GB2438651A - Secure financial transactions - Google Patents
Secure financial transactions Download PDFInfo
- Publication number
- GB2438651A GB2438651A GB0610872A GB0610872A GB2438651A GB 2438651 A GB2438651 A GB 2438651A GB 0610872 A GB0610872 A GB 0610872A GB 0610872 A GB0610872 A GB 0610872A GB 2438651 A GB2438651 A GB 2438651A
- Authority
- GB
- United Kingdom
- Prior art keywords
- customer
- trusted authority
- vendor
- identity
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/325—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
Abstract
A method of facilitating a financial transaction, comprising the steps of: a customer requesting to purchase an item from an online vendor; the vendor seeking to validate the identity of the customer from a trusted authority by providing the trusted authority with information capable of uniquely identifying the customer; the trusted authority validating the identity of the purchaser by comparing the information supplied by the vendor with information pre-supplied by the customer; if the customer's identity is validated, the trusted authority transmitting a message to the customer seeking approval to complete the transaction; if the customer wishes to complete the transaction, transmitting to the trusted authority certain information known only to, and/or particular to, the customer; and the trusted authority approving payment to the vendor and transmitting confirmation messages to the vendor and the customer.
Description
<p>1 2438651 Method and Apparatus for Secure Financial Transactions The
present invention is concerned with a method and apparatus for providing improved security in financial transactions which are performed over the internet, using payment cards, such as debit cards or credit cards.</p>
<p>Prior arL e-commerce systems used to make purchases over the Internet (e.g. by a customer purchasing a product or service via his home computer from a remote website) require the customer to enter his payment card details, together with a range of personal information.</p>
<p>The data which is normally required includes full name, address, credit (or debit) card number, card expiry date, and Card verification Number (CVN) . With this information, an unscrupulous third party may be able to make purchases without the card-holder's permission or advance knowledge.</p>
<p>The required data is normally transmitted via a secure link, such as https, to the remote server, so that the sensitive data is encrypted for transmission.</p>
<p>However, some websites do not encrypt the data, rendering it vulnerable to interception in transit. Furthermore, once the data reaches its destination, there is no guarantee that its security will be maintained, particularly if the customer is buying from a retailer he is unfamiliar with. The more retailers that the customer deals with in this way, the greater is the risk of his personal data being misused in some way.</p>
<p>Even if the data is securely transmitted and it is not misused on arrival, many consumers are still unwilling to enter their credit or debit card details for transmission over the Internet. This is particularly true for more elderly people who are perhaps suspicious of the Internet.</p>
<p>As such, a great many people are depriving themselves of the opportunities which purchasing over the Internet can offer. Likewise, many retailers are failing to attract potential customers, because of often ungrounded fears over data security.</p>
<p>Embodiments of the present invention aim to address both the real and the perceived problems of data security, whether referred to above or not.</p>
<p>According to the present invention there is provided a method as set forth in the appended claims. Preferred features of the invention will be apparent from the dependent claims, and the description which follows.</p>
<p>Furthermore, according to another aspect of the invention, there is provided apparatus arranged to perform the method of the first aspect.</p>
<p>For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawings in which: Figure 1 shows a system configuration in accordance with an embodiment of the invention; and Figure 2 shows a typical message transfer in accordance with an embodiment of the invention.</p>
<p>Embodiments of the present invention allow a credit or debit card holder to pre-register their card details with a trusted authority, such as a bank or other financial institution. The details held can include any or all of card number, expiry date, CVN, customer name, or address.</p>
<p>The registration process can be arranged to take place in a manner which does not place the card data in any jeopardy (either real or perceived) . For instance, the cardholder may register the required details in person at a branch of his bank or by telephone or fax. It is also technically possible to perform this task over the internet, using a suitable secure browser, but given the nature of the invention, this option is not likely to appeal to the probable target market. However, if the cardholder is satisfied that the supplied link is secure, then it may be useful to register the details in this way.</p>
<p>Just because the cardholder is generally suspicious of supplying card details over the Internet, they may be happy to provide them to a known trusted institution, so it may still be worthwhile to capture the data in such an online manner.</p>
