EP0992026A1 - Payment process and system - Google Patents

Payment process and system

Info

Publication number
EP0992026A1
EP0992026A1 EP98930951A EP98930951A EP0992026A1 EP 0992026 A1 EP0992026 A1 EP 0992026A1 EP 98930951 A EP98930951 A EP 98930951A EP 98930951 A EP98930951 A EP 98930951A EP 0992026 A1 EP0992026 A1 EP 0992026A1
Authority
EP
European Patent Office
Prior art keywords
card
cryptogram
transaction
pin
financial institution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP98930951A
Other languages
German (de)
French (fr)
Inventor
John Charles Viner
David Barrington Everett
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Westminster Bank PLC
Original Assignee
National Westminster Bank PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Westminster Bank PLC filed Critical National Westminster Bank PLC
Publication of EP0992026A1 publication Critical patent/EP0992026A1/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4093Monitoring of device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor

Definitions

  • This invention relates to a payment process and system particularly intended for use with financial transactions involving integrated circuit cards (ICC's), or "smart cards”.
  • ICC's integrated circuit cards
  • the card issuer or other equivalent body for authorisation of the transaction.
  • the credit card or debit card takes the form of a smart card
  • the card will hold in its memory application software which is activated to carry out the credit card or debit card function, as appropriate.
  • One card may hold both credit card and debit card applications, as well as other financial functions, such as cash cards, or even non-financial functions.
  • the present invention is concerned primarily with the use of smart cards as debit and/or credit cards.
  • the major card issuers Europay, MasterCard and Visa have jointly developed standards (known as the EMV ICC Specifications for Payment Systems) for smart card based payment systems.
  • Systems developed to these standards enable a card holder to pay for goods and services by accessing a remote account at a bank or other financial institution.
  • the card holder may authenticate himself to the financial institution by entry of a PIN (personal identification number).
  • PIN personal identification number
  • Access to the remote account is achieved via a terminal into which the user inserts his or her card, usually at the start of the transaction.
  • the terminal is coupled, or able to be coupled, in some way to the account holding institution so that messages can be exchanged between the two. It is very attractive if the terminal used for managing the transaction with the smart card can be a low cost device which would, for example be suitable for home use.
  • EMV compliant applications are not well suited to this purpose. They are intended as part of a large infrastructure based round terminals with tamper resistant encrypting PIN pads. It is thus not appropriate to use the EMV standards in a normal way to fulfil the requirements for a payment application on a smart card.
  • EMV compliant applications do have many of the required attributes, are well understood in the financial community, have been implemented, and have stable associated standards. There are significant benefits if a way can be found of using such applications, without in any way introducing non-EMV compatible commands.
  • the principle object of the present invention is thus to find a way of encrypting the PIN, without incurring the expense of a tamper resistant encrypting PIN pad at the terminal.
  • PIN encryption is not a standard EMV function, as this function is assumed to be carried out by the PIN pad at the terminal. This patent application seeks to provide a payment process and system capable of achieving the above object.
  • a payment process enabling secure communication between a smart card and a financial institution, said process comprising placing the card in a card reader forming part of a terminal in communication with said financial institution, entering details of the transaction and a PIN into a keypad, creating a cryptogram of transaction data, including said transaction details, using a first cryptographic key known to or derivable by the financial institution, thence using said cryptogram to encrypt the PIN for secure onward transmission to the financial institution.
  • the financial institution may be the card issuer, holding the account which corresponds with the card, or more likely will be an intermediary, commonly known as an acquirer, which acts as a link between the terminal and the card issuer. Very likely the acquirer will act as agent for a number of card issuers and is thus responsible for ensuring that messages originating in any one particular issuer's card are properly routed to that issuer.
  • the terminal is typically situated at a retail premises to enable the cardholder to purchase goods, using the card as a debit or credit card. To this end, the card is pre-loaded with an application program which enables it to function as required. This application is associated with a second cryptographic key, referred to herein as the card key, which card key is downloaded to the card at the same time as the original application, and is known to the financial institution.
  • the card key may be the same key as the first key, but preferably the cryptographic key used to create the cryptogram (i.e. the first key) is derived from the card key by taking a function of a transaction parameter, conveniently the transaction sequence number, encrypted by the card key.
  • the transaction sequence number is any number which uniquely identifies the transaction. Conveniently, the transaction number is stored in the card and is sequenced by 1 at the start of each new transaction. The transaction number is transmitted to the financial institution as part of the payment process so that, if necessary, the financial institution is able to derive the cryptographic key used to create the cryptogram.
  • the PIN is decrypted by the financial institution following transmission of the encrypted PIN to the institution.
  • this process is carried out by mirroring, at the financial institution, the creation of the cryptogram from the transaction data transmitted to it from the terminal.
  • the financial institution needs to know, or be able to derive the aforesaid first key.
