JP2003271885A - Information leakage prevention system in credit card settlement - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information leakage prevention system making a card hard to be abused and preventing information needed for trade from being known by a third person. <P>SOLUTION: A card 4 is provided having only a card key stored therein without storing therein or stating thereon a card number, the term of validity, or the like, while making the card key and the card number and password peculiar to a customer correspond to each other, are stored in a database 7 of an independent host computer 2. In trading, a card key read from the card 4 via a card data reader 5 and a password inputted by a customer are transferred to the computer 2, it is judged whether the card 4 and the customer are real or false by means of processing on the computer 2 side, and only the judgement result is fed back to a terminal 1 for an outlet to determine whether credit settlement can be carried out or not. Since the card 4 has no storage or statement of the card number, the term of validity, or the like, even if the customer loses the card 4 or has it stolen, a third person can not appropriate information such as a card number, term of validity, or the like, from the card 4. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an improvement of an information leakage prevention system in credit card settlement, particularly to prevention of illegal use of a card which may occur due to the theft or loss of the card, and further to a store side. The present invention relates to improvements for preventing unauthorized reading of card-related data by employees.

[0002]

2. Description of the Related Art In the case of shopping at a store, the authenticity judgment when using a credit card is to judge the authenticity of the customer by the handwriting of the signature, or the correspondence between the card number and the personal identification number is determined by the store terminal. It is general that the automatic determination is carried out by confirming. However, in the case of transactions on the Internet, it is practically impossible to check the handwriting, and the act of entering a personal identification number is often shunned due to security issues. No credit card name, card number,
By entering data such as the card's validity period and name, a program is set up so that a contract is automatically established.

[0003]

A security measure for improving the safety of a credit card against fraudulent acts carried out by a store is disclosed in, for example, Japanese Patent Laid-Open No. 2001-117873. As described above, after requesting the user to input the identification ID prior to inputting the personal identification number to the terminal, the server transmits the unique information stored in the server and associated with the identification ID and known only to the user to the terminal. It is known that the terminal is displayed and the user is allowed to confirm whether or not the terminal is proper, and then input of important information such as a personal identification number is started.

Separately from this, as a technique for preventing unauthorized use of a card, for example, Japanese Patent Application Laid-Open No. 60-10.
As disclosed in No. 5071, a sub-personal identification number is generated by performing arithmetic processing by the store terminal based on the main personal identification number and other information stored in the card, and the user inputs a key to the store terminal. A system has been proposed in which the validity of the card is confirmed by comparing the coincidence and non-coincidence between the generated number and the sub-password.

However, in the technique disclosed in Japanese Patent Laid-Open No. 2001-117873, the user can only confirm the authenticity of the terminal, and does not take any measures against the unauthorized use of the card caused by the theft or loss of the card. In other words, a third party who acquires a stolen or lost card can still improperly use the card by imitating the handwriting written on the card, and the credit company name and card number written on the card surface. It is possible to make a transaction on the Internet by entering data such as the validity period of the card and name.

The technique of Japanese Patent Laid-Open No. 60-105071 has the same problem as described above, and in the case where an employee or the like on the store side operates the store terminal with malicious intent, the main security code is used. There is no guarantee that the sub-password, which is the calculation result, will not be illegally read from the card or the shop terminal.

[0007]

SUMMARY OF THE INVENTION Therefore, an object of the present invention is to solve the above-mentioned drawbacks of the prior art, to make it difficult to illegally use a lost or stolen card, and to provide the information itself necessary for the transaction to a third party. It is to provide an information leakage prevention system in credit card settlement that is unknown to the public.

[0008]

In order to achieve the above object, the present invention provides a store terminal equipped with a card data reading device and a manual data input device, a customer-specific card number and a personal identification number, and the card number. A host computer installed independently from a retail store, which includes a database in which customer specific data having no correlation is associated and stored, and a communication line for communicatively connecting the store terminal and the host computer. An information leakage prevention system in a credit card payment, which is formed by a card lent to a customer by storing only customer specific data without describing a card number and an expiration date. The customer-specific data read by the device is sent to the host computer via the communication line and Card data availability judgment means for judging whether the card can be used based on the authenticity judgment result of the card transmitted from the computer, and manual data input only when the card usage is permitted by the card usage availability judgment means. A credit settlement approval / disapproval determining means for transmitting the personal identification number input by the device to the host computer through the communication line to the host computer, and determining whether the credit settlement is possible based on the authenticity determination result of the customer transmitted from the host computer; Only when the credit settlement is permitted by the credit settlement propriety judging means, store side credit settlement executing means for transmitting and receiving data to and from the host computer via the communication line to execute the credit settlement processing is provided, The host computer is provided with a reference sent from the store terminal. A card authenticity determination that receives specific data, determines the authenticity of the card based on whether or not the customer specific data is stored in the database, and transmits the card authenticity determination result to the store terminal via the communication line. Means for receiving the personal identification number transmitted from the store terminal, and judging the authenticity of the customer based on whether or not the personal identification number is stored in the database corresponding to the customer identification data, and the communication line The customer authenticity determination means for transmitting the customer authenticity determination result to the store terminal via the store terminal and the store terminal via the communication line only when the customer authenticity is confirmed by the customer authenticity determination means. Host-side credit settlement execution means for transmitting / receiving data to / from the host to execute credit settlement processing based on the card number corresponding to the customer identification data. It has a configuration characterized by that.

