JP2014127138A - Authentication server providing on-line settlement, authentication system and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a safe on-line settlement with high security that securely performs authentication using positional information with no possibility of alteration of a place where a card is used.SOLUTION: A database associating card information and portable terminal information is stored in advance. An authentication server 1 retrieves both a piece of positional information of a card 4 which is queried of its availability of online settlement and a piece of positional information of a portable terminal 5 associated to the card, and compares the two pieces of positional information. The availability of the settlement is determined according to whether it can be confirmed that the two pieces of positional information are close, in other words, that the card and the portable terminal of a user exist in approximately the same location.

Description

  The present invention relates to an electronic payment technique using a credit card in online shopping using the Internet or the like.

  In recent years, shopping for clothes, daily necessities, furniture, home appliances, and the like is increasingly performed online using the Internet or the like. In addition to shopping, purchases of applications and content that can be used on the terminal, membership fees such as monthly fees generated on specific sites, and billing for online games, etc., increase the number of scenes where payments are made online. ing.

  As one of online payment methods, payment by credit card is used. In online card payment, the credit card number, contractor name, expiration date, security code, etc. are entered, and the credit card company is inquired for the entered information to verify whether it is a registered card. This method is generally used.

  However, in the conventional online card payment method, there is a fear that the card itself may be abused when a third party obtains the card itself. Therefore, authentication is performed using the location information of a payment terminal such as a PC (personal computer) connected to the Internet and the location information of the mobile terminal held by the card holder, and card payment can be made only when the location information is close to each other. For example, ideas have been proposed to increase the safety of online card payments and prevent unauthorized use. Thereby, for example, even if a third party obtains the card, the card cannot be used unless the place where the card is used and the position of the owner's mobile terminal are close to each other, making unauthorized use difficult.

JP-A-2005-216210

  However, in the method using the position information of the payment terminal, there is a possibility that unauthorized use may be established by setting inappropriate position information in the payment terminal. That is, even if the place where the payment is actually made and the position of the owner's mobile terminal are separated, if it is a third party who intends to carry out unauthorized use, for example, the place where the card was obtained, It is possible to predict to some extent the owner's whereabouts = the position of the mobile terminal from information on the person (for example, address, work place, etc.). If the position of the mobile terminal can be predicted, the position information output from the payment terminal can be tampered with the position information of the mobile terminal to enable unauthorized use.

  The present invention has been made to solve the above problems, and the problem is that the location information can be reliably authenticated without falsifying the place where the card is used. To provide settlement.

  In order to solve the above-described problems, the present invention is an authentication server that determines whether online electronic payment transactions are possible, has a database that stores card information and mobile terminal information in association with each other, and Upon receiving a transaction propriety inquiry including card information from the terminal, the card position information is obtained from the means indicated by the received card information, and the card information is supported. The portable terminal information that is stored in addition is read, and the means for acquiring the portable terminal position information from the portable terminal indicated by the portable terminal information is compared with the acquired card position information and the portable terminal position information, The transaction availability information is generated by determining the transaction availability according to the degree of proximity between the location information of the card and the mobile terminal, and the transaction availability information is sent to the settlement terminal. It means for signal, is obtained by the authentication server, characterized by at least including.

  Further, in the present invention, the determination of whether or not the transaction is possible is that the transaction is permitted if the difference between the location information of the card and the mobile terminal is within a preset threshold range, and the difference between the location information is within the threshold range. If it is outside, it is set as the said authentication server characterized by determining with transaction rejection.

  Furthermore, the present invention predefines a position information method used for determining whether or not the transaction is possible, and the position information acquired from the card and the mobile terminal is position information based on a method different from the method. The above-mentioned authentication server is characterized in that the position information is compared after being converted into position information by the method defined in advance.

  Furthermore, the present invention is an authentication system for determining whether online electronic payment transactions are possible, and an authentication server, a payment terminal, a portable terminal, a card, and a database in which card information and portable terminal information are stored in association with each other. And when the authentication server receives an inquiry about whether or not the transaction including the card information is received from the payment terminal, a means for confirming the validity of the received card information, and a card from the card indicated by the received card information Means for acquiring position information, reading out the portable terminal information stored in association with the received card information, and acquiring portable terminal position information from the portable terminal indicated by the portable terminal information; and the authentication server, The degree of proximity between the position information of the card and the mobile terminal by comparing the acquired card position information and the mobile terminal position information There by to determine the transaction propriety generates transaction permission information, in which the transaction permission information to the authentication system, characterized by at least comprising means for transmitting, against the payment terminal.