  • the cryptogram thus created should thus be identical to that created at the card.
  • transaction data is meant data relating to the transaction and includes some information entered at the keypad, such as the amount of the transaction, and some information generated internally by the terminal, such as the transaction date (it being assumed that the terminal has a built-in calendar).
  • a cryptogram is, in effect, a digest or summary of the transaction data.
  • such cryptograms are sometimes referred to as Message Authentication Codes, or MAC'S.
  • the techniques for creating such cryptograms are known in the art. Briefly, the transaction data is divided into small units, for example of 8 bits length, and the units operated on one at a time, starting, for example, at the beginning. Each unit is thus encrypted, using the same key and the same function, with the encrypted output of each unit being added to the next prior to encryption.
  • the resultant output will be derived from all of the units; any change, accidental or otherwise, in the transaction data during transmission will result in the generation of a cryptogram which is different from the first so the fact that a change has been made can be detected.
  • the cryptogram is used, in effect, as a cryptographic key to encrypt the PIN for onward transmission.
  • several encryption methods can be used; however, this is subject to the important caveat that, whatever method is used, it is not possible for an eavesdropper to reconstruct the PIN and cryptogram separately.
  • the PIN and the cryptogram form respective inputs to an exclusive OR operation which produces code from which neither of the constituent parts can be derived without knowledge of the other.
  • the cryptogram is re-created as mentioned above and therefore, assuming no transmission faults, the PIN can be derived. Whether the PIN is correct for the account held by the issuer is still not, of course, known at this time. Once the PIN has been checked as correct, however, the transaction can proceed.
  • a payment system for enabling secure communication between a smart card and a financial institution, said system comprising a terminal having a card reader for reading said smart card, and a keypad for enabling entry of transaction details, said card being programmable to create, from transaction data including transaction details entered at the keypad, a cryptogram using a cryptographic key known to or derivable by said financial institution, said terminal further comprising means for using said cryptogram to encrypt a PIN entered at the keypad and means for transmitting the encrypted PIN to the financial institution.
  • Figure 1 is a schematic diagram of a smart card for use in a payment process and system according to the invention
  • FIG. 2 is a block diagram of a payment terminal suitable for use in the payment process and system according to the invention
  • Figure 3 is a block diagram showing a generic system for remote payments using a smart card.
  • a smart card 1 having on one surface a contact pad 2 carrying several separate electrical contacts whereby an external power source may be connected to power the card and a serial communication channel may be established to transmit messages and data to and from the card.
  • the card further comprises a microprocessor 3, a non-volatile memory 4, such as ROM (read-only memory) or EEPROM (electrically erasable programmable read-only memory), and a random access memory 5.
  • ROM read-only memory
  • EEPROM electrically erasable programmable read-only memory
  • the memory 4 holds one or more applications, which define the function of the card, and their associated cryptographic keys.
  • An application is simply a program with associated data files and may, for example, be such as to give the card the functionality of a debit card or a credit card, or both.
  • it is inserted into a card reader forming part of a payment terminal which can communicate with the card holder's account at a remote location.
  • a simplified block diagram of a suitable payment terminal 6 is illustrated in Figure 2.
  • the terminal 6 comprises a microprocessor 7 having non-volatile memory 8, such as ROM or EEPROM, random access memory 9 and, optionally, a display 10 connected via interface circuitry 11.
  • non-volatile memory 8 such as ROM or EEPROM
  • random access memory 9 and, optionally, a display 10 connected via interface circuitry 11.
  • User input is via a keypad 12 connected to the microprocessor through interface circuitry 13.
  • the aforementioned card reader is shown under reference 14 and makes contact with the card via the contact pad 2.
  • a communications circuit 15 is provided to enable the terminal to establish two-way communication with the rest of the system, either on a permanent or as-needed basis, via an input/output port 16.
  • Terminal 6 Operation of the terminal 6 is primarily under the control of the microprocessor 7 and its associated circuitry, much of which is not shown for simplicity, but which is well known to those skilled in the art.
  • the terminal forms part of a smart card payment system shown in block diagram form in Figure 3.
  • the terminal 6 is shown connected, via a two way communication channel 17, to an acquirer 18.
  • the acquirer is the body which is responsible for managing the overall payment transaction and will probably act as an agent for several card issuers.
  • the acquirer might, for example, be a bank or other financial institution.
  • the acquirer is connected via a two-way communication channel 19 to a card issuer 20 who, for the purposes of the present explanation, is assumed to be the body who issued the card 6 and who holds the card holder's account.
  • the acquirer 18 is responsible for routing messages from the terminal 6 to the appropriate card issuer for payment authorisation. However, as will be explained below, it is possible for the terminal 6 to communicate directly with the card issuer, thus bypassing the acquirer; it is even possible, in the simplest system, for there to be no acquirer at all.
  • Configuration of the card 6 is carried out by a personalisation service (Pserv) 21 which is, in effect, part of the acquirer, but could be part of the card issuer (see below).
  • Configuration of the card is realised by preparing an instance of an application - namely code, associated data, and a cryptographic key - and downloading that instance and key to the card.