In the above structure, first, the card data reading device of the shop terminal reads the customer specifying data from the customer's card and sends it to the host computer via the communication line. The host computer that receives the customer identification data determines the authenticity of the card based on whether or not the customer identification data is stored in the database. That is, if the customer identification data is stored in the database, the determination result by the card authenticity determination means is true, and if the customer identification data is stored in the database, the determination result is false. This determination result is transmitted to the store terminal via the communication line. The card availability determination means of the store terminal that has received the card authenticity determination result permits the card to be used if the card authenticity determination result is true, and the card authenticity is determined if the card authenticity determination result is false. Ban the use,
The process ends. Here, when the use of the card is permitted by the card availability determination means, the personal identification number input by the customer by the manual data input device is transmitted to the host computer through the communication line. The host computer which has received the personal identification number determines the authenticity of the customer based on whether or not the personal identification number is stored in the database in correspondence with the customer specifying data. That is, if the personal identification number is stored in the database in correspondence with the customer identification data, the result of the determination by the customer authenticity determination means is true, and the personal identification number is stored in the database in association with the customer identification data. If not, the judgment result is fake. This determination result is transmitted to the store terminal via the communication line, and the operation of the host side credit settlement execution means is permitted only when the customer authenticity determination means confirms the validity of the customer. On the other hand, the credit settlement approval / disapproval determination means of the store terminal that has received the customer's authenticity determination result permits the credit settlement if the customer's authenticity determination result is true, and credits the customer's authenticity determination result. Prohibit payment and end the process. Here, when the credit settlement is permitted by the credit settlement propriety judging means, the store side credit settlement executing means provided in the store terminal is activated and a communication line with the host side credit settlement executing means. The data is transmitted and received via and the credit settlement process is executed. The host-side credit settlement execution means refers to the above-mentioned database and executes the credit settlement processing based on the card number corresponding to the customer identification data. The card used here only stores customer specific data and does not store any information such as the card number and expiration date, so it is not possible to steal information such as the card number and expiration date from the card itself. . In addition, the host computer provided with the database is installed independently from the store, and only the determination result regarding whether or not the card can be used and the determination result regarding the authenticity of the customer are transmitted from the host computer to the store terminal. Since the credit settlement processing means on the host side performs the credit settlement processing based on the card number corresponding to the customer identification data by referring to the database, the employee of the store, etc., illegally operates the store terminal. It is difficult to retrieve the card number or PIN from the database of the host computer even if it is used for. Furthermore, since the card number and expiration date are not stated on the card itself and the customer specific data stored in the card has no correlation with the card number, even if the card itself is stolen or lost, It is impossible for a third party to illegally obtain data such as the credit company name, card number, and validity period of the card. Therefore, this card cannot be used to carry out illegal transactions on the shop or on the Internet.

Further, when the customer specific data is read from the card by the card data reading device and transmitted to the host computer, the store code is transmitted together, and when the host computer receives the customer specific data and the store code, A unique processing code corresponding to the customer identification data and the store code may be generated and used for communication with the store terminal.

When such a configuration is applied, a newly generated transaction can be specified by a processing code, and a store targeted for the transaction can be identified. Therefore, a single host can be used. By computer
Requests from multiple retailers and multiple customers can be processed substantially in parallel.

Here, the host computer can be installed in the facility of a credit company that manages card numbers and personal identification numbers unique to customers.

The security of the database can be ensured by installing the host computer in the facility of the credit company independent of the store.

Also, by installing a host computer in a credit company cooperation customer management facility that collectively manages data of a plurality of credit companies, the security of the database can be secured at the same level as described above.

As described above, the card number and the personal identification number unique to the customer are managed in the database based on the customer specific data. Therefore, as long as the customer specific data is not duplicated, it is issued by a large number of credit companies. The card number and personal identification number can be centrally managed by a single host computer.

[0016]

DETAILED DESCRIPTION OF THE INVENTION Embodiments of the present invention will be described in detail below with reference to the drawings. FIG. 1 is a block diagram showing an outline of an information leakage prevention system of an embodiment to which the present invention is applied.

