[go: up one dir, main page]

WO2025176302A1 - Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant - Google Patents

Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant

Info

Publication number
WO2025176302A1
WO2025176302A1 PCT/EP2024/054571 EP2024054571W WO2025176302A1 WO 2025176302 A1 WO2025176302 A1 WO 2025176302A1 EP 2024054571 W EP2024054571 W EP 2024054571W WO 2025176302 A1 WO2025176302 A1 WO 2025176302A1
Authority
WO
WIPO (PCT)
Prior art keywords
account data
vendor
transaction
data
authenticating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2024/054571
Other languages
English (en)
Inventor
Dietmar Maierhöfer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Giesecke and Devrient ePayments GmbH
Original Assignee
Giesecke and Devrient ePayments GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Giesecke and Devrient ePayments GmbH filed Critical Giesecke and Devrient ePayments GmbH
Priority to PCT/EP2024/054571 priority Critical patent/WO2025176302A1/fr
Publication of WO2025176302A1 publication Critical patent/WO2025176302A1/fr
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326Payment applications installed on the mobile devices

Definitions

  • the present disclosure relates to the field of manufacturing securing financial transactions to be carried out by customers in electronic commerce environments (e-commerce).
  • the present disclosure relates to a method for authenticating account data of a vendor in electronic commerce environments, to a transaction program, to a computer- readable data carrier, to a computing device, and to a transaction system for authenticating publicly available account data of a vendor in electronic commerce environments.
  • WO 2014/193902 A2 relates to authenticating and securing online purchases.
  • the present invention recognizes that an account holder may initiate a financial transaction from a home computer, cellular telephone, or some other electronic device or node which the account holder controls.
  • the present invention Prior to initiating an online purchase, the present invention requires the account holder to upload or provide a unique identifier associated with the node to the financial institution associated with the financial account of the user.
  • the financial account may thereafter check whether the request for an online transaction was initiated with the trusted node by comparing the unique identifier of the requesting node with the unique identifier on file for the user. If the unique identifiers match, the financial institution authenticates the financial transaction and allows it to proceed. If the unique identifiers do not match, the financial institution rejects the financial transaction.
  • US 7 716 129 B1 describes an an electronic payment method, wherein the payer transmits to an authentication agency details of a proposed payment including an identifier associated with the payer, an identifier associated with the payee, and the payment amount.
  • the authentication agency creates an authentication code relating to the payment and transmits it to a communications device associated with the payer.
  • the payer receives the authentication code on the payer's communications device and transmits it, together with a secret identification code, back to the authentication agency.
  • the authentication agency verifies the authentication code and the secret identification code and authorizes payment. Thereafter, a customer agency pays the payment amount to the payee.
  • the VPS implements a dual key transaction system, in which verified instructions must come separately and completely independently from both client and vendor before transaction completion via methods accepted by both parties.
  • the VPS allows the client, the vendor, and associated payment methods and systems to be known, with fixed quantities and pre-registered within an authorization manager.
  • the client and vendor may choose the payment method and currency used at each end of any transaction, and payment is always made within a closed system without either party having access to or knowing the details of the other's payment system.
  • Real-time audit trails for all parties concerned are implemented, in which client, vendors, and banks may trace transactions, generate reports, and initiate refunds for such secure transactions.
  • the VPS is also software and/or hardware independent, implemented by any known networking configuration for any known electronic or digital transaction, using mobile phones, palm-tops and digital television for purchases and credit/debit payment arrangements for any form of commerce using electronic transactions.
  • a transaction program comprising instructions which, when the program is executed by a computing device, cause the computing device to carry out a corresponding method.
  • a computer-readable data carrier having stored thereon a corresponding transaction program is provided.
  • a computing device configured to carry out a corresponding transaction program and/or comprising a corresponding computer-readable data-carrier is provided.
  • the proposed solution has the advantage over the prior art, that in particular visible information on the website which may be read by the user may be provided in the form of a scannable code, such as a QR-code, can be authenticated. Since, according to the prior art, an e-commerce consumer usually does not know, whether account data, e.g., an IBAN provided by an online merchant is actually matching with the online shop where the consumer is purchasing goods or services, the proposed solution allows a respective authentication/verification. This allows the user is to trust that the visible information, e.g., IBAN, is not tampered or modified by attacks and really belongs to the online merchant or contracted PSP. Therefore, the proposed solution allows for significantly enhancing security of e-commerce transactions without the need of directly involving third parties, such as payment providers, or other trusted entities, in the transaction.
  • third parties such as payment providers, or other trusted entities
  • the authentication information comprises a digital certificate.
  • the digital certificate may be issued from third parties, for example, and made us help to authenticate the account data. This further helps in avoiding any tampering with the account data and therefore further enhances security of e- commerce transactions.
  • the authentication information comprises a server certificate authenticating the vendor website.
  • Providing a server certificate from a respective server allows for securing the authentication information against unauthorised access. Thereby, any tampering with the account data and/or the certificate can be avoided, and the security of e-commerce transactions further enhanced.
  • the server certificate is used for authenticating the account data.
  • the server certificate may serve as the digital certificate.
  • no further certification processes than those already used for certifying the server certificate are necessary. This helps in efficiently securing e-commerce transactions.
  • the authentication information includes a cryptographic key for encrypting a data connection established with the vendor website.
  • the account data can be digitally signed by means of a private key of the domain hosting the vendor website.