  • the application and its associated cryptographic key is thence stored in the card's non-volatile memory 4, as discussed above.
  • Configuration is carried out on new cards, before they can be used, or may be carried out on existing cards in order to update or add functionality to the card.
  • the cryptographic key referred to hereafter as the card key is used with a cryptographic system to ensure secure transmission of data to and from the card.
  • a symmetric cryptographic system such as the DES system
  • This uses a secret cryptographic key, known only to the card 6 and the acquirer 18 to enable encryption and decryption of data sent between the two.
  • the card key is a function of cardholder identification data, such as account number, encrypted with the master key of the acquirer. The card key is thus unique to the card and can be derived by the acquirer from the cardholder's identity and the master key held by the acquirer.
  • the user types his PIN into the keypad on the terminal 6. If the normal type of tamper resistant encrypting PIN pad is in use, the PIN will be encrypted, using a cryptographic "terminal" key known only to the terminal and the acquirer. Meanwhile, the transaction data, including such details as the date and amount of the transaction, is passed to the card, and a cryptogram is created from this transaction data within the card itself, using a cryptographic transaction key to form a cryptogram. Once created, the cryptogram is returned to the terminal 6. In an EMV-compliant application this cryptogram would be prepared by the card upon receiving a "Generate Application Cryptogram" command which is issued by the terminal.
  • EMV command Details of this EMV command, including its operation and parameters, are given in the EMV specification referred to above.
  • the transaction data is passed as a parameter of the "Generate Application Cryptogram" command which is issued by the terminal and the cryptogram is passed back to the terminal as a return parameter of the command.
  • the transaction key used to create the cryptogram is derived in the card as a function of a transaction sequence number (which is different for each transaction) encrypted with the card key.
  • the transaction sequence number is likewise passed back to the terminal as a return parameter of the "Generate Application Cryptogram" command.
  • the cryptogram is next forwarded, together with the transaction data and encrypted PIN, to the acquirer 18.
  • the acquirer checks the transaction data against the cryptogram, decrypts the PIN and then re-encrypts the PIN for onward transmission, with the transaction data, to the appropriate issuer 20.
  • the key used to re-encrypt the PIN is one known to the authorising issuer.
  • the cryptogram is, in effect an encrypted digest of the transaction data and is such that any tampering with the data, either deliberate or accidental, can be detected by the acquirer or issuer by comparing the received transaction data with its cryptogram.
  • the transaction data will usually be quite long whereas the encrypted digest, or cryptogram, will be much shorter, typically only 8 bits.
  • the manner in which the cryptogram is prepared is well-known in the art and will not be described further.
  • the key pad in terminal 8 is not capable of encryption or, if it is, the encryption is not being used.
  • PIN encryption is performed by the terminal after receiving the cryptogram back from the card by using the cryptogram as a cryptographic key.
  • the microprocessor 7 and its associated circuitry derives a function of the PIN encrypted with the cryptogram.
  • An example of a simple logic function which will achieve this is the exclusive OR function.
  • PIN encryption is performed by creating, in the terminal circuitry, the exclusive OR of the cryptogram and PIN, and it is this data item which is transmitted to the acquirer 18, together with the transaction data, as before. At the acquirer 18 the PIN needs to be decrypted.
  • the acquirer essentially recreates the cryptogram from the transaction data which it has received from the terminal. It then uses this cryptogram to decrypt the PIN.
  • the PIN is now re-encrypted, using a key known between acquirer and issuer, and is sent to the issuer, for checking of the PIN. Reincryption can be carried out at the acquirer within the confines of a tamper resistant device so that the PIN never appears "in clear" outside the cryptographic domains established between the terminal 6 and issuer 20. If the PIN is correct, the transaction data is interrogated and the appropriate account checked. If all is well, an appropriate authorisation message is passed back to the terminal 6.
  • the PIN does not check out at the issuer, this may mean that the PIN was not correctly entered at the keypad by the cardholder, or it may mean that the transaction data was corrupted in some way in its passage to the acquirer. Either way, the transaction proceeds no further.
  • the above-described techniques enable the PIN to be encrypted without using an encrypting PIN pad and in a way which is transparent to the EMV application on the card.
  • the terminal 6 makes the payment transaction appear to the EMV-compliant application on the card as a standard EMV payment transaction.
  • the present invention makes this approach possible by providing a way of encrypting the PIN for transmission to the issuer, via the acquirer, so that its confidentiality is totally assured in transit. No existing EMV-compliant application function does this because, as mentioned above, PINs are conventionally encrypted by the terminal, not the card.
  • PServ 21 the personalisation service 21 is associated with the acquirer 18.
  • the techniques which are the subject of this patent application are equally applicable when PServ 21 is associated with the issuer 20.
  • the encrypted PIN message would pass through the acquirer without any translation. Indeed it would not be possible for the acquirer to decrypt the PIN message as only the application on the card 6 and the issuer 20 would have the requisite keying relationship.
  • a simple issuer based conversion utility could front end the issuer authorisation systems.
  • the personalisation service PServ could either be issuer specific, or could be supported by a service provider on behalf of several issuers.