As shown in FIG. 1, this information leakage prevention system includes a plurality of store terminals 1 installed at each store.
And a host computer 2 installed in the facility of the credit company, and a dedicated line or a communication line 3 such as the Internet for communicatively connecting the store terminal 1 and the host computer 2, and is lent to each customer. Card 4 and As the store terminal 1 and the host computer 2, a dedicated processing device, a personal computer, a workstation, or the like can be used. As the card 4, a magnetic card that stores data in a magnetic stripe, or
An IC card or the like that stores data in the built-in IC chip can be appropriately selected and used.

Each store terminal 1 includes a card data reading device 5 for reading the information stored in the card 4 owned by the customer, a ten-key pad used when the customer inputs a personal identification number, and the like. A manual data input device 6 is connected, and the host computer 2 stores customer identification data (hereinafter referred to as a card key) that is associated with the customer's unique card number and personal identification number and has no correlation with this card number. A database 7 including a hard disk drive and the like is connected.

FIG. 2 is a conceptual diagram showing an example of data stored in the database 7. Records for each customer consisting of five fields are set in the database 7, and the customer's card number, personal identification number, and card key are fixedly stored in each record, while the processing code and store code are rewritten appropriately. It is supposed to be remembered.

In this embodiment, since it is premised that there is only one credit company, card numbers do not overlap between records. The card number here is a code for customer management. Specifically, in a conventional credit card, it is a numerical value sequence divided into 3 blocks or 4 blocks that is highlighted on the surface of the card. That is.

Since the personal identification number is normally registered by the customer's notification, the duplicated contents may be used between the records. The personal identification number here is an ID for authentication in important processing.
Is a code used as, for example, a value input to the terminal of the cash dispenser at the time of cashing in a conventional credit card.

The card key is a new component unique to this embodiment, and in the conventional credit card,
There is no code corresponding to this card key. This card key is set so that it will not be duplicated between the records and that it will not be correlated with the card number or the personal identification number. Further, in a transaction using a store or the Internet, the card key cannot be used in place of the above-mentioned confirmation of the card number.

The number of fields in each record may be increased so that the valid period of the card, the customer's address and name, etc. are fixedly stored.

On the other hand, the processing code is a code that is temporarily set in order to identify a transaction in the process of processing, and the store code indicates the store targeted for the transaction at that time. It is a temporary code needed to identify. The field that stores the processing code and the store code is initially unstored,
When the transaction in process is completed, the values of these fields are returned to the initial state again.

FIG. 3 shows an example of the appearance of the card 4. This card 4 is lent to a customer by a credit company, and the magnetic stripe or IC chip stores only the card key of the various data described above. In addition, the card number and expiry date are indicated by a magnetic stripe or I
It is an essential constituent requirement of the card 4 that it is not stored in the C chip and that it is not described in the card.

However, the card key may be described on the card 4. Further, in this embodiment, in order to facilitate the identification regarding the validity of the customer, a face photograph is attached to the card 4.

FIG. 4 is a flow chart showing an outline of processing executed by the CPU of the store terminal 1, and FIG.
3 is a flowchart showing an outline of processing executed by the CPU of the host computer 2.

Next, with reference to FIG. 4 and FIG. 5, card use availability determination means 1a and credit settlement availability determination means 1b.
The processing operations of the store terminal 1 functioning as the store-side credit settlement execution means 1c, the card authenticity determination means 2a, the customer authenticity determination means 2b, and the host computer 2 functioning as the host-side credit settlement execution means 2c will be described in detail. .

The CPU of the store terminal 1 which has started the processing upon receiving the power is turned on by the card data reading device 5 first.
It is determined whether or not the card 4 is inserted into the card (step a1), and if the insertion of the card 4 is not detected, only the determination process of step a1 is repeatedly executed as it is, and a standby state waiting for the insertion of the card 4 is entered. .

When it is detected by the judgment processing in step a1 that the card 4 is inserted into the card data reading device 5 by a customer or an employee of a store, the card functions as a part of the card usability judgment means 1a. The CPU of the store terminal 1 reads the card key stored in the magnetic stripe of the card 4 or the IC chip via the card data reading device 5 (step a2), and stores the card key in a store unique to the store. The code is transmitted to the host computer 2 via the communication line 3 (step a3), and a standby state waiting for the input of the determination result from the host computer 2 is entered (step a4).

On the other hand, the CPU of the host computer 2 which has started the processing when the power is turned on is the CP of the store terminal 1.
Processing for detecting the input of the card key and store code transmitted from U (step b1), and C of the store terminal 1
The process for detecting the input of the personal identification number transmitted from the PU (step b9) is repeatedly executed, and the card key and the store code transmitted from the CPU of the store terminal 1 are verified by the process of step b1. It is detected by the host computer 2 which functions as a part of the judging means 2a.

