KR102468785B1 - Payment service providing apparatus and method for supporting transaction verification based on web, system and computer readable medium having computer program recorded thereon - Google Patents

Abstract

The present invention relates to an apparatus and method for providing a payment service supporting web-based transaction verification, and a recording medium on which a system and a computer program are recorded, and more particularly, to a web-based simple payment configured to enable non-face-to-face payment and settlement in a web standard environment. A payment service providing device and method that supports web-based transaction verification that safely protects payment information and supports secure payment only for payments that have actually occurred when payment information is received, and a recording medium on which the system and computer program are recorded it's about

Description

Payment service providing apparatus and method for supporting web-based transaction verification, and recording medium on which system and computer program are recorded

The present invention relates to an apparatus and method for providing a payment service supporting web-based transaction verification, and a recording medium on which a system and a computer program are recorded, and more particularly, to a web-based simple payment configured to enable non-face-to-face payment and settlement in a web standard environment. A payment service providing device and method that supports web-based transaction verification that safely protects payment information and supports secure payment only for payments that have actually occurred when payment information is received, and a recording medium on which the system and computer program are recorded it's about

With the development of mobile communication technology, the use of wireless devices such as mobile phones and personal digital assistants (PDAs) has increased rapidly, and services performed in wired Internet are gradually moving to wireless Internet-based services.

With the activation of wireless networks, various services using many wired and wireless networks are being provided in commercial and service fields. For example, mobile electronic commerce (M-commerce) is an example of a wireless network-based commerce service.

In order to conduct non-face-to-face commercial transactions, a procedure for payment through authentication and payment procedures is required. The online payment method through the existing authentication and payment process is a method of making payment through individual authentication methods such as credit card number and phone bill. In the existing payment method, the payment server cannot store payment information such as credit card or account transfer, so you can use the safe click, ISP credit card payment, or, in the case of simple payment, payment based on a virtual card in consultation with the credit card/account transfer company. was the way to proceed. Simple payment methods are also mainly provided based on apps. A common standard method for online commerce is not provided.

On the other hand, in general, existing payment methods proceed with payment only with the user's PIN without verifying whether or not an actual transaction has occurred upon receipt of payment information. Therefore, there is a case where the payment-related server hacks the user's PIN and proceeds with the payment based on this. may occur, and accordingly, there is a problem that it is difficult to guarantee reliability and security of the payment related system.

Korean Patent Publication No. 10-2013-0008123 [Title of Invention: Method and system for operating payment using dynamically determined authentication number and wireless terminal therefor]

An object of the present invention is to provide a web-based authentication payment method for non-face-to-face payment and settlement in a web standard environment, to determine forgery in payment based on a plurality of divided information blocks, and to make payment based on the user's PIN The purpose is to ensure the stability and security of the payment by verifying whether the transaction corresponding to the payment actually occurred during the process.

In addition, another object of the present invention is to provide security against various types of infringements that occur during payment in a user device.

An apparatus for providing a payment service supporting web-based transaction verification according to an embodiment of the present invention encrypts and stores a credit card number, encrypts a credit card authentication value, and divides it into information block 1 and information block 2, wherein information block 1 is information receiving payment PIN (personal identification number) information from a user device and a credit card authorization request device configured to be used for decryption of block 2, transmit information block 1 to a user authentication device and delete information block 1; Payment to store the encrypted information block 1 by encrypting it based on the payment PIN information, and to generate the information block 1 with the user device when payment information including payment details is received from the web-based commerce device where the commerce transaction by the user occurred A user authentication device requesting PIN information and transmitting an information block 1 obtained by decrypting an information block 1 encrypted based on payment PIN information received from a user device to a credit card authorization requesting device, wherein the credit card authorization requesting device comprises a web Receive transaction confirmation information from the based commerce device, including the payment unique code and transaction date and time corresponding to the transaction, and receive transaction validation information issued from the web-based commerce device from the user device, compare with the transaction confirmation information, and then match each other Information It may be characterized in that payment processing is performed according to payment information based on block 1 and information block 2.

As an example related to the present invention, the credit card authorization request device decrypts information block 2 based on information block 1, decrypts an encrypted credit card authentication value based on information block 1 and information block 2, and decrypts the encrypted credit card number It may be characterized in that it is implemented to decrypt, generate an approval full text to be transmitted to the credit card company based on the credit card authentication value and the credit card number, and transmit the approved full text to the credit card company.

As an example related to the present invention, encryption of a credit card number is performed based on a hardware security module (HSM) and hash, encryption of a credit card authentication value is performed based on the HSM, and information block 1 is user authentication. It may be characterized in that it is encrypted through advanced encryption standard (AES) based on the payment PIN information in the device.

As an example related to the present invention, the credit card permission request device may receive a credit card number and a credit card authentication value from the user device through a member registration procedure.

In the payment service providing method supporting web-based transaction verification according to an embodiment of the present invention, a credit card authorization request device encrypts and stores a credit card number, encrypts a credit card authentication value, and divides it into information block 1 and information block 2. After that, information block 1 is transmitted to the user authentication device and information block 1 is deleted. Information block 1 is used to decrypt information block 2, and the user authentication device receives payment PIN (personal identification number) information from the user device. and storing the encrypted information block 1 by encrypting the information block 1 based on the payment PIN information, when the user authentication device receives payment information including payment details from the web-based commerce device where the user's commerce transaction occurred. requesting payment PIN information for generating the information block 1 to the device and transmitting the information block 1 obtained by decrypting the encrypted information block 1 based on the payment PIN information received from the user device to the credit card approval requesting device; Receiving, by the approval requesting device, transaction confirmation information from the web-based commerce device, including the payment unique code corresponding to the transaction and transaction date and time, and the credit card approval requesting device receiving the transaction verification information issued from the web-based commerce device from the user device and performing payment processing according to the payment information based on the information block 1 and the information block 2 when they are identical after comparing with the transaction confirmation information.

As an example related to the present invention, in the above-described method for providing a payment service supporting web-based transaction verification, a credit card authorization request device decrypts information block 2 based on information block 1, and based on information block 1 and information block 2, Decrypting the encrypted credit card authentication value and decrypting the encrypted credit card number, and the credit card authorization requesting device generates an authorization text to be transmitted to the credit card company based on the decrypted credit card authentication value and credit card number, and the approval A step of transmitting the full text to a credit card company may be further included.

The recording medium according to an embodiment of the present invention may store a computer program for performing the above-described payment service providing method supporting web-based transaction verification.

A payment service providing system supporting web-based transaction verification according to an embodiment of the present invention includes a user device that transmits a credit card number and a credit card authentication value through a membership registration procedure and transmits payment PIN (personal identification number) information; When a commercial transaction occurs through a user device, transaction confirmation information including payment information for payment details, payment unique code corresponding to the commercial transaction, and transaction date and time is transmitted, and transaction verification information for the payment unique code and transaction date and time to the user device A web-based commerce device that issues and transmits, encrypts and stores credit card numbers, encrypts credit card authentication values, and divides them into information block 1 and information block 2, information block 1 is used to decrypt information block 2, information The information block 1 is encrypted based on the payment PIN information received from the credit card authorization request device and the user device implemented to transmit block 1 to the user authentication device and delete information block 1, and store the encrypted information block 1, When payment information is received from the based commerce device, a user authentication device for transmitting the information block 1 obtained by decrypting the encrypted information block 1 based on the payment PIN information received from the user device to the credit card approval request device, credit card authorization request The device compares the transaction confirmation information received from the web-based commerce device and the transaction validation information received from the user device, and performs payment processing according to the payment information based on information block 1 and information block 2 when they match each other. can do.

