CA2237223A1 - Secure electronic transaction system - Google Patents
Secure electronic transaction system Download PDFInfo
- Publication number
- CA2237223A1 CA2237223A1 CA 2237223 CA2237223A CA2237223A1 CA 2237223 A1 CA2237223 A1 CA 2237223A1 CA 2237223 CA2237223 CA 2237223 CA 2237223 A CA2237223 A CA 2237223A CA 2237223 A1 CA2237223 A1 CA 2237223A1
- Authority
- CA
- Canada
- Prior art keywords
- transaction
- information
- payment institution
- card
- terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/347—Passive cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1025—Identification of user by a PIN code
- G07F7/1075—PIN is checked remotely
Abstract
This invention provides a transaction system for performing secure online electronic transactions comprising: a card including user verification information and a card issuer identification information; a terminal for reading certificate information and operable for connection via a communication network to a payment institution and establishing a persistent secure: thread therewith; the terminal also operable for connection to a merchant via a communication network; a payment institution selector for routing a transaction information from said merchant in response to a payment institution identification received from said user to a relevant payment institution whereby said consumer has established a secure persistent thread with said payment institution and said selected payment institution providing an authorization of said transaction.
Description
SECURE ELECTRONIC TRANSACTION SYSTEM
The present invention relates generally to financial transaction systems and, in particular, to a system for facilitating a secure electronic commerce.
BA(:KGROUND OF THE INVENTION
When bank transactions, such as the purchase of an item using a credit card, are originated from a point of sale (POS) terminal, a message consisting of transaction data is sent from a POS terminal to a verification service over a computer network or POS
network.
Generally, the POS terminal is the merchant's acquiring terminal and has the ability to automatically read a magnetic strip on a credit or debit card or includes a keyboard for manual input: of card information.
In a typicall credit card transaction, transaction data sent from the POS
terminal is verified by a host computer on the communication network before attempting to connect to a target host (card issuer or payment server). If the transaction is invalid, notification is sent to the POS
termiinal so the measage may be resent. If t:he transaction data is valid, the host on the communication neawork extracts routing information from the message and attempts to establish a cormection with the target host. If the connection is successful, verification of the transaction may be completed.
Typically, the target host in this case is the card issuer, which processes the transaction and provides via an interchange switching network the relevant transaction amount to the merchant's bank. The card issuer, in authorizing the transaction and forwarding the relevant amolmt to the merchant's bank, will extract a suitable percentage of a transaction as agreed upon between the card issuer and the merchant's bank.
In the above scenario, the POS network and the interchange switching network connecting the merchant's acquiring terminal, the merchant's bank and the card issuer, is norn~ally a dedical;ed secure connection. A disadvantage of this arrangement is the cost in setting up a dedicated network and its inaccessibility to remote users (eg., at home, mobile, etc.).
Furthermore, this ~~rrangement does not easily lend itself to electronic commerce using the Internet.
With the advent and the widespread use of the Internet, credit card companies have suggested the implementation of a secure electronic transaction (SET) specification or protocol for commerce on the Internet. A SET approach to cybertransactions includes a SET-enabled trap..<;action terminal, which is typically a Pl~ running SET software and connects via the Internet to a merchant's server which is also SET-enabled. An Internet payment gateway is provided from the merchan't's server to an interchan~;e switching network to the merchant's bank and a card issuer. A disadvantage of the SET protocol is that merchants who choose to accept credit card payment over the Internet will have no economic choice but to implement SET. The SET
protocol verifies merchants' and customers' identities and securely transmits purchase information using encrypted messages. The principal component of SET is a digital certificate (similar to the ones used with secure sockets layer [SSLJ) housed on merchant, consumer and banl~; hard drives, which would verify their identities to each other.
For examl>le, to buy something from a SET-enabled vendor, the user would first register their credit card v~~ith its issuing bank. Then, the user would receive a digital certificate. Once the user initiates I>urchase, the SET software on the merchant's server would get the order and request bank authorization. Upon receiving bank approval, the merchant's SET
software would notify the purcha~:er and the goods would be shipped via normal channels.
A problem with the SET protocol is that it does not verify that the person using the credit card has the right to do so, thus, chargebacks are still a problem for merchants. Furthermore, SET' only verifies the purchaser's compute:r's identity. Anyone with access to that computer can use the certificate. Additionally, merchant, have to buy the SET software and acquire a certificate, also the SET protocol does not ;allow merchants to perform periodic billing or hold customer's credit card number to simplify subsequent purchases. Each transaction has to be initiated by the customer.
As a general observation, the above; protocols require the consumer to trust the merchant.
Each transaction requires the consumer to provide the merchant with the credit card number, which is then matched up with the transaction and forwarded, to the relevant payment server or card issuer. With online Internet transactions, it is very easy for merchants to spoof the consumer, since tlhe merchant is normally not authenticated by the consumer.
Furthermore, it may not always be desirable for a consumer to have the details of its purchase transaction itemized on his credit card statement. Thus, it is desirable to provide an increased level of privacy, both for regular commercial transactions and online transactions, than presently attainable.
The present invention thus seeks to provide an automated secure electronic transaction system, which mitigates at least some of the above disadvantages.
SLJIViMARY O~F THE INVENTION
The present invention seeks to provide a method and apparatus for secure electronic transactions in which financial and transaction data may be separated to provide a consumer with greater privacy, a:nd security and which is readily adaptable to use in commercial transactions performed over public networks.
In accordance with this invention, there is provided a transaction system comprising:
(a) card including user verification information and a card issuer identification information;
(b) the; terminal for reading cerl:ificate information and operable for connection via a communication network to .a payment institution and for establishing a secure persistent thread therewith;
(c) said terminal operable for connection to a merchant via a communication network;
(d) a payment institution selector for routing a transaction information from said merchant in response to a payment institution identification received from said us~:r to a relevant payment i nstitution whereby said consumer has established a secure persistent thread with said payment institution and said selected payment in~;titution providing an authorization of said transaction.
In accordance with a further embodiment of this invention, the caxd is a smart card or similar electronic card, and the user information includes an identification which is recognized by all transaction systems as valid for one of a plurality of financial institutions, but not associated directly with any users' payment system information, thus making the theft of such a number of no value.
In accordance with a further embodiment of this invention, there is provided a method of performing an electronic transaction comprising the steps of:
The present invention relates generally to financial transaction systems and, in particular, to a system for facilitating a secure electronic commerce.
BA(:KGROUND OF THE INVENTION
When bank transactions, such as the purchase of an item using a credit card, are originated from a point of sale (POS) terminal, a message consisting of transaction data is sent from a POS terminal to a verification service over a computer network or POS
network.
Generally, the POS terminal is the merchant's acquiring terminal and has the ability to automatically read a magnetic strip on a credit or debit card or includes a keyboard for manual input: of card information.
In a typicall credit card transaction, transaction data sent from the POS
terminal is verified by a host computer on the communication network before attempting to connect to a target host (card issuer or payment server). If the transaction is invalid, notification is sent to the POS
termiinal so the measage may be resent. If t:he transaction data is valid, the host on the communication neawork extracts routing information from the message and attempts to establish a cormection with the target host. If the connection is successful, verification of the transaction may be completed.
Typically, the target host in this case is the card issuer, which processes the transaction and provides via an interchange switching network the relevant transaction amount to the merchant's bank. The card issuer, in authorizing the transaction and forwarding the relevant amolmt to the merchant's bank, will extract a suitable percentage of a transaction as agreed upon between the card issuer and the merchant's bank.
In the above scenario, the POS network and the interchange switching network connecting the merchant's acquiring terminal, the merchant's bank and the card issuer, is norn~ally a dedical;ed secure connection. A disadvantage of this arrangement is the cost in setting up a dedicated network and its inaccessibility to remote users (eg., at home, mobile, etc.).
Furthermore, this ~~rrangement does not easily lend itself to electronic commerce using the Internet.
With the advent and the widespread use of the Internet, credit card companies have suggested the implementation of a secure electronic transaction (SET) specification or protocol for commerce on the Internet. A SET approach to cybertransactions includes a SET-enabled trap..<;action terminal, which is typically a Pl~ running SET software and connects via the Internet to a merchant's server which is also SET-enabled. An Internet payment gateway is provided from the merchan't's server to an interchan~;e switching network to the merchant's bank and a card issuer. A disadvantage of the SET protocol is that merchants who choose to accept credit card payment over the Internet will have no economic choice but to implement SET. The SET
protocol verifies merchants' and customers' identities and securely transmits purchase information using encrypted messages. The principal component of SET is a digital certificate (similar to the ones used with secure sockets layer [SSLJ) housed on merchant, consumer and banl~; hard drives, which would verify their identities to each other.
For examl>le, to buy something from a SET-enabled vendor, the user would first register their credit card v~~ith its issuing bank. Then, the user would receive a digital certificate. Once the user initiates I>urchase, the SET software on the merchant's server would get the order and request bank authorization. Upon receiving bank approval, the merchant's SET
software would notify the purcha~:er and the goods would be shipped via normal channels.
A problem with the SET protocol is that it does not verify that the person using the credit card has the right to do so, thus, chargebacks are still a problem for merchants. Furthermore, SET' only verifies the purchaser's compute:r's identity. Anyone with access to that computer can use the certificate. Additionally, merchant, have to buy the SET software and acquire a certificate, also the SET protocol does not ;allow merchants to perform periodic billing or hold customer's credit card number to simplify subsequent purchases. Each transaction has to be initiated by the customer.
As a general observation, the above; protocols require the consumer to trust the merchant.
Each transaction requires the consumer to provide the merchant with the credit card number, which is then matched up with the transaction and forwarded, to the relevant payment server or card issuer. With online Internet transactions, it is very easy for merchants to spoof the consumer, since tlhe merchant is normally not authenticated by the consumer.
Furthermore, it may not always be desirable for a consumer to have the details of its purchase transaction itemized on his credit card statement. Thus, it is desirable to provide an increased level of privacy, both for regular commercial transactions and online transactions, than presently attainable.
The present invention thus seeks to provide an automated secure electronic transaction system, which mitigates at least some of the above disadvantages.
SLJIViMARY O~F THE INVENTION
The present invention seeks to provide a method and apparatus for secure electronic transactions in which financial and transaction data may be separated to provide a consumer with greater privacy, a:nd security and which is readily adaptable to use in commercial transactions performed over public networks.
In accordance with this invention, there is provided a transaction system comprising:
(a) card including user verification information and a card issuer identification information;
(b) the; terminal for reading cerl:ificate information and operable for connection via a communication network to .a payment institution and for establishing a secure persistent thread therewith;
(c) said terminal operable for connection to a merchant via a communication network;
(d) a payment institution selector for routing a transaction information from said merchant in response to a payment institution identification received from said us~:r to a relevant payment i nstitution whereby said consumer has established a secure persistent thread with said payment institution and said selected payment in~;titution providing an authorization of said transaction.
In accordance with a further embodiment of this invention, the caxd is a smart card or similar electronic card, and the user information includes an identification which is recognized by all transaction systems as valid for one of a plurality of financial institutions, but not associated directly with any users' payment system information, thus making the theft of such a number of no value.
In accordance with a further embodiment of this invention, there is provided a method of performing an electronic transaction comprising the steps of:
(a) providing a user with an electronic card, said card including user verification information and payment institution routing information;
(b) reading th~~ card user verification information by a terminal;
(c) connecting the terminal to a payment institution via a communication network and establishing a persistent secure thread therewith;
(d) connectint; said terminal to a merchant server;
(e) forwarding; the payment institution routing information to the merchant server;
(f) routing a transaction amount from the merchant server to a payment institution identified by said routing information;
(g) the payment institution identifying the user via the secure persistent thread to match said trap;>action and to said user financial information;
(h) obtaining .an authorization for said itransaction amount to complete said transaction.
BRIEF DESC~'.IPTION OF THE DF;AWINGS
These and other features of the preferred embodiments of the invention will become more app~~rent in the following detailed description in which reference is made to the appended drawings wherein:
Figure 1 is a schematic diagram of a transaction system architecture according to an embodiment of the present invention;
Figures 2 (a) and (b) are schematic flow diagrams showing the principal steps in performing an electronic transaction.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring to figure 1, a general architecture of a secure electronic transaction system according to an embodiment of the present invention, is shown generally by numeral 10. The system comprises two general information flow paths. The first path includes a smart card-enabled terminal 12 connected via a secure; Internet connection to a financial persona server 14 whi<:h is in turn connected via a network to a payment server 16. The payment server 16 is connected via an interchange network 18 to a card issuer 20 and a merchant's bank 22. The second path of the; system comprises the card-enabled terminal connected via an Internet connection to a merchant's server 24 which in turn is connected via a banking interchange network 26 to the payment server 16. The user of this system is provided with a secure card 30 that may include a certificate readable by the card-enabled terminal. The card-enabled terminal 12 g~.nerally comprises a card reader for reading the secure card and the certificate information contained therein. The card includes verification information and issuer or financial institution information. The user verification information may include a public key certificate and the issuer or financial institution information includes an identification number to identify the card issuer bank. The terminal includes a progr~un for establishing a data connection over the Internet to the financial persona server 14 and includes software for establishing a persistent secure thread to the financial persona server 14. These are generally implemented as a Java-type applets (and are well known in the art).
Referring t:o figures 2 (a) and (b), the principal steps for processing an online transaction are shown. Generally, at system set up the user is provided with the SmartCard 30, containing a public key certificate. The public key certificates are initialized by the card issuer 20 with the corresponding identification of the user andL such like. Furthermore, the user sets up an electronic payment profile with the financial persona's server 14. The financial persona server 14 may also provide the user with an opportunity to modify. The financial persona server 14 may also provide the user with an opportunity to modify its e-commerce profile. To begin a transaction, the terminal connects to the financial persona's server 14 by running its connection software, such as s~ web browser and the like. The connection to the financial persona's server 14 e:>tablishes a persistent secure thread, which may be via a suitable Java applet. At the same time., the user connects via the Internet to >x~e merchant's server 24. A
typical example of such a server is currently located at www.amazon.com. A transaction is initiated by the user providing its c~~rd number to the merchant's server 24. The merchant's server 24 processes the card number similar to a traditional POS credit transaction. The merchant's server forwards the card number to the banking interchange network;, which recognizes the banking institution information contained within the card number. For example, the first four digits of the card number may contain the card issuer bank idlentification. It may be noted that this information is recognizable by all systems and serves to route the transaction to the appropriate payment institution. Thus, even if a card is stolen this number is of no use to the thief.
(b) reading th~~ card user verification information by a terminal;
(c) connecting the terminal to a payment institution via a communication network and establishing a persistent secure thread therewith;
(d) connectint; said terminal to a merchant server;
(e) forwarding; the payment institution routing information to the merchant server;
(f) routing a transaction amount from the merchant server to a payment institution identified by said routing information;
(g) the payment institution identifying the user via the secure persistent thread to match said trap;>action and to said user financial information;
(h) obtaining .an authorization for said itransaction amount to complete said transaction.
BRIEF DESC~'.IPTION OF THE DF;AWINGS
These and other features of the preferred embodiments of the invention will become more app~~rent in the following detailed description in which reference is made to the appended drawings wherein:
Figure 1 is a schematic diagram of a transaction system architecture according to an embodiment of the present invention;
Figures 2 (a) and (b) are schematic flow diagrams showing the principal steps in performing an electronic transaction.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring to figure 1, a general architecture of a secure electronic transaction system according to an embodiment of the present invention, is shown generally by numeral 10. The system comprises two general information flow paths. The first path includes a smart card-enabled terminal 12 connected via a secure; Internet connection to a financial persona server 14 whi<:h is in turn connected via a network to a payment server 16. The payment server 16 is connected via an interchange network 18 to a card issuer 20 and a merchant's bank 22. The second path of the; system comprises the card-enabled terminal connected via an Internet connection to a merchant's server 24 which in turn is connected via a banking interchange network 26 to the payment server 16. The user of this system is provided with a secure card 30 that may include a certificate readable by the card-enabled terminal. The card-enabled terminal 12 g~.nerally comprises a card reader for reading the secure card and the certificate information contained therein. The card includes verification information and issuer or financial institution information. The user verification information may include a public key certificate and the issuer or financial institution information includes an identification number to identify the card issuer bank. The terminal includes a progr~un for establishing a data connection over the Internet to the financial persona server 14 and includes software for establishing a persistent secure thread to the financial persona server 14. These are generally implemented as a Java-type applets (and are well known in the art).
Referring t:o figures 2 (a) and (b), the principal steps for processing an online transaction are shown. Generally, at system set up the user is provided with the SmartCard 30, containing a public key certificate. The public key certificates are initialized by the card issuer 20 with the corresponding identification of the user andL such like. Furthermore, the user sets up an electronic payment profile with the financial persona's server 14. The financial persona server 14 may also provide the user with an opportunity to modify. The financial persona server 14 may also provide the user with an opportunity to modify its e-commerce profile. To begin a transaction, the terminal connects to the financial persona's server 14 by running its connection software, such as s~ web browser and the like. The connection to the financial persona's server 14 e:>tablishes a persistent secure thread, which may be via a suitable Java applet. At the same time., the user connects via the Internet to >x~e merchant's server 24. A
typical example of such a server is currently located at www.amazon.com. A transaction is initiated by the user providing its c~~rd number to the merchant's server 24. The merchant's server 24 processes the card number similar to a traditional POS credit transaction. The merchant's server forwards the card number to the banking interchange network;, which recognizes the banking institution information contained within the card number. For example, the first four digits of the card number may contain the card issuer bank idlentification. It may be noted that this information is recognizable by all systems and serves to route the transaction to the appropriate payment institution. Thus, even if a card is stolen this number is of no use to the thief.
The bank interchange network then routes the transaction to the relevant bank payment server 16. The payment server then hands off the electronic transaction to the appropriate financial persona's server 14.
Next, the financial persona's server verifies the persistent secure thread and initiates a screc;n pop-up payment selection menu, which once again may be initiated by a Java applet. The user is thus presented v~rith various payment selection options.
Once the user has selected the requisite payment option, the financial persona's server hands off the transaction to the payment server 16. At this point, the payment server connected across the appropriate interchange network 18 to the selected card issuing institution 20 to verify the credit capability of the user. The notification of the credit decision is then forwarded via interchange network and the bank interchange network 26 to the acquiring institution.
Once this notification information is forwarded to the acquiring institution, a completion confirmation message is forwarded to the card issuer institution and the user.
Thus, it may be seen that the above system avoids the use of complicated SET
protocols) facilitates consumer privacy and builds on the existing infrastructure by utilizing the current credit authentication network available to tlhe card issuer 20. Furthermore, in establishing the pers istent secure thread, authentication of the card, and thus the user, avoids spoofing attacks on the transaction acquired at the merchant server, i.e., it avoids the reversal of payment due to fraudulent use. T':herefore, the merchant is guaranteed the payment in the present architecture.
Since the present architecture provides a separate path for financial transaction data and merchandise transaction data, the connection between the terminal and the financial persona's server need not be' secure. Security may be: achieved quite simply by utilizing suitable encryption software and authentication contained within the secure persistent thread applet. A
further advantage to the customer is the reduced risk of merchants spoofing in that the connection to the card issuer and the payment server is in real time as opposed to prior art batch processing systems.
While the invention has been described in connection with the specific embodiment thereof, and in a specific use, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims.
The terms and expressions which have been employed in this specification are used as terms of descripti~~n and not of limitations, there is no intention in the use of such terms and expressions to exclude any equivalence of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the claims to the invention.
Next, the financial persona's server verifies the persistent secure thread and initiates a screc;n pop-up payment selection menu, which once again may be initiated by a Java applet. The user is thus presented v~rith various payment selection options.
Once the user has selected the requisite payment option, the financial persona's server hands off the transaction to the payment server 16. At this point, the payment server connected across the appropriate interchange network 18 to the selected card issuing institution 20 to verify the credit capability of the user. The notification of the credit decision is then forwarded via interchange network and the bank interchange network 26 to the acquiring institution.
Once this notification information is forwarded to the acquiring institution, a completion confirmation message is forwarded to the card issuer institution and the user.
Thus, it may be seen that the above system avoids the use of complicated SET
protocols) facilitates consumer privacy and builds on the existing infrastructure by utilizing the current credit authentication network available to tlhe card issuer 20. Furthermore, in establishing the pers istent secure thread, authentication of the card, and thus the user, avoids spoofing attacks on the transaction acquired at the merchant server, i.e., it avoids the reversal of payment due to fraudulent use. T':herefore, the merchant is guaranteed the payment in the present architecture.
Since the present architecture provides a separate path for financial transaction data and merchandise transaction data, the connection between the terminal and the financial persona's server need not be' secure. Security may be: achieved quite simply by utilizing suitable encryption software and authentication contained within the secure persistent thread applet. A
further advantage to the customer is the reduced risk of merchants spoofing in that the connection to the card issuer and the payment server is in real time as opposed to prior art batch processing systems.
While the invention has been described in connection with the specific embodiment thereof, and in a specific use, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims.
The terms and expressions which have been employed in this specification are used as terms of descripti~~n and not of limitations, there is no intention in the use of such terms and expressions to exclude any equivalence of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the claims to the invention.
Claims (4)
1. A transaction system comprising:
(a) card including user verification information and a card issuer identification information;
(b) the terminal for reading certificate information and operable for connection via a communication network to a payment institution and for establishing a secure persistent thread therewith;
(c) said terminal operable for connection to a merchant via a communication network;
(d) a payment institution selector for routing a transaction information from said merchant in response to a payment institution identification received from said user to a relevant payment institution whereby said consumer has established a secure persistent thread with said payment institution and said selected payment institution providing an authorization of said transaction.
(a) card including user verification information and a card issuer identification information;
(b) the terminal for reading certificate information and operable for connection via a communication network to a payment institution and for establishing a secure persistent thread therewith;
(c) said terminal operable for connection to a merchant via a communication network;
(d) a payment institution selector for routing a transaction information from said merchant in response to a payment institution identification received from said user to a relevant payment institution whereby said consumer has established a secure persistent thread with said payment institution and said selected payment institution providing an authorization of said transaction.
2. A method of performing an electronic transaction comprising the steps of:
(a) providing a user with an electronic card, said card including user verification information and payment institution routing; information;
(b) reading the card user verification information by a terminal;
(c) correcting the terminal to a payment institution via a communication network and .establishing a persistent secure thread therewith;
(d) connecting said terminal to a merchant server;
(e) forwarding the payment institution routing information to the merchant server;
(f) routing a transaction amount from the merchant server to a payment institution identified by said routing information;
(g) the payment institution identifying the user via the secure persistent thread to match said transaction and to said user financial information;
(h) obtaining an authorization for said transaction amount to complete said transaction.
(a) providing a user with an electronic card, said card including user verification information and payment institution routing; information;
(b) reading the card user verification information by a terminal;
(c) correcting the terminal to a payment institution via a communication network and .establishing a persistent secure thread therewith;
(d) connecting said terminal to a merchant server;
(e) forwarding the payment institution routing information to the merchant server;
(f) routing a transaction amount from the merchant server to a payment institution identified by said routing information;
(g) the payment institution identifying the user via the secure persistent thread to match said transaction and to said user financial information;
(h) obtaining an authorization for said transaction amount to complete said transaction.
3. A system as defined in claim 1, said card is smart card or electronic card.
4. A system as defined in claim 1, said card issuer identification information being an identification which is recognized by all transaction systems as valid for one of a plurality of financial institutions, but not associated directly with any users' payment system information, thus making the theft of such a number of no value.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA 2237223 CA2237223A1 (en) | 1998-05-07 | 1998-05-07 | Secure electronic transaction system |
| CA 2263777 CA2263777A1 (en) | 1998-05-07 | 1999-03-01 | Systems and methods of paying for commercial transactions |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA 2237223 CA2237223A1 (en) | 1998-05-07 | 1998-05-07 | Secure electronic transaction system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2237223A1 true CA2237223A1 (en) | 1999-11-07 |
Family
ID=29275692
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA 2237223 Abandoned CA2237223A1 (en) | 1998-05-07 | 1998-05-07 | Secure electronic transaction system |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2237223A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080147564A1 (en) * | 2001-06-26 | 2008-06-19 | Tara Chand Singhal | Security in use of bankcards that protects bankcard data from merchant systems in a payment card system |
-
1998
- 1998-05-07 CA CA 2237223 patent/CA2237223A1/en not_active Abandoned
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080147564A1 (en) * | 2001-06-26 | 2008-06-19 | Tara Chand Singhal | Security in use of bankcards that protects bankcard data from merchant systems in a payment card system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5638046B2 (en) | Method and system for authorizing purchases made on a computer network | |
| US7292996B2 (en) | Method and apparatus for performing a credit based transaction between a user of a wireless communications device and a provider of a product or service | |
| US6908030B2 (en) | One-time credit card number generator and single round-trip authentication | |
| US6749114B2 (en) | Universal authorization card system and method for using same | |
| US8281991B2 (en) | Transaction secured in an untrusted environment | |
| US20070198410A1 (en) | Credit fraud prevention systems and methods | |
| US20020128977A1 (en) | Microchip-enabled online transaction system | |
| US20070063017A1 (en) | System and method for securely making payments and deposits | |
| US20020046092A1 (en) | Method for preventing fraudulent use of credit cards and credit card information, and for preventing unauthorized access to restricted physical and virtual sites | |
| US20040248554A1 (en) | Method of paying from an account by a customer having a mobile user terminal, and a customer authenticating network | |
| US20120095917A1 (en) | System and method for performing secure credit card purchases | |
| EP1065634A1 (en) | System and method for performing secure electronic transactions over an open communication network | |
| US20040267672A1 (en) | System and method for conducting secure electronic transactions | |
| WO2002075478A2 (en) | Method for performing secure online payment transactions | |
| CA2554173A1 (en) | System and method for secure telephone and computer transactions | |
| WO2003083737A1 (en) | System and method for detecting card fraud | |
| US20050289052A1 (en) | System and method for secure telephone and computer transactions | |
| US20020032662A1 (en) | System and method for servicing secure credit/debit card transactions | |
| US20020082986A1 (en) | Method for payment in exchange | |
| US20020164031A1 (en) | Devices | |
| US7707119B2 (en) | System and method for identity protected secured purchasing | |
| CA2237223A1 (en) | Secure electronic transaction system | |
| Shankar et al. | A survey of security in online credit card payments | |
| Peters | Emerging ecommerce credit and debit card protocols | |
| WO2001065397A1 (en) | Method and system for placing a purchase order by using a credit card |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Dead |