EP2959441A1 - Apparatus and method for purchasing a product using an electronic device - Google Patents
Apparatus and method for purchasing a product using an electronic deviceInfo
- Publication number
- EP2959441A1 EP2959441A1 EP14705373.0A EP14705373A EP2959441A1 EP 2959441 A1 EP2959441 A1 EP 2959441A1 EP 14705373 A EP14705373 A EP 14705373A EP 2959441 A1 EP2959441 A1 EP 2959441A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- transaction
- consumer
- merchant
- server
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
- 238000000034 method Methods 0.000 title claims abstract description 50
- 238000012545 processing Methods 0.000 claims abstract description 34
- 238000012546 transfer Methods 0.000 claims description 112
- 238000012790 confirmation Methods 0.000 claims description 41
- 230000005540 biological transmission Effects 0.000 claims description 14
- 230000004044 response Effects 0.000 claims description 6
- 230000003993 interaction Effects 0.000 claims description 2
- 238000013475 authorization Methods 0.000 claims 3
- 238000004891 communication Methods 0.000 description 58
- 230000008569 process Effects 0.000 description 24
- 238000010586 diagram Methods 0.000 description 7
- 238000012795 verification Methods 0.000 description 6
- 238000012552 review Methods 0.000 description 5
- 230000001010 compromised effect Effects 0.000 description 2
- 208000001613 Gambling Diseases 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000013479 data entry Methods 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000003384 imaging method Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000003825 pressing Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3223—Realising banking transactions through M-devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/327—Short range or proximity payments by means of M-devices
- G06Q20/3276—Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being read by the M-device
Definitions
- the present disclosure relates to an apparatus and method for purchasing a product using an electronic device.
- a consumer When purchasing a product, or products, from a merchant's website using an electronic device, such as a desktop computer or a tablet computer, a consumer will usually put the product (s) in the website's 'shopping basket' and then proceed to the 'checkout' to purchase the product. In order to purchase the product, the consumer will need to submit to the merchant their payment details and any other personal details that the merchant may require, for example delivery address and, if they are purchasing an age restricted product, their date of birth.
- sharing the detai Is with a merchant may represent a security risk. Firstly, the consumer may not trust a particular merchant with their details, or that what the consumer thought was the merchant's website is in fact a third party's website imitating the merchant's website, in which case their details will have been shared with a 3 rd party. Even when their details are shared with a
- the consumer may store their details with the merchant so that each time they purchase a product from the merchant, the consumer details may be auto- completed on the website. However, this means that the consumer's payment details will be stored with every
- handling of transaction details and personal details may represent an additional burden on the merchant, not only because they will need to take steps to complete the transaction, but also because of the additional data security requirements that they should meet when handling such information.
- a server for use in the purchase of a product from a merchant by a consumer using an electronic device, the server being configured to: store in a database an
- the consumer can use the transaction identifier to check the transaction details are correct before confirming the transaction, thus improving security for the consumer.
- the transaction identifier may be generated by the server on the basis of the merchant identifier and transaction amount that it has received from a merchant server.
- the merchant identifier and transaction amount received may be in an encrypted form and/or use integrity controls.
- a symmetric key technique such as keyed-hash message authentication code (HMAC)
- HMAC keyed-hash message authentication code
- the transaction identifier may be transmitted to the first terminal for display on a browser of the first terminal in a graphical form, for example a QR code.
- the consumer may then scan the transaction identifier using a transaction provider's app on a mobile terminal, such that the app may make use of the transaction identifier and the associated transaction information to carry out the transaction.
- the consumer does not need to enter any account details into the merchant's website, which saves time, or store any details on the first terminal or on a merchant server, as all of the relevant details are securely stored by the transaction provider.
- the consumer may receive confirmation after scanning the graphical user interface.
- the consumer may confirm the payee and transaction amount prior to
- the transaction information stored in the database may also include an attribute query, for example what delivery address should be used for the product and/or what the age of the consumer is. That attribute query may be
- the server may then generate an attribute token for transmitting to the merchant, which may comprise both the requested attribute and an indicator of how reliable the attribute is (i.e. if it has been input by the consumer, in which case its reliability may be doubtful, or if it has been
- This process both saves the consumer time since they do not have to enter their attribute details for each new transaction, or for each new merchant they are purchasing from, improves security for consumers as they will not need to save their attribute details to their electronic devices and improves the
- a transaction processing server for use in the purchase of a product from a merchant by a consumer using an electronic device, the transaction processing server being configured: receive from an application on the electronic device a transaction identifier; obtain from a database merchant information and a transaction amount from
- transaction information associated with the transaction identifier on the database ; and transmit the transaction amount and merchant information to the application on the electronic device.
- Communication between the application and the transaction processing server may take place via a secure connection, such as SSL, to ensure that the communication cannot be tampered with by third parties.
- SSL secure connection
- the consumer using the application may verify that the transaction will be to the correct merchant and for the correct amount before the transaction takes place, which, as explained above, improves security .