Abstract

A payment process and system using a smart card (1) which accesses a remote account at a card issuer (20) via an acquirer (18). The card is read in a terminal (6) which is in two-way communication (17) with the acquirer (18). As part of the payment process, a cryptogram of the transaction data is made by the smart card and used in the terminal (6) as a key to encrypt the PIN, entered by the cardholder, for transmission to the acquirer (18). The acquirer also creates a cryptogram, using the transaction data sent to it by the terminal (6), and uses this cryptogram (which should be the same as that created by the smart card) to decrypt the encrypted PIN. In this way, the use of an expensive tamper-resistant encrypting PIN pad at the terminal (6) is avoided, whilst maintaining security.

Description

"PAYMENT PROCESS AND SYSTEM"
This invention relates to a payment process and system particularly intended for use with financial transactions involving integrated circuit cards (ICC's), or "smart cards".
As part of a financial transaction involving a credit card or a debit card, it is normally necessary that details of the transaction be communicated to the card issuer or other equivalent body for authorisation of the transaction. Where the credit card or debit card takes the form of a smart card, the card will hold in its memory application software which is activated to carry out the credit card or debit card function, as appropriate. One card may hold both credit card and debit card applications, as well as other financial functions, such as cash cards, or even non-financial functions. The present invention is concerned primarily with the use of smart cards as debit and/or credit cards.
The major card issuers Europay, MasterCard and Visa have jointly developed standards (known as the EMV ICC Specifications for Payment Systems) for smart card based payment systems. Systems developed to these standards enable a card holder to pay for goods and services by accessing a remote account at a bank or other financial institution. As part of such a payment process, the card holder may authenticate himself to the financial institution by entry of a PIN (personal identification number). Where this form of card holder authentication is used then a critical aspect of the system design is ensuring the secure transport of the PIN to the account holding institution.
Access to the remote account is achieved via a terminal into which the user inserts his or her card, usually at the start of the transaction. The terminal is coupled, or able to be coupled, in some way to the account holding institution so that messages can be exchanged between the two. It is very attractive if the terminal used for managing the transaction with the smart card can be a low cost device which would, for example be suitable for home use. EMV compliant applications are not well suited to this purpose. They are intended as part of a large infrastructure based round terminals with tamper resistant encrypting PIN pads. It is thus not appropriate to use the EMV standards in a normal way to fulfil the requirements for a payment application on a smart card. Despite its unsuitability for the payment application for the purpose explained above, EMV compliant applications do have many of the required attributes, are well understood in the financial community, have been implemented, and have stable associated standards. There are significant benefits if a way can be found of using such applications, without in any way introducing non-EMV compatible commands. The principle object of the present invention is thus to find a way of encrypting the PIN, without incurring the expense of a tamper resistant encrypting PIN pad at the terminal. PIN encryption is not a standard EMV function, as this function is assumed to be carried out by the PIN pad at the terminal. This patent application seeks to provide a payment process and system capable of achieving the above object. A knowledge of the operation of the EMV standards as defined in the document "EMV'96 Integrated Circuit Card Specification for Payment Systems" Version 3.0 dated 30 June 1996 is advantageous for a full understanding of the present invention. However, although the EMV standard and EMV-compliant applications are referenced throughout, the technique is, in principle, applicable to any smart card oriented payment system with similar commands. It is intended that this patent application covers all such implementations; EMV is used, as an example only, to clarify the technique.
According to a first aspect of the invention there is provided a payment process enabling secure communication between a smart card and a financial institution, said process comprising placing the card in a card reader forming part of a terminal in communication with said financial institution, entering details of the transaction and a PIN into a keypad, creating a cryptogram of transaction data, including said transaction details, using a first cryptographic key known to or derivable by the financial institution, thence using said cryptogram to encrypt the PIN for secure onward transmission to the financial institution.
The financial institution may be the card issuer, holding the account which corresponds with the card, or more likely will be an intermediary, commonly known as an acquirer, which acts as a link between the terminal and the card issuer. Very likely the acquirer will act as agent for a number of card issuers and is thus responsible for ensuring that messages originating in any one particular issuer's card are properly routed to that issuer. The terminal is typically situated at a retail premises to enable the cardholder to purchase goods, using the card as a debit or credit card. To this end, the card is pre-loaded with an application program which enables it to function as required. This application is associated with a second cryptographic key, referred to herein as the card key, which card key is downloaded to the card at the same time as the original application, and is known to the financial institution.
The card key may be the same key as the first key, but preferably the cryptographic key used to create the cryptogram (i.e. the first key) is derived from the card key by taking a function of a transaction parameter, conveniently the transaction sequence number, encrypted by the card key. The transaction sequence number is any number which uniquely identifies the transaction. Conveniently, the transaction number is stored in the card and is sequenced by 1 at the start of each new transaction. The transaction number is transmitted to the financial institution as part of the payment process so that, if necessary, the financial institution is able to derive the cryptographic key used to create the cryptogram.
The PIN is decrypted by the financial institution following transmission of the encrypted PIN to the institution. In a preferred embodiment of the invention, this process is carried out by mirroring, at the financial institution, the creation of the cryptogram from the transaction data transmitted to it from the terminal. For this purpose, the financial institution needs to know, or be able to derive the aforesaid first key. The cryptogram thus created should thus be identical to that created at the card.
