KR20040028831A - Electronic payment authentication and recognition method - Google Patents

Abstract

PURPOSE: A method for certifying and approving electronic payment is provided to improve a system performance through fast certification and approval speed by making a shopping mall/PG(Payment Gateway) perform the certification and the approval through a direct access to an access control server. CONSTITUTION: A card user requests settlement by inputting a card number to a settlement page(S1). A shopping mall/PG checks an access control server URL of the card user(S2). If the access control server URL of the card user is registered to a bin range server, a card number confirmation request and a response are received from the access control server URL(S3). A certification/approval request signal is transmitted to the card user based on the one-time card number received from a card company(S4). The card user requests the certification/approval to the card company with a public certificate or a password(S5). The access control server of the card company certifies/approves an account owner file and transmits a certification/approval result to the shopping mall/PG(S6).

Description

Electronic payment certification and approval method {ELECTRONIC PAYMENT AUTHENTICATION AND RECOGNITION METHOD}

The present invention relates to an electronic payment authentication and approval method, and in particular, user confirmation and payment without having a separate communication network and a system connected to a separate directory server or a van (VAN) for user confirmation and payment approval during electronic payment authentication. New forms of electronic payment authentication method that enables fast payment authentication and approval by minimizing the system required for electronic payment authentication and reducing the payment approval process because the approval can be directly done by the payment gateway (PG) and the card company. It is about.

An online payer authentication service is disclosed as a method for verifying payer identity during a conventional online transaction (Korean Patent Publication No. 2003-001931). That is, as shown in FIG. 1, after a Payer Authentication System (PAS) members are set up and a card user is registered, a payment transaction can be authenticated using PAS. As shown in Fig. 1, the card user visits the merchant's e-commerce site (1). After the card user selects the goods or services to purchase, the card user starts the calculation process, completes the calculation form, and clicks the 'buy' button. After the 'buy' button is clicked, the merchant plug-in software module is activated to verify that the card-only account is registered in the PAS (2). The verification process is divided into a case of using a directory server and a case of using an access control server.

First, the merchant plug-in software module identifies the card account number and queries the directory (server) to see if the account number is within the range of numbers associated with the issuer bank that is a PAS member. If the account number is outside the range of account numbers specified in the directory (server), the issuer and cardholder are not registered in the PAS. In this case, the merchant will be notified that the account number is not registered in the PAS, and the merchant plug-in software module returns transaction control back to the merchant front software. At this point, the merchant front software may continue the transaction, decline additional services to the cardholder, or continue with other payment methods. On the other hand, if it is determined that the account number is within the range of account numbers existing in the directory server, the second step of the verification process begins. The second phase of the verification process begins with the directory delivering an access control server that can authenticate the card number of the card user to determine if the card has been registered. If the card is not registered, if the access control server indicates that the card is registered, the access control server sends the URL internet address back to the merchant plug-in via the directory server. The merchant plug-in invokes the access control server through the card user client device and its resident browser. There can be multiple access control servers in PAS. The second way to check if a card user is registered in the PAS is for the merchant plug-in software module to query the access control server directly without first querying the directory server. The third method, as mentioned earlier, is for the merchant to have a cache memory that contains the same information that is kept in the directory server. In this way the merchant can make a preliminary check. More than one physical directory server can exist on a PAS system. If the card user is a PAS member, the access control server displays the bank brand's window to the card user. The window of the bank brand has basic payment transaction information and presents the cardholder with a prompt for the PAS password. The card user enters a password and the access control server confirms the password. If the correct password is entered immediately or the cardholder correctly answers the hint question within the allowed number of attempts, payment authentication continues. The access control server digitally signs the receipt using the service provider's key or the issuer's signature key. The receipt lists the merchant's name, card account number, payment amount, and payment date. The receipt file stores transaction data such as merchant name, merchant URL, card account number, expiration date, payment amount, payment date, issuer payment signature, and card user authentication confirmation. The access control server then redirects the card user back to the merchant plug-in via the card user browser. At this point, the access control server delivers the digitally signed receipt to the merchant and whether the card user is authenticated to the merchant. A verification server at the acquirer domain is used by the merchant plug-in to verify the digital signature used to sign the payment receipt. After verifying the digital signature, the cardholder is considered authenticated. After the card user is authenticated in step 3, step 4 initiates a process for authorizing a particular card user's account. Specifically, the merchant sends an authorization message to a payment network, such as Visanet, via a merchant plug-in software module. The payment network forwards the approval message and ECI to the issuer financial company. Authorization messages are well known in the art. The authorization message is forwarded to the issuer so that the issuer financial company can verify with the merchant that the particular account is normal and has an appropriate credit line for the requested purchase amount of the payment transaction. ECI indicates that the transaction is completed on the Internet and indicates the authentication and message security level (channel encryption (SSL)) used. In step 5 of FIG. 1, the issuer financial company will approve or reject the transaction.