- the transaction processing server may also transmit to the application any attribute queries that there are in the transaction information and process the attribute
- the transaction processing server can execute the transaction between the consumer and merchant on the basis of the transaction information stored in the database, for example by
- the source of funds registered with the transaction provider by the consumer and the merchant account registered with the transaction provider by the merchant may be used in the transaction. In this way, the transaction may be executed without the consumer needing to share their financial details with the merchant, or any other external parties, which improves security.
- a system comprising the server and the transaction processing server.
- an application for operation on an electronic device wherein the application is suitable for use by a consumer purchasing a product from a merchant, wherein the application comprises logic configured to: receive a transaction identifier, wherein the transaction identifier is associated on a database with transaction information, the transaction information comprising a merchant
- a method for purchasing a product from a merchant by a consumer using an electronic device the method
- association between a transaction identifier and transaction information the transaction information comprising a merchant identifier, which is associated with merchant information, and a transaction amount;
- transaction identifier to an application on an electronic device ; transmitting the transaction identifier from the application to a transaction processing server; transmitting the merchant information and the transaction amount
- transaction processing server to the application; and completing the transaction using the application on the basis of the transaction information on the database.
- Figure 1 shows a system comprising a terminal, a mobile terminal, a merchant server and a transaction server;
- Figure 2 shows a sequence diagram for the system shown in Figure 1 when the consumer is purchasing a product from the merchant ;
- Figure 3 shows a display on the terminal of Figure 1 when the consumer is purchasing a product from the merchant
- Figure 4 shows a sequence diagram for the system shown in Figure 1 for the submission of attribute information from the consumer when the consumer is purchasing a product from the merchant;
- Figure 5 shows a confirmation of transaction sequence diagram for.
- Figure 6 shows a sequence diagram for the system of Figure 1 when the consumer is purchasing a product from the merchant.
- FIG. 1 shows a system 100 comprising a terminal 110, a mobile terminal 120, a merchant server 130, a transaction server 140 and a communications gateway 150.
- the first terminal 110 which may be, for example, a static terminal such as a desktop computer, or a mobile terminal such as a tablet computer, comprises a browser 112, which is in communication with the merchant server 130.
- the mobile terminal 120 which may be, for example, a tablet computer or a smart phone, comprises a transaction application 122, referred to from hereon as an ' app ' .
- the browser 112 is capable of displaying a QR code 114 on a display means of the terminal 110, wherein the QR code 114 may be scanned by the app 122 using an imaging device on the mobile terminal 120.
- the server 140 comprises a transaction provider node 142, which is in communication with the browser 112, and a database 144, which is in communication with the app 122 via communications gateway 150.
- Figure 2 shows a sequence diagram representing the data flow that may take place as part of a transaction between a consumer using the terminal 110 and the mobile terminal 120 to buy a product from the merchant using the transaction service provided by the transaction provider.
- the term 'product' as used throughout this disclosure encompasses both goods and services (e.g. financial products) .
- the consumer may use the browser 112 to browse for a product or products on the merchant's website.
- the consumer decides to purchase the product (s), they may put the
- the merchant server 130 will be aware that a consumer wishes to purchase a particular product (s) and, if applicable, the details of the delivery type chosen by the consumer.
- the merchant server 130 may then request from the transaction provider their merchant ID, for example using a transaction provider API.
- Such an API may be provided to each merchant when signing up to the transaction service. The use of this API allows merchants to be set up without requiring extensive changes to their online stores and web sites.
- the merchant ID is a unique code that is assigned to the merchant by the transaction provider.
- the merchant ID may be assigned to the merchant when the merchant signs up to the transaction provider's service, at which time all of the merchant's details, for example the merchant name and payment details, may be verified by the transaction provider so that the merchant details associated with the merchant ID are reliable.
- the merchant server 130 may also generate a tracking
- the consumer may use data transfer 210 to indicate to the merchant server 130 that they would like to complete the transaction with the QR code transaction process offered by the transaction
- This step may be carried out by selecting an option displayed on the merchant's checkout page on the browser 112.
- the merchant server 130 transmits the transaction information, comprising the merchant ID, the tracking reference and a basket amount, which indicates the total costs of all of the products in the consumer's basket, to the transaction provider node 142.
- the transaction information may also comprise any other relevant information, for example any delivery information and/or delivery costs that the consumer may already have selected and a product description and/or product photograph for each product in the basket.
- This data transfer may take place via the browser 112, as shown in Figure 2 as data transfer 215, so that server-to-server communication between the merchant server 130 and the transaction provider node 142 does not need to be set up.
- encryption or other integrity controls may be applied.
- a symmetric key technique such as keyed-hash message authentication code (HMAC)
- HMAC keyed-hash message authentication code
- the merchant server 130 may then apply the symmetric key to the transaction information to be transferred in data transfer 215 and transmit the MAC alongside the transaction
- the transaction provider node 142 may use the merchant ID to retrieve the symmetric key associated with that merchant, for example from a hardware protected key stored (HSM) where the symmetric key may be stored and associated with the merchant ID, and use the symmetric key and MAC to verify the transaction information.
- HSM hardware protected key stored
- the symmetric key issued to the merchant may be stored by the merchant using software, or more preferably it may be stored in a hardware protected key store (HSM) for
- the transaction provider may mandate that an HSM is used.