As an example related to the present invention, the credit card authorization request device decrypts information block 2 based on information block 1, decrypts an encrypted credit card authentication value based on information block 1 and information block 2, and decrypts the encrypted credit card number It may be characterized in that it is implemented to decrypt, generate an approval full text to be transmitted to the credit card company based on the credit card authentication value and the credit card number, and transmit the approved full text to the credit card company.

As an example related to the present invention, encryption of a credit card number is performed based on a hardware security module (HSM) and hash, encryption of a credit card authentication value is performed based on the HSM, and information block 1 is user authentication. It may be characterized in that it is encrypted through advanced encryption standard (AES) based on the payment PIN information in the device.

The present invention provides a web-based authentication payment method for non-face-to-face payment and settlement in a web standard environment, and at the same time, a credit card authorization request device performs transaction verification based on information received from a web-based commerce device and a user device through a one-way channel Security of the entire payment system by supporting safe payment even if the payment PIN is leaked due to hacking of the user authentication device by decrypting credit card information after confirming whether an actual transaction has occurred has the effect of reinforcing

In addition, the present invention has an effect of strengthening security by configuring a one-way channel between the credit card requesting device and other devices to minimize hacking threats to the credit card requesting device storing credit card related information.

In addition, the present invention can minimize the transmission and reception of payment information during online authentication payment by exchanging credit card related information between the payment service providing device and the card company server, and separates and manages credit card related information into a plurality of information blocks to improve security has the effect of greatly improving

1 is a configuration environment diagram of a payment service providing system supporting web-based transaction verification according to an embodiment of the present invention.
2 is a conceptual diagram illustrating the operation of a payment service providing device constituting a payment service providing system supporting web-based transaction verification according to an embodiment of the present invention.
3 is a conceptual diagram illustrating a user membership subscription procedure according to an embodiment of the present invention;
4 is a flow chart showing a user membership subscription procedure according to an embodiment of the present invention;
5 is a conceptual diagram illustrating an operation of a method of encrypting a card number and a card authentication value and a method of verifying a transaction in a credit card approval request device and a user authentication device according to an embodiment of the present invention.
6 is a flowchart illustrating a payment procedure according to input of a payment PIN of a payment service providing device according to an embodiment of the present invention when a web-based commercial transaction occurs by a user.
7 is a conceptual diagram illustrating a payment procedure according to input of a payment PIN according to an embodiment of the present invention.
8 is a conceptual diagram illustrating a payment procedure according to transaction verification according to an embodiment of the present invention.

It should be noted that technical terms used in the present invention are only used to describe specific embodiments and are not intended to limit the present invention. In addition, technical terms used in the present invention should be interpreted in terms commonly understood by those of ordinary skill in the art to which the present invention belongs, unless specifically defined otherwise in the present invention, and are excessively inclusive. It should not be interpreted in a positive sense or in an excessively reduced sense. In addition, when the technical terms used in the present invention are incorrect technical terms that do not accurately express the spirit of the present invention, they should be replaced with technical terms that those skilled in the art can correctly understand. In addition, general terms used in the present invention should be interpreted as defined in advance or according to context, and should not be interpreted in an excessively reduced sense.

Also, singular expressions used in the present invention include plural expressions unless the context clearly dictates otherwise. In the present invention, terms such as "consisting of" or "comprising" should not be construed as necessarily including all of the various elements or steps described in the invention, and some of the elements or steps are included. It should be construed that it may not be, or may further include additional components or steps.

In addition, terms including ordinal numbers such as first and second used in the present invention may be used to describe components, but components should not be limited by the terms. Terms are used only to distinguish one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention.

Hereinafter, a preferred embodiment according to the present invention will be described in detail with reference to the accompanying drawings, but the same or similar components are assigned the same reference numerals regardless of reference numerals, and redundant description thereof will be omitted.

In addition, in describing the present invention, if it is determined that a detailed description of a related known technology may obscure the gist of the present invention, the detailed description will be omitted. In addition, it should be noted that the accompanying drawings are only for easily understanding the spirit of the present invention, and should not be construed as limiting the spirit of the present invention by the accompanying drawings.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings, but the same or similar components are given the same reference numerals regardless of reference numerals, and redundant description thereof will be omitted.

In addition, in describing the present invention, if it is determined that a detailed description of a related known technology may obscure the gist of the present invention, the detailed description will be omitted. In addition, it should be noted that the accompanying drawings are only for easily understanding the spirit of the present invention, and should not be construed as limiting the spirit of the present invention by the accompanying drawings.

In the existing network-based payment method, the payment server did not store the payment information, so there was an inconvenience of having to input the payment information every time. Even in the case of the existing simple payment, when payment companies make payments based on virtual card numbers, there are inconveniences such as the need to define payment specifications through a dedicated line connection with a separate card company and pay, and issuers such as all card companies and banks It took a lot of time to link with the service, which made it difficult to spread the service.

Hereinafter, in the embodiments of the present invention, the user's convenience and security are improved, and a payment service providing device, system, and method in line with global web standards are presented, and a user's payment PIN used for payment in a web-based payment environment is presented. Disclosed is a payment service providing device, system, and method that can enhance security by enabling payment using a payment PIN after verifying a transaction generated by a user to prevent leakage and illegal use due to external hacking. .

A web standard means an international web standard technology established for compatibility between various types of operating environments without a separate plug-in installation without remaining in a specific terminal operating environment (for example, ActiveX, Java, Adobe Air).

For example, the web standard may be a next-generation open technology such as HTML5 established by the World Wide Web Consortium (W3C).

Hereinafter, the meaning of web standards disclosed in the embodiments of the present invention is not limited to HTML5 standard technology, and may include various other web driving technologies such as DOM and JavaScript to secure compatibility between various operating environments.

Hereinafter, an apparatus, system, and method for providing a payment service supporting web-based transaction verification according to an embodiment of the present invention comply with the security required by domestic electronic financial transaction regulations to enhance customer convenience and security, while online authentication It can improve the inconvenience and risk of having to input and communicate sensitive personal and payment information each time a payment is made.

In addition, the payment service providing device, system, and method for supporting web-based transaction verification according to an embodiment of the present invention are payment services tailored to global standards, and general authentication transactions (2D certified payment) designed to global standards to enhance service competitiveness. It may be an identity authentication transaction (3D authentication payment) in which transaction stability is increased by adding identity authentication to .

In addition, an apparatus, system, and method for providing a payment service supporting web-based transaction verification according to an embodiment of the present invention are scalable and scalable to provide transaction authentication and approval services regardless of the platform or OS (operating system) of a personal terminal. A common process considering mutual compatibility can be provided.

In addition, the payment service providing apparatus, system, and method for supporting web-based transaction verification according to an embodiment of the present invention prevent cases in which a user's payment PIN used for payment in a web-based payment environment is leaked and illegally used due to external hacking. It can be prevented.

Hereinafter, an apparatus, system, and method for providing a payment service supporting web-based transaction verification according to specific embodiments of the present invention are disclosed.