C of the host computer 2 which has detected this
After temporarily storing this card key and store code (step b2), the PU refers to the card key field in each record of the database 7 as shown in FIG. 2 (step b3), It is determined whether the card key sent from the CPU is already stored in any record of the database 7 (step b).
4).

When the card key read in the process of step b2 is stored in any record of the database 7, this card key, that is, the card 4 currently targeted for transaction is registered. The CPU of the host computer 2 that functions as a part of the card authenticity determination means 2a,
In order to specify this transaction, a unique processing code corresponding to this card key and store code is newly generated (step b5), and a record specified by the card key in the database 7 as shown in FIG. In the store code field and the process code field, the store code read in the process of step b2 and the process code generated in the process of step b5 are temporarily stored (step b6), and the store read in the process of step b2. For the CPU of the store terminal 1 that has the code,
The authenticity determination result indicating that the card 4 is authentic and the processing code generated in the process of step b5 are transmitted via the communication line 3 (step b7).

If the processing code B4 is generated when the CPU of the store terminal 1 having the store code B5 transmits the card key B1, the card key B1 is stored in the database 7 as shown in FIG. The store code B5 is temporarily stored in the store code field of the second specified record, and the process code B4 is temporarily stored in the process code field of the same record.
Further, the CPU of the store terminal 1 having the store code B5
Then, the authenticity determination result indicating that the card 4 having the card key B1 is authentic and the processing code B4 are transmitted.

In the subsequent processing, all communication between the CPU of the host computer 2 and the CPU of the shop terminal 1 is performed based on the above-mentioned processing code, so that it becomes important transaction data. There is no need to disclose the customer's card number and personal identification number to the retailer.

If the card key read in the process of step b2 is not stored in any record of the database 7, this card key is not registered in the database 7, that is, the transaction is currently performed. The CPU of the host computer 2 that functions as a part of the card authenticity determination means 2a means that the card 4 that is the target of the counter is a counterfeit, and the store terminal that has the store code read in the process of step b2. 1 CPU
Then, the authenticity determination result indicating that the card 4 is a fake is transmitted via the communication line 3 (step b8).

For example, when the card key D1 is transmitted from the CPU of one of the store terminals 1, the card key corresponding to this D1 is not registered in the database 7, so that the store key of the store terminal 1 that transmitted the card key D1 is not registered. Card 4 for CPU
The authenticity determination result indicating that is a fake is transmitted.

On the other hand, the CPU of the store terminal 1 which has been waiting for the input of the determination result from the host computer 2 detects the input of the determination result from the host computer 2 in the process of step a4, and then the host computer 2 The transmitted authenticity determination result and the processing code are temporarily stored (step a5), and it is determined whether the authenticity determination result means authenticity or a counterfeit (step a6).

Here, if the result of the authenticity judgment means the authenticity, the CPU of the store terminal 1 functioning as a part of the card usable / unusable judging means 1a permits the use of the card 4 and manually. A standby state waiting for the input of a personal identification number from the data input device 6 is entered (step a7).

When the customer operates the manual data input device 6 and inputs the personal identification number, the CPU of the store terminal 1 which functions as a part of the credit settlement approval / disapproval judging means 1b.
Transmits the processing code temporarily stored in the processing of step a5 and the personal identification number detected in the processing of step a7 to the host computer 2 via the communication line 3 (step a
8) Then, a standby state for waiting for the input of the determination result from the host computer 2 is entered (step a9).

The processing code and the personal identification number transmitted from the CPU of the shop terminal 1 are detected by the host computer 2 functioning as a part of the customer authenticity judging means 2b by the judgment processing in step b9.

C of the host computer 2 which has detected this
The PU reads the personal identification number and the processing code transmitted from the shop terminal 1 (step b10), refers to the processing code field in each record of the database 7 as shown in FIG. 2, and executes the processing of step b10. A record temporarily storing the read processing code is obtained, and the personal identification number stored in the record specified by the card key corresponding to the processing code is compared with the personal identification number read in the processing of step b10 (step b11). ), It is determined whether the two match (step b12).

Here, if the personal identification number read in the process of step b10 matches the personal identification number of the record specified by the card key corresponding to the processing code read in the process of step b10, this personal identification number. Card 4 for which the customer who entered the number is currently the target of the transaction
Means that it is the proper owner of the card 4 having the card key specified by the processing code read in the processing of step b10. The CPU of the host computer 2 functioning as a unit is the CPU of the store terminal 1 having the store code read in the process of step b10,
The authenticity determination result indicating that the customer is the genuine owner is transmitted via the communication line 3 (step b13).

Assuming that the personal identification number B is obtained in the processing of step b10.
Assuming that 3'and the processing code B4 are read, FIG.
As shown in FIG. 3, the secret code B3 stored in the secret code field of the second record of the database 7 corresponding to the card key B1 specified by the processing code B4.
And the personal identification number B3 'input by the customer are compared, and only when they match each other, the CPU of the store terminal 1 having the store code B5 corresponding to the processing code B4
Then, the authenticity determination result indicating that the customer is the genuine owner is transmitted.