- the transaction provider node 142 will not carry out any further steps in the process.
- An error message may be returned to the browser 112 to indicate that the transaction provider's service could not be provided on this occasion, which may also notify the consumer that there is a security issue related to the merchant website that they are using. If, however, data transfer 215 is verified (i.e. the data has not been tampered with and has come from the correct sender) , the transaction provider node 142 will generate a transaction identifier, for example a nonce, that is then transmitted to the database 144 with the transaction
- transaction information on the database 144 For each transaction, there will be a single unique transaction identifier such that each transaction identifier references a particular transaction.
- the transaction provider node 142 then transmits the
- Figure 3 shows an example of a browser display after the browser 112 has generated and displayed the QR code 114.
- a basket description 310 which details the contents of the basket as earlier selected by the consumer using the browser 112
- a basket amount 320 which shows the cost of the products selected by the
- the consumer may then use the app 122 on the mobile device 120 to scan the QR code 114 and extract the transaction identifier, thus transferring the transaction identifier from the browser 112 to the app 122 in data transfer 225. So that the consumer may confirm the details of the
- the app 122 transmits the transaction identifier to the communications gateway 150 in data transfer 230.
- the communications gateway 150 uses the transaction identifier in data transfer 235 to retrieve from the database 144 all of the relevant transaction information associated with the transaction code.
- the database 144 returns the relevant transaction information to the communications gateway 150 in data transfer 240 for forwarding on to the app 122 in data transfer 245.
- the merchant name and basket amount associated with the transaction code are retrieved, along with any other relevant information, such as the tracking reference, any delivery information and product description ( s ) and/or product photograph ( s ) that may be available.
- the received transaction information is displayed to the consumer by the app 122.
- the name of the merchant and the basket amount are displayed to the consumer so that the consumer may confirm that the merchant name is correct before completing the transaction.
- the tracking reference, as well as any delivery information and product description ( s ) and/or product photographs ( s ) that may be available may also be displayed so that these may also be confirmed by the consumer before completing the transaction .
- the consumer may select a 'confirm' button on the app 122, which transmits an instruction from the app 122 to the communications gateway 150 in data transfer 250 so that the communications gateway may execute the transaction.
- the transaction may be executed for example using a Faster Payments Service
- a source of funds of the consumer for example a bank account, credit card or payment wallet that the consumer linked to the app 122 when registering the app 122 with the transaction provider, to an account that the merchant specified when registering for the transaction service, wherein the
- the communications gateway 150 may have the capability to execute the transaction itself using that information, or to instruct a financial institution to do so, and so may alternatively be described as a transaction processing server.
- the communications gateway 150 will update the database 144 with a record of the payment status for each transaction identifier, for example payment instructed, payment
- the security of the payment details may be compromised either in transfer or whilst with the merchant.
- some consumers may choose to save their payment details either on the terminal 110, on their mobile device 120 or on the merchant server 130.
- the payment details may be stored and used at multiple locations, some of which may not be very secure.
- the consumer payment details linked to the app 122 by the consumer when registering the app may be stored in a single, secure location.
- the communications gateway 150 may itself execute the transaction for the transaction provider, there may be an improvement in security both in storage of payment details and in the transferring of payment details. It also means that payment details are not shared with the merchant, which again improves security for the consumer and reduces the data security burden placed on the merchant.
- the consumer can be sure with whom they are dealing in the transaction and, therefore, who will ultimately receive their money, which introduces two factor authentication control for the consumer. For example, if they are shopping on a 3 rd party's website which is imitating a particular merchant, the merchant ID retrieved by the 3 rd party website during the transaction steps will be the merchant ID linked to the 3 rd party, not the merchant ID for the imitated merchant because each merchant can only use their own API to retrieve the merchant ID that is verified as being
- the app 122 transmits the transaction identifier to the communications gateway 150 in data transfer 230, the
- communications gateway 150 will return the name associated to the 3 rd party merchant ID, rather than the name of the imitated merchant.
- the name of the 3 rd party will be displayed to the consumer before they complete the
- the data transfers between the app 122 and the communications gateway 150 may be secured, for example using SLL, a 3 rd party may not be able to intercept any of data transfer 230, 245 or 250 and alter the
- the app 122 and the communications gateway 150 may implement message integrity controls in order to protect their communication, and the communications gateway 150 may also ensure that only legitimately registered apps may interact with the transaction server and maintain
- the merchant may require that personal attributes of the consumer are submitted before the
- the merchant may indicate the personal attributes that they require at the same time as transmitting transaction information in data transfer 215 by including an attribute query. For example, for products that must be delivered to the
- the attribute query may be for a delivery address.
- the attribute query may include a policy decision specifying a requirement that each attribute submitted by the consumer must meet before the transaction is allowed to take place, for example a particular age range that the consumer must fall within or a particular area, such as the UK, that the delivery address must be within, and/or the attribute query may include a requirement that submission of the attribute by the consumer is compulsory or merely optional.
- the consumer may be asked to submit attribute information, for example a delivery address, and potentially also confirm that they are happy to share the information with the merchant .
