RU2509359C1 - Payment confirmation method - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: when making a payment, a payment card holder enters the payment sum and payment card data on a web page in form of part of characters of the bank identification number of the payment card and transfers said information in an online request to the hardware and software system of the acquirer, where the received data on the bank identification number of the payment card is verified in a database and at least one list of values of parameters of that card is generated, said list including real and false values of parameters of that card which, in the mode of the initiated session with the browser or application of the payment card holder in form of a text message, is transferred to the receiving device of the holder with a request to select true values from the provided values and upon receiving correct answers, the hardware and software system of the acquirer conducts payment with said parameters.

EFFECT: safer payment operations using a card when making real-time payments.

1 dwg

Description

The invention relates to the field of acquiring, and in particular to the field of security of cashless payments using payment cards of international payment systems, such as Visa, MasterCard, JCB International, American Express and others (hereinafter - MEA).

The invention can be applied to further verify the intention to make a payment (debiting funds from a payment card) by a buyer when he makes a payment remotely, without personal presence. In this case, we mean recent online payments on the websites of stores and payment systems, or payments when ordering a service or product by phone or mail.

It is known that remote acceptance of cards for payment is carried out by the payer transferring the main parameters of the cards to the acquirer (hereinafter, the acquirer refers to a bank that provides acquiring services, as well as other third parties that provide intermediary services to the acquiring bank as part of the latter's provision of acquiring services) through trade and service company (hereinafter - TSP), an intermediary or directly. Card parameters are displayed (in some cases embossed) on the card itself, namely: card number, card expiration date, special verification code and sometimes the name of the card holder. To make a payment, it is enough to know the card number, its validity period and verification code. This makes it easy to apply various fraud schemes when the payer is not the card holder but knows its parameters (peeping, rewriting, eavesdropping on the data transfer channel or just temporarily holding the card). Along with the spread of online payments using bank cards, the fight against fraud is becoming increasingly widespread.

To prevent fraud, various schemes and methods are applied, which basically come down either to complicating the theft of cards and their data, or to additional checks of the payer that he is a card holder, otherwise - that it is the card holder who makes the payment.

Currently, there is a known practice when a special human operator of a TSP or an acquirer manually tries to contact the card holder either by phone or by e-mail to personally confirm the latter's desire to make a payment. There are also verification methods by indicating an additional one-time password or one-time secret code received via a communication channel other than the communication channel through which payment information is exchanged. However, for such a verification, it is necessary to provide the user with an additional communication channel, authorize it in it, and also maintain the availability and availability of this communication channel (for example, mobile communications, a table of one-time keys, remote access to a bank account).

The existing practice of verifying the intention of a cardholder to make a payment has crucial drawbacks:

1. A TSP or an acquirer may not always know in advance the true contacts of the card holder and, therefore, cannot be guaranteed to contact the latter.

2. The creation and use of an additional communication channel requires preliminary guaranteed authentication of the card holder for its subsequent authorization.

3. Additional verification of the card holder takes a long time and does not allow verification in real time. Those. the payment must either be made and then the card holder is checked, or the payment is rejected and after checking the holder the latter is invited to make the payment again.

4. Verification is possible only in selective cases, because contacting the cardholder when making each payment is actually wasteful. To do this, several operators must work continuously in the TSP around the clock, which introduces an insurmountable burden on the business. As a way out, it is necessary to introduce selectivity and classify operations by risks. This approach forces additional analytics, which again leads to costs and the inability to conduct checks in real time.

Currently, the IPU is actively imposing an additional measure of protection against fraud. This is a 3-D Secure authentication model that allows authentication of the payer on the issuer's secure site. 3-D Secure is an XML protocol that is used as an additional level of security for online credit and debit cards, two-factor user authentication. It was developed by Visa IPU to improve the security of Internet payments. Based on it, Visa offered its customers the Verified by Visa (VbV) service. Services based on this protocol have also been adopted by MasterCard under the name MasterCard SecureCode (MCC) and JCB International as J / Secure.

The protocol operation procedure is described in detail in the document “3-D Secure system overview”, available on a public Internet resource at the address -https: //partnernetwork.visa.com/vpn/global/retrieve_document.do? DocumentRetrievalld = 119. The essence of the 3-D Secure protocol is to authenticate the cardholder with the issuer, for which the issuer needs to take a number of additional measures to bring its hardware and software infrastructure in line with the capabilities of using the 3-D Secure protocol.