1 is a configuration environment diagram of a payment service providing system supporting web-based transaction verification according to an embodiment of the present invention, and FIG. 2 is an operation of a payment service providing device constituting the payment service providing system supporting web-based transaction verification. it is a concept

As shown in FIG. 1, a payment service providing system supporting web-based transaction verification according to an embodiment of the present invention includes a user device 10, a web-based commerce device 200, and a payment service providing device connected through a communication network. (100) may be included.

Meanwhile, referring to FIG. 2 , referring to the operation process for the payment service supporting web-based transaction verification, the payment service providing device 100 may be implemented in a structure including a separate physically separated sub-device.

That is, the payment service providing device 100 may include a credit card approval request device 140 and a user authentication device 120 .

The credit card permission request unit 140 may be a server for performing an authentication transaction with a credit card company.

The user authentication device 120 may be a server responsible for user authentication. When a user subscribes from an affiliated store, the user authentication device 120 may perform identity authentication through a mobile phone identity verification service (SMS-OTP) of a mobile communication company.

Also, the user authentication device 120 may receive credit card information from a user through a web browser and receive, store, and manage a personal identification number (PIN) number.

Specifically, the user authentication device 120 may perform the following operations.

The user authentication device 120 is a mobile carrier authentication or iPin based on the user's personal information (name, date of birth, gender, nationality, mobile phone number, mobile carrier, e-mail) received through the web browser during the user's member registration process. authentication can be performed. CI (connecting information)/DI (duplication information) personal information received as a result of identity authentication may all be encrypted and stored and managed in a database of the user authentication device 120 .

When a user logs in to the user authentication device 120, the user authentication device 120 extracts credit card information (card ID) already registered by the user and encrypts it with a temporarily generated encryption key to generate a temporary virtual card number. can

In addition, the user authentication device 120 encrypts and stores the user's transaction environment information (connection IP (internet protocol), location information, user agent), transaction details (transaction details), member information, payment information, etc. in a database. have.

In addition, the user authentication device 120 obfuscates the information block 1 transmitted from the credit card permission request device 140 (the authentication value required when approving the credit card registered in the credit card permission request device 140 by the user) One information block out of two pieces of information) can be encrypted and stored based on the payment PIN entered by the member.

In addition, the user authentication device 120 may transmit the information block 1 decrypted with the payment PIN input by the member to the credit card approval request device 140 when requesting transaction approval.

Specifically, the credit card permission request device 140 may perform the following operations.

When a user registers a credit card to the service, the information required for credit card authentication (credit card number, expiration date, the first two digits of the card password, date of birth) to confirm approval with the credit card company in order to evaluate the validity of the credit card is provided to the user. It can be temporarily transmitted to the credit card authorization request device 140 using the device 10 .

When the credit card authorization request device 140 confirms the validity of the credit card as a result of the authorization, the information required for credit card authentication (for example, a credit card number) is transmitted through a hardware security module (HSM) as in a general VAN information processing procedure. It may be encrypted and a corresponding card ID may be generated and stored in the credit card permission request device 140 .

Among the information required for credit card authentication, the credit card authentication value including the expiration date, the first 2 digits of the card password, and the date of birth is obfuscated and separated into two information blocks, and each of the two information blocks is a separate HSM device. can be encrypted.

During the encryption procedure for each of the two information blocks, a value generated as a result of HSM encryption of information block 1 can be used as an encryption key for information block 2. Accordingly, chain encryption may be performed so that information block 2 cannot be accessed without information block 1.

Of the two generated information blocks, information block 1 is transmitted to the user authentication device 120, and after transmission, information block 1 may be deleted from the credit card permission request device 140.

A user device for performing the authentication payment method may perform authentication and payment procedures through a web browser. The web browser running on the user device 10 is a browser that supports web standards and receives input values (eg, PIN, phone number, etc.) necessary for payment and authentication of the user, and sends the input values through a secure channel (eg, For example, it may be transmitted to the user authentication device 120 through secure socket layer (SSL).

An authentication payment application for performing an authentication payment method may be installed in the user device 10 . For example, the authentication payment application may be a JavaScript-based web app (application) that provides security for non-face-to-face payment performed in a web browser.

In the authentication payment application, authentication payment procedures may be performed based on new member registration, login, authentication screen, and payment screen, process input information from the user, and authentication and payment procedures through the payment service providing device 100 can proceed.

Authentication payment applications can provide E2E security (protection of the section between the user and the server), virtual keyboard (protection of user input values), and page obfuscation (encryption of web page data) functions.

In the above configuration, the user authentication device 120 requests a payment PIN to be used for payment to the user device 10, and as shown, uses the payment PIN received from the user device for the separated information block 1 as an encryption key It can be encrypted based on the advanced encryption standard (AES).

Thereafter, the user authentication device 120 receives a temporary virtual card number and payment information about payment details from the web-based commerce device 200 when a transaction occurs through the web-based commerce device 200 by the user device 10 And, when payment information is received, the user device may request a payment PIN for generating information block 1.

Accordingly, the user authentication device 120 may receive the payment PIN from the user device 10, decrypt the encrypted information block 1 based on the payment PIN, and transmit the decrypted information block 1 to the credit card approval request device. .

At this time, the user authentication device 120 decrypts the temporary virtual card number included in the payment information, searches for and extracts a card ID corresponding to the decrypted temporary virtual card number, and uses the extracted card ID as the decrypted information described above. It can be transmitted to the credit card approval request device 140 together with block 1.

Meanwhile, the credit card permission request device 140 decrypts the information block 2 based on the information block 1 received from the user authentication device 120, and authenticates the encrypted credit card based on the decrypted information block 1 and the information block 2. The value may be decrypted, and the encrypted credit card number corresponding to the card ID received from the user authentication device 120 may be decrypted. At this time, the credit card permission request device may decrypt the encrypted credit card number based on the HSM used to encrypt the credit card number.

Accordingly, the credit card authorization request device 140 may generate an authorization text to be transmitted to the credit card company server based on the decrypted credit card authentication value and the credit card number, transmit the authorization text to the credit card company server, and transmit the authorization text to the credit card company server. After receiving the approval result from , it may be transmitted to the web-based commerce device 200 to complete payment processing.

At this time, the credit card approval request device 140 receives the payment information provided by the web-based commerce device 200 from the user authentication device 120, and based on the payment information, the above-described credit card authentication value, and the credit card number You can create an approval full text with . Here, payment information provided from the user authentication device 120 to the credit card approval request device 140 may include only information about payment details.

In the above configuration, there is a problem that the credit card authorization request device 140 may be incapacitated when a hacker hacks the user authentication device 120 . That is, when a hacker obtains a payment PIN through hacking of the user authentication device 120 and transmits it to the user authentication device 120, when a payment occurs and the user terminal pretends to have entered the payment PIN, the credit card is approved. Since the requesting device 140 receives the information block 1 possessed by the user authentication device 120, decrypts the information block 2 possessed by the user authentication device 120, and generates the entire payment information to approve the payment, the user authentication device ( 120), the credit card approval request device 140 automatically lowers its security.

Therefore, in order to solve this problem, the user authentication device 120 allows the credit card permission request device 140 to receive unknown information and variable information (time) to request approval requested by the user authentication device 120. to re-confirm.

For example, when web-based payment is required, the credit card approval request device 140 transmits a unique payment code and transaction corresponding to a commercial transaction generated by the user through a channel capable of communication in only one direction from the web-based commerce device 200 Transaction confirmation information including date and time may be received.