  • an IBAN may be secured by signing it with the same certificate as being used for the domain, e.g., a certificate used in the Transport Layer Security (TLS) protocol for securing https connections and handing over the payment data the payment application which may be standardised according to the World Wide Web Consortium (W3C) standard.
  • TLS Transport Layer Security
  • W3C World Wide Web Consortium
  • the domain and associated IBAN can be validated and shown to the consumer by the payment application. This further helps in efficiently and reliably securing e-commerce transactions.
  • the cryptographic key is used for validating the authentication.
  • the private key of the domain primarily used for a secured TLS connection, is used to sign the account data of the vendor.
  • a fully automated and secure process can be provided to ensure that an e-commerce environment, such as an online shop, and account data, e.g., an IBAN, are valid and belong to each other.
  • the public key may also be used to validate the signature of the account data beside the signature of the domain. Thereby, the e-commerce environment can be efficiently and reliably secured.
  • the wherein the account data is transferred through an API (application programming interface) of the payment application.
  • the API may be a standardized, for example, according to the W3C-Standard. This further helps in providing an efficient way for securing the account data.
  • the account data includes payment information.
  • the payment information may include data regarding the purchase and/or purpose of the payment. This further helps in securing the entire transaction, since not only account data itself, e.g., an IBAN, but furthermore, associated data for the individual purchase transaction can be transferred in a secure manner.
  • the account data is accessible by the customer only after authentication.
  • the account data may be displayed to the customer after authentication. Thereby, the customer can rest assured that the account data is authenticated. This further helps in providing secure and, thus trusted e-commerce environments.
  • Fig. 1 is a schematic illustration of a transaction system for authenticating account data in line with a method according to the present invention.
  • Fig. 1 shows a schematic illustration of a transaction system 1, for example, the form of an e-commerce environment, for authenticating account data in line with a method according to the present invention.
  • the transaction system 1 involves a vendor A and a customer B.
  • the transaction system 1 may involve a certification entity C.
  • the vendor A, customer B, and/or certification entity C may each operate a computing device 2 taking part in and/or as a part of transaction system 1.
  • the vendor A and/or the certification entity C can each operate the computing device 2 to configured as a server device 3.
  • the customer B can operate the computing device 2 configured as a client device 4.
  • the server device 3 of the vendor A may provide a vendor website 5 and a payment application 6.
  • the client device 4 of the vendor B may provide a web interface 7, such as a web browser, configured to access the vendor website 5, and can run the payment application 6, either as a locally installed program being executed on the client device 4 and/or as a further part of the vendor website 5 that can be accessed via the web interface 7.
  • the server-side payment application 6 of the vendor A and the client-side payment application 6 of the customer B may communicate through an application programming interface (API) 8.
  • API application programming interface
  • the vendor A and/or certification entity C may operate a secure database 9 on the respective server 3.
  • a transaction taking place between the vendor A and a customer B may have several steps S.
  • the certification entity C may issue a certificate CA,3,5 for the vendor website 5 to the vendor B, such as an SSL certificate to establish an SSL/TLS connection.
  • This certificate is stored in the secure database 9.
  • the web interface 7 may send a session request R to the vendor website 5, particular, an Internet protocol (IP) address thereof, for establishing a secure session between the web interface 7 and the vendor website 7, i.e., between the client device 4 and server device 3, respectively.
  • IP Internet protocol
  • a third step S3 the server device 3 sends the certificate CA,3,5 back to the client device 4, possibly along with a public key Kp.
  • the client device 4 may create a session key Ks encrypted with the public key Ko.
  • the client device 4 may send the session key Ks back to the server device 3.
  • the server device 3 decrypts the session key Ks with a private key Kp.
  • a secure session P or private session, protected by SSL and/or TLS, for example, may be established between the server device 3 and the client device 4, and that any communication between them in the course of that secure session P is encrypted by the individual session key Ks.
  • the customer B may want to purchase and/or order an item offered by the vendor A.
  • the customer B may thus select the item to be purchased and/or ordered from the vendor website 5 by means of the web interface 7.
  • the customer B may send a payment request Q to the vendor A, for example, in that the customer selects a payment method to pay for the item to be purchased and/or ordered involving account data D and possibly payment information E of the vendor A to be transferred to the customer B. That account data D and possibly payment information E can be handed over from the vendor website 5 to the payment application 6 on the side of the vendor A within the respective server device 3 in a ninth step S9.
  • the vendor website 5 and the payment application 6 may be provided on different server devices 3.
  • the account data D and possibly payment information E can be transferred from the payment application 6 executed on server device 3 of the vendor A to the payment application 6 executed on client device 4 of the customer B through the API 8 in a tenth step S10.
  • the transaction T can be carried out within the transaction system 1 as disclosed herein, or may involve any parts the client device 4 accesses further transaction website of a transaction provider (not shown) and/or effects the transaction T by any other means desired or required for concluding the purchase of the item selected, for example, in that the customer B transferred is a certain amount of monetary valuables which may be specified with the payment information E, such as a respective amount of money, from a customer account to a vendor account identified by means of the account data.
  • the transaction system 1 is configured to execute a computer program 10.
  • a computer- readable data carrier 11 can have stored thereon the computer program 10 and may take the form of a computer-readable medium 12 and/or data carrier signal 13.
  • the transaction system 1 and any components thereof communicate as specified in the computer program 10. Parameters associated with and/or underlying the transaction system 1, any of the components thereof and/or any of the steps carried out thereby, can be defined in the computer program 10.
  • T transaction issue certificate send request return certificate/public key create session key return session key decrypt session key establish secure session payment request hand over data transfer data provide data initiate transaction