The main and decisive disadvantages of the 3-D Secure protocol:

1) Currently, more than half of the issuers do not participate in the 3-D secure authentication model or are not fully involved. This fact does not allow the acquirer to be guaranteed to check most cardholders, which reduces the effectiveness of the 3-D Secure protocol. Especially issuers are motivated not to participate in the model due to the transfer of responsibility for possible fraud on them in case of successful authentication of the card holder using the 3-D Secure protocol.

2) A large load on the payer in the form of constant clicks from one web page to another. This fact reduces the trust of payers to TSPs and the desire to make payments on TSP sites. In its most general form, this fact affects TSPs in such a way that, in order to avoid loss of customers, TSP refuses to support the 3-D Secure protocol, taking on the risks of fraud. However, this situation as a whole undermines confidence in MPS products, which in turn entails a decrease in the participation of cards in non-cash payments via the Internet, which hold a significant share of payments in the world.

The prior art system of authentication of the holder of the payment card described in the application US 2010/0280946, G06Q 40/00, publ. 11/04/2010, in which an authorization request is created before the payment is made, a verification code unknown to the cardholder is included in the authorization request, an authorization request is sent to the issuer, a verification code is requested from the cardholder and the correctness of the code provided by the payment card holder is used to judge the holder’s authenticity payment card, and the verification code is transmitted in a standard authorization request, based on the fact that access to payment information of individuals in banks is strictly limited and for I access to payment information, the issuer will authenticate the account holder who is the card holder; they receive the code entered by the cardholder and, on the basis of the correspondence of the transmitted and received codes, they judge the authenticity of the payment card holder. Adopted as a prototype for all options.

However, this system has the disadvantage that the code request is carried out with the transfer of the card holder to the issuer's page, while the patent does not give the exact request parameter and the procedure for including the verification code in it.

The present invention is aimed at achieving a technical result, which consists in increasing the security of conducting payment transactions using a card when making payments in real time.

The indicated technical result is achieved in that the method of confirming the payment in the remote access mode is characterized in that when the payment is made, the payment card holder enters on the web page of the merchant service information on the payment amount and payment card data as part of the digits of the bank identification number of the payment card and transmits this information in an online request to the hardware and software system of the acquirer, in which they check in the database of data on the bank identification number at least one list of parameter values for this card, which contains real and false values for the parameters of this card, which are transferred to the holder’s receiver in a text message in the form of a text message in the HTTPS-initiated session with a browser or application a request to choose the correct values from the proposed values and, when receiving the correct answers, the hardware and software complex of the acquirer carries out a payment with the specified parameters in the direction trade and service company.

The present invention is illustrated by an example implementation of the specific system shown in figure 1, which shows the procedure for verifying the authenticity of the card holder.

According to the present invention, a new method for verifying the intention of a cardholder to make a payment, which is based on the interactive interaction of the acquirer with the card holder, is considered. The invention provides a method for verifying the intent of a cardholder to make a payment in real time. Conditions (except for the terms of payment via the website) for the invention: the acquirer has the tables of bank identification numbers (BIN) of the IPU cards, which are confidential information of the IPU, the distribution of which is strictly limited among the members of the IPU.

The method of confirming a payment in the remote access mode is characterized by the fact that when making a payment, the payment card holder enters information on the payment amount and payment card data on the web page of the merchant as part of the digits of the bank identification number of the payment card and transfers this information to the online request to the hardware and software system of the acquirer, in which they check in the database of received data on the bank identification number of the payment card and form at least one a list of values of the parameters of this card, which includes real and false values of the parameters of this card, which are transmitted to the holder’s receiver in the form of a text message in the mode of an HTTPS-initiated session with a browser or application of the payment card holder, asking them to select the correct values from the proposed values correct answers with the hardware and software system of the acquirer carry out the payment with the specified parameters in the direction of the trade and service company.

The invention involves, when trying to make a payment in real time, to clarify the bank identification number (BIN) of the card,

consisting in the first 6 digits of the card number. It is known that BIN is issued by international payment systems for cards with predefined characteristics, including: bank name, bank country, type of card (debit or credit), type of international payment system (e.g. Visa, MasterCard, AmericanExpress), card product ( for example: virtual, classic, standard, gold, platinum, infinity, corporate). The values of these parameters can be obtained only by having in front of you a card or its scan (photo) or an agreement with the bank, which greatly complicates fraud. In this case, fraudulent use of the card is limited to the presence, as a rule, of only its number, validity period and verification code.