- Figure 4 shows an example sequence diagram that may take place between data transfers 245 and 250. Included in the transaction information retrieved from the database 144 in data transfer 240 and forwarded to the app 122 in data transfer 245 may be any outstanding attribute queries stored in the transaction information on the database 144. Upon receipt of an attribute query, the app 122 will prompt the consumer to submit the necessary information.
- the consumer may be given the option by the app 122 to enter the required information, for example delivery address, date of birth/age or email address, into the app (or have the app 'auto-complete' the required information from information saved to the app 122 or device 120, which might require the consumer to select a particular address, for example, from a selection of addresses they have saved) , or to use the information that the user registered with the transaction provider when setting up the app 122, or to use information that may be obtained from an external source, such as a credit rating agency.
- the required information for example delivery address, date of birth/age or email address
- the merchant may specify as a policy decision in the attribute query that only the information registered with the transaction provider may satisfy the attribute query.
- the app 122 will allow the consumer only the option of confirming that they are happy to use the information registered with the transaction provider, or cancel the transaction.
- the attribute information registered by the consumer with the transaction provider may also be included in data transmission 245 so that the consumer may review the
- the registered delivery address may the transmitted, or a request for confirmation that the registered details are correct, such as Our records say that you are over 18, please confirm Yes or No' etc. If allowable according to any merchant policy
- the consumer may be given the option of editing registered attribute information and then subsequently use the edited attribute information for the transaction. They may also have the opportunity to indicate that the edited attribute information should replace the attribute
- transmission 245 may include all of the alternative
- the consumer transmits either the required attribute information or a confirmation that the required attribute information registered with the transaction provider is to be used. If necessary the communications gateway 150 will then retrieve from the transaction provider the registered attribute information associated with the app 122, which may be kept, for example, in the communications gateway 150, or the database 142, or at some other location. The attribute information may then be added to the transaction provider.
- the transaction information may be updated, for example by the database 144 or the communications gateway, to indicate that the
- the browser 112 may conduct regular polling, i.e. a pull request, of the transaction provider node 142.
- Data transfer 415 shows a polling of the transaction
- the transaction provider node 142 may request the required attribute information from the database 144 in data transfer 416 and then receive the requested information in data transfer 417 if the requested information has been added to the transaction information on the database 144, for example if the consumer has added their delivery address to the database 144 in earlier data transfers 405 and 410. Having received the requested attribute information, the transaction provider node 142 will generate an attribute confirmation token and send it to the merchant server 130 via the browser 112 in data
- the attribute confirmation token may also include an indication of how trustworthy the attribute information is, for example if it is from a verified source, such as the information that the consumer registered with the transaction provider, or an external source such as a credit rating agency, it may be marked as very trustworthy. However, if the consumer has just submitted the attribute information themselves, it may be marked as potentially untrustworthy. This allows the merchant server 130 to make policy decisions regarding whether or not to go ahead on the basis of how trustworthy the information is. Having received the requested attribute information, the merchant server 130 will return the relevant transaction information update to the transaction provider node 142 via the browser 112 in data transfer 425.
- the information update may be a delivery charge calculated based on the delivery address and any other factors determined by the merchant, for example if the consumer is a member of a VIP delivery service etc, or a basket discount based on the consumer's age, or a confirmation that transaction is allowed to proceed on the basis of the consumer attribute information, which will result in the transaction
- the transaction provider node 142 will send the information update to the database 144 in data transfer 426 so that it can be included in the transaction information .
- data transmissions 420 and 425 may be encrypted or have other integrity controls applied.
- Data transfer 430 shows a polling of the communications gateway 150, in response to which the communications gateway will request any updates in transaction information from the database 144 in data transmission 435.
- communications gateway 150 in data transfer 440 for
- the app may then update the information it displays to the consumer to reflect the current transaction information, for example so that the amount payable to the merchant includes the delivery cost. In this way, the consumer will be aware of the total amount that will be paid to the merchant before instructing completion of the transaction in data transfer 240.
- Polling by the app 122 may continue until the returned transaction information indicates that the transaction is now allowable, at which time the app 122 will offer the consumer the opportunity to confirm that the transaction should take place.
- the above transaction process may be configured to enable the use of coupons or discounts applied by the consumer and/or the merchant.
- the merchant may release a set of coupons or discounts which the consumer may obtain and submit to the transaction provider for keeping in their account with the transaction provider.
- the communications gateway 150 may also obtain any coupons and/or discounts issued by the merchant that the consumer has saved in their transaction provider account. Those coupons and/or discounts are then sent to the database 144 in data transfer 410 and the transaction information in the database 144 is updated accordingly, for example to apply a 10% discount to the basket amount, or apply a fixed amount reduction from the basket .
- the merchant may include an attribute query for coupons and/or discounts in data transfer 215, so that after receiving data transfer 245, the app 122 may prompt the consumer to enter any coupons and/or discounts that they may have. Any entered coupons and/or discounts may then be included in data transfer 405 and applied to the transaction information on the database 144.
- the consumer may be notified of any changes made as a consequence of a coupon and/or discount in data transfer
- the merchant may be notified of any changes made as a consequence of a coupon and/or discount by polling the transaction provider node 142 with a request for the information, in an analogous manner to the merchant polling process for attribute information described above.