When the determination result of step b12 becomes true in this way, the CPU of the host computer 2 functioning as the host-side credit settlement execution means 2c
Is the CPU of the store terminal 1 having the store code temporarily stored in the record corresponding to the card key specified by the process code read in the process of step b10, that is, the store read in the process of step b10 A record corresponding to the card key which is allowed to transmit and receive the payment data to and from the CPU of the store terminal 1 having the code through the communication line 3 and which is specified by the process code read in the process of step b10. In the same manner as the conventional method, the credit card settlement process is executed for the card number stored in (step b14). Further, the confirmation process regarding the expiration date of the card 4 and the like is also performed in the same manner as in the related art in the process of step b14.

Therefore, it is assumed that the personal identification number B3 'and the processing code B4 are read in the processing of step b10, and the personal identification number field of the second record of the database 7 corresponding to the card key B1 specified by the processing code B4 is entered. If the personal identification number B3 stored in the personal identification number coincides with the personal identification number B3 'input by the customer and the determination result in step b12 is true, the record corresponding to the card key B1 specified by the processing code B4 is recorded. The card key specified by the process code B4 is allowed to be transmitted and received between the CPU of the store terminal 1 having the store code B5 temporarily stored and the host computer 2 via the communication line 3. For the card number B2 stored in the record corresponding to B1, the CPU of the store terminal 1 having the store code B5 and So that the credit of the settlement process between the strike computer 2 is performed.

In this case, the authenticity determination result transmitted from the CPU of the host computer 2 in the process of step b13 is the step a executed by the CPU of the store terminal 1 having the store code read in the process of step b10.
It will be detected in the processing of 9.

After reading the determination result (step a10), the CPU of the store terminal 1 functioning as the credit settlement approval / disapproval determination means 1b means whether the result of the authentication is true or false. It is determined whether it is a thing (step a11).

Here, if the result of the authenticity judgment means authenticity, the CPU of the store terminal 1 functioning as the credit settlement approval / disapproval judging means 1b uses the card 4 by the customer who inputs the personal identification number. Allow to perform credit settlement. Then, the CPU of the store terminal 1 functioning as the store-side credit settlement execution means 1c transmits / receives the settlement data to / from the host computer 2 via the communication line 3 based on the processing code temporarily stored in the processing of step a5. Then, the credit settlement processing is executed in the same manner as in the past (step a12). As described above, in the process of step b14 on the host computer 2 side, the host functioning as the host-side credit settlement execution means 2c targets the card number stored in the record corresponding to the card key specified by this process code. The CPU of the computer 2 will perform credit settlement processing.

Then, the store side credit settlement execution means 1
When the credit settlement processing (steps a12 and b14) between the CPU of the store terminal 1 functioning as c and the CPU of the host computer 2 functioning as the host-side credit settlement execution means 2c is completed, the store terminal 1 The CPU returns to the initial standby state again and waits for another customer or an employee of the store to insert another card 4 into the card data reading device 5. In addition, the CPU of the host computer 2 completes the transaction by deleting the data of the processing code and the data of the shop code which are temporarily stored in the record of the database 7 corresponding to the processing code read in the processing of step b10. Is stored (step b16), and the process returns to the initial standby state of waiting for the input of the card key and the store code or the input of the personal identification number transmitted from the store terminal 1.

Therefore, if the processing code B4 and the shop code B5 are read in the processing of step b10, the processing code B4 and the shop code B5 are deleted from the second record of the database 7, and the card It is stored that the settlement process of the card number B2 corresponding to the key B1 is completed.

On the other hand, the personal identification number read in the processing of step b10 does not match the personal identification number of the record specified by the card key corresponding to the processing code read in the processing of step b10, and the judgment in step b12 is made. If the result is fake, it means that the user who entered this PIN is not the genuine owner of the card 4 that is currently the subject of the transaction, that is, the process read in step b10. It means that you are not the proper owner of the card 4 with the card key specified in the code,
The CPU of the host computer 2 functioning as a part of the customer authenticity determination means 2b is a fake user of this user via the communication line 3 to the CPU of the store terminal 1 having the store code read in the process of step b10. An authenticity determination result indicating that is is transmitted (step b15).

In this case, since the credit settlement process is prohibited, the CP of the store terminal 1 having the store code corresponding to the process code read in the process of step b10.
There is no need to send or receive any more data with U. Therefore, the CPU of the host computer 2 deactivates the processes of steps b13 and b14, and stores the data of the process code temporarily stored in the record of the database 7 corresponding to the process code read in the process of step b10 and the store. The code data is immediately deleted (step b16), and the initial standby state is restored.

