GB2373616A - Remote cardholder verification process - Google Patents
- Publication number
- GB2373616A
- Authority
- GB
- United Kingdom
- Prior art keywords
- remote
- verification process
- cardholder
- cardholder verification
- card
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/42—User authentication using separate channels for security data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/409—Device specific authentication in transaction processing
- G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
- G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/22—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
- G07C9/23—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
Landscapes
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Accounting & Taxation (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Computer Networks & Wireless Communication (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Finance (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
Securely and verifiably authenticating the holder of a chip card 1 and associating the verification with the underlying transaction between the cardholder 3 and remote host system 5, using a simple card reader 2 interacting indirectly with the remote host system 6 via a communications device 4, e.g. mobile phone. Chip card 1, e.g. bank payment card, is inserted in chip reading device 2, whereupon routine card authentication 6 and cardholder verification procedures 8 are performed. The user 3 inputs a random/unpredictable input, sent by host system 5 to communications device 4, into chip reading device 2 (9). Device 2 signs the outcome of the authentication and verification process, transaction details, and random input, and displays minimum data to the user who keys this into the communications device for verification by the operator host, 10. Thus the process does not rely on the exchange of secret information over open communications. To minimise data exchange for any single transaction, routine data may be pre-registered with the host system.
Description
Remote Cardholder Verification Process
This invention relates to a unique and innovative process to securely and verifiably identify the holder of a chip card through a simple card reader interacting with a remote host system using minimal data input. This identification is irrefutably linked to the underlying activity or transaction.
Although various solutions have been introduced by banks and other organisations which use a chip card to verify the cardholder and authorise a transaction, these solutions require a terminal device with a predominantly online connection for the collection, exchange and control of data. This invention supports the use of the same cards but, through a special card reader and unique exchange of cryptographic data, achieves the same objective but without the need for direct connectivity between the card/device and the remote host system, making the process suitable for customer operated devices such as mobile phones, fixed line telephones, PCs, set top boxes and other communications devices.
The information required to securely authenticate the cardholder can be simply relayed from the card reader device to the communication system (such as a mobile phone) by minimal data input, for example, by the cardholder via the key pad of the phone. The process can support commonly issued chip cards, such as bank payment cards and other cards respecting known international standards.
The process does not require any pre-agreement or shared secrets/knowledge between the operator of the process and the chip card issuer. The process operator can be sure that the transaction has been initiated by the approved holder of the card and this proof is irrefutably linked to features of the current transaction (whatever this task might be).
The process uses simple cryptographic processes between the operator and the card reading device to confirm the authentication of the cardholder and to uniquely relate the authentication to the process in hand. The process does not rely on the exchange of secret information over open communications. No confidential data is exchanged between the communication device and the operator during the transaction. A benefit of the solution is that the process is very simple for the cardholder and operates under the control of the operator. If required in particular implementations, however, critical data may be made secret through encryption.
The process may be employed for a variety of transactions that need to securely authenticate/verify the cardholder such as secure access to personal, secret or restricted information, giving instructions relating to transactions or the payment of value, instructions authorising commerce or trade or entering contractual agreements.
The invention relates to the unique operations and information flows associated with the solution, not the underlying technology of the payment transactions which are widely known and published.
Figure 1 shows a diagrammatic representation of a typical verification transaction.
A chip card (1) is inserted in a chip reading device (2) which initiates a standard chip card transaction. During this transaction the device, in conjunction with the card and cardholder/user (3), performs routine card authentication (6) and cardholder verification procedures (8) as are used for normal payment transactions. Typically this requires the entry of the cardholder's Personal Identification Number, but other common verification techniques may be used. Where the underlying transaction involves the cardholder acknowledging an amount, this is displayed to the cardholder prior to verification (7).
The device is provided with random/unpredictable input (9) from the operator host system (5), communicated via the communications device (4) and entered by the user (3) into the device (2). The operator host system is able to relate this random/unpredictable input to the underlying transaction.
The device (2) cryptographically signs the outcome of the authentication and verification process, card details, the random input and, if appropriate, the amount.
The minimum data necessary (10) is displayed to the user (3) who keys this into the communication device to be verified by the operator host.
The data returned to the operator host is sufficient for the host to prove cryptographically that the necessary card procedures have been performed and relate this uniquely to the underlying transaction.
To minimise the data required to be exchanged between the card reading device and the communications device for any single transaction, wherever possible, routine data (such as card details, pre-agreed amounts, user information) is pre-registered with the operator host. This pre-registration may be performed before the device is issued or as a separate transaction, similar in principle to the verification transaction described above but different in content.
The verification transaction flow is independent of the underlying action for which user verification is sought. However, the input required to the device may vary according to the exact implementation. For example, sometimes an amount will be required if the verification is related to a payment whereas for other uses (such as providing access to confidential information) this will not be relevant.
A typical configuration of the process is described with reference to figure 1.
The process does not assume any particular cryptographic solution, although for ease of illustration the following section presumes the use of symmetric secret key cryptography, for example the DES algorithm.
Chip Card (1)
The process can use any common standards based chip card that performs cardholder verification and card authentication. The process does not require special functionality within the chip card application. The process conducts a standard transaction with the card and then the card reading device uniquely and securely links the outcome of the card authentication and cardholder verification with the details of the transaction and the random input from the operator.
Card Reading Device (2)
The card reading device comprises a numeric key pad, display and chip card reader.
The device contains an application that:
* supports the initial steps of the appropriate chip card transaction
* can secretly retain details of pre-registered cards (typically one, but more if required). Information is retained by the device, authorised by encrypted messages keyed by the user received from the operator host via the communication device. Pre-registering cards reduces the data input required to complete a single authentication in due course
* is capable of generating DES cryptograms (or other appropriate cryptographic processes) using fixed or derived keys, over various data-sets (different for each of the normal functions)
* will occasionally encrypt/decrypt critical or secret information
* is capable of decrypting DES cryptograms (or other appropriate cryptographic processes) and using the information to store data, or authorise the use of data for this purpose
* stores secret keys and other semi-permanent information with various levels of authorised access
Operator (5)
The operator will require a system that will:
* store details relating to specific card reading devices, registered cards and other customer information (such as the mobile phone number or internet service provider identification)
* generate random challenges for each transaction
* verify the cryptograms received via the communications device. These will often be just a section of the cryptogram (to reduce data input) and will relate to data that is either pre-registered with the operator or is included in the transaction message
* perform whatever business function is expected once the user verification has been completed. This may be providing information, making transactions or recording specific customer instructions
Communications Device (4)
The process does not rely on any specific communications device. The device must be capable of receiving information from the operator (5) and displaying this to the user (3) (eg a small display, audio instructions). The device must also be capable of taking input from the user and transmitting this to the operator (eg via a keypad, audio).
The card reading device may be uniquely associated with a particular communications device (eg associated to a mobile phone number) or to a particular customer (eg the client number of an internet service provider or home banking user). This association is not essential, but helps to limit the data that is input for each verification transaction as the operator is able to associate certain data with the customer reference.
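The verification transaction described above, sketched as an added example (not code from the patent or from any product): the reader turns the card/PIN outcome, pre-registered card reference, keyed-in challenge and amount into a short code, and the operator host recomputes it. HMAC-SHA256 stands in for the DES cryptogram the text mentions; the field layout, six-digit challenge, eight-digit code, retry cap and all names are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8      # length of the code the user keys into the phone (assumed)
MAX_TRIES = 3   # wrong codes tolerated per challenge (assumed)


def response_code(key, card_ref, challenge, amount_minor, card_ok, pin_ok):
    """Reader side: MAC outcome, card, challenge and amount, then shorten."""
    fields = [b"rcv1", card_ref.encode(), challenge.encode(),
              str(amount_minor).encode(), bytes([card_ok, pin_ok])]
    # Length-prefix every field so two different inputs never share a message.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class OperatorHost:
    def __init__(self):
        self.devices = {}  # device_id -> (key, pre-registered card reference)
        self.pending = {}  # tx_id -> [device_id, amount_minor, challenge, tries]

    def register(self, device_id, key, card_ref):
        self.devices[device_id] = (key, card_ref)

    def start(self, tx_id, device_id, amount_minor):
        """Issue an unpredictable challenge tied to this transaction."""
        challenge = f"{secrets.randbelow(10**6):06d}"
        self.pending[tx_id] = [device_id, amount_minor, challenge, 0]
        return challenge

    def verify(self, tx_id, code):
        """Recompute the code from host-held data; accept each challenge once."""
        tx = self.pending.get(tx_id)
        if tx is None:
            return False  # unknown, already used, or locked out
        device_id, amount_minor, challenge, _ = tx
        key, card_ref = self.devices[device_id]
        # The host only accepts the "card authenticated, PIN verified" outcome.
        expected = response_code(key, card_ref, challenge, amount_minor, True, True)
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[tx_id]
            return True
        tx[3] += 1
        if tx[3] >= MAX_TRIES:
            del self.pending[tx_id]  # short codes are guessable: cap attempts
        return False


def demo():
    host = OperatorHost()
    key = secrets.token_bytes(32)  # constructed key shared by reader and host
    host.register("reader-01", key, "card-0001")
    challenge = host.start("tx-1", "reader-01", 2599)
    good = response_code(key, "card-0001", challenge, 2599, True, True)
    other_amount = response_code(key, "card-0001", challenge, 9999, True, True)
    pin_failed = response_code(key, "card-0001", challenge, 2599, True, False)
    return {
        "other_amount": host.verify("tx-1", other_amount),
        "pin_failed": host.verify("tx-1", pin_failed),
        "good": host.verify("tx-1", good),
        "replay": host.verify("tx-1", good),
    }


if __name__ == "__main__":
    print(demo())
```

Because only a section of the cryptogram is keyed in, the single-use challenge and the attempt cap carry much of the protection against guessing and replay.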
Claims (9)
- Claims 1. a remote cardholder verification process that securely and verifiably authenticates the holder of a chip card through a simple card reader interacting with a remote host system using minimal data input. This authentication is demonstrably linked to the underlying activity or transaction.
- 2. a card reading device to be used in the process in Claim 1, to manage the interaction with the chip card and user and to sign information to be sent to the operator
- 3. a remote cardholder verification process, as claimed in Claim 1., which allows for secure authentication of the cardholder without direct connectivity between the card reading device and the communications device and operator.
- 4. a remote cardholder verification process, as claimed in Claims 1. and 3., which requires minimal data input by the user into the card reading device and communications device.
- 5. a remote cardholder verification process, as claimed in any preceding claims which links the verification of the user to acceptance/acknowledgement of a value for a payment transaction
- 6. a remote cardholder verification process, as claimed in any preceding claims which does not require secure or confidential transfer of information between the device and the operator host system for authentication to be achieved
- 7. a remote cardholder verification process, as claimed in any preceding claims which uses the existing functionality of chip cards issued for other purposes, without the need for any modification of the chip cards
- 8. a remote cardholder verification process, as claimed in any preceding claims which may be used across a variety of communications devices including mobile phones, set top boxes, fixed telephones or PCs linked to dedicated communications or internet
- 9. a remote cardholder verification process, as claimed in any preceding claims which may support a variety of transactions including access to restricted, secret or confidential information, making value payments, commercial transactions or contractual commitments
- Claims 1. a remote cardholder verification process that securely and verifiably authenticates the holder of a chip card, and associates the verification with the underlying activity or transaction, through a simple card reader interacting with, but not electronically connected with, a host system using a minimal exchange of data suitable to be keyed by the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0107431A GB2373616A (en) | 2001-03-24 | 2001-03-24 | Remote cardholder verification process |
Publications (2)
Publication Number | Publication Date |
---|---|
GB0107431D0 (en) | 2001-05-16 |
GB2373616A (en) | 2002-09-25 |
Family
ID=9911498
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB0107431A Withdrawn GB2373616A (en) | 2001-03-24 | 2001-03-24 | Remote cardholder verification process |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2373616A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) |