- the merchant may be
- Coupons and/or discounts may be applied by the merchant, for example where the merchant offers a discount to the consumer for using the transaction provider's service to carry out the transaction, or for special offers such as a discount for their 1000 th customer etc.
- Coupons and/or discounts may be applied by the merchant, for example where the merchant offers a discount to the consumer for using the transaction provider's service to carry out the transaction, or for special offers such as a discount for their 1000 th customer etc.
- Discounted discounts may be included in data transfer 215, such that the consumer will be notified of the discount and/or coupon applied when the app 122 receives data transfer 245.
- the merchant may apply coupons and/or discounts to the transaction information later during the process, for example after receiving attribute information in data transfer 420, a
- Discount /coupon may be applied in data transfer 425. If they are applied at that time, the consumer may be notified of them in data transfer 445, which updates the app 122 with the current transaction information held on the database 144.
- the above transaction process may also be configured to make use of merchant and/or consumer reputational information, which might be a score out of 10 and/or a review of the merchant /consumer and/or a credit score of the
- Reputational information may be, for example, crowd sourced from parties who previously had dealings with a consumer or merchant and have submitted a rating for them, or from outside sources such as credit ratings agencies.
- a merchant rating may be held by the transaction provider node 142 for each merchant registered with them.
- the merchant rating may come from reviews and ratings submitted by previous consumers using the transaction service for a transaction with that merchant, in which case the
- transaction provider node 142 may look up their merchant rating for the merchant ID sent to them in data transfer 215. Alternatively, after receiving data transfer 215, the transaction provider node 142 may obtain the merchant rating from an external source, for example a credit ratings agency or another service provider who has a rating for the
- the merchant rating may then be included in the transaction information in data transfer 216 so that the transaction information sent to the app 122 in data transfer 245 may include the merchant rating, thus allowing the consumer to consider the merchant rating before confirming the transaction.
- a consumer rating may similarly be held by the transaction provider node 142 for each app 122 registered with them, or it may be obtained from an external source. Again, the consumer rating might be a score out of 10 and/or a review of the consumer and/or a credit score of the consumer.
- the merchant may include in data transfer 215 an attribute query for a consumer rating and then set up a polling request for the consumer rating as part of the attribute information polling 415 and thus receive the rating in data transfer 420.
- the merchant server 130 may then make a decision whether or not the transaction should be allowed to take place, which may be included in data transfer 425 and recorded on the transaction information on the database 144.
- the attribute query may include a policy decision requiring a minimum consumer rating that must be achieved for the transaction to be allowed to take place.
- the merchant server 130 may not need to undertake polling for the consumer rating as the database 144 may automatically update, or be updated by the
- transaction provider node 142 or the communications channel 150 to indicate whether or not the transaction should be allowed to take place on the basis of the consumer rating received in data transfer 410.
- the polling request 415 may ask the
- the transaction provider node 142 for a consumer rating which the transaction provider node 142 may obtain from the transaction provider's records or from an external source by the communications gateway 150, add to the transaction information on the database 144 and return to the consumer server 130 in data transfer 420.
- the polling request 415 may also include a policy decision, in which case the merchant server 130 may not need the consumer rating to be returned, but instead trust that the transaction provider node 142 will indicate in the transaction information on the database 144 whether or not the transaction is allowed to take place on the basis of the consumer rating it obtains.
- confirmation of a successfully executed transaction may be sent to the browser 112 and the merchant server 130 so that both parties may have a receipt of the transfer and so that the merchant may perform any further required acts, for example delivery of the product to the consumer .
- a process of transaction confirmation is shown in Figure 5, which begins with the communications gateway 150 updating the database 144 in data transfer 505 to record in the transaction information a successful transaction.
- the merchant may obtain confirmation by instructing the browser 112 to poll the transaction provider node 142 in data transfer 510 for confirmation of a successful
- transaction provider node 142 may use the transaction identifier to check the current payment status on the database 144 in data transfer 515. If the current payment status indicates that the transaction has been completed successfully, the transaction provider node 142 will have returned to it in data transfer 520 a confirmation of successful transaction, which might include any relevant transaction information, for example what the transaction amount was, the tracking reference for the order, the time and date of payment and some attribute information, such as a delivery address. Using this information, the transaction provider node 142 may generate a payment confirmation token and send return that to the merchant server 130 via the browser 112 in data transfer 525. At the same time, the transaction provider node 142 may update the database 144 to record in the transaction information that the payment confirmation token has been sent to the browser 112.
- the transaction provider node 142 may return to the merchant server 130 an indication that there is no record of a successful
- the transaction provider node 142 may apply a digital signature and encryption or other integrity controls to the payment confirmation token so that the merchant server 130 can confirm who the payment confirmation token was issued by and that the payment confirmation token has not been
- any keys that are issued to the merchant server 130 and transaction provider node 142 for such purposes may be stored using software, or more preferably in a hardware protected key store (HSM) for additional security.
- HSM hardware protected key store
- the merchant server 130 may use the transaction provider API that they were provided with when signing up to the transaction service to obtain the functions and orchestration that they require to carry out authentication and/or decryption.