<p>Once the cardholder's details have been registered with the trusted authority, any vendor with whom the customer later deals is able to authenticate the customer's credentials by making a query to the trusted authority.</p>
<p>Figure 1 shows an exemplary system configuration. The customer's computer 10 is connected to the Internet 400 in the usual way (e.g. dial up, broadband or wireless connection) . Also shown is the user's mobile telephone 20, details of which may be registered with the trusted authority and which may be used for messaging.</p>
<p>Also connected to the internet are a plurality of vendor's web servers 100-199. The customer's computer may access any of these in a known way using regular browsers such as Internet Explorer from Microsoft .</p>
<p>The vendors' web servers are further connected, either via the internet or dedicated lines, to one or more bank systems 300 for handling payment transactions.</p>
<p>The bank systems or transaction servers 300 are connected to a trusted authority 200, preferably by dedicated lines or a secure signalling system. The trusted authority includes a database of customer details enabling transactions to be made by said customers without needing to transmit sensitive data over a public network (e.g. the Internet 400) Communication between the bank 300 and the trusted authority 200 are deliberately very secure and not intended to be accessible to unauthorised third parties.</p>
<p>Also connected to the bank computers 300 is a message centre 30 which is operable to transmit and receive messages to customers by a number of means. For instance, email messages may be sent to and from 310 to the user's PC 10 and SMS messages may be sent to and from 310 to the user's telephone 20.</p>
<p>Having described the physical setup, it is instructive to examine an example transaction to demonstrate the system in operation.</p>
<p>The customer (C) visits a website for a vendor (V) and decides to purchase an item. C has previously registered his payment card details with a trusted authority (such as his bank or card provider) and decides to make use of that facility to complete purchase of the item, rather than enter his card details directly.</p>
<p>At the payment stage, C selects the appropriate payment option, instructing V's system to contact the trusted authority to authorise payment. This is preferably an automated request made to the trusted party using https or other secure link. The request would include at least the client's name and address so that he can be uniquely identified.</p>
<p>Assuming the details provided by V coincide with those registered by C, the trusted authority contacts C to seek confirmation of the payment.</p>
<p>The trusted authority may contact C in one or more ways from the following: * Email * SMS (Short Message Service) or text message to a registered telephone number.</p>
<p>* Personal telephone call to a pre-registered number.</p>
<p>* Automated telephone call a pre-registered number, possibly using Interactive Voice Response (IVR) system.</p>
<p>In order to authorise the payment, the customer must reply to the message from the trusted authority with an agreed pre-defined response in the form of a password.</p>
<p>In a particularly preferred embodiment, the message to the customer from the trusted authority is in the form of an automated voice message. The response from the customer can then be verified to ensure that the password/security code given matches the pre-agreed password/security code and voice authentication can be used to provide further confidence that it is in fact the customer giving the authorisation, rather than an impostor.</p>
<p>In case of a fault with the authentication process e.g. an incorrect password is given or the voice does not match the registered voice, then the purchase is not authorised, the customer's account is not debited and the vendor is informed accordingly.</p>
<p>The same result is obtained in the event of a time-out i.e. if a correct response is not forthcoming within a defined period of time.</p>
<p>Figure 2 shows a typical message flow according to an embodiment of the invention. The steps involved in a transaction are labelled 1 to 10.</p>
<p>The four solid vertical lines represent the customer, the vendor, the trusted authority and the transaction server.</p>
<p>In the setup exemplified in Figure 2, the trusted authority and the transaction server are physically collocated in the bank premises, although this needn't be the case and they may be physically separated but connected by a secure link. In any event, a secure firewall is provided between them.</p>
<p>At Step 1, the Customer seeks to make an online purchase from a particular vendor.</p>
<p>At Step 2, the Vendor seeks verification from the trusted authority that the customer is indeed so registered and includes sufficient information to identify the customer (name, address) and the amount of the transaction.</p>
<p>At Step 3, the trusted authority authenticates the customer's identity and card details with the payment authority at the transaction server. The payment authority may be a bank, credit or debit card provider or other financial institution (e.g. VISA, American Express) At Step 4, assuming that all the details provided are valid, the transaction server confirms the details and authenticates the customer.</p>