At this time, the web-based commerce device 200 may simultaneously generate payment information that transmits transaction confirmation information to the user authentication device 120 in correspondence with the corresponding payment information, and simultaneously transmits the payment information and requests credit card approval device 140.

In addition, the web-based commerce device 200 may issue transaction verification information, which is the same information as the transaction verification information, to the user device 10 that generates a commercial transaction and transmit it to the user device 10 .

Through this, the credit card permission request device 140 may receive transaction verification information from the user device 10 through a channel capable of communication in only one direction.

Thereafter, the credit card approval request device 140 compares the transaction confirmation information received from the web-based commerce device 200 and the transaction validation information received from the user device 10, and if they match, from the user authentication device 140 It can be confirmed that the credit card authorization request corresponding to the user's commercial transaction is legitimate.

Through this, the credit card approval request device 140 decrypts the information block 2 based on the information block 1 when the transaction verification through comparison of the transaction confirmation information and the transaction verification information is found to be normal, and the information block 1 and the information block 2 Payment processing can be performed by decrypting the credit card authentication value based on , decrypting the encrypted credit card number, generating an authorization message according to the credit card authentication value, credit card number, and payment information, and transmitting it to the credit card company server. .

As such, the present invention performs transaction verification based on the information received from the web-based commerce device 200 and the user device 10 through the one-way channel by the credit card approval request device 140 to determine whether an actual transaction has occurred. By performing decryption of credit card-related information after confirmation, security of the entire payment system can be strengthened by supporting safe payment even if the payment PIN is leaked due to hacking of the user authentication device 120. .

In addition, since the credit card permission request device 140 communicates with external devices only through a one-way channel, the security of the entire system can be enhanced by minimizing the threat of hacking.

In addition, as described above, the present invention can minimize transmission and reception of payment information during online authentication payment by exchanging credit card related information between the payment service providing device and the card company server, and converting credit card related information into a plurality of information blocks. Security can be greatly improved by separating management.

Meanwhile, in the above configuration, the user device 10 includes a smart phone having a communication function, a portable terminal, a mobile terminal, a personal digital assistant (PDA), and a PMP. (Portable Multimedia Player) terminal, telematics terminal, navigation terminal, personal computer, notebook computer, slate PC, tablet PC, ultrabook, wearable Devices (including wearable devices, for example, watch-type terminals (Smartwatch), glass-type terminals (Smart Glass), HMD (Head Mounted Display), etc.), Wibro terminals, IPTV (Internet Protocol Television) terminals, smart TVs , digital broadcasting terminals, AVN (Audio Video Navigation) terminals, A/V (Audio/Video) systems, flexible terminals, and the like.

In addition, as an example of the above-described communication network, wireless LAN (WLAN), DLNA (Digital Living Network Alliance), WiBro (Wireless BroaDB (400) and: Wibro), WiMAX (World Interoperability for Microwave Access: Wimax), GSM ( Global System for Mobile communication), CDMA (Code Division Multi Access), CDMA2000 (Code Division Multi Access 2000), EV-DO (Enhanced Voice-Data Optimized or Enhanced Voice-Data Only), WCDMA (Wideband CDMA), HSDPA (High Speed Downlink Packet Access), High Speed Uplink Packet Access (HSUPA), IEEE 802.16, Long Term Evolution (LTE), Long Term Evolution-Advanced (LTE-A), broadband wireless mobile communication service (Wireless Mobile BroaDB ( 400)and Service: WMBS), Bluetooth, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Ultra Wideband (UWB), ZigBee, Near Field Communication (NFC) ), ultrasound communication (Ultra Sound Communication: USC), visible light communication (Visible Light Communication: VLC), Wi-Fi, Wi-Fi Direct (Wi-Fi Direct), etc. (Power Line Communication: PLC), USB communication, Ethernet, Siri Wired communication networks such as serial communication and optical/coaxial cables may be included.

In addition, the above-described payment service providing device 100 and the web-based commerce device 200 may be implemented in the form of various servers such as a web server, a database server, and a proxy server.

In addition, one or more of a network load balancing mechanism and various software enabling service devices to operate on the Internet or other networks may be installed in the payment service providing device 100 and the web-based commerce device 200, through which It can be implemented as a computerized system.

Also, the network can be an http network, a private line, an intranet or any other network. Furthermore, the connection between each payment service providing device and the web-based commerce devices 100 and 200 and the user device 10 may be connected through a secure network to prevent data from being attacked by any hacker or other third party. In addition, the payment service providing device and the web-based commerce devices 100 and 200 may include a plurality of database servers, and these database servers communicate with each service providing device through any type of network connection including a distributed database server architecture. It may be implemented in a separately connected manner.

Meanwhile, the user device 10 may include various components such as an input unit, a display unit, a communication unit, a storage unit, a voice output unit, and a control unit.

The input unit receives a signal according to the user's button operation or selection of an arbitrary function, or receives a command or control signal generated by a manipulation such as touching/scrolling a displayed screen, or responds to information input by the user. It receives the signal to be sent to the key pad, dome switch, touch pad (static/capacitance), touch screen, jog wheel, jog switch, jog shuttle, mouse ( A variety of devices such as a mouse, a stylus pen, and a touch pen may be used.

In addition, the display unit may display various contents such as various menu screens using a user interface and/or a graphic user interface stored in the storage unit under the control of the controller. Here, the content displayed on the display unit includes various text or image data (including various information data) and a menu screen including data such as icons, list menus, and combo boxes. Also, the display unit may be a touch screen.

In this case, a touch sensor for detecting a user's touch gesture may be included. The touch sensor may be one of various types such as a capacitive type, a resistive type, a piezoelectric type, and the like. In the case of an electrostatic touch screen, touch coordinates are calculated by detecting microelectricity excited by the user's body when a part of the user's body touches the touch screen surface using a dielectric coated on the surface of the touch screen. In the case of a resistive touch screen, two electrode plates are embedded in the touch screen, and when the user touches the screen, the upper and lower electrode plates at the touched position are contacted and current flows. This flow of current is sensed and touch coordinates are calculated.

In addition, the user device 10 may support a pen input function, and in this case, a user's gesture using an input means such as a pen, which is not part of the user's body, may be detected. For example, when the input means is a stylus pen including a coil therein, the user device 10 may include a magnetic field detection sensor for detecting a magnetic field changed by the coil inside the stylus pen. In this case, not only the user's touch gesture but also the user's proximity gesture such as hovering may be detected.

In addition, the display unit includes a liquid crystal display (LCD), a thin film transistor-liquid crystal display (TFT LCD), an organic light-emitting diode (OLED), and a flexible display. , 3D display (3D display), e-ink display (e-ink display), it can be implemented in the form of at least one of LED (Light Emitting Diode), and can include a driving circuit, a backlight unit, etc. for this together .

Also, the display unit may be configured as a 3D display unit for displaying a 3D image.

A 3D display method such as a stereoscopic method (glasses method), an auto stereoscopic method (non-glasses method), a projection method (holographic method) may be applied to the 3D display unit.

The audio output unit outputs audio information included in the signal subjected to predetermined signal processing by the control unit. Here, the audio output unit may include a receiver, a speaker, a buzzer, and the like.

In addition, the audio output unit outputs the guidance audio generated by the control unit.

The communication unit communicates with any internal component or at least one external terminal through the above-described wired/wireless communication network. At this time, any external terminal may include a network service system, a server, and the like.

