[go: up one dir, main page]

GB2434014A - Transaction verification using signed data combination - Google Patents

Transaction verification using signed data combination Download PDF

Info

Publication number
GB2434014A
GB2434014A GB0600350A GB0600350A GB2434014A GB 2434014 A GB2434014 A GB 2434014A GB 0600350 A GB0600350 A GB 0600350A GB 0600350 A GB0600350 A GB 0600350A GB 2434014 A GB2434014 A GB 2434014A
Authority
GB
United Kingdom
Prior art keywords
card
pin
issuer
transaction
cardholder
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0600350A
Other versions
GB0600350D0 (en
Inventor
Clive Leader
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB0600350A priority Critical patent/GB2434014A/en
Publication of GB0600350D0 publication Critical patent/GB0600350D0/en
Publication of GB2434014A publication Critical patent/GB2434014A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4093Monitoring of device authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Credit Cards Or The Like (AREA)

Abstract

A transaction verification system in which a PIN may be entered at a point of sale, signed by a payment card having secret keys in conjunction with other data (e.g. card details and transaction data) and the resulting cryptogram sent to a card issuer. The card details and transaction data are available to the card issuer separately, which then recalculates the cryptogram using a stored value for the cardholder's PIN, and the secret keys, also known by the card issuer. If the two cryptograms are equal, the PIN is determined to have been entered correctly and the user and transaction are validated. The PIN is not signed as an entity in isolation, and need not be stored on the card or securely transmitted in isolation.

Description

<p>Page 1 Title Secure Infrastructure Free PIN Verification for Payment
Cards</p>
<p>Background</p>
<p>Current cardholder verification solutions for payments and other instructions using the Personal Identification Number, as documented in industry standards for example, require either: * For hardware encryption of the secret PIN information throughout the route from the point of interaction to the issuing agent where the PIN can be verified (known as on-line PIN), or * For the PIN to be stored securely on an IC card (known as off-line PIN), meaning special effort is required to manage the PIN on the card (for example supporting PIN change or resetting the PIN Try Counter when the PIN has been entered incorrectly too many times), and effort is required to authenticate the IC card as being genuine at the time of the transaction.</p>
<p>The provision of this secure infrastructure increases the cost of deployment and limits the types of transactions and environments where PIN verification can be used.</p>
<p>Supporting PIN offline on the chip card increases the complexity of a transaction, as the card must be proved to be genuine, increases the time required to complete a transaction and takes special effort and cost to manage the PIN on the card.</p>
<p>Statement of Invention</p>
<p>This invention relates to a process to verify a payment card user without the need to provide a secure infrastructure between the card and the issuing agent -either at the time of the transaction or to manage secret data on the card after personalisation.</p>
<p>This solution requires the PIN to be presented to the IC card (chip card) by the PiN Pad / interface device. The card signs the PIN data, together with other data relating to the transaction or generated by the card or terminal, as part of a general authentication cryptogram produced. The PIN is not signed as an entity in isolation.</p>
<p>The cryptogram can be passed through the terminal, networks and intermediate processing systems in clear (without being kept confidential) as the secret data (the PIN) is not transported and cannot be deduced from the cryptogram produced.</p>
<p>The recipient issuing bank or agent uses the card details, transaction information, secret keys and the correct PIN number to recalculate the cryptogram and match this with the value received. If this matching is correct then the correct PIN number must have been entered at the time of the transaction.</p>
<p>The issuing agent can establish the correct PIN was entered for the transaction without actually receiving the PIN number that was entered.</p>
<p>The patent application relates to the unique method of having the PIN verified by the overall solution, not the underlying technology of the payment transactions which are widely known and published. The patent does not assume any specific method for communicating the PIN to the IC card, any specific hashing or cryptographic process in the card or any specific validation process by the issuing agent. The patent relates to the inclusion of the PIN within a general transaction cryptogram produced by the Page 2 IC card removing the need to securely transport the PIN to the issuing agent or manage the PIN data on the IC card itself.</p>
<p>Advantages This invention overcomes the problems of the two current predominant solutions: * As the PIN is not transmitted as part of the information sent to the issuer, there is no need to keep the data confidential. Hence the cost and technical complexity of providing secure confidentiality is eliminated * As the PIN is not maintained on the card, there is no need to manage the confidential data on the card. This simplifies the personalisation process and avoids the need to provide a secure infrastructure to manage the PIN on the card, for example to allow the customer to change their PIN or to reset the PIN try counter if this is exhausted.</p>
<p>The invention does not require for the acceptance device to validate that the card is genuine as the issuer of the card or their agent will implicitly do this as the cryptogram is validated.</p>
<p>By combining the PIN with other data to produce a single digital signature the invention: * Reduces the risk of a third party being able to deduce the PIN from a number of genuine cryptograms * Makes it easier for existing systems to transmit the cryptogram to the card issuer or their agent as it does not introduce extra data or security requirements</p>
<p>Description</p>
<p>The following describes the process flow in which the solution will be used: * A cardholder desires to make a purchase or other transaction. Any underlying standard or process may be used for the integrity of the transaction * The cardholder is invited to enter their PIN number into any suitable PiN entry device. This could be a secure PIN pad attached to a terminal or a standalone handheld card reader with key pad or another type of device * The PIN is transmitted to the chip card is a suitable manner. This may be via a contact chip interface or a contactless interface. The security of the PIN in transfer to the chip card is not part of this invention * The chip card generates a cryptogram based on secret keys in the card (these may be derived for each transaction or static) and input data from the card and / or the terminal. The PIN value entered is included within the hash value signed by the card to create the cryptogram. The PIN is only a part of the information included in the hash which should include data that is unique to the current transaction. To link the cardholder verification to the specific transaction a unique reference or the transaction amount may be included. This invention does not define a specific hash algorithm or data input, but the data must be unique or sufficiently unpredictable to make it impossible to deduce the PIN from multiple transaction details Page 3 * The cryptogram (or a portion thereof) is transmitted to the card issuer or their agent. This data does not need to be kept secret during transmission (it could, for example, be spoken, sent over the internet, entered via a mobile phone text message, written down on paper or transmitted via a standard open network) * The issuer recreates the cryptogram based on the secret keys (known to them), the reference PIN number (known to them) and card details and transaction information included with the message or deduced by the issuer. The cryptogram is then matched to the complete or part cryptogram received * This validation proves that the genuine PIN number was entered at the point of interaction</p>