On the other hand, the authenticity determination result transmitted from the CPU of the host computer 2 in the process of step b15 is executed by the CPU of the store terminal 1 having the store code read in the process of step b10, as described above. Will be detected in the processing of step a9.

However, in this case, since the determination result indicates that the user is a fake user, the determination result of step a11 becomes false, and in addition to the settlement processing of step b14 performed by the host computer 2, the store Terminal 1 C
The credit settlement process at step a12 in the PU is also not executed.

As described above, if it is determined from the determination result of step a11 or step a6 that the card 4 that is the object of the transaction is genuine but the user is a fake, or if the user is the object of the transaction. When the card 4 itself is found to be a fake, the CPU of the store terminal 1 displays an error message on the monitor and informs the employee of the store that there is a problem with the card 4 or the user. Notify (step a13).

Therefore, if the error message is displayed before the personal identification number is input, the cause of the abnormality is in the card 4, and if the error message is displayed after the personal identification number is input, the cause of the abnormality is present. It turns out that the user is.

Finally, the employee of the retail store stores the terminal 1 for the store.
When the reset key is operated, the CPU of the store terminal 1 detects the operation of the reset key in the process of step a14,
It will return to the initial standby state.

FIG. 6 is a schematic diagram showing a simplified data exchange among a customer, a store, and a credit company, corresponding to the above-described embodiment.

As shown in FIG. 6, the customer has to disclose only the card key stored and described in the card 4 at the time of transaction, and the data transmitted from the credit company to the dealer is also required. , Because it is only the processing code for identifying the transaction result in the process and the judgment result related to the authenticity of the card and the customer.
There is no problem that important information such as the card number and the expiration date of the card is leaked to the store side, and even if an employee of the store operates the store terminal 1 maliciously, the host computer Database 7 through 2
It is extremely difficult to steal your data.

Therefore, if the customer does not snoop on the operation of entering the personal identification number when using the card 4, the customer can surely receive important information such as the card number and the expiration date of the card from the employee of the store or another third party. I can protect.

Even if the card 4 is stolen or dropped, the person who illegally acquires the card 4 does not know the personal identification number of the card 4, so the card 4 and the shop terminal 1 are used. Unauthorized transactions cannot be made.

On the other hand, in the case of transactions using the Internet or the like, it is general that the input of the personal identification number is not required, but in that case, it is an essential requirement to input the card number and the expiration date of the card. Therefore, it is still impossible for a person who illegally acquires the card 4 to use the card 4 to carry out an illegal transaction.

Further, this card 4 may be issued redundantly with a conventional credit card in which data such as credit company name, card number, validity period of card, name, etc. is stored and described. In a highly creditworthy store or a store with a proven track record, a normal credit card is used as before, and at a store with no track record of visiting the store for the first time, a card 4 that stores and describes only the card key is used. It is also possible to selectively use such a type. Furthermore, in addition to the conventional credit card, the card 4 is issued, and in the domestic transaction using the Internet etc., the conventional credit card is used to store the data such as the credit company name, the card number, and the validity period of the card. A suitable operating method of the system of the present invention is to carry out the input while carrying out the card 4 storing only the card key when going out, which is highly likely to be lost or stolen.

Next, a brief description will be given of an embodiment in which the host computer 2 is arranged in a credit company cooperation customer management facility for centrally managing data of a plurality of credit companies.

Also in this case, the configurations of the store terminal 1, the host computer 2 and the card 4 are the same as those in the above-described embodiment, but the host computer 2 in the credit company cooperation customer management facility and the hosts of a plurality of credit companies. A point for connecting with a computer via a communication line (see FIG. 7), and a field for storing the company code of the credit company that issued each card 4 in the record of the database 7 connected to the host computer 2 It is different from the above-described embodiment in that it is provided (see FIG. 8).

FIG. 9 shows an outline of the process executed by the CPU of the store terminal 1, and FIG. 10 shows an outline of the process executed by the host computer 2 in the credit company cooperation customer management facility.
Shown in.

The processing in steps c1 to c14 is performed in steps a1 to a1 in the above-described embodiment described with reference to FIG.
This is the same as the processing in step a14, and step d
The processing of 1 to step d16 is substantially the same as the processing of step b1 to step b16 of the above-described embodiment described with reference to FIG. 5, but in the present embodiment, step d1
In the credit settlement process in step 4, the host computer 2 refers to the field of the company code in the record of the database 7 based on the card key or the process code to be processed, and the card 4 to be traded. Is specified, and the payment report data is transmitted to the corresponding credit company (see FIG. 11).

The operation and effect are the same as in the first embodiment, and there is no concern that important information such as the card number and the expiration date of the card will be leaked to the store side, and the employee of the store is Store terminal 1 etc. with malicious intent
It is difficult to steal the data of the database 7 via the host computer 2 even if the
It has a feature that a person who illegally obtains the card 4 cannot use the shop terminal 1 or the Internet to carry out an illegal transaction.