<p>At Step 5, the trusted authority transmits a message directly to the customer via one or more means (e.g. SMS, email or automated telephone call with or without voice recognition) At Step 6, the customer confirms the purchase by a suitable reply, possibly using a pre-defined password, PIN or other secret confirmation technique (e.g. digital certificate) . If a voice response is used, it may optionally be processed to ensure that the speaker is indeed the registered cardholder.</p>
<p>At Step 7, the trusted authority transmits an instruction to the transaction server to perform the required payment.</p>
<p>At Step 8, the transaction server responds to the trusted authority that the payment transaction has been completed successfully.</p>
<p>At Steps 9 and 10, the trusted authority transmits messages to the vendor and customer respectively informing each that the transaction has been completed successfully.</p>
<p>If at any stage in the above mentioned process, authentication is denied or the transaction is otherwise suspended, then one or more suitable messages are sent to the appropriate party to inform them of the problem.</p>
<p>Advantageously, embodiments of the invention allow customers to purchase items from remote vendors (either over the Internet or otherwise) without entering confidential data each time a purchase is made. The confidential data need only be registered once with a suitable party and then subsequent transactions can be made using public data which can be confirmed by use of a password or other secret or difficult to forge technique.</p>
<p>This handshaking ensures that rogue parties can not purchase items by knowing only certain public items of information on the customer.</p>
<p>The present invention can be implemented as computer-readable code on a computer-readable recording medium.</p>
<p>The computer-readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet) The computer-readable recording medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.</p>
<p>Attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.</p>
<p>All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.</p>
<p>Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.</p>
<p>The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features</p>
<p>disclosed in this specification (including any</p>
<p>accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.</p>
Claims (1)
- <p>CLPIMS</p><p>1. A method of facilitating a financial transaction, comprising the steps of: a customer requesting to purchase an item from an online vendor; the vendor seeking to validate the identity of the customer from a trusted authority by providing the trusted authority with information capable of uniquely identifying the customer; the trusted authority validating the identity of the purchaser by comparing the information supplied by the vendor with information pre-supplied by the customer; if the customer's identity is validated, the trusted authority transmitting a message to the customer seeking approval to complete the transaction; if the customer wishes to complete the transaction, transmitting to the trusted authority certain information known only to, and/or particular to, the customer; and the trusted authority approving payment to the vendor and transmitting confirmation messages to the vendor and the customer.</p><p>2. A method as claimed in claim 1 wherein the certain information known only to, and/or particular to, the customer comprises at least one of a password, a PIN number, a security code or a signature produced from the customer's voice.</p><p>3. A method as claimed in claim 1 or 2, wherein communications between the vendor and the trusted authority are encrypted and transmitted via data lines.</p><p>4. A method as claimed in any preceding claim wherein the means of communication between the trusted authority and the customer comprises at least one of: Short Message Service (SMS) to a registered mobile device; a personal telephone call to a registered number; an automated Interactive Voice Response (IVR) message to a registered telephone number; or an email.</p><p>5. A method as claimed in any preceding claim wherein other methods of conducting a financial transaction are additionally offered and the customer opts for only one method.</p><p>6. A method as claimed in any preceding claim wherein the trusted authority is a financial institution.</p><p>7. A method as claimed in any preceding claim wherein, prior to making a purchase, the customer registers his identity with the trusted authority, along with his payment card details.</p><p>8. A method as claimed in claim 7, wherein the step of registering identity comprises the user providing a voice sample for the purpose of establishing a unique voice signature.</p><p>9. A computer-readable recording medium on which a program for executing a method according to any preceding claim is recorded.</p><p>10. A method as hereinbefore described, having particular reference to the accompanying drawings.</p>
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0610872A GB2438651A (en) | 2006-06-02 | 2006-06-02 | Secure financial transactions |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB0610872A GB2438651A (en) | 2006-06-02 | 2006-06-02 | Secure financial transactions |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB0610872D0 GB0610872D0 (en) | 2006-07-12 |