- the merchant server 130 Having obtained and verified and/or decrypted the payment confirmation token, the merchant server 130 will be aware that the transaction has taken place successfully and can check that the transaction amount confirmed in the token is the amount that they requested. The merchant may also go about fulfilling the product order, for example by
- the merchant server 130 may also update the browser 112 to confirm to the consumer that the transaction has taken place successfully and present the consumer with any relevant information, for example the tracking reference for the order, a confirmation of the transaction amount and an estimated delivery period.
- the merchant server 130 may also generate an acknowledgement of receipt of the payment confirmation token and transmit that to the transaction provider node 142 via the browser 112 in data transfer 530. In this way, the transaction provider node 142 can be sure that the merchant server 130 has safely received and processed the payment confirmation token and thus update the transaction information in data transfer 535 to the database 144 to mark that the
- transaction provider node 142 may also issue a confirmation of successful transaction to the mobile terminal 110 after receipt of the acknowledgement.
- the confirmation may be, for example, a text message, an email or a voice message.
- the app 122 may also poll the communications gateway 150 in data transfer 540 to request an update on the transaction status.
- the communications gateway 150 may check the transaction status recorded in the transaction information in the database 144 in data transfer 545 and return the transaction status and any other relevant information in data transfer 550.
- the app 122 may then have returned to it in data transfer 555 an indication of the transaction status. If the transaction status marks the transaction as successful, the app 122 will be able to display to the consumer a confirmation of successful transaction, with any other relevant returned information, for example the
- data transfer 555 will notify the app 122 accordingly so that it may continue to poll the
- confirmation process may be repeated until successful without initiating a second, duplicate transaction.
- the transaction provider node 142 issues a payment confirmation token to the merchant server in data transfer 525, it may then wait for an acknowledgement of receipt and reissue the payment confirmation token to the merchant server 130, for example with a 'push' to the merchant server 130, if no acknowledgement is received. Therefore, any failure in data transfers 525 or 530 can easily be rectified.
- the checking steps mean that the transaction may be checked by the merchant and the app 122 at any later time, since the transaction status is kept with the
- transaction information on the database 144 may be identified at any time using the transaction identifier.
- the merchant could check historical transactions at any time and receive confirmation that the transaction was successful, along with any other transaction information that they may desire.
- Figure 6 shows a complete sequence diagram for a consumer purchasing a product from a merchant using a browser on a first terminal and an app on a mobile terminal, including the confirmation process for the merchant.
- the database 144 may be co-located with the transaction provider node 142 on the server 140, or may be located remotely from the transaction provider node 142 and the server 140.
- the terminal 110 may be a personal computing device, such as a desktop computer or a mobile computing device such as a tablet computer, or it may be a computing device located in, for example, a merchant's shop. The consumer may then access the merchant's website, or an area in any relevant network location, for example the merchant's intranet page, and enter the checkout process from there. If the product can be collected in the shop and there are no attribute queries from the merchant, the transaction may be allowed to proceed without any submission of personal details from the consumer. Then, having used their mobile terminal 110 to carry out the method described above, the consumer may show their transaction receipt to a member of staff in the shop and collect their purchased product (s).
- the merchant server 130 obtains the merchant ID after data transfer 205, when the consumer enters the checkout process.
- the merchant server 130 may obtain the merchant ID after data transfer 210, where the consumer has confirmed their desire to use the transaction provider's service.
- the merchant server 130 may be configured to generate a QR code 114 for display on the browser 112.
- the QR code 114 may comprise merchant information, the basket amount and the tracking reference, as well as any attribute queries and policy decisions that there may be, so that when the app 122 scans the QR code 114, that information is imported into the app 122.
- a digital signature may also be included in the QR code 114 and/or the data in the QR code may be encrypted or have other integrity controls applied. For example, a symmetric key technique, such as keyed-hash message
- HMAC authentication code
- the app 122 may transmit all of the data to the communications gateway 150 for verification.
- the communications gateway 150 may verify the data in the same way as that described above in respect of the transaction provider node 142 verifying data transfer 215 (i.e. the communications gateway 150 will look up the symmetric key etc associated with the merchant ID and verify that the data imported into the app 122 from the QR has come from the correct merchant and has not been tampered with) . Having verified the data, the communications gateway 150 will return the transaction amount and merchant information to the app 122 in data transfer 245, as above. Furthermore, it will also store on the database 142 all of the transaction information included in the QR code and associate it with the tracking reference included in the QR code. Thus, the transaction process and confirmation process may then be executed as described above, but using the tracking reference, rather than the transaction identifier, to look up the transaction
- the merchant server 130 may submit to the database 144 the transaction information that it included in the QR code 114 that it generated .
- the app 122 may have access and/or hold the necessary tools, for example the symmetric key etc, to carry out decryption and verification of the transaction information in the QR code. If the information is verified, the app 122 may then proceed directly to data transfer 250 and execute the transaction on the basis of the information obtained from the QR code.
- the browser 112 may display the transaction identifier using any form of graphical representation of data that may be scanned using the app 122, for example a barcode, or that may be input to the app 122 by any other means, for example it may be a textual code that is manually input to the app 122 by the consumer.