In this embodiment, since the host computer 2 in the credit company cooperation customer management facility reports the result of credit settlement to the host computer of each credit company, each card 4 is issued to the record of the database 7. Although a field for storing the company code of each credit company is provided, the host computer of each credit company is the host computer 2
Since it is possible to read the credit settlement result by identifying the card number by referring to the database 7 via the database, a field for storing the company code of the credit company is provided in the record of the database 7. Is not necessarily an essential requirement. Even if the code of the credit company is not stored, it is possible to mix and handle the cards 4 issued by a plurality of credit companies as long as the card keys do not overlap in the database 7.

[0071]

The information leakage prevention system for credit card settlement according to the present invention does not store and describe the card number and the expiration date, but the customer specific data (card key).
In addition to providing a card in which only the card is stored, the customer specific data (card key), the customer's unique card number, and the personal identification number are associated and stored in the database of the host computer installed independently from the store, When making a transaction, the customer specific data (card key) read from the card via the card data reading device provided in the store terminal of the store and the personal identification number entered by the customer via the manual data input device are used. Since the authenticity of the card and the customer are judged by the processing on the host computer side after being transferred to the host computer and only the judgment result is sent back to the store terminal to decide whether or not to execute the credit settlement, the customer decides whether to execute the card payment. Even if you lost or stolen your card, the card number and expiration date To worry about important information is stolen not. Moreover, the host computer equipped with the database is installed independently of the store, and only the determination result regarding the card availability and the determination result regarding the authenticity of the customer are transmitted from the host computer to the store terminal. Since the credit settlement processing means on the host side executes the credit settlement processing based on the card number corresponding to the customer identification data (card key) by referring to the database, the employee of the retail store, etc. Even if the user terminal is used illegally, it is difficult to retrieve the card number or the personal identification number from the database of the host computer. In addition, since the card number and expiration date are not stated on the card itself, and the customer identification data (card key) stored in the card has no correlation with the card number, it is possible that the card itself is stolen or lost. Even if there is, it is impossible for a third party to illegally obtain data such as the credit company name, the card number, and the validity period of the card. Therefore, this card cannot be used to carry out illegal transactions on the shop or on the Internet.

Further, when the customer specific data (card key) is read from the card by the card data reading device and transmitted to the host computer, the store code is also transmitted, and the host computer transmits the customer specific data (card key). When the store code is received, a unique processing code corresponding to this customer specific data (card key) and store code is generated and used for communication with the store terminal, so a single The host computer can process requests from multiple resellers and multiple customers substantially in parallel. Also in this case, the only new data required is the store code and the processing code, and since neither data is related to the customer's card number or information such as expiration date, important information such as card number and expiration date. There is no worry about leaking.

In particular, the security of the database can be guaranteed by installing the host computer in the facility of the credit company that manages the card number and personal identification number unique to the customer.

Further, the safety of the database can be secured at a high level by installing a host computer in the credit company cooperation customer management facility that collectively manages the data of a plurality of credit companies, and the customer can be identified in the database. Since the customer's unique card number and PIN are managed based on the data (card key), as long as the customer specific data (card key) does not overlap,
Card numbers and personal identification numbers issued by multiple credit companies can be centrally managed by a single host computer.

[Brief description of drawings]

FIG. 1 is a block diagram showing an outline of an information leakage prevention system of an embodiment to which the present invention is applied.

FIG. 2 is a conceptual diagram showing an example of data stored in a database of a host computer.

FIG. 3 is a diagram showing an example of the appearance of a card and an outline of the processing flow among a customer, a store, and a credit company.

FIG. 4 is a flowchart showing an outline of processing performed by a CPU of a store terminal.

FIG. 5 is a flowchart showing an outline of processing executed by a CPU of a host computer.

FIG. 6 is a schematic diagram showing a simplified exchange of data among a customer, a store, and a credit company.

FIG. 7 is a diagram showing an example of the appearance of a card and an outline of the flow of processing among a customer, a store, and a credit company cooperation customer management facility.

FIG. 8 is a conceptual diagram showing an example of data stored in a database of a host computer in a credit company cooperation customer management facility.

FIG. 9 is a flowchart showing an outline of processing executed by a CPU of a store terminal when a host computer is installed in a credit company cooperation customer management facility.

FIG. 10 is a flowchart showing an outline of processing executed by a CPU of a host computer provided in a credit company cooperation customer management facility.

FIG. 11 is a schematic diagram showing a simplified exchange of data between a customer, a store, a credit company, and a customer management facility and a credit company.