By transaction data is meant data relating to the transaction and includes some information entered at the keypad, such as the amount of the transaction, and some information generated internally by the terminal, such as the transaction date (it being assumed that the terminal has a built-in calendar). A cryptogram is, in effect, a digest or summary of the transaction data. In the DES encryption system such cryptograms are sometimes referred to as Message Authentication Codes, or MAC'S. The techniques for creating such cryptograms are known in the art. Briefly, the transaction data is divided into small units, for example of 8 bits length, and the units operated on one at a time, starting, for example, at the beginning. Each unit is thus encrypted, using the same key and the same function, with the encrypted output of each unit being added to the next prior to encryption. When all the units making up the transaction data have been cycled through, the resultant output will be derived from all of the units; any change, accidental or otherwise, in the transaction data during transmission will result in the generation of a cryptogram which is different from the first so the fact that a change has been made can be detected. Preferably the cryptogram is used, in effect, as a cryptographic key to encrypt the PIN for onward transmission. In theory several encryption methods can be used; however, this is subject to the important caveat that, whatever method is used, it is not possible for an eavesdropper to reconstruct the PIN and cryptogram separately. In the preferred embodiment the PIN and the cryptogram form respective inputs to an exclusive OR operation which produces code from which neither of the constituent parts can be derived without knowledge of the other. At the financial institution the cryptogram is re-created as mentioned above and therefore, assuming no transmission faults, the PIN can be derived. Whether the PIN is correct for the account held by the issuer is still not, of course, known at this time. Once the PIN has been checked as correct, however, the transaction can proceed. According to a second aspect of the invention there is provided a payment system for enabling secure communication between a smart card and a financial institution, said system comprising a terminal having a card reader for reading said smart card, and a keypad for enabling entry of transaction details, said card being programmable to create, from transaction data including transaction details entered at the keypad, a cryptogram using a cryptographic key known to or derivable by said financial institution, said terminal further comprising means for using said cryptogram to encrypt a PIN entered at the keypad and means for transmitting the encrypted PIN to the financial institution.
In order that the invention may be better understood, an embodiment thereof will now be described by way of example only and with reference to the accompanying drawings in which:
Figure 1 is a schematic diagram of a smart card for use in a payment process and system according to the invention;
Figure 2 is a block diagram of a payment terminal suitable for use in the payment process and system according to the invention; and Figure 3 is a block diagram showing a generic system for remote payments using a smart card. Referring firstly to Figure 1 there is shown a smart card 1 having on one surface a contact pad 2 carrying several separate electrical contacts whereby an external power source may be connected to power the card and a serial communication channel may be established to transmit messages and data to and from the card. The card further comprises a microprocessor 3, a non-volatile memory 4, such as ROM (read-only memory) or EEPROM (electrically erasable programmable read-only memory), and a random access memory 5.
The memory 4 holds one or more applications, which define the function of the card, and their associated cryptographic keys. An application is simply a program with associated data files and may, for example, be such as to give the card the functionality of a debit card or a credit card, or both. In order to use the card in a payment system, it is inserted into a card reader forming part of a payment terminal which can communicate with the card holder's account at a remote location. A simplified block diagram of a suitable payment terminal 6 is illustrated in Figure 2.
Referring to Figure 2, the terminal 6 comprises a microprocessor 7 having non-volatile memory 8, such as ROM or EEPROM, random access memory 9 and, optionally, a display 10 connected via interface circuitry 11. User input is via a keypad 12 connected to the microprocessor through interface circuitry 13. The aforementioned card reader is shown under reference 14 and makes contact with the card via the contact pad 2. A communications circuit 15 is provided to enable the terminal to establish two-way communication with the rest of the system, either on a permanent or as-needed basis, via an input/output port 16.
Operation of the terminal 6 is primarily under the control of the microprocessor 7 and its associated circuitry, much of which is not shown for simplicity, but which is well known to those skilled in the art. The terminal forms part of a smart card payment system shown in block diagram form in Figure 3.
In Figure 3, the terminal 6 is shown connected, via a two way communication channel 17, to an acquirer 18. The acquirer is the body which is responsible for managing the overall payment transaction and will probably act as an agent for several card issuers. The acquirer might, for example, be a bank or other financial institution.
The acquirer is connected via a two-way communication channel 19 to a card issuer 20 who, for the purposes of the present explanation, is assumed to be the body who issued the card 6 and who holds the card holder's account. The acquirer 18 is responsible for routing messages from the terminal 6 to the appropriate card issuer for payment authorisation. However, as will be explained below, it is possible for the terminal 6 to communicate directly with the card issuer, thus bypassing the acquirer; it is even possible, in the simplest system, for there to be no acquirer at all.