- a terminal 110 with a browser 112 and a mobile terminal 120 with an app 122 there is provided a terminal 110 with a browser 112 and a mobile terminal 120 with an app 122.
- a terminal 110 with a browser 112 and a mobile terminal 120 with an app 122 there may be only a single terminal with both a browser 112 and an app 122.
- the above described process may still operate in the same way, except that rather than transmitting the transaction
- identifier to the browser 130 in data transfer 220 for display of the transaction identifier in a graphical form on the browser 130, it may be transmitted in data transfer 220 for transmittal by another means, for example via a
- the transaction reference may be transmitted in data transfer 220 in a URL that prompts the app 122 to start-up with the transaction identifier.
- the app 122 and the browser 112 may then carry out the process described above in order to execute and confirm the transaction.
- both the app 122 and the browser 112 perform polling, or pull requests, in order to obtain any required information.
- the polling may automatically be executed periodically until the
- any information required by the app 122 and the browser 112 may be transmitted by, for example, a push architecture, or by any other means.
- a push architecture may use websockets between the communications gateway 150 and the app 122, and between the transaction provider node 142 and the browser 112 and/or merchant server 130, and transmit the necessary information as soon as the necessary information has been added to the database 144.
- the transaction provider node 142 and the database 144 address each other directly, however, they may transfer data via an intermediary, for example the communications gateway 150.
- the only personal information that the merchant server 130 requests in an attribute query is a delivery address and a date of birth of the consumer.
- any other consumer information that the merchant requires may be requested in an attribute query and then subsequently obtained from the consumer and shared with the merchant .
- the transaction identifier may instead be anything that may be linked on a database to the transaction information.
- the transaction identifier may instead be an
- identification number such as a customer ID or item number (for example an item number for a lot in an auction) that may be provided to the transaction provider node 142 by the merchant server 130 in data transfer 215.
- server-to-server communication takes place between the merchant server 130 and the transaction provider node 142. Instead, where data is transfer between the two, it is transferred via the browser 112 (for example data transfer 215).
- server-to-server communication may be executed between the merchant server 130 and the transaction provider node 142, for example by using a mutual SSL
- the above described process may be used for purposes other than for the purchase of a product with a transfer of funds from a consumer to a merchant. It may instead be used, for example, to carry out only an
- the consumer may use the browser 112 to indicate to the merchant server 130 in data transfer 205 that they would like to do something that requires the merchant to check an attribute of the consumer, for example entering an over 18s gambling website.
- data transfer 210 the consumer may indicate to the merchant server 130 that they would like to use the transaction provider's service in order to authenticate their age.
- the transaction information sent by the merchant server 130 to the transaction provider node 142 will include the merchant ID and an attribute query.
- Data transfers 220, 225, 230, 235 and 240 may proceed as described above, but data transfer 245 will be different in that the transaction information returned to the app 122 will be a request for the consumer to confirm that they would like to confirm their age using the date of birth they registered with the transaction provider, and also
- the consumer can then confirm in data transfer 405 that they are happy to share their registered age/date of birth with the merchant, after which data transfers 505, 510, 515, 520 and 525 may proceed as described above so that the merchant server 130 can decide whether or not to grant the consumer access to their website and update the browser 130 accordingly.
- the merchant server 130 may also use data transfer 530 and 535 to update the database 144 to record their decision for future purposes.
- the process may also be used only for the purpose of applying coupons and/or discounts available through the transaction provider.
- the attributes check described above may include only a coupon/discounts
- the updated transaction information may be transmitted from the transaction provider node 142 to the browser 112 to update the browser 112. The consumer may then complete the transaction information
- the consumer registers a source of funds and attribute information with the
- a source of funds and attribute information may instead be registered and/or updated with the transaction provider and associated with the app 122 at any time after installing the app 122.
- the merchant server 130 requested the required attribute information and then updates the transaction information accordingly.
- the merchant may delegate this functionality to the transaction provider node 142 or the communications gateway 150 by providing them with a set of rules to use. For example, in order to satisfy a delivery charge attribute query in the transaction information, the transaction provider node 142 or the communications gateway 150 may use the delivery address in the transaction information and a set of delivery charges rules provided by the merchant in order to calculate a delivery charge and then update the transaction information.
- the communications gateway 150 also referred to as the transaction processing server 150, is represented as a single functional block, it can be
- the merchant server 130 could instead include only a tracking reference in the merchant ID.
- the transaction provider node 142 and/or the communications gateway 150 could use the merchant ID whenever necessary to call the merchant server 130 with the tracking reference in order to obtain the transaction amount from the merchant server 130. This may then be added to the transaction information on the database 144, or it may be kept off the database 144 and used immediately by the transaction provider node 142 (for example for transmission to the browser 112) or by the communications gateway 150 (for example, for transmission to the app 112 in data transfer 245, or to carry out the transaction) .
- the app 122 may instead give the consumer the option of either using the registered source of funds or entering a different source of funds into the app 122 and using that.
- different sources of funds may be registered with the transaction provider and data transfer 245 may include a list of all of those so that the consumer may choose which, if any, they wish to use. The consumer's choice of source of funds may be communicated to the communications gateway in data transfer 250.