[Explanation of symbols]

Terminal for 1 store 1a Card usage determination means 1b Credit settlement approval / disapproval determination means 1c Store side credit settlement execution means 2 Host computer 2a Card authenticity determination means 2b Customer authenticity determination means 2c Host side credit settlement execution means 3 communication lines 4 cards 5 Card data reader 6 Manual data input device 7 database

─────────────────────────────────────────────────── ─── Continued Front Page (51) Int.Cl. ⁷ Identification Code FI Theme Coat (Reference) G07G 1/14 G07G 1/14

Claims (4)

[Claims] 1. A store terminal equipped with a card data reading device and a manual data input device, and a database in which a customer-specific card number and a personal identification number are associated and stored with customer-specific data that does not correlate with the card number. A host computer installed separately from the store, a communication line that connects the store terminal and the host computer so that they can communicate with each other, only the customer identification data without describing a card number and an expiration date. An information leakage prevention system in a credit card payment, which is formed by a card that stores and rents a card to a customer, wherein the store terminal has customer specific data read by the card data reading device To the host computer via and via the host computer The card use possibility determining means for determining whether the card can be used based on the authenticity determination result of the card, and the customer using the manual data input device only when the use of the card is permitted by the card use possibility determining means. A credit settlement approval / disapproval determining means for transmitting the input personal identification number to the host computer via the communication line and for determining whether or not credit settlement is possible based on a customer authenticity determination result transmitted from the host computer; Provided is a store-side credit settlement execution means for transmitting / receiving data to / from the host computer via the communication line to execute credit settlement processing only when the settlement approval / disapproval determination means permits credit settlement. Sent to the host computer from the store terminal Received customer identification data, determine the authenticity of the card based on whether or not this customer identification data is stored in the database, and at the same time send the card authenticity determination result to the store terminal via the communication line. The card authenticity determining means for transmitting and the personal identification number transmitted from the store terminal, and the authenticity of the customer based on whether or not the personal identification number is stored in the database in correspondence with the customer specifying data. And the customer authenticity determination means for transmitting the customer authenticity determination result to the store terminal through the communication line together with the determination, and only when the validity of the customer is confirmed by the customer authenticity determination means, the communication line A host side that transmits and receives data to and from the shop terminal via the credit card processing based on the card number corresponding to the customer identification data An information leakage prevention system in credit card settlement, characterized by being provided with a credit settlement processing means. 2. A store terminal equipped with a card data reading device and a manual data input device, and a database in which customer-specific card numbers and personal identification numbers are stored in association with customer-specific data that does not correlate with the card numbers. A host computer installed separately from the store, a communication line that connects the store terminal and the host computer so that they can communicate with each other, only the customer identification data without describing a card number and an expiration date. Is a system for preventing information leakage in a credit card payment, which is formed by a card that stores and lends to a customer, wherein the store terminal stores customer identification data and a store code read by the card data reading device. The data is transmitted to the host computer via the communication line and the host computer Receiving the processing code and the authenticity determination result of the card transmitted from the card, the card availability determination means for determining the availability of the card based on the authentication result of the card, and the card availability determination means of the card Only when the use is permitted, the personal identification number input by the customer by the manual data input device and the processing code are transmitted to the host computer via the communication line and the authenticity of the customer transmitted from the host computer. Data is exchanged between the host computer via the communication line only when the credit settlement is determined by the credit settlement permission determining unit that determines whether or not the credit settlement is possible based on the determination result. Store-side credit settlement actuals that send and receive Line means is provided, the host computer receives the customer identification data and the store code transmitted from the store terminal, the card based on whether the customer identification data is stored in the database The authenticity determination result of the card and the store terminal corresponding to the store code received through the communication line and the unique processing code corresponding to the customer identification data and the store code are determined. Card authenticity determination means for transmitting the generated processing code, and receiving the personal identification number and the processing code transmitted from the store terminal, the personal identification number in the customer identification data corresponding to the processing code in the database. The authenticity of the customer is determined based on whether or not it is stored correspondingly, and the store that has received it through the communication line Customer authenticity determination means for transmitting the customer authenticity determination result to the store terminal corresponding to the code, and only when the customer validity is confirmed by the customer authenticity determination means, the reception is performed via the communication line. Provided is a host-side credit settlement execution means for transmitting / receiving data to / from a store terminal corresponding to the store code and executing credit settlement processing based on a card number corresponding to the customer identification data corresponding to the processing code. Information leakage prevention system for credit card payments. 3. The information for credit card payment according to claim 1, wherein the host computer is installed in a facility of a credit company that manages a card number and a personal identification number unique to a customer. Leakage prevention system. 4. The host computer is arranged in a credit company cooperation customer management facility that integrally manages data of a plurality of credit companies, and the database includes card numbers and personal identification numbers issued by the plurality of credit companies. The information leakage prevention system for credit card payment according to claim 1 or 2, characterized in that