Configuration of the card 6 is carried out by a personalisation service (Pserv) 21 which is, in effect, part of the acquirer, but could be part of the card issuer (see below). Configuration of the card is realised by preparing an instance of an application - namely code, associated data, and a cryptographic key - and downloading that instance and key to the card. The application and its associated cryptographic key is thence stored in the card's non-volatile memory 4, as discussed above. Configuration is carried out on new cards, before they can be used, or may be carried out on existing cards in order to update or add functionality to the card. The cryptographic key, referred to hereafter as the card key is used with a cryptographic system to ensure secure transmission of data to and from the card. In payment systems of the type discussed herein, a symmetric cryptographic system, such as the DES system, is conventionally used. This uses a secret cryptographic key, known only to the card 6 and the acquirer 18 to enable encryption and decryption of data sent between the two. In practice, the card key is a function of cardholder identification data, such as account number, encrypted with the master key of the acquirer. The card key is thus unique to the card and can be derived by the acquirer from the cardholder's identity and the master key held by the acquirer.
As part of the payment transaction, the user types his PIN into the keypad on the terminal 6. If the normal type of tamper resistant encrypting PIN pad is in use, the PIN will be encrypted, using a cryptographic "terminal" key known only to the terminal and the acquirer. Meanwhile, the transaction data, including such details as the date and amount of the transaction, is passed to the card, and a cryptogram is created from this transaction data within the card itself, using a cryptographic transaction key to form a cryptogram. Once created, the cryptogram is returned to the terminal 6. In an EMV-compliant application this cryptogram would be prepared by the card upon receiving a "Generate Application Cryptogram" command which is issued by the terminal. Details of this EMV command, including its operation and parameters, are given in the EMV specification referred to above. In practice the transaction data is passed as a parameter of the "Generate Application Cryptogram" command which is issued by the terminal and the cryptogram is passed back to the terminal as a return parameter of the command.
The transaction key used to create the cryptogram is derived in the card as a function of a transaction sequence number (which is different for each transaction) encrypted with the card key. The transaction sequence number is likewise passed back to the terminal as a return parameter of the "Generate Application Cryptogram" command. The cryptogram is next forwarded, together with the transaction data and encrypted PIN, to the acquirer 18. The acquirer checks the transaction data against the cryptogram, decrypts the PIN and then re-encrypts the PIN for onward transmission, with the transaction data, to the appropriate issuer 20. The key used to re-encrypt the PIN is one known to the authorising issuer.
The cryptogram is, in effect an encrypted digest of the transaction data and is such that any tampering with the data, either deliberate or accidental, can be detected by the acquirer or issuer by comparing the received transaction data with its cryptogram. The transaction data will usually be quite long whereas the encrypted digest, or cryptogram, will be much shorter, typically only 8 bits. The manner in which the cryptogram is prepared is well-known in the art and will not be described further. Once the transaction data and re-encrypted PIN arrives at the issuer 20 the issuer checks the PIN supplied by the cardholder and, if correct, checks that the account is in funds, or that any credit limit is not exceeded, and then returns a message authorising the transaction back to the terminal 6, via the acquirer 18. For the purpose of the present invention, it is assumed that the key pad in terminal 8 is not capable of encryption or, if it is, the encryption is not being used. In accordance with an embodiment of the invention PIN encryption is performed by the terminal after receiving the cryptogram back from the card by using the cryptogram as a cryptographic key. Thus the microprocessor 7 and its associated circuitry derives a function of the PIN encrypted with the cryptogram. An example of a simple logic function which will achieve this is the exclusive OR function. In other words, PIN encryption is performed by creating, in the terminal circuitry, the exclusive OR of the cryptogram and PIN, and it is this data item which is transmitted to the acquirer 18, together with the transaction data, as before. At the acquirer 18 the PIN needs to be decrypted. To do this, the acquirer essentially recreates the cryptogram from the transaction data which it has received from the terminal. It then uses this cryptogram to decrypt the PIN. The PIN is now re-encrypted, using a key known between acquirer and issuer, and is sent to the issuer, for checking of the PIN. Reincryption can be carried out at the acquirer within the confines of a tamper resistant device so that the PIN never appears "in clear" outside the cryptographic domains established between the terminal 6 and issuer 20. If the PIN is correct, the transaction data is interrogated and the appropriate account checked. If all is well, an appropriate authorisation message is passed back to the terminal 6. If the PIN does not check out at the issuer, this may mean that the PIN was not correctly entered at the keypad by the cardholder, or it may mean that the transaction data was corrupted in some way in its passage to the acquirer. Either way, the transaction proceeds no further.
In theory several methods can be used for encrypting the PIN, using the cryptogram as a key. In practice however many possible methods are excluded because the data item which is transmitted from the terminal 6 to the acquirer 18 must not allow for an eavesdropper to reconstruct the PIN and cryptogram separately.
It will be seen that the above-described techniques enable the PIN to be encrypted without using an encrypting PIN pad and in a way which is transparent to the EMV application on the card. Thus the terminal 6 makes the payment transaction appear to the EMV-compliant application on the card as a standard EMV payment transaction. The present invention makes this approach possible by providing a way of encrypting the PIN for transmission to the issuer, via the acquirer, so that its confidentiality is totally assured in transit. No existing EMV-compliant application function does this because, as mentioned above, PINs are conventionally encrypted by the terminal, not the card.
So far it has been assumed that the personalisation service (PServ) 21 is associated with the acquirer 18. However, the techniques which are the subject of this patent application are equally applicable when PServ 21 is associated with the issuer 20. In this case the encrypted PIN message would pass through the acquirer without any translation. Indeed it would not be possible for the acquirer to decrypt the PIN message as only the application on the card 6 and the issuer 20 would have the requisite keying relationship. If it is important for current standard payment authorisation message formats to be maintained, then a simple issuer based conversion utility could front end the issuer authorisation systems. In this alternative model the personalisation service PServ could either be issuer specific, or could be supported by a service provider on behalf of several issuers.