The control unit executes overall control functions of the user device 10 using programs and data stored in the storage unit. The control unit may include RAM, ROM, CPU, GPU, and a bus, and the RAM, ROM, CPU, and GPU may be connected to each other through a bus. The CPU may access the storage unit, perform booting using an O/S (Operating System) stored in the storage unit, and perform various operations using various programs, contents, data, etc. stored in the storage unit. .

In addition, the storage unit stores data and programs necessary for the user device 10 to operate.

That is, the storage unit may store a plurality of application programs (application programs or applications) running in the user device 10 , data for operating the user device 10 , and commands. At least some of these application programs may be downloaded from an external server through wireless communication. In addition, at least some of these application programs may exist on the user device 10 from the time of shipment for basic functions of the user device 10 (eg, incoming and outgoing calls, outgoing functions, message receiving, and outgoing functions). Meanwhile, the application program may be stored in the user device storage unit, installed in the user device 10, and driven by the user device control unit to perform an operation (or function) of the user device 10.

In addition, the storage unit is a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (eg, SD or XD memory, etc.), a magnetic memory, a magnetic disk, an optical disk, RAM (RAM), SRAM, ROM ( ROM), EEPROM, and PROM may include at least one storage medium. In addition, the user device 10 may operate a web storage that performs a storage function of a user device storage unit on the Internet, or may operate in relation to the web storage.

In addition, the user device 10 may further include an interface unit (not shown) that serves as an interface with all external devices connected to the user device 10 .

For example, the interface unit includes a wired/wireless headset port, an external charger port, a wired/wireless data port, a memory card port, a port connecting a device having an identification module, audio I/O ( Input/Output) port, video I/O (Input/Output) port, earphone port, etc. Here, the identification module is a chip storing various information for authenticating the right to use the user device 10, and includes a user identity module (UIM), a subscriber identity module (SIM), and universal user authentication. module (Universal Subscriber Identity Module: USIM), etc. may be included. In addition, a device equipped with an identification module may be manufactured in the form of a smart card. Accordingly, the identification module may be connected to the user device 10 through the port. Such an interface unit receives data or power from an external device and transmits it to each component inside the user device 10 or transmits data inside the user device 10 to the external device.

In addition, when the user device 10 is connected to an external cradle, the interface unit becomes a passage through which power from the cradle is supplied to the corresponding user device 10, or various command signals input from the cradle by the user are transmitted to the corresponding user device. It can be a passage that is delivered to (10). Various command signals or corresponding power input from the cradle may operate as signals for recognizing that the user device 10 is correctly mounted on the cradle.

In addition, the user device 10 has an input unit for receiving a command or control signal generated by a user's manipulation of a button or selection of an arbitrary function, or a manipulation such as touching/scrolling a displayed screen ( not shown) may be further included.

Hereinafter, detailed embodiments of a payment service providing system supporting web-based transaction verification according to an embodiment of the present invention will be described with reference to the above-described configuration through the following drawings.

3 is a conceptual diagram illustrating a user membership subscription procedure according to an embodiment of the present invention.

Referring to FIG. 3 , when a user is an existing member and a web-based commerce device (or a web-based commerce server) is an ID-unlinked member device. The user can perform authentication on the web application based on the registered member ID and be redirected to an authentication data loss prevention (DLP) procedure. In the case of ID linkage between a web-based commerce device and another web-based commerce device, an authentication DLP procedure may be performed based on an interlocked ID through a member information inquiry procedure.

In the authentication DLP procedure, additional authentication (ARS (automatic response system), SMS (short message service)-OTP (one time password) and App authentication) is performed by providing a list of payment methods, entering a payment PIN, and FDS (fraud detection system). It can be.

If the user is not an existing member, he/she can proceed with the new sign-up process by agreeing to the terms and conditions, authenticating himself/herself, registering payment information, and registering a payment PIN.

When authentication is completed through the authentication DLP procedure, an approval procedure may proceed.

4 is a flow chart illustrating a user membership subscription procedure according to an embodiment of the present invention.

The user authentication device may receive an authentication payment service subscription request and member information from the user, and perform identity authentication for the user through a mobile communication company. Also, after authentication, the user may register a credit card (card number and card authentication value (CAV)) through a user authentication device and a credit card authorization request device. The validity of the credit card is confirmed and the information for payment is encrypted and stored in each of the user authentication device and the credit card permission request device.

According to an embodiment of the present invention, a member account can be registered through various authentication methods according to the member's credit card attributes. All member accounts can perform identity verification by performing both the identity verification method by the non-financial company and the identity verification method by the financial company.

Referring to FIG. 4 , a user may request a payment to a web-based commerce device (eg, a server operating a website of a representative affiliated store) (step S300).

The user may select simple payment according to the payment service method supporting web-based transaction verification according to an embodiment of the present invention as a payment method through the web-based commerce device and request simple payment.

The web-based commerce device may inquire the user's subscription details and confirm whether the user is a new member (step S305). The web-based commerce device may determine whether or not the user requesting the simple payment is already a member capable of proceeding with the simple payment procedure based on the member database. When the user's subscription details exist in the member database, it may be determined that the user's simple payment procedure is possible. Conversely, if the user's subscription details do not exist in the member database, it may be determined that the user cannot proceed with the simple payment procedure and that a new subscription to the user's simple payment procedure is required. Hereinafter, a case in which a new subscription for a user's simple payment procedure is required will be described.

The web-based commerce device may request the user authentication device to proceed with a new member registration procedure for a simple payment procedure (step S310). The user authentication device can first authenticate the validity of the web-based commerce device that has requested the new member registration procedure, and outputs a screen for agreeing to terms and conditions and a screen for inputting member information on separate web pages and transmits them to the user device.

The user device may enter agreement on the terms and conditions, member information, payment PIN, etc. on the simple payment service page and transmit the information to the user authentication device (step S315). The user device may input member information (step S320). Member information may include e-mail, service use ID/password, and subscription information of a user device (eg, a portable terminal). Subscription information of the user device may include the number, name, date of birth, gender, nationality, etc. of the user device necessary for user authentication.

The user authentication device may transmit the identity authentication information of the user device input from the user to the mobile communication company through the mobile phone identity verification service agency (credit rating agency) (step S325).

The mobile communication company may transmit an SMS authentication number to the user device based on the identity authentication information of the user device received from the identity verification service agency (step S330).

The user device may transmit the received SMS authentication number to the user authentication device (step S335).

The user authentication device may request authentication of the user by transmitting the received SMS authentication number to the mobile communication company through the identity verification service agency (step S340).

The mobile communication company may transmit the user verification result (eg, CI/DI) based on the SMS authentication number received from the user authentication device to the user authentication device through the identity verification service agency (step S345).

The user authentication device may request the user to input information about a payment method through the user device (step S350). The user authentication device may notify user environment information such as a screen keyboard and an anti-virus program notification for important information together, and request confirmation of the notification from the user.

The user device may input information about a payment method. The user device may transmit credit card information to the user authentication device (step S355). Credit card information transmitted to the user authentication device through the user device may be encrypted with an encryption key provided from the credit card approval request device before being transmitted.

The user authentication device may transmit encrypted and transmitted credit card information of the user to the credit card approval request device (step S360).

The credit card approval requesting device may decrypt the user's credit card information that has been encrypted and transmitted, and transmit an approval request message to the credit card company server (step S365).

