EP3095081A1 - Authentication method and system - Google Patents

Authentication method and system

Info

Publication number
EP3095081A1
Authority
EP
European Patent Office
Prior art keywords
code
payment card
mobile device
card
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP15706498.1A
Other languages
German (de)
English (en)
Inventor
Risto Savolainen
Stéphane JAYET
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Iaxept Ltd
Original Assignee
Iaxept Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Iaxept Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/352 Contactless payments by cards
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4012 Verifying personal identification numbers [PIN]

Definitions

  • the present invention relates to a method and system that are particularly applicable for use in authentication of transactions using contactless chip payment cards, and secure Personal Identification Number (PIN) code entry using contactless chip payment cards.
  • Mobile devices such as mobile phones, smart phones, personal computers, set top boxes, automotive dashboard computers and tablet computers can be used for financial transactions, such as credit card payments.
  • This functionality is known generally as Mobile Payment or Mobile Commerce.
  • a mobile device can run several software applications in the same fashion as computers, and there is a risk that some of the applications the users are downloading from the Internet may contain unwanted code or hidden functionality (“Malware”) which could detect, record, and misuse private and sensitive information, such as credit card numbers and PIN codes.
  • POS contactless mobile Point of Sale
  • SIM Subscriber Identity Module
  • WLAN wireless Local area Network
  • the mobile POS terminal can use the phone as a card reader for Near Field Communication (NFC) and other contactless cards, as well as a display and a keypad for user input and as a modem to connect to a payment processing system.
  • UICC Universal Integrated Circuit Card
  • SIM cards used in mobile devices are tamper evident and designed to meet high security standards fulfilling the criteria for financial transactions.
  • Malware could monitor and record the keystrokes or touch screen activity when the user is typing the PIN code, copy a user's on-screen signature, record voice commands, or generally capture any activity the user may perform to interact with the device and its operating system.
  • the cardholder verification PIN code used for card payments can be captured by a software application running in the phone before it reaches the POS application. Therefore, the mobile phone cannot be trusted as a PIN entry device.
  • Contactless payment cards are available, such as Contactless EMV cards with an NFC interface, which allow the contactless payment card to interact with a contactless card reader without a physical contact. This feature enables very fast and convenient payment transactions. In some instances, card issuers accept that contactless payments below a certain threshold value can be allowed without the user verification PIN code. However, this may lead to a situation where a stolen contactless card could be used multiple times at or below the threshold level without ever needing to know or enter the secret PIN code.
  • the Contactless EMV cards have implemented a counter, which forces the user to enter the PIN code after a certain number of repeated contactless transactions occur without using the PIN code.
  • the cardholder then needs to use a POS terminal with a traditional chip card reader (ISO contacts) and insert the card in the card reader to complete the transaction with the PIN code to reset the non-PIN transaction counter. If the POS terminal does not have a certified PIN entry pad or a contact card reader, this could lead to a deadlock situation where the contactless card requires the PIN code to remain operational, but the POS terminal is not capable of handling the PIN entry.
  • the embodiment(s) relate to contactless chip payment cards and secure PIN code entry with a POS terminal application running on an Embedded Secure Element ("ESE") of a mobile device or on a UICC/SIM card (“UICC Card”) or similar inserted in a mobile device, which supports a short distance communication method, such as NFC.
  • the present embodiment(s) creates a secured PIN code (a pseudo PIN code - PIN2) combined with an actual credit card PIN code (true PIN code), a credit card number, and a mobile phone number, and securely delivers the data to and stores it in the UICC (SIM) card in a mobile device. Furthermore, the present embodiment(s) enables the cardholder to conduct a contactless credit card transaction requiring a PIN code, and instead of the actual PIN code, enter the pseudo code (PIN2) on the mobile device and to the POS software residing on, e.g., the UICC card.
  • the POS software verifies whether the user-provided pseudo PIN code (PIN2) matches the stored PIN code (PIN2) for the credit card in use; if it does, the software enciphers the actual PIN code, if required, and sends it to the contactless credit card or to a payment processing system as a cardholder verification.
  • a method for authenticating a user conducting a payment card transaction using a payment card includes comparing, in one or more of a secure element containing secured data including at least one first code and at least one first payment card information associated with the first code, and a mobile device to which the secure element is connected, the first code with a second code provided as an entry at the mobile device to determine whether or not there is a match between the first code and the second code, and comparing the first payment card information with second payment card information of the payment card read from the payment card via a card reader of the mobile device to determine whether or not there is a match between the first payment card information and the second payment card information when the payment card is in the vicinity of the card reader of the mobile device.
  • the method also includes transmitting, by a transmission device from the mobile device, user authentication information for conducting the payment card transaction when it is determined that there is a match between the first code and the second code and it is determined that there is a match between the first payment card information and the second payment card information.
  • a method of enabling a user to conduct a payment card transaction includes receiving an entry of a pseudo personal identification number (PIN) code in connection with a payment card, at a secure element connected with a mobile device, and obtaining user authentication information including a true PIN code associated with the pseudo PIN code.
  • the method also includes transmitting, via a transmission device, the user authentication information confirming user authentication to authorize use of the payment card in a payment transaction, to the payment card or to an external authorization service or system.
  • a system for enabling a user to conduct a payment card transaction includes a contactless payment card, a mobile device, a secure element, and a transmission device.
  • the contactless payment card is configured to communicate via short distance communication.
  • the mobile device includes one or more user interface components configured to receive an entry of a second code, and a card reader configured to read information from the payment card.
  • the secure element is configured to communicate with the mobile device.
  • the secure element receives and stores secured data including at least one first code and at least one first payment card information associated with the first code, and receives the second code from the mobile device.
  • the secure element includes one or more processors executing a transaction authorization application.
  • the transaction authorization application obtains user authentication information when the second code is compared with the stored first code that is associated with the payment card and a match is determined to be made between the first code and the second code, and when the stored first payment card information is compared with second payment card information read from the payment card via the card reader of the mobile device and a match is determined to be made between the stored first payment card information and the second payment card information read from the payment card via the card reader when the payment card is in the vicinity of the card reader of the mobile device.
  • the transmission device is configured to transmit the user authentication information to one of the payment card and a payment processing system as user verification for conducting a transaction using the payment card with the mobile device.
  • FIG. 1 is a schematic diagram of a contactless payment card, a secure element, and a mobile phone according to at least one embodiment
  • FIG. 2 is a schematic diagram of a contactless payment card, a secure element, a mobile phone, and a payment processor according to at least one embodiment
  • FIG. 3 is a schematic diagram of the contactless payment card, the mobile phone, and a payment processor according to at least one embodiment
  • FIG. 4 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an issuer/acquirer bank according to at least one embodiment
  • FIG. 5 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an issuer/acquirer bank according to at least one embodiment
  • FIG. 6 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an issuer/acquirer bank according to at least one embodiment
  • FIG. 7 is a schematic diagram illustrating creation and delivery of a PIN certificate according to at least one embodiment
  • FIG. 8 is a schematic diagram illustrating creation and delivery of a PIN certificate according to at least one embodiment
  • FIG. 9 is a schematic diagram illustrating creation and delivery of a PIN certificate according to at least one embodiment
  • FIG. 10 is a schematic diagram illustrating creation and delivery of a PIN certificate according to at least one embodiment.
  • FIG. 11 is a block diagram of a UICC card according to at least one embodiment.
  • FIG. 1 is a schematic diagram illustrating a system 100 including a contactless payment card 102, a mobile device 104, and a secure element 106.
  • the mobile device 104 may include, but is not limited to, a cellular phone, a mobile tablet, a personal digital assistant, a personal communicator, a pager, a smart phone, or any other handheld computing device.
  • the mobile device 104 includes a card reader 108 configured to read the contactless payment card 102 and a transmission device 110.
  • the secure element 106 may be a Universal Integrated Circuit Card (UICC) that is connected to the mobile device 104, typically by being inserted into the mobile device 104.
  • the secure element 106 may be an embedded secure element (ESE) connected with the mobile device 104 by being embedded within the mobile device 104 itself.
  • the secure element 106 contains secured data, which has been obtained in a manner described in more detail below.
  • the secured data includes at least one first code, which may be a PIN code, and at least one first payment card information associated with the first code.
  • the secured data may also include another code, which is a true PIN code.
  • when a user wants to use the payment card 102, the user is authenticated by inputting a second code (e.g., the PIN2 code) to the mobile device 104.
  • the entered PIN code (PIN2) is a pseudo PIN code and is not the actual (true) PIN code associated with the contactless payment card 102.
  • the user enters the PIN code (PIN2) using a provided user interface running on the mobile device 104.
  • the user-input PIN code (PIN2) is forwarded to a PIN/authorization application or Point of Sale (POS) application running on the secure element 106.
  • the POS application on the secure element 106 verifies whether the user-entered PIN2 code matches the code it received as secured data, which may include enciphered PIN data.
  • the POS application at the secure element 106 also compares first payment card information stored as part of the secured data with second payment card information of the payment card 102 read from the payment card via the card reader 108 of the mobile device 104 to determine whether or not there is a match between the first payment card information and the second payment card information when the payment card 102 is in the vicinity of the card reader 108 of the mobile device 104.
  • the term "in the vicinity" corresponds with being in a readable area of the card reader 108 of the mobile device 104 such that the card reader 108 is able to read information from the payment card 102.
  • if the verification between the PIN codes and the payment card information is successful (i.e., there is a match between the entered code and the stored code and there is a match between the read payment card information and the stored payment card information), the POS application provides user authentication information for conducting a payment card transaction that is transmitted by the transmission device 110 from the mobile device 104.
  • the POS application retrieves data, such as a true PIN code (e.g., a third code) securely stored in a memory, enciphers the true PIN code, and provides the enciphered PIN code.
  • the true PIN code may be stored as plain text in a secured memory or as encrypted text in a non-secure memory.
  • the user authentication information may include the enciphered actual (true) PIN code (e.g., a third code).
  • the user authentication information, which may include the enciphered PIN code, may be transmitted to the contactless payment card 102 for local validation (FIG. 1).
  • the user authentication information, which may include the enciphered PIN code, may be transmitted to a payment processing system 202, illustrated in FIG. 2, for online validation.
  • the user authentication information may include a user verification status indicator, which may be transmitted to the payment processing system 202 (FIG. 2).
  • the true PIN code (the third PIN code) linked with an account for the payment card 102, e.g., through a primary account number ("PAN"), and the secret, second PIN code (PIN2) may be created using a security certified device or system, such as an ATM or by a bank.
  • the second PIN code (PIN2) may be signed by the issuer of the payment card 102 and encrypted.
  • the user authentication information, which includes the enciphered PIN data, can also contain other information, such as a counter, expiration date, payment card number, and POS UICC card identification.
  • the enciphered PIN data can be sent to the secure element 106, e.g., the POS UICC card of the mobile device 104 or the embedded secure element ("ESE") embedded in the mobile device 104, over any available network, short distance communication method, such as NFC, via the mobile device 104 or by using the card reader 108.
  • the payment card's PIN and PIN2 codes reside in the same secure element (e.g., the smart card IC on the POS UICC) as the POS terminal application.
  • the true PIN code for the payment card 102 is never outside a secured, tamper-evident device or chip card in clear text format.
  • when the contactless payment card 102 is used in conjunction with the mobile device 104 with a POS application on a secure element 106, such as the UICC card or the ESE, and a PIN code is required for cardholder verification, the cardholder can enter the second PIN code (PIN2) instead of the actual PIN code (third code) of the payment card 102.
  • the PIN2 code can be used for cardholder verification only for the registered cardholder's payment card 102 used in conjunction with the cardholder's mobile device 104 holding the secure element (e.g., the cardholder's UICC card or embedded secure element embedded in the mobile device 104).
  • capturing and stealing the PIN2 code does not allow the payment card 102 to be used, for example, at an ATM to withdraw cash from the cardholder's bank account or to allow any purchases or cash-back transactions using the card at a Point of Sale terminal.
  • the present embodiment(s) seek to guarantee that the payment card's PIN code is never outside a secured, tamper evident device or chip card in clear text format, i.e. not encrypted, and also that the user never needs to type the actual card PIN number on the mobile phone 104.
  • the present embodiment(s) seek to significantly increase the security level and decrease fraudulent use because the actual payment card PIN code is never used with the mobile phone-based POS terminal. Therefore, a PIN code captured, for example, by malware running in the mobile device 104 cannot be used in conjunction with the payment card 102 at an ATM, at a POS terminal in a shop, etc.
  • FIG. 3 is a diagram of the contactless payment card 102, the mobile phone 104, and the payment processor 202 according to at least one embodiment.
  • FIG. 3 is an example of a payment transaction in accordance with at least one embodiment.
  • FIG. 4 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an acquirer bank according to at least one embodiment.
  • FIG. 5 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an issuer/acquirer bank according to at least one embodiment.
  • FIG. 6 is a schematic illustration of a transaction flow with the contactless payment card, a POS terminal application, a PIN application, a mobile phone, and an issuer/acquirer bank according to at least one embodiment.
  • the payment processor (“PP") 202 may receive the cardholder's phone number and fixed payment instruction including a merchant's remote POS terminal profile from a merchant.
  • the PP 202 signs the Remote Payment Instruction with its secret key, encrypts it with a public POS Certificate key corresponding to the cardholder's phone number of the mobile phone 104, and sends it to the POS application 204 on the secure element 106, which may be a UICC card of the cardholder's mobile device 104 or an embedded secure element (ESE) embedded in the cardholder's mobile device 104, using the cardholder's phone number.
  • the POS application 204 on the secure element 106 receives the Remote Payment Instruction, decrypts it with its secret key and validates it with the PP's 202 public key.
  • the POS application 204 interacts with a User Interface application 206 on the cardholder's mobile device 104 and displays the payment information for cardholder's approval or dismissal.
  • the User Interface application 206 sends the cardholder's approval to the POS application 204.
  • the POS application 204 activates the mobile device's NFC interface and begins the payment transaction process with the cardholder's payment card 102.
  • the POS application 204 reads information from the card 102, including the card number, cardholder's name, and public PIN enciphering key, etc. depending on the payment card 102.
  • a cardholder verification (authentication) PIN code is required by the POS application 204 at the secure element 106 or by the payment card 102.
  • the POS application 204 requests a PIN code verification from a PIN application, which may be included in the POS application or may be separate from the POS application.
  • the PIN application retrieves the payment card's registered PIN from its memory and requests a secret PIN code (PIN2) from the cardholder using the User Interface application 206.
  • the cardholder enters the PIN2 code on the User Interface application 206 at the mobile phone 104, and the User Interface application 206 returns the PIN2 code to the PIN application running on the secure element 106.
  • the PIN application verifies the PIN2 code and the payment card number, and if the PIN2 code and the payment card number are verified successfully by matching with a stored code and payment card number, the PIN application enciphers a corresponding PIN code with the payment card's PIN enciphering key and returns the enciphered PIN code (e.g., the third code) to the POS application 204, which will forward the enciphered PIN code to the cardholder's payment card 102 for cardholder verification (FIG. 4).
  • the payment card 102 recovers and verifies the PIN code with its PIN enciphering key, and either accepts or declines the payment and sends the result to the POS application 202 for further processing.
  • the PIN application enciphers a corresponding PIN code associated with the PIN2 code and transmits the enciphered PIN code to the issuer/acquirer bank (payment processing system) 202, which provides verification to the POS application 204.
  • the PIN application may provide the POS application 204 with an indication that the user verification is satisfied.
  • the POS application 204 may transmit a user verification status indicator to the issuer/acquirer bank (payment processing system) 202.
  • although the POS application and the PIN application are described above as two separate applications, the POS application and the PIN application can be integrated in the same application.
  • FIGS. 7-10 illustrate the creation and delivery of the PIN certificate, which may store the secured data, including the PIN2 code.
  • the PIN certificate contains various types of information associated with the payment card 102.
  • the PIN certificate may contain, for example, a payment card number (e.g., a Primary Account Number), the true PIN code, the pseudo PIN code (PIN2), a validity period, processing restrictions (e.g., value, usage counter, error counter, currency, country, card version, POS version, host device, etc.), issuer information, the date of issuance, and the issuer's signature.
  • the second code is provided from one or more stored secured data, each of the stored secured data being associated with a different condition associated with use of the payment card 102.
  • the different condition for a specific stored secured data includes one or more of: (1) a value limit on the transaction associated with the user authentication, (2) a threshold level of transactions using only the payment card 102, (3) the transaction involving currency that is not indicated at an authentication application as domestic currency, (4) the transaction occurring in a foreign country to a home country of the payment card 102 or a home country of the mobile device 104, (5) the transaction being a forced transaction, and (6) a single-code transaction in which the stored secured code expires after the single-code transaction occurs.
  • the secured data may be received via one or more of a mobile/cellular network (see FIG. 8), a short distance communication interface (see FIG. 9), an embedded camera in the mobile device, a microphone, another audio interface of the mobile device 104, a keypad of the mobile device 104, and a touchscreen of the mobile device 104.
  • FIG. 7 is a schematic diagram illustrating creation and delivery of a PIN certificate using the payment card 102 as the delivery media.
  • a POS Issuer installs a POS application 204 into the secure element 106 (e.g., the UICC Card) and launches POS enciphering key pair generation in the secure element 106.
  • the POS Issuer receives and verifies the initial POS Certificate, updates it with the phone number of the mobile phone 104 (MSISDN) and signs the updated POS Certificate with the POS Issuer's Secret key.
  • the POS Issuer stores the POS Certificate (including MSISDN) in the POS Certificate database.
  • the cardholder inserts in a card terminal 702 the card 102 to be registered with the POS application 204, and reads the Primary Account Number, the public IC PIN enciphering key, the cardholder's name, etc.
  • the cardholder is verified by the PIN code (PIN2) entered using the keypad of the card terminal 702 and the payment card's Primary Account Number (PAN).
  • the cardholder enters the mobile phone number of the secure element 106, e.g., the POS UICC card (MSISDN).
  • the card terminal 702 or the Card Issuer requests the POS certificate using the MSISDN number.
  • the card terminal 702 or the Card Issuer receives the UICC POS certificate and validates it by using the POS Issuer's public key.
  • the card terminal 702 generates an unpredictable number, encrypts the number with the public POS key and sends it to the POS application 204 on the secure element 106, e.g., UICC card, using the MSISDN number.
  • the POS application 204 receives the encrypted data, decrypts the number, and presents the recovered unpredictable number on a display 704 of the mobile device 104.
  • the cardholder and owner of the mobile device 104 enters the unpredictable number on the card terminal 702 for proof of having the mobile device 104 with the UICC card corresponding with the MSISDN number.
  • Near Field Communication may be used to verify the phone 104 with the POS app 204 on the secure element 106 at the card terminal 702.
  • the card terminal 702 verifies the sent and user-typed unpredictable numbers, and as a result, either proceeds or declines.
  • the card terminal generates the pseudo code (PIN2), signs the POS PIN Certificate (MSISDN, PAN, PIN, PIN2) with a card issuer's secret key and encrypts it with a public POS key.
  • the card issuer sends the encrypted and signed POS PIN Certificate to the secure element 106, e.g., UICC card, using the MSISDN number.
  • the secure element 106 receives the encrypted POS PIN Certificate and decrypts it with its secret POS key, verifies the card issuer's signature, and stores the POS PIN Certificate in the secure element's secure memory.
  • the card issuer then sends the PIN2 code by secure mail to the cardholder's correspondence address.
  • FIG. 8 is a schematic diagram illustrating creation and delivery of a PIN certificate using a network 802 as the delivery method to the POS application 204 on the secure element 106 (e.g., the UICC card).
  • FIG. 9 is a schematic diagram illustrating creation and delivery of a PIN certificate using a NFC contactless card reader 902 as the delivery media to the POS application 204 on the secure element 106 (e.g., the UICC card).
  • FIG. 10 is a schematic diagram illustrating creation and delivery of a PIN certificate using the payment card 102 as the delivery media with a feedback loop for proving that the mobile phone 104 is present.
  • the POS Issuer installs the POS application 204 into the secure element 106 (e.g., UICC Card) and launches POS enciphering key pair generation in the secure element 106.
  • the POS Issuer receives the public POS key, combines it with the phone number of the mobile phone 104 (MSISDN) and signs the public POS Certificate with the POS Issuer's Secret key.
  • the POS Issuer stores the POS public key certificate (including MSISDN) in the UICC POS Certificate database.
  • the cardholder inserts in the card terminal 702 the card 102 to be registered with the POS application, and reads the Primary Account Number, the public IC PIN enciphering key, the cardholder's name, etc.
  • the cardholder is verified by the PIN code (PIN2) entered using the keypad of the card terminal 702 and the payment card's Primary Account Number (PAN).
  • the cardholder enters the mobile phone number of the secure element 106, e.g., the POS UICC card (MSISDN).
  • the card terminal 702 or the Card Issuer requests the POS certificate using the MSISDN number.
  • the card terminal 702 or the Card Issuer receives the UICC POS certificate and validates it by using the POS Issuer's public key.
  • the card terminal 702 generates an unpredictable number, encrypts the number with the public POS key and sends it to the POS application 204 on the secure element 106, e.g., UICC card, using the MSISDN number.
  • the POS application 204 receives the encrypted data, decrypts the number, and presents the recovered unpredictable number on the display 704 of the mobile device 104.
  • the cardholder and owner of the mobile device 104 enters the unpredictable number on the card terminal 702 for proof of having the mobile device 104 with the UICC card corresponding with the MSISDN number.
  • Near Field communication may be used to verify the phone 104 with the POS app 204 on the secure element 106 at the card terminal 702.
  • the card terminal 702 verifies the sent and user typed unpredictable numbers, and as a result, either proceeds or declines.
  • the card terminal generates the pseudo code (PIN2), signs the POS PIN Certificate (MSISDN, PAN, PIN, PIN2) with a card issuer's secret key and encrypts it with a public POS key.
  • the card issuer sends the encrypted and signed POS PIN Certificate to the secure element 106, e.g., UICC card, using the MSISDN number.
  • the secure element 106 receives the encrypted POS PIN Certificate and decrypts it with its secret POS key, verifies the card issuer's signature, and stores the POS PIN Certificate in the secure element's secure memory.
  • the card issuer then sends the PIN2 code by secure mail to the cardholder's correspondence address.
  • FIG. 11 is a block diagram of one potential implementation of the UICC Card with a secure POS terminal application and PIN Certificate database.
  • the transaction may be a payment transaction, such as an EMV transaction with corresponding security features, such as unpredictable numbers, transaction counters, challenge-response methods, random padding, PIN code and key enciphering as described in and required by the used transaction protocol.
  • the payment card 102 can use Near Field Communication protocol or any other similar short distance radio frequency electromagnetic communication protocol, or an optical communication protocol using visible or non-visible wavelength.
  • the PIN code cardholder verification method is not limited to financial transactions or for use with only a payment card, but can be used with any type of user authentication and verification purposes, for example, physical access control or logging into a web site.
  • the PIN certificates on the secure element can be securely modified and deleted using either a remote connection or locally.
  • the PIN code for a specific payment card may be encrypted and signed by a secured system and then transmitted to the POS terminal without using the mobile device 104 as the PIN entry device, but instead using a secure data communication channel from an external secure system.
  • the secure channel can be, for example, via the NFC antenna of the mobile device, or a secure communication over a network.
  • the present embodiment(s) thus enables secure cardholder verification without entering, and potentially exposing, the actual payment card PIN code by using a non-secure device, such as a mobile phone keypad or touch screen.
  • aspects of the present embodiment(s) can also be embodied as software configured to be used with a processor to cause the processor to perform operations, or can be embodied as hardware on one or more connected or unconnected devices.
  • the software can be stored on a non-transitory computer-readable medium.
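
The last enrollment steps in the list above (the issuer signs and encrypts the POS PIN Certificate; the secure element decrypts it, verifies the signature and only then stores it) can be sketched as follows. This is an added example, not code from the patent or its applicant: the patent names no algorithms, so Ed25519 signatures and RSA-OAEP encryption are assumptions, as are the `SecureElement`, `NewParties`, `SealCert` and `Install` names and the constructed certificate body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureElement is a hypothetical model of the POS application's key store.
type SecureElement struct {
	posKey *rsa.PrivateKey   // secret POS key, generated on the element
	issuer ed25519.PublicKey // card issuer's signature verification key
	stored []byte            // PIN certificate body, set only after verification
}

// NewParties creates a secure element and a card issuer signing key (demo setup).
func NewParties() (*SecureElement, ed25519.PrivateKey, error) {
	k, err1 := rsa.GenerateKey(rand.Reader, 2048)
	pub, sk, err2 := ed25519.GenerateKey(rand.Reader)
	return &SecureElement{posKey: k, issuer: pub}, sk, errors.Join(err1, err2)
}

// SealCert signs the certificate body, then encrypts signature||body to the element.
func SealCert(sk ed25519.PrivateKey, pub *rsa.PublicKey, body []byte) ([]byte, error) {
	signed := append(ed25519.Sign(sk, body), body...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, signed, nil)
}

// Install decrypts, checks the issuer signature, and only then stores the body.
func (se *SecureElement) Install(ct []byte) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, se.posKey, ct, nil)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return errors.New("decryption failed")
	}
	sig, body := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	if !ed25519.Verify(se.issuer, body, sig) {
		return errors.New("issuer signature invalid")
	}
	se.stored = body
	return nil
}

func main() {
	se, sk, _ := NewParties()
	ct, _ := SealCert(sk, &se.posKey.PublicKey, []byte("constructed: msisdn|pan|pin|pin2"))
	fmt.Println("install error:", se.Install(ct))
}
```

Because anyone holding the public POS key can produce a ciphertext that decrypts cleanly, the issuer signature is the only thing that authenticates the certificate, so `Install` leaves `stored` untouched when decryption or verification fails.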

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention relates to a method and a system for authenticating a user performing a payment card transaction using a payment card. The method comprises comparing, in a secure element containing secure data comprising a first code and first payment card information associated with the first code, or in a mobile device to which the secure element is connected, the first code with a second code provided as input to the mobile device, and the first payment card information with second payment card information of the payment card read from the payment card via a card reader of the mobile device when the payment card is in proximity to the card reader of the mobile device. The method comprises transmitting user authentication information associated with the first code in order to perform the payment card transaction when there is a match between the first and second codes and between the first and second payment card information.
EP15706498.1A 2014-01-15 2015-01-15 Authentication method and system Withdrawn EP3095081A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201461927536P 2014-01-15 2014-01-15
US201461934908P 2014-02-03 2014-02-03
PCT/GB2015/050073 WO2015107346A1 (fr) 2014-01-15 2015-01-15 Authentication method and system

Publications (1)

Publication Number Publication Date
EP3095081A1 (fr) 2016-11-23

Family

ID=52589693

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15706498.1A Withdrawn EP3095081A1 (fr) 2014-01-15 2015-01-15 Authentication method and system

Country Status (2)

Country Link
EP (1) EP3095081A1 (fr)
WO (1) WO2015107346A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10198595B2 (en) 2015-12-22 2019-02-05 Walmart Apollo, Llc Data breach detection system
US11587159B2 (en) * 2017-04-24 2023-02-21 Cpi Card Group—Tennessee, Inc. Bridge application for user pin selection
WO2021183073A1 (fr) 2020-03-12 2021-09-16 Kartek Kart Ve Bi̇li̇şi̇m Teknoloji̇leri̇ Ti̇caret Anoni̇m Şi̇rketi̇ Secure payment system with EMV card transaction flow and PIN confirmation without sharing card information of the cardholder's mobile phone, computer or tablet, and method thereof

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SK50862008A3 (sk) * 2008-09-19 2010-06-07 Logomotion, S. R. O. System for electronic payment applications and method of payment authorization
EP3869443A1 (fr) * 2011-05-10 2021-08-25 Dynamics Inc. Systems, devices and methods for mobile payment acceptance, mobile authorizations, mobile wallets and contactless communication mechanisms
US8763896B2 (en) * 2012-02-23 2014-07-01 XRomb Inc. System and method of loading a transaction card and processing repayment on a mobile device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2015107346A1 *

Also Published As

Publication number Publication date
WO2015107346A1 (fr) 2015-07-23

Similar Documents

Publication Publication Date Title
US20150199673A1 (en) Method and system for secure password entry
US10826702B2 (en) Secure authentication of user and mobile device
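CN112602300B (zh) Systems and methods for cryptographic authentication of contactless cards
CN113507377B (zh) Apparatus and method for transaction processing using a token and cryptogram based on transaction-specific information
RU2648944C2 (ru) Methods, devices and systems for secure acquisition, transmission and authentication of payment data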
AU2020210294B2 (en) Establishment of a secure session between a card reader and a mobile device
US9251513B2 (en) Stand-alone secure PIN entry device for enabling EMV card transactions with separate card reader
CN106716916B (zh) Authentication system and method
CN110169035B (zh) Binding cryptogram with protocol characteristics
CN112805737A (zh) Techniques for token proximity transactions
EP2733654A1 (fr) Electronic payment method, system and device for securely exchanging payment information
CN117252593A (zh) Transaction authorization
KR20060125835A (ko) Method and system for performing an electronic transaction using a mobile terminal
JP2015513337A (ja) Hub-and-spoke PIN verification
RU2741321C2 (ru) Cryptographic authentication and tokenized transactions
US20220060889A1 (en) Provisioning initiated from a contactless device
US11750368B2 (en) Provisioning method and system with message conversion
KR101804182B1 (ko) System and method for identity authentication in online financial transactions using a physical card
US20230062507A1 (en) User authentication at access control server using mobile device
WO2015107346A1 (fr) Authentication method and system
US11880840B2 (en) Method for carrying out a transaction, corresponding terminal, server and computer program
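KR102348823B1 (ko) System and method for identity authentication based on a financial card held by the user
WO2015162276A2 (fr) Secure token implementation
CN113014400B (zh) Secure authentication of user and mobile device
CN116830532A (zh) Mobile device secret protection system and method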

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20160815

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20180801