| GB2438651A true GB2438651A (en) | 2007-12-05 |
Family
ID=36694799
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB0610872A Withdrawn GB2438651A (en) | 2006-06-02 | 2006-06-02 | Secure financial transactions |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2438651A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009157003A1 (en) * | 2008-06-26 | 2009-12-30 | Suresh Babubhai Kapadia | A system and method for preventing misuse of stolen, lost, duplicated, forged and counterfeited credit card/debit card |
| GB2475301A (en) * | 2009-11-13 | 2011-05-18 | Secure Electrans Ltd | Payment Authentication System and Processing Method |
| CN108269187A (en) * | 2018-01-29 | 2018-07-10 | 深圳壹账通智能科技有限公司 | Verification method, device, equipment and the computer storage media of financial business |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0745961A2 (en) * | 1995-05-31 | 1996-12-04 | AT&T IPM Corp. | Transaction authorization and alert system |
| GB2328310A (en) * | 1996-05-15 | 1999-02-17 | Ho Keung Tse | Electronic transaction authorisation system |
| WO1999014711A2 (en) * | 1997-09-17 | 1999-03-25 | Andrasev Akos | Method for checking rightful use of a debit card or similar means giving right of disposing of a bank account |
| US5903721A (en) * | 1997-03-13 | 1999-05-11 | cha|Technologies Services, Inc. | Method and system for secure online transaction processing |
| WO2001039085A1 (en) * | 1999-11-22 | 2001-05-31 | Harry Thomas Kloor | Dual transaction authorization system and method |
| WO2001069549A1 (en) * | 2000-03-17 | 2001-09-20 | Tradesafely.Com Limited | Payment authorisation method and apparatus |
-
2006
- 2006-06-02 GB GB0610872A patent/GB2438651A/en not_active Withdrawn
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0745961A2 (en) * | 1995-05-31 | 1996-12-04 | AT&T IPM Corp. | Transaction authorization and alert system |
| GB2328310A (en) * | 1996-05-15 | 1999-02-17 | Ho Keung Tse | Electronic transaction authorisation system |
| US5903721A (en) * | 1997-03-13 | 1999-05-11 | cha|Technologies Services, Inc. | Method and system for secure online transaction processing |
| WO1999014711A2 (en) * | 1997-09-17 | 1999-03-25 | Andrasev Akos | Method for checking rightful use of a debit card or similar means giving right of disposing of a bank account |
| WO2001039085A1 (en) * | 1999-11-22 | 2001-05-31 | Harry Thomas Kloor | Dual transaction authorization system and method |
| WO2001069549A1 (en) * | 2000-03-17 | 2001-09-20 | Tradesafely.Com Limited | Payment authorisation method and apparatus |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009157003A1 (en) * | 2008-06-26 | 2009-12-30 | Suresh Babubhai Kapadia | A system and method for preventing misuse of stolen, lost, duplicated, forged and counterfeited credit card/debit card |
| GB2475301A (en) * | 2009-11-13 | 2011-05-18 | Secure Electrans Ltd | Payment Authentication System and Processing Method |
| CN108269187A (en) * | 2018-01-29 | 2018-07-10 | 深圳壹账通智能科技有限公司 | Verification method, device, equipment and the computer storage media of financial business |
Also Published As
| Publication number | Publication date |
|---|---|
| GB0610872D0 (en) | 2006-07-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11574312B2 (en) | Secure authentication system and method | |
| US10049360B2 (en) | Secure communication of payment information to merchants using a verification token | |
| US9904919B2 (en) | Verification of portable consumer devices | |
| CA2849324C (en) | Systems and methods for contactless transaction processing | |
| RU2518680C2 (en) | Verification of portable consumer devices | |
| US20130226813A1 (en) | Cyberspace Identification Trust Authority (CITA) System and Method | |
| JP5216594B2 (en) | Authentication method for service server on wireless internet and settlement method using the same | |
| US20150302409A1 (en) | System and method for location-based financial transaction authentication | |
| US20110119155A1 (en) | Verification of portable consumer devices for 3-d secure services | |
| US20060173776A1 (en) | A Method of Authentication | |
| US20150371221A1 (en) | Two factor authentication for invoicing payments | |
| EP2569692A1 (en) | One-time use password systems and methods | |
| CN101675616A (en) | methods and systems for delivering sponsored out-of-band passwords | |
| US10489565B2 (en) | Compromise alert and reissuance | |
| WO2016118087A1 (en) | System and method for secure online payment using integrated circuit card | |
| JP2002298054A (en) | User authentication method, settlement method, information processing method for user authentication, information processing method for settlement, information processing system for user authentication, information processing system for settlement, and program | |
| KR20070029537A (en) | Authentication system and method using individual unique code linked with wireless terminal | |
| GB2438651A (en) | Secure financial transactions | |
| WO2020069262A1 (en) | System, method, and computer program product for secure, remote transaction authentication and settlement | |
| KR101596434B1 (en) | Method for authenticating electronic financial transaction using payment informaion seperation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |