CA2309013A1 - Secure online transaction method - Google Patents

Secure online transaction method

Info

Publication number
CA2309013A1
Authority
CA
Grant status
Application
Patent type
Prior art keywords
eccn
credit card
customer
merchant
system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA 2309013
Other languages
French (fr)
Inventor
Jean Bergeron
Srecko Briek
Richard Mallette
Original Assignee
TWINGATE SYSTEM INC.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/22 Payment schemes or models
    • G06Q20/24 Credit schemes, i.e. "pay after"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Use of an alias or a single-use code
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce

Abstract

A method for secure payment in an open electronic public system, such as the Internet, that uses existing credit card accounts but eliminates the need to transmit the actual number of the account in order to complete and process a transaction. The credit card company or financial institution (Issuer) issues a computer agent (user's software) to all cardholders (customers), capable of establishing an encrypted secure session between them. After an intent of purchase is expressed, the computer agent automatically obtains an Ephemeral™ Credit Card Number (ECCN) from the system's server, through encrypted communication. The computer agent sends this ECCN to the merchant, which will process it as a standard and valid credit card number, to obtain the usual authorization number from the Issuer's system and/or agent. In the preferred embodiment, the ECCN, which consists of the familiar sequence of number and expiry date of a given credit card issuer, is complemented with the required coded information and time stamp to make it purchase, merchant and user specific. Once the order is processed and the transaction is completed, the ECCN becomes void and useless.

Description

Title: METHOD FOR SECURE PAYMENT WITH STANDARD CREDIT CARDS IN ELECTRONIC COMMERCE SYSTEM
Field of the invention
This invention relates to electronic commerce and, more particularly, to a system and method for credit card related transactions in an open electronic public system such as the Internet.
Background of the invention
With the rapid growth of Internet sites along with the advent of flat rate pricing, millions of Internet users now rely on multiple sites for e-mail, chat, news, and many other products and services involving transactions.
Presently there are over 150 million Internet users, each of whom must use a browser to "surf" the Internet. By 2001, it is estimated that there will be over 700 million worldwide Internet users.
And, in the next five years, the conservatively forecast volume of transactions on the web will exceed 57 billion dollars.
This invention significantly improves the level of confidence and the actual security of payment transactions on the web.
While most major banks are currently using one form or another of high security encryption for at-home banking and investment, which appears to satisfy sophisticated and learned users, none of those systems has yet provided the level of comfort and comprehension needed for the average user.
Businesses of all sizes are struggling to take advantage of the relatively new electronic marketplace. But the development of systems for executing secure credit card transactions across electronic networks hasn't followed course. Most existing or proposed schemes are essentially existing credit card systems adapted for operation over the Internet.

The biggest challenge appears to be to securely obtain or transmit a customer's credit card information in a way that simulates what happens in bricks-and-mortar stores. Traditionally, a customer would give his credit card information on a paper imprint or via a magnetic reader, a payment amount would be associated with it, and the information would or would not be scrambled to verify card validity and obtain an authorization number from the issuer. Since credit electronic payment systems are built around the conventional, bundled service credit card transaction processing systems, the same basic architecture has been applied to web sites in order to avoid replacing existing equipment and protocols at the merchant's end. The merchant still acts as the main transaction hub. It is the merchant's responsibility to verify the cardholder's legitimacy and to obtain clearance from the issuer.
Merchants have access to the standard customer information. Even if some of the systems provide authentication using digital signatures or the added security of smart cards through peripheral computer apparatuses, hackers or fraudulent employees may still have access to stored data. It is worth noting that one of the major sources of fraud is not illegal transactions so much as pirating legitimate cardholders' data to manufacture counterfeit plastic cards.
Other desirable aspects of a standard credit card secure system are that it would allow all cardholders to make transactions on the Internet with existing and familiar credit accounts, while giving the credit card company a significantly increased level of security against fraud, which in turn may help merchants to deal with charge-back problems.
Brief description of the drawings
In the appended drawings:
Figure 1 is a block diagram illustrating an actual transaction according to the prior art;
Figure 2 is a block diagram illustrating a first embodiment of the data flow of the method of the present invention;
Figure 3 is a block diagram illustrating a second embodiment of the data flow of the method of the present invention;

Figure 4 is a diagram illustrating the external specifications of the present invention;
Figure 5 is a block diagram illustrating the architecture of a system embodying the method of the present invention; and
Figure 6 is a diagram illustrating the internal specifications of the present invention.
Summary of the invention
This invention relates to an electronic commerce and transaction system, its components and methods for their use.
This invention's accessibility and simplicity allow everyone to understand why they can now safely use their existing credit or payment card account for any type of transaction on the Internet.
In this invention's system, vital information that appears on credit cards and is stored in financial institutions' current and well-protected internal systems will remain securely there. It will never be transferred to a third party on the Internet (or via any other means).
The sensitive information that will eventually be transmitted on the Internet to merchants, service providers or anyone accepting credit card payment is an Ephemeral™ Credit Card Number (ECCN) that is virtually useless to any party other than the legitimate users.
In one aspect, the invention is a method of credit card payment in an electronic commerce environment wherein customers have existing accounts with a Bank and where each customer shares a respective secret with that same Bank. This secret is set up prior to any actual transaction and, in preferred embodiments, is a dynamic secret. This secret is used to uniquely identify a customer in the encrypted communication established to obtain an ECCN.
In some embodiments, the shared secret is a private key (PHI) stored in the user's computer and/or a computer agent's software access password known only by the user.

According to the method of this invention, a given Bank issues a computer agent software to all customers. The software is capable of establishing an encrypted secure session that provides a unique identification of the customer. In preferred embodiments, the customer must use a private password to get access to the computer agent software application.
The customer first visits the merchant's website and shops as usual.
Once an intent of purchase is expressed, customer's computer agent automatically obtains from the Bank's system server an ECCN with which a credit or payment card transaction may be completed as usual.
In some embodiments, the user enters a distinct private password to confirm his purchase intent.
In preferred embodiments, segments of data obtained by cardholder at merchant site are linked to the ECCN to make it purchase, merchant and/or user specific.
The merchant obtains the ECCN and order information from the customer's computer, and processes ECCN the way standard credit card numbers are currently processed.
The ECCN is checked by the current credit card checking system/agent for credit limit and validity after which it issues the usual authorization number to the merchant.
The Bank's system server will eventually correlate the amount charged to the ECCN with the actual customer account for usual billing.
The merchant provides the goods to the customer in response to receiving the authorization number from the credit card checking system/agent.
In a preferred embodiment, the method also comprises a limited time period of validity for any given transaction, which may also be purchase, merchant and/or user specific.
Once the transaction is completed, the ECCN becomes automatically void and useless, like non-valid or stolen card numbers. In some embodiments, the ECCN may remain attached to a specific transaction for a certain period of time for refund purposes only. Yet in other embodiments, refunds are processed with complementary ECCN that replace the one used in the initial transaction.
While embodiments of the present invention have been described with particular setup and initialization procedures, other setup and/or initialization procedures can be used.
Further, while some of the system's elements may have been said to be performed in a particular order, one skilled in the art would realize that other orders are possible and are considered to be within the scope of the invention.
Thus, a secure electronic credit card payment system preventing access to vital information is provided.
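An added sketch (not code from the patent or from TwinGate) of the issuer-side ECCN lifecycle summarized above: the Bank's server issues a random card-format number bound to one customer, merchant, amount and validity window, authorizes it once, and then treats it as void. The HMAC request tag, the `999999` placeholder prefix, the 16-digit Luhn-valid layout, the 300-second window and every class and function name are assumptions for illustration; the patent does not specify them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def luhn_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test merchants apply."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions, counted from the right of the body
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


@dataclass
class Binding:
    customer: str
    merchant: str
    amount_cents: int
    expires_at: float
    used: bool = False


def sign_request(secret: bytes, merchant: str, amount_cents: int, ts: int) -> str:
    """Customer agent: tie the ECCN request to the shared secret (assumed HMAC)."""
    msg = f"{merchant}|{amount_cents}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class EccnIssuer:
    """Bank-side server: issue an ECCN, authorize it once, then treat it as void."""

    def __init__(self, prefix="999999", ttl=300, clock=time.time):
        self.prefix, self.ttl, self.clock = prefix, ttl, clock  # prefix is a placeholder
        self.secrets = {}  # customer id -> shared secret set up before any purchase
        self.live = {}     # ECCN -> Binding; the real account number is never stored here

    def enroll(self, customer: str) -> bytes:
        self.secrets[customer] = secrets.token_bytes(32)
        return self.secrets[customer]

    def issue(self, customer, merchant, amount_cents, ts, tag):
        secret = self.secrets.get(customer)
        if secret is None or abs(self.clock() - ts) > self.ttl:
            return None  # unknown customer or stale time stamp
        expected = sign_request(secret, merchant, amount_cents, ts)
        if not hmac.compare_digest(expected, tag):
            return None  # requester does not hold the shared secret
        while True:  # random 16-digit number in the familiar card format
            body = self.prefix + "".join(secrets.choice("0123456789") for _ in range(9))
            eccn = body + luhn_digit(body)
            if eccn not in self.live:
                break
        self.live[eccn] = Binding(customer, merchant, amount_cents, self.clock() + self.ttl)
        return eccn

    def authorize(self, eccn, merchant, amount_cents):
        """Merchant-facing check; returns (approved, authorization number or reason)."""
        b = self.live.get(eccn)
        if b is None:
            return (False, "unknown")
        if b.used:
            return (False, "void")
        if self.clock() > b.expires_at:
            return (False, "expired")
        if (b.merchant, b.amount_cents) != (merchant, amount_cents):
            return (False, "binding-mismatch")
        b.used = True  # single use: any replay now hits the "void" branch
        return (True, secrets.token_hex(3))
```

A number captured from the merchant's records fails every later `authorize` call with `void`, `expired` or `binding-mismatch`, which is the property the summary relies on.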

Introduction
The purpose of this document is to present the overall architecture of TwinGate for secure transactions in e-business, B2B, B2C, and also C2C.
TwinGate is an Internet Portal for secure transactions implemented on a front end server for Customers and Merchants.
TwinGate is also an information routing device. This aspect will be described in a subsequent document.
TwinGate implements Profiles for Users (Merchant, Customer ...); a Profile is a list of Services a User can access.
The features of the TwinGate system include (among others):
- No use of a holder's Credit Card number
- Secured Transactions with standard DES encryption
- Scalability
Document is organized as follows:
- Description of the actual C2B system of transactions using Credit Cards
- Description of the formalism used
- Architecture of the TwinGate ECCN system (centralized)
[Figure: actual credit card transaction. Labels: Payment, CardNo, Authorisation, Merchant, Invoice, Customer, Order]

CA 02309013 2000-05-23
Formal Description
To achieve the validation of the systems that are proposed, the agents are viewed as communicating processes (the data at this point has no importance because it is private information). In the sequel, the formalism chosen for describing concurrent communicating processes is the Arnold-Nivat model [2], implemented in the tool MEC [3]. The main feature of the model is its simplicity: it is general enough to describe many formalisms, and yet powerful enough to concretely verify properties. MEC has been successfully used, for instance, in the specification and design of a simple call-processing system [4], as well as for formal methods for the design of a switching program [5]. The tool MEC allows the user to get information on the behavior of a transition system. In particular, it can compute sets of states (or sets of transitions) having a property expressed in some language; thus it can be used as a model checker.
The communicating processes are Customer, Merchant, CCI, TwinGate. They are described as transition systems having given states and performing actions.
Customer
The Customer is an agent that has two states: Active, Sleeping. It can perform actions like the following:
1. SendOrder
2. GetInvoice
3. SendCCN
Merchant
The Merchant is an agent that has two states: Active, Sleeping. It can perform actions like the following:
1. GetOrder
2. SendInvoice
3. CCNRequest
5. GetAuthorizationNr

1. GetECCNRequest
2. SendAuthorizationNr
3. SendRefusedTrxn
Synchronization
[Figure: synchronization diagram. Labels: Payment, Payment req., ECCN, Invoice, Customer]
... tation, the ECCN is created by the TwinGate Server. It should be ... Bank) may be willing to manage these actions, leading to a different ...

[Diagram labels: CCN Request, Login + Amount, Authorization, ECCN, with ECCN, Payment Request, Authorization #, End Trxn, Refused Trxn]

Remarks
1. The specification given above does not take into account the TimeOuts, inherited from the Bank's specification, and that can occur in the processes. These timeouts are inherited from the CCI (Bank).
2. It is also assumed that when a Customer logs in he can access an administration module allowing some administrative tasks such as password changes etc.
In this implementation, the ECCN is created by the TwinGate Server. It should be noted that CCI (or Bank) may be willing to manage these actions. In that case the External Specification is modified accordingly: ECCN is provided by the bank with the Authorization number.

[Figure 4. TwinGate Internal Specification. Diagram labels: TwinGate Server, New ECCN, Login + Amount + ECCN, Storage Request, Authorization #, Forward Refused, Refused Trxn]
Remarks
1. The TimeOuts that occur in the system and generated by the accessed CCI (Bank) will allow the processing of exceptions.
2. In this implementation, the ECCN is created by the ECCN Generator. In the case where a CCI (or Bank) manages these actions, the Internal Specification is modified accordingly: ECCN is provided by the bank with the Authorization number, and the ECCN Generator module is removed with the In and Out transitions.

Claims (5)

1. A method of payment in an open electronic public system such as the Internet comprising the following elements and steps:
- each customer using a specific computer agent software to enable the sharing of a respective secret between the customer (and/or his computer) and a credit card company or financial institution (both referred to as Bank) for unique identification purposes;
- Bank having a server for secure interface with computer agent, and to randomly generate and control Ephemeral™ Credit Card Numbers (ECCN);
- automatically obtaining, by the customer's computer agent, an ECCN intended for a specific purchase from a merchant, based on a unique identification of the customer;
- sending, by the customer's computer agent, the ECCN to the merchant as a valid and standard credit card number with expiry date for usual processing;
- processing of the ECCN by the credit card checking system/agent to deliver the usual authorization number to the merchant;
- merchant providing the goods to the customer in response to receiving the usual authorization number; and
- cancellation of the ECCN by the system once the transaction is completed and payment credited on merchant's account.
2. A method as in claim 1, wherein the respective secret shared between the computer agent and the Bank is, in preferred embodiments, a dynamic secret modified by elements from the last transaction recorded.
3. A method as in claim 1, wherein the payment and shipping order include, in preferred embodiments, a limited time validity.
4. A method as in claim 1, wherein the Bank, in preferred embodiments, gives to the customer the initial private key for encrypted session via an anonymous automated system that works at random and is separate from the Internet network.
5. A method as in claim 1, wherein the buyer obtains refund for returned goods using, in preferred embodiments, a complementary ECCN and is credited the usual way on his monthly statement.
CA 2309013 2000-05-23 2000-05-23 Secure online transaction method Abandoned CA2309013A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA 2309013 CA2309013A1 (en) 2000-05-23 2000-05-23 Secure online transaction method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA 2309013 CA2309013A1 (en) 2000-05-23 2000-05-23 Secure online transaction method

Publications (1)

Publication Number Publication Date
CA2309013A1 (en) 2001-11-23

Family

ID=4166206

Family Applications (1)

Application Number Title Priority Date Filing Date
CA 2309013 Abandoned CA2309013A1 (en) 2000-05-23 2000-05-23 Secure online transaction method

Country Status (1)

Country Link
CA (1) CA2309013A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004034343A2 (en) * 2002-09-13 2004-04-22 Siemens Aktiengesellschaft Method for concluding a payment transaction in electronic commerce
FR2851103A1 (en) * 2003-02-06 2004-08-13 Fto Operation security system for telecommunication network e.g. Internet, has platform to supply temporary identification code to client where platform verifies that code presented by client is not permanent identification code
EP1486924A1 (en) * 2003-06-10 2004-12-15 Kagi, Inc. Method and apparatus for verifying financial account information
US7588181B2 (en) 2005-09-07 2009-09-15 Ty Shipman Method and apparatus for verifying the legitamacy of a financial instrument

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004034343A2 (en) * 2002-09-13 2004-04-22 Siemens Aktiengesellschaft Method for concluding a payment transaction in electronic commerce
WO2004034343A3 (en) * 2002-09-13 2004-08-12 Siemens Ag Method for concluding a payment transaction in electronic commerce
FR2851103A1 (en) * 2003-02-06 2004-08-13 Fto Operation security system for telecommunication network e.g. Internet, has platform to supply temporary identification code to client where platform verifies that code presented by client is not permanent identification code
EP1486924A1 (en) * 2003-06-10 2004-12-15 Kagi, Inc. Method and apparatus for verifying financial account information
US7765153B2 (en) 2003-06-10 2010-07-27 Kagi, Inc. Method and apparatus for verifying financial account information
US8805738B2 (en) 2003-06-10 2014-08-12 Kagi, Inc. Method and apparatus for verifying financial account information
US7588181B2 (en) 2005-09-07 2009-09-15 Ty Shipman Method and apparatus for verifying the legitamacy of a financial instrument
US8131617B2 (en) 2005-09-07 2012-03-06 Kagi, Inc. Method and apparatus for verifying the legitimacy of a financial instrument

Similar Documents

Publication Publication Date Title
US5956699A (en) System for secured credit card transactions on the internet
US7430537B2 (en) System and method for verifying a financial instrument
US6749114B2 (en) Universal authorization card system and method for using same
US6681328B1 (en) System and method for global internet digital identification
US5883810A (en) Electronic online commerce card with transactionproxy number for online transactions
US20140061302A1 (en) Integration of verification tokens with portable computing devices
US20020004783A1 (en) Virtual wallet system
US20030070080A1 (en) Electronic-monetary system
EP0917120A2 (en) Virtual wallet system
US6000832A (en) Electronic online commerce card with customer generated transaction proxy number for online transactions
US6125349A (en) Method and apparatus using digital credentials and other electronic certificates for electronic transactions
US20100293382A1 (en) Verification of portable consumer devices
US5878138A (en) System and method for detecting fraudulent expenditure of electronic assets
US6286099B1 (en) Determining point of interaction device security properties and ensuring secure transactions in an open networking environment
US20100179906A1 (en) Payment authorization method and apparatus
US20080189186A1 (en) Authentication and Payment System and Method Using Mobile Communication Terminal
US5850442A (en) Secure world wide electronic commerce over an open network
US20120041881A1 (en) Securing external systems with account token substitution
US20040059952A1 (en) Authentication system
US20080288404A1 (en) Method and system for payment authorization and card presentation using pre-issued identities
US20010047343A1 (en) Facilitating a transaction in electronic commerce
US20080195499A1 (en) Method Of Providing Cash And Cash Equivalent For Electronic Transctions
US20080208759A1 (en) Processing of financial transactions using debit networks
US8281991B2 (en) Transaction secured in an untrusted environment
US20070170247A1 (en) Payment card authentication system and method

Legal Events

Date Code Title Description
FZDE Dead