  Furthermore, the present invention provides an authentication method for determining whether or not online electronic payment transactions are possible, and when the authentication server receives an inquiry about whether or not transactions including card information are received from a payment terminal, the received card information is validated. The step of confirming the property, the step of acquiring the card position information from the card indicated by the received card information, and the authentication server received from the database in which the card information and the portable terminal information are stored in association with each other. Reading the portable terminal information stored in association with card information, obtaining portable terminal position information from the portable terminal indicated by the portable terminal information, and the authentication server obtaining the card position information and the portable information Compare the terminal location information and determine whether or not the transaction is possible based on the degree of proximity between the location information of the card and the mobile terminal. It generates 引可 unnecessary information, in which the transaction permission information and the authentication method characterized by at least comprising the steps of: transmitting to the payment terminal.

  Since the present invention is configured as described above, the following effects can be obtained.

  That is, by adopting the configuration of the present invention, it is possible to reliably authenticate position information without providing alterations to the place where the card is used, and to provide secure online payment with high security.

It is a schematic diagram which shows one Example of the structure which provides the online payment in this invention. It is a sequence diagram which shows one Example of the flow of the online payment in this invention.

  Hereinafter, an apparatus, a system, a method, and the like for providing high security authentication in online payment according to the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a schematic diagram showing an embodiment of a configuration for providing online payment. In FIG. 1, the Example comprised from the card | curd and the portable terminal, the payment terminal which comprises a card reader, and the authentication server was shown.

  The card in the present invention is a card for performing financial settlement called a credit card, a debit card or the like. In this embodiment, a case where the card is a credit card will be basically described. As will be described in detail later, an IC card equipped with a contact-type or non-contact-type IC chip is suitable for the configuration in which information can be exchanged with a card reader of a payment terminal.

  Further, the card in this embodiment has means for acquiring position information represented by a GPS function for acquiring position information from a GPS satellite or the like. This can be realized by separately providing an IC chip on which position information acquisition means such as a GPS function is mounted, or by mounting position information acquisition means on an IC chip that is originally provided in the IC card.

  The mobile terminal may be a mobile terminal having a communication function for connecting to the Internet via a mobile line or a wireless LAN, such as a mobile phone or a smartphone. However, the portable terminal in a present Example shall have position information acquisition means, such as a GPS function, like a card | curd.

  A payment terminal is a terminal on which a user performs online payment, and includes a communication function for connecting to an authentication server using a network line such as the Internet, a user input function (for example, a touch panel, a keyboard, a numeric keypad, etc.), a display screen, and the like. For example, PC (personal computer), a tablet terminal, a smart phone, a portable terminal etc. are mention | raise | lifted.

  Moreover, it is desirable that the payment terminal has a card reader. In FIG. 1, the card reader is externally attached to the payment terminal, but the payment terminal itself may have a built-in card reader function, but this is not restrictive. The card reader only needs to be capable of exchanging information with the card. For example, if the card is a contact IC card, the card reader is a card reader that performs contact communication with the IC chip, and if it is a non-contact IC card. A card reader provided with a communication antenna or the like capable of non-contact communication.

  An authentication server is a server that authenticates whether a card that has been inquired about whether or not payment is possible is an authorized card and is used by an authorized user in online card payment. It is a server operated by a card company that makes simple payments. Sellers such as online shops have established a system to connect with the authentication server through the card company's screening in advance, or connect with the card company's authentication server through the settlement agency system. Yes. When the user enters a card number, expiration date, etc. on the product purchase screen such as an online shop displayed on the payment terminal, the entered information is sent to the card company's authentication server, and the authentication server However, the authentication server in the present invention is not limited to the one on the card company side.

  In the authentication server according to the present invention, card information and portable terminal information that can uniquely identify the portable terminal are stored in association with each other with respect to cards and portable terminals held by the same user. As the mobile terminal information, the SIM ID, telephone number, mail address, etc. held by the mobile terminal can be used. In addition, when downloading and installing an application or the like for using the system of the present invention on a portable terminal and causing the user to use it, user registration is performed by downloading the application, installing it, or starting it for the first time. It is also possible to use this user ID as portable terminal information by giving a password or allowing the user to set it.

  FIG. 2 is a sequence diagram showing an embodiment of the flow of online payment according to the present invention. The sequence diagram of FIG. 2 shows the site after the user selects the item he / she wishes to purchase, the payment amount is determined, and the user selects credit card payment as the payment method at a site operated by a seller such as an online shop. This flow is shown. As described above, the website to which the payment terminal is connected at this point may be a site operated by the seller, but is operated by a payment agency that acts as an intermediary between the seller and the card company. There is also a transition to a site. Therefore, although the operation from here is actually performed on the website, it will be described as the operation of the payment terminal.