The credit card company server may check the validity of the user's credit card information through the approval system, and transmit the approval result to the credit card approval request device (step S370).

The credit card authorization request device may encrypt the credit card number and credit card authentication value based on the credit card authorization result. For example, a credit card number may be encrypted based on HSM and stored in a credit card authorization request device. The credit card permission request device may generate and store a card ID for identification of a credit card number.

In addition, the credit card permission request device may divide the credit card authentication value (validity period, the first two digits of the card password, and date of birth) into two and separate information block 1 and information block 2. Information block 1 may be transmitted to a physically isolated user authentication device (step S375). After information block 1 is transmitted to the user authentication device, it may be deleted from the credit card permission request device. As described above, the credit card approval request device may access the information block 2 based on the information block 1 transmitted from the user authentication device.

As described above, information block 1 may be encrypted and stored based on the payment PIN input by the user in the user authentication device.

The user authentication device may request a payment PIN from the user device (step S380).

The user device may encrypt the payment PIN and transmit it to the user authentication device (step S385).

Accordingly, the user authentication device may generate encrypted information block 1 by decrypting the payment PIN and encrypting information block 1 based on the decrypted payment PIN.

At this time, the user authentication device may delete the information block 1 after the encryption is completed.

5 is a conceptual diagram illustrating a method of encrypting a credit card number and a credit card authentication value in a credit card authorization request device and a user authentication device according to an embodiment of the present invention.

Referring to FIG. 5 , a primary account number (PAN) 400 of a credit card may be encrypted based on HSM and Hash. Encrypted PAN information may be matched with a card ID and stored in a credit card authorization requesting device.

Also, the credit card approval request device transmits the card ID to the user authentication device, and the user authentication device may store the corresponding card ID.

At this time, the user authentication device may generate a temporary virtual card number by encrypting the card ID with a temporarily generated encryption key, and transmit the temporary virtual card number to the user device.

A credit card authentication value (CAV) 405 of a credit card may be divided into part 1 410 and part 2 420. CAV information corresponding to part 1 410 may be encrypted based on HSM, generated as information block 1 430, and transmitted to the user authentication device. Part 2 (420) may be generated as information block 2 (440) obtained by encrypting information block 1 (430) based on HSM using an initial encryption value.

On the other hand, when the user authentication device receives the information block 1 (430) from the credit card approval request device, the user device requests a payment PIN to be used for payment, and as shown, the information block 1 (430) separated is received from the user device. It can be encrypted based on AES (450) by using the payment PIN as an encryption key.

At this time, the user authentication device may use a block encryption key (BEK) 460 to encrypt the information block 1 430 based on AES 450. The BEK 460 may be a key generated based on a payment PIN input from the user device.

Accordingly, the user authentication device may generate and store the encrypted information block 1 by encrypting the information block 1 using the payment PIN or BEK 460 .

In the above configuration, the credit card approval requesting device matches the card ID generated in correspondence with the credit card registered by the user and the information block 1 and transmits the mutual matching to the user authentication device, and the user authentication device transmits the payment PIN received from the user device. Based on this, information block 1 may be encrypted, and the encrypted information block 1 may be matched with a corresponding card ID and stored.

Through this, the user authentication device may store a card ID corresponding to the user's credit card and an encrypted information block 1 matched with the corresponding card ID.

Thereafter, the user authentication device may receive payment information from the web-based commerce device when a commercial transaction occurs through the web-based commerce device by the user, and may request a payment PIN to be used for payment according to the payment information to the user device when the payment information is received. .

Accordingly, the user authentication device may decrypt the encrypted information block 1 based on the payment PIN received from the user device.

In addition, the user authentication device can automatically select the user's payment method by extracting the stored card ID matched with the decrypted information block 1, and transmits the extracted card ID and the decrypted information block 1 to the card approval request device. Payment information received from the web-based commerce device may be transmitted to the card approval request device so that payment processing according to payment information using an automatically selected payment method may be performed.

In the above configuration, the web-based commerce device generates transaction confirmation information for the transaction date and time and the payment unique code corresponding to the user's commerce when payment information corresponding to the commerce is generated according to the occurrence of commerce by the user, and requests credit card approval The corresponding transaction confirmation information may be transmitted to the credit card authorization requesting device by forming a one-way communication channel with the device.

In this case, the transaction confirmation information may include identification information of a user device possessed by a user corresponding to a commercial transaction. In this case, the identification information of the user device is MDN (Mobile Directory Number), mobile IP, mobile MAC, Sim (subscriber identity module) : Subscriber identification module) Card unique information, serial number, user ID, etc. may be included.

In addition, the web-based commerce device issues (generates) transaction verification information including the same information as the transaction confirmation information transmitted to the credit card authorization request device to prove the user's commerce when a commerce transaction occurs by the user, and transmits it to the user device. have.

Accordingly, the user device may also form a one-way communication channel with the credit card permission request device and transmit transaction verification information to the credit card permission request device through the corresponding communication channel.

Accordingly, the credit card approval request device receives and stores the transaction confirmation information from the web-based commerce device, and upon receiving the transaction validation information from the user device, compares the previously stored transaction confirmation information with the received transaction validation information, and if they match It can be determined that a normal transaction by the user has occurred.

Thereafter, when the credit card authorization request device determines that a normal transaction has occurred, the information block 2 440 is decrypted based on the information block 1 430 received from the user authentication device, and the decrypted information block 1 430 and the information block Decrypt credit card-related information (credit card authentication value, credit card number) based on 2 (440), and use the payment information and credit card-related information received along with information block 1 (430) from the user authentication device to decrypt the credit card company Payment processing may be performed by generating and transmitting an approval message to be transmitted to the server.

6 is a flowchart illustrating a payment procedure according to input of a payment PIN of a payment service providing device according to an embodiment of the present invention when a web-based commercial transaction occurs by a user.

Referring to FIG. 6 , when the user selects a simple payment procedure according to an embodiment of the present invention (step S500), the web-based commerce device may request payment to the user authentication device (step S505). The web-based commerce device transfers payment information including the temporary virtual card number selected by the user and payment details (item, member store name, amount, transaction date, etc.) to the user authentication device to request transaction authentication.

At this time, the web-based commerce device forms a one-way communication channel with the credit card approval request device when requesting payment, generates a payment unique code corresponding to the user's payment details, and includes the transaction date and time and payment unique code corresponding to the payment details Transaction confirmation information to be generated can be transmitted to the credit card approval request device (step S510). In this case, the transaction confirmation information may include identification information of a user device corresponding to the user.

In addition, the web-based commerce device may issue transaction verification information including the same information as the transaction verification information in correspondence with the user, and transmit the corresponding transaction verification information to the user device (step S515).

Meanwhile, the user authentication device may receive payment information according to the payment request from the user device and check whether the temporary virtual card number included in the payment information arrives within the transaction effective time. In addition, the user authentication device may obtain information on the user's card ID by inquiring information on the user's card ID based on the temporary virtual card number (step S520).

For example, the user authentication device may decrypt the temporary virtual card number and retrieve and extract information about a card ID corresponding to the decrypted temporary virtual card number.

The user authentication device may request the user device to input information on a previously set payment PIN (step S525). The user authentication device may provide a screen for requesting input of a payment PIN to the user device. On the screen for requesting input of a payment PIN, guide information on application of an on-screen keyboard and use of an antivirus vaccine program may be provided to secure the payment PIN to be input.

The user may input a payment PIN through the user device (step S530).