Claims (6)

  1. <p>Page 4 Claims I. a cardholder verification process whereby the PIN
    number entered by the cardholder is cryptographically signed by the card, along with other transaction, terminal or card data and transmitted through any media to the issuer or their agent for verification
  2. 2. a cardholder verification process, as claimed in the proceeding claim, that enables the issuer of the card or their agent to verify that the correct PIN has been entered, without the need to transmit any confidential or secret information to the issuer or to store PIN information on the chip card
  3. 3. a cardholder verification process, as claimed in any proceeding claims, whereby the PIN number entered by the cardholder is cryptographically signed by the card, along with other transaction or card data using secret keys known to or derivable by the card issuer or their agent
  4. 4. a cardholder verification process, as claimed in any proceeding claims, which may be used across a variety of communications devices including mobile phones, set top boxes, fixed telephones or PCs linked to dedicated communications or via the internet
  5. 5. a cardholder verification process, as claimed in any proceeding claims, which does not require direct connectivity between the card reading device and the communications system to the issuer
  6. 6. a cardholder verification process, as claimed in any proceeding claims which may support a variety of transactions including access to restricted, secret or confidential information, making value payments, commercial transactions or contractual commitments</p>
GB0600350A 2006-01-10 2006-01-10 Transaction verification using signed data combination Withdrawn GB2434014A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0600350A GB2434014A (en) 2006-01-10 2006-01-10 Transaction verification using signed data combination

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0600350A GB2434014A (en) 2006-01-10 2006-01-10 Transaction verification using signed data combination

Publications (2)

Publication Number Publication Date
GB0600350D0 GB0600350D0 (en) 2006-02-15
GB2434014A true GB2434014A (en) 2007-07-11

Family

ID=35911588

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0600350A Withdrawn GB2434014A (en) 2006-01-10 2006-01-10 Transaction verification using signed data combination

Country Status (1)

Country Link
GB (1) GB2434014A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2020513A (en) * 1978-05-03 1979-11-14 Atalla Technovations Improved method and apparatus for securing data transmissions
GB2146814A (en) * 1983-09-17 1985-04-24 Ibm Electronic fund transfer systems
GB2261538A (en) * 1991-11-13 1993-05-19 Bank Of England Transaction authentication system
EP0555219A1 (en) * 1990-10-19 1993-08-18 Security Dynamics Technologies, Inc. Method and apparatus for personal identification

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2020513A (en) * 1978-05-03 1979-11-14 Atalla Technovations Improved method and apparatus for securing data transmissions
GB2146814A (en) * 1983-09-17 1985-04-24 Ibm Electronic fund transfer systems
EP0555219A1 (en) * 1990-10-19 1993-08-18 Security Dynamics Technologies, Inc. Method and apparatus for personal identification
GB2261538A (en) * 1991-11-13 1993-05-19 Bank Of England Transaction authentication system

Also Published As

Publication number Publication date
GB0600350D0 (en) 2006-02-15

Similar Documents

Publication Publication Date Title
CN112805757B (en) System and method for password authentication of contactless cards
CA2691789C (en) System and method for account identifier obfuscation
KR101456551B1 (en) Encrypt track data
US9589152B2 (en) System and method for sensitive data field hashing
US7747539B2 (en) Contactless-chip-initiated transaction system
AU2009212221B2 (en) Key delivery system and method
TW476202B (en) A cryptographic system and method for electronic transactions
CN102118251B (en) Security authentication method for internet banking remote payment based on multi-interface intelligent safety card
US20150142666A1 (en) Authentication service
US20130226812A1 (en) Cloud proxy secured mobile payments
EP3008852B3 (en) System and method for encryption
US20110103586A1 (en) System, Method and Device To Authenticate Relationships By Electronic Means
CN101276448A (en) Payment system and method performing trading with identification card including IC card
WO2010135154A2 (en) Device including encrypted data for expiration date and verification value creation
US20150142667A1 (en) Payment authorization system
US20150142669A1 (en) Virtual payment chipcard service
KR20170114905A (en) Elecronic device and electronic payement method using id-based public key cryptography
CN104182875A (en) Payment method and payment system
US20100179909A1 (en) User defined udk
CN116018605A (en) A method and system for non-fiat currency transactions within a card infrastructure
El Madhoun et al. An overview of the EMV protocol and its security vulnerabilities
CN102118394A (en) Safety authentication method for remote payment through internet banking based on dual-interface safety intelligent card
CN107230074B (en) Method and system for depositing digital currency into digital currency chip card
CN115631045A (en) Electronic certificate transaction method, device, computer equipment and storage medium
GB2434014A (en) Transaction verification using signed data combination

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)