Claims

1. A payment process enabling secure communication between a smart card and a financial institution, said process comprising placing the card in a card reader forming part of a terminal in communication with said financial institution, entering details of the transaction and a PIN into a keypad, creating a cryptogram of transaction data, including said transaction details, using a first cryptographic key known to or derivable by the financial institution, thence using said cryptogram to encrypt the PIN for secure onward transmission to the financial institution.
2. A payment process according to claim 1 wherein said card stores a second cryptographic key associated with the card and known to the financial institution, and wherein the first cryptographic key is created during the payment process by encrypting a parameter of the transaction which is unique to the payment transaction in process, using the second cryptographic key.
3. A payment process as claimed in claim 2 wherein the transaction parameter is a transaction sequence number, which is a number which identifies the transaction and is automatically sequenced between transactions.
4. A payment process as claimed in any one of claims 1 , 2 or 3 wherein the PIN is encrypted using the cryptogram as a cryptographic key.
5. A payment process as claimed in claim 4 wherein encryption of the PIN is performed by creating the exclusive OR of the cryptogram and the PIN.
6. A payment process as claimed in any one of the preceding claims wherein the cryptogram is created within the card following receipt of a command from the terminal.
7. A payment process as claimed in claim 6 wherein the transaction data is passed to the card as a parameter of the command, and the cryptogram is returned to the terminal as a return parameter of the command.
8. A payment process as claimed in either one of claims 6 or 7 wherein the smart card holds at least one application program which gives the card its functionality, and wherein said applications program is EMV-compatible.
9. A payment process as claimed in any one of the preceding claims wherein the encrypted PIN is decrypted at the financial institution by transmitting, with the encrypted PIN, said transaction data, creating in said financial institution a cryptogram of the transmitted transaction data using said first cryptographic key and decrypting the PIN using the just-created cryptogram.
10. A payment process as claimed in claims 2 and 9 wherein, prior to creation of the cryptogram in the financial institution, said first cryptographic key is derived by decrypting the transaction number using the second cryptographic key.
11. A payment system for enabling secure communication between a smart card and a financial institution, said system comprising a terminal having a card reader for reading said smart card, and a keypad for enabling entry of transaction details, said card being programmable to create, from transaction data including transaction details entered at the keypad, a cryptogram using a cryptographic key known to or derivable by said financial institution, said terminal further comprising means for using said cryptogram to encrypt a PIN entered at the keypad and means for transmitting the encrypted PIN to the financial institution.
12. A payment system as claimed in claim 11 wherein the financial institution includes means for creating a cryptogram of the transaction data, transmitted from the terminal with the encrypted PIN, using said first cryptographic key.
13. A payment system as claimed in claim 12 wherein said financial institution further comprises means for deriving said first cryptographic key by decrypting the transaction number using the second cryptographic key.
EP98930951A 1997-06-27 1998-06-26 Payment process and system Withdrawn EP0992026A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
GBGB9713743.4A GB9713743D0 (en) 1997-06-27 1997-06-27 A cryptographic authentication process
GB9713743 1997-06-27
PCT/GB1998/001865 WO1999000775A1 (en) 1997-06-27 1998-06-26 Payment process and system

Publications (1)

Publication Number Publication Date
EP0992026A1 true EP0992026A1 (en) 2000-04-12

Family

ID=10815113

Family Applications (1)

Application Number Title Priority Date Filing Date
EP98930951A Withdrawn EP0992026A1 (en) 1997-06-27 1998-06-26 Payment process and system

Country Status (22)