Accordingly, the user device may transmit the payment PIN to the user authentication device, and when the payment PIN is transmitted, a one-way communication channel is formed with the credit card authorization request device, and the transaction verification information issued from the web-based commerce device is transferred to the credit card authorization request device. It can be transmitted to (step S535).

On the other hand, the user authentication device can check the payment details (item, merchant name, amount, transaction date, etc.) and decrypt the encrypted information block 1 already encrypted and stored with the payment PIN received from the user device (step S540) .

In addition, the user authentication device may transmit the decrypted information block 1 to the credit card approval request device (step S575).

At this time, the user authentication device may generate a one-time transaction-linked authentication value (transaction authentication value) to prevent transaction forgery by an affiliated store before transmitting the information block 1 to the credit card approval request device (step S540).

The user authentication device may transmit the transaction-linked one-time authentication value to the web-based commerce device (step S545).

The web-based commerce device may transmit payment details, a temporary virtual card number, and a one-time authentication value associated with a transaction to the credit card approval request device to request payment approval (step S550).

Here, instead of steps S540 to S550, the user authentication device can request payment approval by directly transmitting the decrypted information block 1, the extracted card ID, and payment information to the card approval request device after successful authentication (step S555).

On the other hand, the credit card approval request device directly generates a transaction-linked one-time authentication value through payment details and member information, and compares the directly generated transaction-linked one-time authentication value with the transaction-linked one-time authentication value received from the web-based commerce device. Yes (step S560). Based on this comparison procedure, it can be verified whether forgery or alteration has occurred in the payment details received from the web-based commerce device.

The credit card approval request device may transmit a one-time authentication value associated with a transaction to the user authentication device and request information block 1 (step S565).

The user authentication device verifies the transaction-linked one-time authentication value (step S570), and when the transaction-linked one-time authentication value is verified, it may transmit information block 1 to the credit card approval request device (step S575).

In addition, the user authentication device may transmit the card ID extracted through the temporary virtual card number together with the information block 1 to the credit card approval request device.

At this time, it goes without saying that the user authentication device and the credit card approval request device may transmit and receive the information block 1 and the card ID without generating and verifying the transaction-linked one-time authentication value described above.

On the other hand, the credit card approval requesting device compares the transaction confirmation information received and stored from the web-based commerce device with the transaction validation information received from the user device to determine whether they match (step S580), and if they match, a normal transaction And after confirming that there is a transaction, information block 2 may be decrypted based on information block 1 received from the user authentication device, and an encrypted credit card authentication value may be decrypted based on the decrypted information block 1 and information block 2 ( Step S585).

Also, the credit card permission request device may decrypt the encrypted credit card number corresponding to the card ID received from the user authentication device.

Accordingly, the credit card approval requesting device may generate approval request information based on the decrypted credit card authentication value and the credit card number and transmit it to the credit card company (step S585). For example, the approval request information may be an approval message generated through a hardware encryption device (HSM) based on information block 1 and information block 2 and a credit card number.

At this time, the credit card approval request device may receive payment information provided by the web-based commerce device from the user authentication device, and the approval request information (approval full text) based on the payment information, the credit card authentication value and the credit card number described above. ) can be created.

The credit card permission request device may transmit permission request information to the credit card company server (step S590), and the credit card company server may receive the permission request information and transmit an approval result to the credit card permission request device (step S595). The credit card approval request device may transmit the approval result to the web-based commerce device (step S600).

Based on the above-described configuration, the payment service providing device according to an embodiment of the present invention can complete payment processing, and confirms that a transaction has occurred by the user based on information received from the user device and the web-based commerce device, and pays By proceeding with the procedure, even if a payment PIN disguised as a payment is input according to the leakage of the payment PIN due to hacking of the user authentication device, it is possible to easily distinguish it and prevent an abnormal transaction.

In addition, the credit card approval request device according to an embodiment of the present invention forms a one-way communication channel only for receiving information from a user device and a web-based commerce device and does not transmit internal information to the outside, thereby reducing security threats due to hacking. can be easily prevented and security can be strengthened.

7 is a conceptual diagram illustrating a payment procedure according to input of a payment PIN according to an embodiment of the present invention.

Referring to FIG. 7 , the web-based commerce device 600 transmits payment information including a temporary virtual card number selected by the user and payment details (item, affiliated store name, amount, date and time of transaction, etc.) to the user authentication device 620. transaction verification request.

The user authentication device 620 may acquire information about the user's card ID by inquiring information about the user's card ID based on the temporary virtual card number. Information about the user's card ID may be transmitted to the credit card permission request unit 640 . The credit card permission request unit 640 may search for an encrypted credit card number based on information about the card ID, decrypt the encrypted credit card number, and use the encrypted credit card number as customer's payment information.

Decryption of the credit card number encrypted by the credit card authorization request device 640 is performed based on information block 2 decrypted based on information block 1 received from the user authentication device 620 or decryption is performed based on HSM It can be.

The user authentication device 620 may request the user device to input information about a payment PIN set at the time of membership registration. The user may enter the payment PIN through the user device.

The user authentication device 620 may decrypt the encrypted information block 1 encrypted and stored at the time of membership registration through the payment PIN received from the user device.

The credit card approval request device 640 may transmit a transaction authentication value to the user authentication device 620 and request information block 1. The user authentication device 620 may verify the transaction authentication value and transmit the decrypted information block 1 to the credit card approval request device 640 when the transaction authentication value is verified.

The credit card permission request device 640 may decrypt information block 2 based on the decrypted information block 1 received from the user authentication device 620 . The credit card permission request unit 640 may generate a credit card authentication value based on the decrypted information block 1 and information block 2.

Accordingly, the credit card permission request device 640 may generate permission request information based on the credit card authentication value and the credit card number and transmit the information to the credit card company server.

At this time, the credit card approval request device 640 may receive the payment information provided by the web-based commerce device 600 from the user authentication device 620 together with the information block 1, and the corresponding payment information and the aforementioned credit card authentication Authorization request information (authorization full text) can be created based on value and credit card number.

The credit card permission request device 640 may transmit approval request information to the credit card company server, and the credit card company server may receive the permission request information and transmit an approval result to the credit card permission request device 640 . The credit card approval request device 640 may transmit the approval result to the web-based commerce device 600 .

In the above-described configuration, the payment service providing device may interwork with the web-based commerce device and the user device to verify the commerce transaction generated by the user, and then decrypt the information block 2 based on the information block 1.

Referring to the conceptual diagram shown in FIG. 8 , when a user selects a simple payment procedure according to an embodiment of the present invention, the web-based commerce device 600 may request payment from the user authentication device 620 . The web-based commerce device 600 transfers payment information including the temporary virtual card number selected by the user and payment details (item, member store name, amount, date and time of transaction, etc.) to the user authentication device 620 to request transaction authentication. can proceed

At this time, the web-based commerce device 600 forms a one-way communication channel with the credit card approval request device 640 when requesting payment, generates a unique payment code corresponding to the user's payment details, and determines the date and time of the transaction corresponding to the payment details. And transaction confirmation information including a unique payment code may be generated and transmitted to the credit card approval request device 640 . In this case, the transaction confirmation information may include identification information of a user device corresponding to the user.

In addition, the web-based commerce device 600 may issue transaction verification information including the same information as the transaction verification information in correspondence with the user, and transmit the corresponding transaction verification information to the user device.

