordance with the protocol rules governing the interfaces used within the EFT-POS system.

Most of the messsages will be self explanatory but a few require additional clarification.

The End Transmission message contains the Card Issuer ID, transaction type and amount to enable the RU to adjust totals accumulated on behalf of the retailer.

The Print message supplies a number of lines plus the length of each line. The maximum line length may be an initialisation request parameter to the ECHU.

The Acknowledgement is used where there is no specific response associated with a command.

The Get Message command is used to allow the ECHU to continue processing until an EFT-POS message is actually necessary.

The Send Message command supplies the routing control and data to be included as the user data field of an outgoing communications message. The ECHU does not include communications control data.

The operation of the protocol is demonstrated in the Table illustrating the message flow of a sample purchase transaction.

ECHU to RU messages: DM Display Message.

DK Display message and input from Keyboard.

DC Display message and input Card data.

PR PRint supplied data.

SM Send Message to EFT-POS network.

GM Get Message from EFT-POS network.

AK AcKowledge.

ET End Transmission.

AB ABort.

RU to ECHU messages: DA Display Amount.

ST Start transaction.

CD Transfer Card Data.

EM Transfer message from EFT-POS network.

AK Acknowledge.

CA Cancel.

Claims (7)

1. EFT-POS terminal apparatus comprising retailing operation means and EFT-POS processing means connected by a standard interface; the EFT-POS processing means comprising a tamper-resistant module containing EFT-POS security processing means; and the retailing operation means comprising means for generating a signal indicating the amount of a transaction to be processed, and means for communicating with an EFT-POS network.

2. Apparatus according to claim 1, in which the EFT-POS processing means comprises manually-operable PIN entry means.

3. Apparatus according to claim 1 or 2, in which the EFT-POS processing means comprises display means.

4. Apparatus according to claim 3, in which the display means displays the transaction amount and other information and in which the said other information does not overwrite the transaction amount.

5. Apparatus according to any preceding claim, in which the EFT-POS processing means comprises card reading means for reading data magnetically recorded on a card.

6. Apparatus according to any preceding claim, in which the retailing operation means comprises means for printing a cardholder advice of the transaction.

7. EFT-POS terminal apparatus substantially as herein described with reference to the accompanying drawings.