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

L'invention concerne un procédé d'authentification de données de compte (D) d'un vendeur (A) dans des environnements de commerce électronique, un programme de transaction (10), un support de données lisible par ordinateur (11) sur lequel est stocké un programme de transaction (10), un dispositif informatique (2) configuré pour effectuer un programme de transaction (10) et/ou comprenant un support de données lisible par ordinateur, et un système de transaction correspondant (1) pour authentifier des données de compte (D) d'un vendeur (A) dans des environnements de commerce électronique, le procédé comprenant les étapes consistant à fournir les données de compte (D) sur un site Web de vendeur (5); obtenir les données de compte (D) à partir du vendeur (A) avec une application de paiement (7) accessible par le client (B); récupérer des informations d'authentification (G) à partir d'une base de données sécurisée (9) associée au site Web de vendeur (5) avec l'application de paiement ; et authentifier les données de compte (D) dans l'application de paiement (6).
PCT/EP2024/054571 2024-02-22 2024-02-22 Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant Pending WO2025176302A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2024/054571 WO2025176302A1 (fr) 2024-02-22 2024-02-22 Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2024/054571 WO2025176302A1 (fr) 2024-02-22 2024-02-22 Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant

Publications (1)

Publication Number Publication Date
WO2025176302A1 true WO2025176302A1 (fr) 2025-08-28