On the other hand, the credit card approval request device 640 compares the transaction confirmation information received and stored from the web-based commerce device 600 and the transaction validation information received from the user device to determine whether they match, and determines whether they match. It can be confirmed that normal transactions and transactions exist.

Accordingly, the credit card approval request device 640 decrypts the information block 2 based on the information block 1 decrypted by the payment PIN of the user device from the user authentication device 620 when it is determined that the actual transaction is a normal transaction, Based on the decrypted information block 1 and information block 2, the encrypted credit card authentication value may be decrypted.

Also, the credit card permission request device 640 may decrypt the encrypted credit card number corresponding to the card ID received from the user authentication device 620 .

Accordingly, the credit card permission request device 640 may generate permission request information based on the decrypted credit card authentication value and the credit card number, transmit it to the credit card company, and proceed with the above-described payment processing procedure.

The above-described user devices, payment service providing devices, web-based commerce devices, and various servers may be implemented as hardware components, software components, and/or a combination of hardware components and software components.

In addition, the components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), and a programmable logic unit (PLU). unit, microprocessor, or any other device capable of executing and responding to instructions.

A user device, a payment service providing device, a web-based commerce device, and various servers may execute an operating system (OS) and one or more software applications executed on the operating system. In addition, user devices, payment service providing devices, web-based commerce devices, and various servers may access, store, manipulate, process, and create data in response to software execution.

For convenience of understanding, there are cases where each component is described as being used, but those skilled in the art will understand that a processing device is a plurality of processing elements and/or a plurality of types of processing. It can be seen that elements can be included.

For example, a user device, a payment service providing device, a web-based commerce device, and various servers may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

The software may include a computer program, code, instructions, or a combination of one or more of them, and operates a user device, a payment service providing device, a web-based commerce device, and various servers as desired. may be ordered independently or collectively.

Software and/or data may be interpreted by user devices, payment service providing devices, web-based commerce devices and various servers, or to provide instructions or data to user devices, payment service providing devices, web based commerce devices and various servers, may be permanently or temporarily embodied in any tangible machine, component, physical device, virtual equipment, computer storage medium or device, or signal wave being transmitted. .

Software may be distributed on networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The payment service providing method supporting web-based transaction verification according to an embodiment of the present invention can be written as a computer program, and codes and code segments constituting the computer program can be easily inferred by a computer programmer in the related field. . In addition, the corresponding computer program is stored in computer readable media, and is read and executed by a computer or a payment service providing device, a web-based commerce device, a user device, etc. according to an embodiment of the present invention. A payment service providing method supporting web-based transaction verification may be implemented.

Information storage media include magnetic recording media, optical recording media, and carrier wave media. A computer program implementing the payment service providing method supporting web-based transaction verification according to an embodiment of the present invention may be stored and installed in a built-in memory of a payment service providing device, a web-based commerce device, or a user device. Alternatively, an external memory such as a smart card storing and installing a computer program implementing a payment service providing method supporting web-based transaction verification according to an embodiment of the present invention is interfaced with a payment service providing device, a web-based commerce device, It may also be mounted on a user device or the like.

The various devices and components described herein may be implemented by hardware circuitry (eg, CMOS-based logic circuitry), firmware, software, or combinations thereof. For example, it may be implemented using transistors, logic gates, and electronic circuits in the form of various electrical structures.

The foregoing may be modified and modified by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be construed according to the claims below, and all technical ideas within the equivalent range should be construed as being included in the scope of the present invention.

The present invention provides a web-based authentication payment method for non-face-to-face payment and settlement in a web standard environment, and at the same time, a credit card authorization request device conducts a transaction based on information received from a web-based commerce device and a user device through a one-way channel. After verification is performed to confirm whether an actual transaction has occurred, credit card information is decrypted to ensure that payment is made safely even if the payment PIN is leaked due to hacking of the user authentication device. As it has enhanced security, it can be widely applied to various online payment or non-face-to-face payment systems.

100: payment service providing device 120: user authentication device
140: card approval request device

Claims (10)

The credit card number is encrypted and stored, and the credit card authentication value is encrypted and divided into information block 1 and information block 2, wherein the information block 1 is used to decrypt the information block 2, and the information block 1 is used as a user authentication device. a credit card authorization request device configured to transmit and delete the information block 1; and
Receives payment PIN (personal identification number) information from the user device, encrypts the information block 1 based on the payment PIN information, stores the encrypted information block 1, and pays from the web-based commerce device where the user's transaction occurred Information block 1 in which the encrypted information block 1 is decrypted based on the payment PIN information received from the user device by requesting payment PIN information for generating the information block 1 from the user device when payment information including details is received And a user authentication device for transmitting the payment information to the credit card approval request device,
The credit card approval requesting device receives transaction confirmation information including a payment unique code and transaction date and time corresponding to the transaction from the web-based commerce device, and transaction verification information issued from the web-based commerce device from the user device. After receiving and comparing with the transaction confirmation information, if they match each other, payment processing according to the payment information is performed based on the information block 1 and the information block 2, and the information received from the user authentication device when the payment processing is performed The information block 2 is decrypted based on block 1, the credit card authentication value encrypted based on the information block 1 and the information block 2 is decrypted, the encrypted credit card number is decrypted, and the payment information and the decryption A payment service providing device supporting web-based transaction verification, characterized in that it generates an authorization message to be transmitted to a credit card company based on the credit card authentication value and the credit card number, and transmits the authorization message to the credit card company. delete ◈Claim 3 was abandoned when the registration fee was paid.◈ According to claim 1,
Encryption of the credit card number is performed based on a hardware security module (HSM) and hash,
Encryption of the credit card authentication value is performed based on the HSM,
The information block 1 is encrypted through an advanced encryption standard (AES) based on the payment PIN information in the user authentication device. delete The credit card authorization request device encrypts and stores the credit card number, encrypts the credit card authentication value, divides it into information block 1 and information block 2, transmits the information block 1 to the user authentication device, and deletes the information block 1. The step of: the information block 1 is used for decoding the information block 2;
receiving, by the user authentication device, payment PIN (personal identification number) information from the user device, encrypting the information block 1 based on the payment PIN information, and storing the encrypted information block 1;
When the user authentication device receives payment information including payment details from a web-based commerce device in which a commerce transaction by a user has occurred, the user device requests payment PIN information for generating the information block 1, and the payment received from the user device transmitting the information block 1 obtained by decrypting the encrypted information block 1 and the payment information to the credit card approval requesting device based on the PIN information;
receiving, by the credit card approval requesting device, transaction confirmation information including a unique payment code corresponding to the commercial transaction and a transaction date and time from the web-based commercial transaction device; and
The credit card approval request device receives the transaction verification information issued from the web-based commerce device from the user device, compares it with the transaction confirmation information, and if they match, the payment based on the information block 1 and the information block 2 Including the step of performing payment processing according to the information,
The step of performing the payment processing,
When the credit card approval requesting device performs the payment processing, the credit card encrypted based on the information block 1 and the information block 2 by decrypting the information block 2 based on the information block 1 received from the user authentication device. Decrypts the authentication value, decrypts the encrypted credit card number, generates an approval message to be transmitted to a credit card company based on the payment information, the decrypted credit card authentication value, and the credit card number, and sends the authorization message to the credit card company. A payment service providing method supporting web-based transaction verification, further comprising the step of transmitting to a card company. delete delete delete delete delete

Images