Country Link
EP (1) EP0992026A1 (en)
JP (1) JP2002507297A (en)
KR (1) KR20010014257A (en)
CN (1) CN1260894A (en)
AU (1) AU8122598A (en)
BG (1) BG104041A (en)
BR (1) BR9810486A (en)
CA (1) CA2295032A1 (en)
EA (1) EA200000073A1 (en)
EE (1) EE9900598A (en)
GB (1) GB9713743D0 (en)
HU (1) HUP0003227A2 (en)
IS (1) IS5307A (en)
MX (1) MXPA99011836A (en)
NO (1) NO996488L (en)
NZ (1) NZ501887A (en)
PL (1) PL337533A1 (en)
SK (1) SK176199A3 (en)
TR (1) TR199903243T2 (en)
TW (1) TW411427B (en)
WO (1) WO1999000775A1 (en)
ZA (1) ZA985628B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8108307B1 (en) * 1998-03-30 2012-01-31 Citicorp Development Center, Inc. System, method and apparatus for value exchange utilizing value-storing applications
AUPQ556600A0 (en) * 2000-02-14 2000-03-02 Ong, Yong Kin (Michael) Electronic funds transfers-zipfund
US7103575B1 (en) 2000-08-31 2006-09-05 International Business Machines Corporation Enabling use of smart cards by consumer devices for internet commerce
KR100420600B1 (en) * 2001-11-02 2004-03-02 에스케이 텔레콤주식회사 METHOD FOR PROCESSING EMV PAYMENT BY USING IrFM
GB0305806D0 (en) * 2003-03-13 2003-04-16 Ecebs Ltd Smartcard based value transfer
US8407097B2 (en) 2004-04-15 2013-03-26 Hand Held Products, Inc. Proximity transaction apparatus and methods of use thereof
US8549592B2 (en) 2005-07-12 2013-10-01 International Business Machines Corporation Establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform
GB2435951A (en) 2006-02-23 2007-09-12 Barclays Bank Plc System for PIN servicing
US7873835B2 (en) * 2006-03-31 2011-01-18 Emc Corporation Accessing data storage devices
CN102024288B (en) * 2009-09-11 2014-02-26 中国银联股份有限公司 Safe payment method and system using smart card
GB2476065A (en) * 2009-12-09 2011-06-15 Pol Nisenblat A multi-currency cash deposit and exchange method and system
CN102096968A (en) * 2009-12-09 2011-06-15 中国银联股份有限公司 Method for verifying accuracy of PIN (Personal Identification Number) in agent authorization service
EP2426652A1 (en) * 2010-09-06 2012-03-07 Gemalto SA Simplified method for customising a smart card and associated device
CN102968865B (en) * 2012-11-23 2016-08-31 易联支付有限公司 The authentication method of a kind of mobile payment and system
US10147087B2 (en) * 2015-03-06 2018-12-04 Mastercard International Incorporated Primary account number (PAN) length issuer identifier in payment account number data field of a transaction authorization request message
CN106991346A (en) * 2017-04-18 2017-07-28 东信和平科技股份有限公司 The method and device of a kind of smart card issuing

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0198384A3 (en) * 1985-04-09 1988-03-23 Siemens Aktiengesellschaft Berlin Und Munchen Method and device for enciphering data
US4965568A (en) * 1989-03-01 1990-10-23 Atalla Martin M Multilevel security apparatus and method with personal key
NL1001659C2 (en) * 1995-11-15 1997-05-21 Nederland Ptt Method for writing down an electronic payment method.

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO9900775A1 *

Also Published As

Publication number Publication date
BR9810486A (en) 2000-09-12
NO996488L (en) 2000-02-28
EE9900598A (en) 2000-08-15
TW411427B (en) 2000-11-11
SK176199A3 (en) 2000-07-11
WO1999000775A1 (en) 1999-01-07
CA2295032A1 (en) 1999-01-07
HUP0003227A2 (en) 2001-02-28
CN1260894A (en) 2000-07-19
NZ501887A (en) 2001-05-25
BG104041A (en) 2000-05-31
JP2002507297A (en) 2002-03-05
IS5307A (en) 1999-12-17
NO996488D0 (en) 1999-12-27
EA200000073A1 (en) 2000-06-26
MXPA99011836A (en) 2002-04-19
GB9713743D0 (en) 1997-09-03
ZA985628B (en) 1999-01-26
AU8122598A (en) 1999-01-19
TR199903243T2 (en) 2000-04-21
PL337533A1 (en) 2000-08-28
KR20010014257A (en) 2001-02-26

Similar Documents

Publication Publication Date Title
EP0985203B1 (en) Key transformation unit for an ic card
US6230267B1 (en) IC card transportation key set
US7730311B2 (en) Key transformation unit for a tamper resistant module
CN1344396B (en) Portable electronic charge and authorization devices and methods therefor
US7917760B2 (en) Tamper resistant module having separate control of issuance and content delivery
US7516884B2 (en) Method and system for private information exchange in smart card commerce
EP0981807A2 (en) Integrated circuit card with application history list
EP0992026A1 (en) Payment process and system
WO2002063825A2 (en) An optical storage medium for storing a public key infrastructure (pki)-based private key and certificate, a method and system for issuing the same and a method for using such
KR101316489B1 (en) Method for processing transaction using variable pan
CN101329786A (en) Method and system for acquiring bank card magnetic track information or payment application for mobile terminal
KR101677803B1 (en) Card reader, terminal and method for processing payment information thereof
KR100901297B1 (en) System for Virtual Mechant Network Application
GB2373616A (en) Remote cardholder verification process
WO1998029983A1 (en) Transaction key generation system
CZ472699A3 (en) Method of payment and apparatus for making the same
KR20010006006A (en) Rollup certification in a reader

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20000105

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL PAYMENT 20000105;LT PAYMENT 20000105;LV PAYMENT 20000105;MK PAYMENT 20000105;RO PAYMENT 20000105;SI PAYMENT 20000105

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Withdrawal date: 20010503