Then, after receiving the BIN from the bank card number entered by the user, the user is invited to select the value of one or more card parameters from the list on the same web page. In this case, the user may be offered several incorrect options and one correct or several incorrect options and an option that reports that there is no correct option. The number of card parameters selected for verification may vary depending on the degree of suspicion of the operation in fraud by the TSP or the acquirer.

For example, a user trying to pay for a product or service with a MasterCard Gold card issued by Alfa-Bank may be asked to indicate the values of three parameters from the proposed options:

1) Choose the type of card payment system: Visa, MasterCard, AmericanExpress.

2) Select the type of card product: Classic, Virtual, Infinity. Card type is not listed.

3) Select the name of the bank that issued the card: Sberbank, Altaybank, Alfa Bank.

The results of these questions (selected answers) are analyzed by the Acquirer's APK, and if all the answers are correct, then a decision is made that the card is really present at the time of payment. This increases the likelihood that the buyer is a card holder.

This method of verifying the payment, or rather the authenticity of the card holder, has not yet been used by anyone, despite the fact that it is quite simple and fast.

The technical result of the invention is the solution of the tasks:

1. The exception is the use of cards, the data of which fraudsters took by intercepting when reading through devices, as well as transmitted via communication channels or by simply rewriting its parameters (as a rule, only the number, expiration date and verification code are rewritten). Application of the invention will allow to block this channel of receiving cards by fraudsters.

2. Verification is carried out in real time and does not require additional communication channels.

3. You can check the payments of any cards.

4. Verification is done automatically.

5. The implementation of the invention requires only the automation of checking the BIN card according to the tables of the Ministry of Railways supplied to banks.

A condition of the invention is the automation in the agro-industrial complex of the acquirer of checking the BIN tables. The invention allows real-time exchange of signals with the user's browser and, thereby, to verify that the buyer is very likely to be the holder of the card.

As a request, a message is used with a question about choosing the correct values of the map parameters from the list of options provided. As a response, a signal indicating the selected value is used.

The invention works in two steps.

Step 1. Exchange between the acquirer's APK and the buyer’s browser https messages, the result of which is the delivery of the card number to the APK of the acquirer, or rather the BIN card.

Stage 2. Exchange between the acquirer's APK and the buyer’s browser https messages, the result of which is a combination of values of the card parameters and a conclusion about the authenticity of the card holder.

The invention works in the following order:

1. The payer, when trying to make a payment, enters the card details, which are then communicated in the online payment request in the acquirer's APK.

2. The APC of the acquirer checks the BIN card value in the database, compiles lists of the card parameter values and initiates an HTTPS session with the browser or the customer’s application. As part of the session, a request is sent to the buyer’s device, including a text message asking them to select the correct one from the proposed values. The browser or application on the buyer's device automatically establishes a session and receives a signal.

3. The buyer views the message transmitted in the signal and selects the values of the card parameters. The browser or application in real time sends the response to the acquirer's APK.

4. The APK of the acquirer upon receipt of the correct answers carries out the payment with the specified parameters. Upon receipt of at least one incorrect value of the APK, the acquirer does not make a payment.

An embodiment of the invention is shown schematically in FIG. 1 for a better understanding of a card holder authentication method.

Step 1. The user enters the map data on the TSP web page in the browser. The browser transmits the data entered by the user to the acquirer in the form of a “Write-off" payment request via a secure communication channel.

Step 2. The acquirer checks the presence of the BIN card in his agribusiness. Generates lists of card parameters and their values for customer verification.

Step 3. The acquirer sends an https request to the address of the browser or application. The request contains a signal in the form of a message requiring an answer - lists of the selection of the correct values of the parameters of the entered map.

Step 4. The user selects the values and his browser or application sends a signal to the APK of the acquirer. The signal contains a response to the request with the selected parameter values.

Step 5. The acquirer, based on the result of the buyer’s response, checks the answers received and makes a decision on processing the request “Write-off of funds”.

Claims (1)

A method of confirming a payment in remote access mode, characterized in that when making a payment, the payment card holder enters information on the payment amount and payment card data on the web page of the merchant as a part of the digits of the bank identification number of the payment card and transmits this information online - a request to the hardware and software system of the acquirer, in which they check in the database of received data on the bank identification number of the payment card and form at least one in the list of parameter values of this card, which contains the real and false values of the parameters of this card, which in the mode of an initiated session with a browser or the payment card holder’s application are sent as a text message to the holder’s receiver with a request to select the correct values from the proposed values and upon receipt correct answers with the hardware and software system of the acquirer carry out the payment with the specified parameters in the direction of the trade and service company.