However, in the online payment transaction authentication process according to the prior art as described above, there is a problem of always checking the directory server or the access control server regardless of the type of the card holder's card (for example, a domestic card or an overseas card).

For this reason, the conventional technology has a problem that the authentication speed is lowered because the cardholder authentication process must always go through a directory server or an access control server. Also, each card company having a famous brand name does not play an immediate arbitration role accordingly. Also, there was a problem of slowing down system performance and slowing down during cardholder authentication.

In addition, the conventional system has a problem that takes a lot of time for payment and approval due to the authentication and approval is made separately, as well as the cost of the installation of the equipment and the resulting cost.

An object of the present invention has been proposed to improve the problems described above, and instead of the directory server used in the prior art, the card bin range server (CBSV: Card bin range Sever) and through each card company brand integration through this Shopping malls that regularly update the UALs of the access control server by distinguishing the UELs of each card company or the card issuer's access control server (for example, by distinguishing domestic and international cards). Its purpose is to provide fast authentication and approval speed and improve system performance by having / PG connect to the appropriate access control server to perform the authentication and approval process.

According to an embodiment of the present invention for achieving the above object, in the electronic payment authentication and authorization method, the card user requests the payment by entering the card number on the payment page; Checks the access control server-URL of the card user through the K-MPI of the shopping mall / PG according to the payment request signal of the card user; If the card user's access control server UAL is registered in the empty range server, the access control server UAL receives the card number confirmation request and response; Transmitting an authentication and authorization request signal to the card user based on the one-time card number transmitted according to the response signal from the card company; The card user requests user authentication and authorization from the card company through a public certificate or a secure click password; The card company access control server authenticates and authorizes an account holder file through an issuer or a third party's identity authentication and authorization database; The card company access control server is provided with an electronic payment authentication method comprising the step of transmitting to the shopping mall / PG the authentication and authorization results with authorization data including authentication data.

Preferably, the empty range server is characterized in that periodically updating the access control server UAL in the shopping mall / PG.

1 is a conceptual diagram schematically showing a payment authentication process in a conventional payment authentication system (PAS).

2 is a schematic system block diagram of an electronic payment authentication and approval system according to the present invention.

3 is a schematic conceptual diagram illustrating a card payment flow step by step in the electronic payment authentication and approval method according to the present invention.

4 is a view illustrating a method of operating an access control server in an access control server registered in an empty range server and an unregistered access control server in the electronic payment authentication and approval method according to the present invention.

5 is a view showing detailed operation of the K-Merchant plug-in software in the electronic payment authentication and approval method according to the present invention.

6 is a view showing a specific operation flow diagram of the electronic payment authentication and approval method according to the present invention.

Explanation of symbols on the main parts of the drawings

14: access control server

28-1, 28-2, 28-3, 28-4: Card company directory server

34: K-MPI Software Module

42: Card Blank Server

Hereinafter, an electronic payment authentication and approval method according to a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.

2 is a schematic system diagram for performing an electronic payment authentication and approval method according to the present invention. As shown here, the system configuration 100 is divided into an issuer domain 2, a co-availability domain 4, and an acquirer domain 6. The issuer domain 2 includes components mainly controlled by the issuer. For example, the issuer may be a financial company that issues payment cards to consumers. Specifically, the issuer or card issuer personalizes the new card received from the card provider and issues these cards to the customer. Individual characterization may be performed by the card supplier or by an individual characterization office. And in addition to the financial company, the issuer may be any suitable issuing entity, such as a telephone network operator, a service organization, a merchant or other organization, or even an agent of the issuer.

