GB2373616A - Remote cardholder verification process - Google Patents

Remote cardholder verification process

Info

Publication number
GB2373616A
Authority
GB
United Kingdom
Prior art keywords
remote
verification process
cardholder
cardholder verification
card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0107431A
Other versions
GB0107431D0 (en
Inventor
Clive Leader
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
MERLIN ANALYSIS Ltd
Original Assignee
MERLIN ANALYSIS Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by MERLIN ANALYSIS Ltd
Priority to GB0107431A
Publication of GB0107431D0
Publication of GB2373616A
Withdrawn

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409 Device specific authentication in transaction processing
    • G06Q20/4097 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/23 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password

Landscapes

  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

Securely and verifiably authenticating the holder of a chip card 1 and associating the verification with the underlying transaction between the cardholder 3 and remote host system 5, using a simple card reader 2 interacting indirectly with the remote host system 6 via a communications device 4, e.g. mobile phone. Chip card 1, e.g. bank payment card, is inserted in chip reading device 2, whereupon routine card authentication 6 and cardholder verification procedures 8 are performed. The user 3 inputs a random/unpredictable input, sent by host system 5 to communications device 4, into chip reading device 2 (9). Device 2 signs the outcome of the authentication and verification process, transaction details, and random input, and displays minimum data to the user who keys this into the communications device for verification by the operator host, 10. Thus the process does not rely on the exchange of secret information over open communications. To minimise data exchange for any single transaction, routine data may be pre-registered with the host system.

Description

Remote Cardholder Verification Process
This invention relates to a unique and innovative process to securely and verifiably identify the holder of a chip card through a simple card reader interacting with a remote host system using minimal data input. This identification is irrefutably linked to the underlying activity or transaction.
Although various solutions have been introduced by banks and other organisations which use a chip card to verify the cardholder and authorise a transaction, these solutions require a terminal device with a predominantly online connection for the collection, exchange and control of data. This invention supports the use of the same cards but, through a special card reader and unique exchange of cryptographic data, achieves the same objective but without the need for direct connectivity between the card/device and the remote host system, making the process suitable for customer operated devices such as mobile phones, fixed line telephones, PCs, set top boxes and other communications devices.
The information required to securely authenticate the cardholder can be simply relayed from the card reader device to the communication system (such as a mobile phone) by minimal data input, for example, by the cardholder via the key pad of the phone. The process can support commonly issued chip cards, such as bank payment cards and other cards respecting known international standards.
The process does not require any pre-agreement or shared secrets/knowledge between the operator of the process and the chip card issuer. The process operator can be sure that the transaction has been initiated by the approved holder of the card and this proof is irrefutably linked to features of the current transaction (whatever this task might be).
The process uses simple cryptographic processes between the operator and the card reading device to confirm the authentication of the cardholder and to uniquely relate the authentication to the process in hand. The process does not rely on the exchange of secret information over open communications. No confidential data is exchanged between the communication device and the operator during the transaction. The solution has the benefit that the process is very simple for the cardholder and operates under the control of the operator. If required in particular implementations, however, critical data may be made secret through encryption.
The process may be employed for a variety of transactions that need to securely authenticate/verify the cardholder such as secure access to personal, secret or restricted information, giving instructions relating to transactions or the payment of value, instructions authorising commerce or trade or entering contractual agreements.
The invention relates to the unique operations and information flows associated with the solution, not the underlying technology of the payment transactions which are widely known and published.
Figure 1 shows a diagrammatic representation of a typical verification transaction.
A chip card (1) is inserted in a chip reading device (2) which initiates a standard chip card transaction. During this transaction the device, in conjunction with the card and cardholder/user (3), performs routine card authentication (6) and cardholder verification procedures (8) as are used for normal payment transactions. Typically this requires the entry of the cardholder's Personal Identification Number, but other common verification techniques may be used. Where the underlying transaction involves the cardholder acknowledging an amount, this is displayed to the cardholder prior to verification (7).
The device is provided with random/unpredictable input (9) from the operator host system (5), communicated via the communications device (4) and entered by the user (3) into the device (2). The operator host system is able to relate this random/unpredictable input to the underlying transaction.
The device (2) cryptographically signs the outcome of the authentication and verification process, card details, the random input and, if appropriate, the amount.
The minimum data necessary (10) is displayed to the user (3) who keys this into the communication device to be verified by the operator host.
The data returned to the operator host is sufficient for the host to prove cryptographically that the necessary card procedures have been performed and relate this uniquely to the underlying transaction.
To minimise the data required to be exchanged between the card reading device and the communications device for any single transaction, wherever possible, routine data (such as card details, pre-agreed amounts, user information) is pre-registered with the operator host. This pre-registration may be performed before the device is issued or as a separate transaction, similar in principle to the verification transaction described above but different in content.
The verification transaction flow is independent of the underlying action for which user verification is sought. However, the input required to the device may vary according to the exact implementation. For example, sometimes an amount will be required if the verification is related to a payment whereas for other uses (such as providing access to confidential information) this will not be relevant.
A typical configuration of the process is described with reference to figure 1.
The process does not assume any particular cryptographic solution, although for ease of illustration the following section presumes the use of symmetric secret key cryptography, for example the DES algorithm.
Chip Card (1)
The process can use any common standards based chip card that performs cardholder verification and card authentication. The process does not require special functionality within the chip card application. The process conducts a standard transaction with the card and then the card reading device uniquely and securely links the outcome of the card authentication and cardholder verification with the details of the transaction and the random input from the operator.
Card Reading Device (2)
The card reading device comprises a numeric key pad, display and chip card reader.
The device contains an application that:
* supports the initial steps of the appropriate chip card transaction
* can secretly retain details of pre-registered cards (typically one, but more if required). Information is retained by the device, authorised by encrypted messages keyed by the user received from the operator host via the communication device. Pre-registering cards reduces the data input required to complete a single authentication in due course.
* is capable of generating DES cryptograms (or other appropriate cryptographic processes) using fixed or derived keys, over various data-sets (different for each of the normal functions)
* will occasionally encrypt/decrypt critical or secret information
* is capable of decrypting DES cryptograms (or other appropriate cryptographic processes) and using the information to store data, or authorise the use of data for this purpose
* stores secret keys and other semi-permanent information with various levels of authorised access
Operator (5)
The operator will require a system that will:
* store details relating to specific card reading devices, registered cards and other customer information (such as the mobile phone number or internet service provider identification)
* generate random challenges for each transaction
* verify the cryptograms received via the communications device. These will often be just a section of the cryptogram (to reduce data input) and will relate to data that is either pre-registered with the operator or is included in the transaction message
* perform whatever business function is expected once the user verification has been completed. This may be providing information, making transactions or recording specific customer instructions
Communications Device (4)
The process does not rely on any specific communications device. The device must be capable of receiving information from the operator (5) and displaying this to the user (3) (eg a small display, audio instructions). The device must also be capable of taking input from the user and transmitting this to the operator (eg via a keypad, audio).
The card reading device may be uniquely associated with a particular communications device (eg associated to a mobile phone number) or to a particular customer (eg the client number of an internet service provider or home banking user). This association is not essential, but helps to limit the data that is input for each verification transaction as the operator is able to associate certain data with the customer reference.
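The verification flow of Figure 1 and the operator's check of a shortened cryptogram can be sketched as follows. This is an added example, not code from the patent: it substitutes HMAC-SHA256 for the DES cryptogram the description presumes, and every name in it (`cryptogram`, `reader_sign`, `OperatorHost`, the device and card identifiers, the key) is a hypothetical, constructed value.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, fields, digits=8):
    """MAC the fields and shorten the result to a code short enough to key in.

    Assumption: HMAC-SHA256 stands in for the DES cryptogram of the patent.
    """
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # "Just a section of the cryptogram": keep a fixed number of decimal digits.
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def reader_sign(key, card_id, card_auth_ok, pin_ok, challenge, amount=""):
    """Card reading device (2): sign outcome, card details, challenge, amount."""
    outcome = "OK" if (card_auth_ok and pin_ok) else "FAIL"
    return cryptogram(key, [outcome, card_id, challenge, amount])


class OperatorHost:
    """Operator host (5): pre-registered data, challenges, verification."""

    def __init__(self):
        self.devices = {}  # device_id -> (device key, pre-registered card_id)
        self.pending = {}  # txn_id -> (device_id, challenge, amount)

    def register(self, device_id, key, card_id):
        # Pre-registration: card details never need to be keyed per transaction.
        self.devices[device_id] = (key, card_id)

    def start(self, txn_id, device_id, amount=""):
        # Random/unpredictable input (9), bound to this transaction by the host.
        challenge = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = (device_id, challenge, amount)
        return challenge

    def verify(self, txn_id, code):
        # Pop first: each challenge allows one attempt, so a replayed or
        # guessed code cannot be retried against the same transaction.
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return False
        device_id, challenge, amount = entry
        key, card_id = self.devices[device_id]
        # The host only accepts a cryptogram over a successful outcome.
        expected = cryptogram(key, ["OK", card_id, challenge, amount])
        return hmac.compare_digest(expected.encode(), str(code).encode())


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key, not a real device key
    host = OperatorHost()
    host.register("reader-1", key, "CARD-0001")
    ch = host.start("txn-1", "reader-1", amount="1250")
    code = reader_sign(key, "CARD-0001", True, True, ch, "1250")
    print("challenge", ch, "code", code, "accepted", host.verify("txn-1", code))
    print("replay accepted", host.verify("txn-1", code))
```

The code length sets the odds of a blind guess succeeding (one in 10^8 here), which is why the host discards the challenge after a single attempt.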

Claims (9)

  1. A remote cardholder verification process that securely and verifiably authenticates the holder of a chip card through a simple card reader interacting with a remote host system using minimal data input. This authentication is demonstrably linked to the underlying activity or transaction.
  2. A card reading device to be used in the process in Claim 1, to manage the interaction with the chip card and user and to sign information to be sent to the operator
  3. A remote cardholder verification process, as claimed in Claim 1., which allows for secure authentication of the cardholder without direct connectivity between the card reading device and the communications device and operator.
  4. A remote cardholder verification process, as claimed in Claims 1. and 3., which requires minimal data input by the user into the card reading device and communications device.
  5. A remote cardholder verification process, as claimed in any preceding claims which links the verification of the user to acceptance/acknowledgement of a value for a payment transaction
  6. A remote cardholder verification process, as claimed in any preceding claims which does not require secure or confidential transfer of information between the device and the operator host system for authentication to be achieved
  7. A remote cardholder verification process, as claimed in any preceding claims which uses the existing functionality of chip cards issued for other purposes, without the need for any modification of the chip cards
  8. A remote cardholder verification process, as claimed in any preceding claims which may be used across a variety of communications devices including mobile phones, set top boxes, fixed telephones or PCs linked to dedicated communications or internet
  9. A remote cardholder verification process, as claimed in any preceding claims which may support a variety of transactions including access to restricted, secret or confidential information, making value payments, commercial transactions or contractual commitments
    Claims
    1. a remote cardholder verification process that securely and verifiably authenticates the holder of a chip card, and associates the verification with the underlying activity or transaction, through a simple card reader interacting with, but not electronically connected with, a host system using a minimal exchange of data suitable to be keyed by the user.
    2. a card reading device to be used in the process in Claim 1, to manage the interaction with the chip card and user and to sign information to be sent to the operator
    3. a remote cardholder verification process, as claimed in Claim 1., which allows for secure authentication of the cardholder without direct connectivity between the card reading device and the communications device and operator.
    4. a remote cardholder verification process, as claimed in Claims 1. and 3., which requires minimal data input by the user into the card reading device and communications device.
GB0107431A 2001-03-24 2001-03-24 Remote cardholder verification process Withdrawn GB2373616A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0107431A GB2373616A (en) 2001-03-24 2001-03-24 Remote cardholder verification process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0107431A GB2373616A (en) 2001-03-24 2001-03-24 Remote cardholder verification process

Publications (2)

Publication Number Publication Date
GB0107431D0 GB0107431D0 (en) 2001-05-16
GB2373616A true GB2373616A (en) 2002-09-25

Family

ID=9911498

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0107431A Withdrawn GB2373616A (en) 2001-03-24 2001-03-24 Remote cardholder verification process

Country Status (1)

Country Link
GB (1) GB2373616A (en)

Also Published As

Publication number Publication date
GB0107431D0 (en) 2001-05-16

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)