Family

ID=90057516

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2024/054571 Pending WO2025176302A1 (fr) 2024-02-22 2024-02-22 Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant

Country Status (1)

Country Link
WO (1) WO2025176302A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999066436A1 (fr) 1998-06-19 1999-12-23 Protx Limited Systeme de paiement verifie
US7716129B1 (en) 2000-08-22 2010-05-11 Beng Teck Alvin Tan Electronic payment methods
KR101300817B1 (ko) * 2012-09-04 2013-08-26 이창주 태블릿 이동 통신기기를 이용한 카드 결제 시스템 및 방법
US20140337205A1 (en) * 2013-05-08 2014-11-13 Visa International Service Association Systems and methods to identify merchants
WO2014193902A2 (fr) 2013-05-28 2014-12-04 Gary David Zeigler Système et procédé permettant d'authentifier et de sécuriser des achats en ligne
CN113168623A (zh) * 2018-10-17 2021-07-23 美国运通旅游有关服务公司 使用信用账户进行转账

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999066436A1 (fr) 1998-06-19 1999-12-23 Protx Limited Systeme de paiement verifie
US7716129B1 (en) 2000-08-22 2010-05-11 Beng Teck Alvin Tan Electronic payment methods
KR101300817B1 (ko) * 2012-09-04 2013-08-26 이창주 태블릿 이동 통신기기를 이용한 카드 결제 시스템 및 방법
US20140337205A1 (en) * 2013-05-08 2014-11-13 Visa International Service Association Systems and methods to identify merchants
WO2014193902A2 (fr) 2013-05-28 2014-12-04 Gary David Zeigler Système et procédé permettant d'authentifier et de sécuriser des achats en ligne
CN113168623A (zh) * 2018-10-17 2021-07-23 美国运通旅游有关服务公司 使用信用账户进行转账

Similar Documents

Publication Publication Date Title
RU2292589C2 (ru) Аутентифицированный платеж
EP2016543B1 (fr) Authentification pour une transaction commerciale au moyen d'un module mobile
RU2438172C2 (ru) Способ и система для осуществления двухфакторной аутентификации при транзакциях, связанных с заказами по почте и телефону
JP4518942B2 (ja) セルラー式電気通信と認可基盤を使った、商品とサービスの安全な認証と請求のシステム及び方法
US20170308896A1 (en) Methods and apparatus for brokering a transaction
US20090292642A1 (en) Method and system for automatically issuing digital merchant based online payment card
US20030130958A1 (en) Electronic transactions and payments system
US20060235795A1 (en) Secure network commercial transactions
US20020032649A1 (en) High-security E-currency IDs for E-commerce transactions
WO2006113834A9 (fr) Transactions commerciales en reseau
CN101496059A (zh) 网络商业交易
RU2301449C2 (ru) Способ осуществления многофакторной строгой аутентификации держателя банковской карты с использованием мобильного телефона в среде мобильной связи при осуществлении межбанковских финансовых транзакций в международной платежной системе по протоколу спецификации 3-d secure (варианты) и реализующая его система
US20220078611A1 (en) Secure offline mobile interactions
WO2025176302A1 (fr) Procédé d'authentification de données de compte, programme de transaction, support de données lisible par ordinateur, dispositif informatique et système de transaction le comprenant
KR101596434B1 (ko) 결제정보 분리를 이용한 온라인 전자금융거래 인증방법
KR100457399B1 (ko) 클라이언트 결제 애플리케이션을 이용한 인터넷 기반 전자 상거래의 결제 서비스 제공 방법
KR101309835B1 (ko) 토탈 금융거래 시스템
KR100458526B1 (ko) 유·무선 복합 전자 결제 방법 및 시스템
WO2025101186A1 (fr) Procédé et système de traitement utilisant un historique de jetons de chaîne de blocs
KR20140119450A (ko) 보안전자결제 시스템 및 방법
Islam et al. A PKI Enabled Authentication Protocol for Secure E-Payment Framework
KR20030026172A (ko) 사용자마다 고유한 사이버신용번호를 사용한 전자 지불 방법