- a record is maintained on the database 144 to indicate whether or not the transaction should be allowed to take place (i.e. whether or not all of the attribute queries have been satisfied etc) .
- the communications gateway 150 may maintain a note on whether or not the transaction may be allowed to take place, for example by monitoring all attribute queries and policy decisions in the transaction information until all queries are resolved and all policy decisions complied with, at which time it will allow the transaction to take place by updating the app 122 to allow the consumer to confirm the transaction.
- any one or more of the data transfers shown in the Figures may be made using open industry security tokens, such as security assertion markup language (SAML), or proprietary security tokens, in order to improve the SAML tokens.
- SAML security assertion markup language
- proprietary security tokens such as security assertion markup language (SAML)
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Finance (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Description
Claims
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP14705373.0A EP2959441A1 (en) | 2013-02-20 | 2014-02-20 | Apparatus and method for purchasing a product using an electronic device |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB1302993.9A GB201302993D0 (en) | 2013-02-20 | 2013-02-20 | Application, method and system for purchasing a product |
PCT/EP2013/059046 WO2014127853A1 (en) | 2013-02-20 | 2013-04-30 | Application, method and system for purchasing a product |
GBGB1307970.2A GB201307970D0 (en) | 2013-02-20 | 2013-05-02 | Apparatus and Method for Purchasing a Product Using an Electronic Device |
PCT/EP2014/053366 WO2014128229A1 (en) | 2013-02-20 | 2014-02-20 | Apparatus and method for purchasing a product using an electronic device |
EP14705373.0A EP2959441A1 (en) | 2013-02-20 | 2014-02-20 | Apparatus and method for purchasing a product using an electronic device |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2959441A1 true EP2959441A1 (en) | 2015-12-30 |
Family
ID=50137671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP14705373.0A Ceased EP2959441A1 (en) | 2013-02-20 | 2014-02-20 | Apparatus and method for purchasing a product using an electronic device |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP2959441A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110251910A1 (en) * | 2010-04-13 | 2011-10-13 | James Dimmick | Mobile Phone as a Switch |
US20120284130A1 (en) * | 2011-05-05 | 2012-11-08 | Ebay, Inc. | Barcode checkout at point of sale |
-
2014
- 2014-02-20 EP EP14705373.0A patent/EP2959441A1/en not_active Ceased
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110251910A1 (en) * | 2010-04-13 | 2011-10-13 | James Dimmick | Mobile Phone as a Switch |
US20120284130A1 (en) * | 2011-05-05 | 2012-11-08 | Ebay, Inc. | Barcode checkout at point of sale |
Non-Patent Citations (2)
Title |
---|
ANONYMOUS: "Transport Layer Security - Wikipedia", 17 January 2011 (2011-01-17), XP055444248, Retrieved from the Internet <URL:https://en.wikipedia.org/w/index.php?title=Transport_Layer_Security&oldid=408431665> [retrieved on 20180124] * |
See also references of WO2014128229A1 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10713630B2 (en) | Apparatus and method for purchasing a product using an electronic device | |
US11250493B2 (en) | System and method for performing social media cryptocurrency transactions | |
US10325261B2 (en) | Systems communications with non-sensitive identifiers | |
JP6446474B2 (en) | Executing transactions using virtual card values | |
US8234176B2 (en) | Identifier-based charge on delivery transaction | |
US7877297B2 (en) | Method and system for conditional transactions | |
US10242351B1 (en) | Digital wallet for groups | |
US20160247159A1 (en) | System and method for managing recipient accounts | |
US20150262137A1 (en) | Off-block chain transactions in combination with on-block chain transactions | |
US11367063B2 (en) | System and method for secure electronic payment | |
US20090063312A1 (en) | Method and System for Processing Secure Wireless Payment Transactions and for Providing a Virtual Terminal for Merchant Processing of Such Transactions | |
US20080114684A1 (en) | Termination of transactions | |
CN102349082A (en) | Payment system | |
CN104995649A (en) | Tokenized payment service registration | |
KR20040010510A (en) | System and method for third-party payment processing | |
JP2014059895A (en) | Method and system for promoting purchase between purchaser and seller | |
TW201631541A (en) | Transaction system and method | |
JP6691980B2 (en) | A secure way to provide shipping addresses during tokenized transactions | |
KR20190025802A (en) | Enterprise Business and Communication system Using Cloud-Computing | |
US20150317634A1 (en) | Secure text initiated payment processing system | |
KR20060124375A (en) | Transaction system and method of authenticating users using thereof | |
TW201415389A (en) | Communications system, computing devices and methods for securely exchanging data | |
EP2959441A1 (en) | Apparatus and method for purchasing a product using an electronic device | |
WO2014072846A1 (en) | Electronic intermediary for secured escrow service. the trustedpayer system | |
US20110184852A1 (en) | Secured acquisition process via credit card terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20150814 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAX | Request for extension of the european patent (deleted) | ||
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: BARCLAYS SERVICES LIMITED |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20191015 |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: BARCLAYS EXECUTION SERVICES LIMITED |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20210508 |