  First, the payment terminal requests the user to input card information, specifically, card number, expiration date, contractor name, or security code, preferably a plurality of combinations. When the payment terminal is equipped with a card reader, part or all of the card information may be directly acquired from the card via the card reader, and user input and acquisition from the card reader may be performed. You may use together by the item of card information. When the payment terminal receives the input of the card information, the payment terminal transmits the input card information to the authentication server and inquires whether the transaction is possible. At this time, the card information may be encrypted and transmitted to the authentication server in order to improve security.

  The authentication server decrypts the card information received from the payment terminal if necessary if it is encrypted, and verifies whether the received card information is valid card information in a database storing the card information. If the received card information does not match any card information registered in the database, or if one or more of the card number, expiration date, contractor name, security code, etc. are different, the authentication server Is not valid card information, an authentication error response is transmitted to the payment terminal, and the payment terminal displays an authentication error message on the display screen. Here, the user may be requested to input the card information again, or by setting a counter limit on the number of errors, if an authentication error occurs more than the set number of times, the card is You may make it change to the state (discard mode) which cannot be used.

  On the other hand, if the card information received by the authentication server matches one of the card information registered in the database and the verification is successful as valid card information, the authentication server associates the card information with the received card information. The mobile terminal information that can identify the stored mobile terminal is read, and the location information is inquired to each of the card and the mobile terminal.

  First, if the payment terminal is equipped with a card reader, the inquiry of the position information to the card is to provide the position information to the IC chip having the GPS function of the card via the card reader. It is possible by request. At this time, in order to confirm that the card providing the location information is the card used for the verification of the card information, it is a part of the card information and is originally used for highly confidential information such as the IC chip itself. It is preferable to acquire the unique ID and the like at the same time, and in order to improve security, it is further desirable to generate a signature with the position information and the card information as a signature object in the card and transmit the signature to the authentication server. Alternatively, in the step of accepting card information input when collating card information, position information may be acquired in advance.

  When the mobile terminal has a reader function, the card position information and a part of the card information (for example, an IC chip) are stored in the mobile terminal stored in association with the card information from the authentication server. When the user communicates the card with the mobile terminal, the position information of the card and a part of the card information are sent to the authentication server via the mobile terminal. May be. Also in this case, it is desirable in terms of security to use a signature generated by using a part of position information and card information as a signature target.

  When the reader function of the payment terminal and the portable terminal is not used, there is a method of acquiring the position information directly from the card. For this purpose, it is necessary to use a card having a communication function such as connection using a network such as a wireless LAN, e-mail, or communication to a direct authentication server. As for the electromotive force for communication of the card, a power source may be separately provided in the card itself, or it may be generated by communication with a reader such as a card reader or a portable terminal to enable communication. .

  If the location information from the card is not acquired normally, an error is returned to the payment terminal or mobile terminal through which the location information passes, and the location information is acquired again from the card, or the transaction is cancelled. You may make it make a user select. In addition, when an error occurs continuously several times, an upper limit of the number of errors may be set so that the transaction is stopped.

  The inquiry of the position information to the portable terminal is performed by reading out information of the portable terminal stored in association with the card and requesting the portable terminal to provide the position information. As a method for requesting position information, for example, there is a method in which a dedicated application is installed in advance in a mobile terminal and the position information is acquired via this application. In this case, an alert from the application asks the user for permission to transmit the location information, or the user is permitted to display the mobile terminal's location information on the payment terminal side. You may make it interpose the step which calculates | requires.

  Another method for the authentication server to acquire the location information of the mobile terminal is to send an e-mail from the authentication server to the mobile terminal and to allow the user to access the URL written in the body of the e-mail. The location information of the portable terminal may be acquired at the access destination. However, the acquisition of the position information in the present invention is not limited to these methods regardless of the card or the mobile terminal.

  If the location information from the mobile terminal is not normally acquired, an error is returned to the mobile terminal or the settlement terminal performing the settlement procedure, and the location information is acquired again from the mobile terminal. Alternatively, the user may select whether to cancel the transaction. In addition, when an error occurs continuously several times, an upper limit of the number of errors may be set so that the transaction is stopped.

  When acquisition of the location information of both the card and the portable terminal is successful, the authentication server compares and authenticates the location information, and determines whether or not the transaction is possible based on the degree of proximity of the two location information. As a determination method, for example, it is first determined whether the acquired position information is the position information measured by various methods (protocols), and if necessary, another method using a conversion formula or a comparison table is used. It converts into a system and makes two positional information a common system. At this time, it may be possible to convert all of the location information into one method defined on the authentication server side, or if the two location information obtained from the card and the mobile terminal use the same method, that method is given priority. You may make it do. Further, a method may be used in which only the other position information is converted in accordance with either one of the position information methods, thereby obtaining a common method.

  In this way, after the position information methods are matched, the two pieces of position information are compared, and whether or not the transaction is possible is determined based on whether or not the card and the mobile terminal are located at substantially the same place. Here, a specific threshold value is set so as to allow a certain amount of error, depending on the position information standard to be adopted, and if the difference in the position information between the card and the mobile terminal is within this threshold value range. It is preferable to set the transaction permission determination so as to determine the transaction rejection if it is out of the range. This threshold value is desirably set individually because the degree of fineness and error differs depending on the position information method.

  And an authentication server transmits the transaction propriety information which is a determination result to a payment terminal. Note that it is preferable in terms of security that the encrypted transaction availability information is transmitted from the authentication server to the payment terminal. The establishment of the transaction may be established at the time when the transaction approval / disapproval information of the transaction permission is transmitted, or after the transaction approval / disapproval information of the transaction permission is transmitted to the settlement terminal, the transaction is finally established at the settlement terminal. It is good also as what makes a user select whether or not, and a transaction is materialized when a user chooses transaction establishment.

  Further, when the card stores and manages the upper limit of the transaction amount and the upper limit of the number of transactions, the authentication server preferably transmits the transaction propriety information transmitted to the settlement terminal also to the card. If the purpose is only to add the transaction amount or count up the number of transactions, it may be transmitted to the card only when the transaction is permitted, or may be transmitted even when the transaction is rejected.

  Transmission to the card may be performed via a card reader such as a payment terminal or a portable terminal, or may be directly transmitted to the card. At this time, it is preferable in terms of security that the encrypted transaction availability information is transmitted to the card without being decrypted at the settlement terminal and is decrypted on the card side. By doing so, for example, the transaction permission / prohibition information is falsified at the payment terminal, and the transaction refusal information is transmitted to the card side even though the transaction is established. By not counting up the number of transactions, it becomes possible to prevent transactions from being made indefinitely.

DESCRIPTION OF SYMBOLS 1 ... Authentication server 2 ... Payment terminal 3 ... Card reader 4 ... Card 5 ... Portable terminal

Claims (5)

An authentication server that determines whether online electronic payment transactions are possible,
It has a database that stores card information and mobile terminal information in association with each other,
Upon receiving a transaction permission inquiry including card information from the payment terminal, means for confirming the validity of the received card information;
The card position information is obtained from the card indicated by the received card information, the portable terminal information stored in association with the card information is read, and the portable terminal position information is obtained from the portable terminal indicated by the portable terminal information. Means,
Comparing the acquired card position information with the mobile terminal position information, determining whether or not the transaction is possible according to the degree of proximity between the position information of the card and the mobile terminal, and generating transaction availability information, Means for transmitting availability information to the payment terminal;
An authentication server comprising at least   The determination of whether or not the transaction is possible is a transaction permission if the difference in position information between the card and the mobile terminal is within a preset threshold range, and a transaction if the difference in position information is outside the threshold range. The authentication server according to claim 1, wherein the authentication server is determined to be rejected. Define in advance the method of location information used to determine whether the transaction is possible,
When the position information acquired from the card and the mobile terminal is position information based on a method different from the method, the position information is converted into position information based on the predefined method and the position information is compared. The authentication server according to claim 1 or 2. An authentication system for determining whether online electronic payment transactions are possible,
An authentication server, a payment terminal, a mobile terminal, a card, and a database storing card information and mobile terminal information in association with each other;
When the authentication server receives an inquiry about whether or not the transaction including the card information from the payment terminal, means for confirming the validity of the received card information;
The card position information is obtained from the card indicated by the received card information, and the portable terminal information stored in association with the received card information is read, and the portable terminal position information is read from the portable terminal indicated by the portable terminal information. Means for obtaining
The authentication server compares the acquired card position information and the mobile terminal position information, determines whether or not the transaction is possible according to the degree of proximity between the position information of the card and the mobile terminal, and determines whether or not the transaction is possible. Means for generating and transmitting the transaction propriety information to the payment terminal;
An authentication system comprising at least An authentication method for determining whether online electronic payment transactions are possible,
When the authentication server receives an inquiry about whether or not the transaction including card information is possible from the payment terminal, the step of confirming the validity of the received card information;
Obtaining card position information from the card indicated by the received card information;
The authentication server reads the mobile terminal information stored in association with the received card information from the database in which the card information and the mobile terminal information are stored in association with each other, and the mobile terminal indicated by the mobile terminal information Obtaining mobile device location information from
The authentication server compares the acquired card position information and the mobile terminal position information, determines whether or not the transaction is possible according to the degree of proximity between the position information of the card and the mobile terminal, and determines whether or not the transaction is possible. Generating and transmitting the transaction availability information to the payment terminal;
An authentication method comprising: at least.

Images