The acquirer domain 6 includes components controlled by the acquirer. For example, the acquirer may be a financial company that registers a merchant with a payment technique and manages a merchant account. The acquirer may also transfer information from an online merchant to the network.

Co-soluble domain 4 is supported by the Internet and utilizes components used by issuers and acquirers. Typically, the co-use domain 4 is managed by a card manager such as Visa. The co-use domain 4 may be supported by a communication network other than the Internet.

The issuer domain (2) is the registration site 8, issuer cardholder system 10, cardholder client device 22, registration server 12, access control server 14, issuer or third party identity authentication and Authorization database 16, and account holder file 18, and other receipt file 30. Additionally, issuer domain 2 may include the issuer file of the authorized cardholder. The registration server 12 is a computer that manages cardholder registration within the PAS service by presenting a series of questions through a web interface that the cardholder answers and the issuer will verify. As shown in FIG. 2, the card issuer operates the registration server 12. However, a service organization such as a visa may operate the registration server 12 on behalf of the issuer. The issuer may use an interactive 'Entity Authentication Service' provided by a third party during the registration process and operated by the web to assist the cardholder in identifying the entity. At this time, when the card user accesses the access control server without going through a separate registration site, the user who is not registered may automatically request registration and proceed. This is called auto registration. The registration site 8 is an internet website that cardholders can register to participate in the PAS.

The access control server (ACS) 14 includes a registration server 12. The access control server 14 is a computer having a database of cardholders registered for the PAS incorporating cardholder account and password information. During an online payment transaction, the access control server 14 provides the merchant with a digitally signed receipt, controls access to the PAS, and confirms the cardholder's participation in the service. And a service organization such as a card issuer or a visa can operate the access control server 14. And since the PAS does not require the use of additional cardholder software, additional cardholder software and hardware can be deployed. Cardholder software can be used to support additional authentication technologies such as digital certificates, integrated circuit cards (chipcards), and chipcard readers, and can be used to verify that the access control server is properly associated with the appropriate cardholder client device. have. The account holder file 18 is a database managed by the issuer for storing information about cardholders who have successfully registered with the PAS.

The access control server 14 according to the present invention responds after checking the VEReq message which is a message requesting authentication confirmation (check whether the cardholder is registered), and requesting a PAReq message which is a message requesting an authentication value in connection with generating an authentication value. After receiving the user authentication, it generates the signature value (PARes) and saves the authentication details in case of dispute or transmits them to Visa.In addition, all card automatic registration function (i.e. all cards) is confirmed when the card is registered. Check whether the person has the confidence set a password, click the check), and also limit the K-MPI unauthorized access to the K-MPI and visa directory server access control.

The cardholder client device 22 is used by the cardholder to join the PAS. Specifically, the cardholder client device 22 may be a device that can access the Internet, such as a personal computer, mobile phone, PDA, or interactive cable TV.

The issuer cardholder system 10 is a system controlled by the issuer that embeds information about the cardholder. This system information includes account information, information about services used by the cardholder, and the like. Some information in the issuer cardholder system 10 may be used in the process of registering the cardholder in the PAS.

The issuer or third party's identity authentication and authorization database 16 embeds the information that the issuer or third party already has in a file about the cardholder. The database 16 is used by the issuer in the process of registering the cardholder to verify the cardholder's identity. For example, the information entered by the cardholder during the PAS registration process must match the information in the file in the authentication database 16 in order for the cardholder to successfully register with the PAS.

The co-availability domain 4 includes a directory server 28. Directory server 28 forwards the authentication request from the merchant to the particular access control server. Directory server 28 is operated by a service organization like a visa. The directory server 28 may be a directory server having a brand name for each company, for example, a visa directory server 28-1, a master directory server 28-2, a diner directory server 28-. 3), the JB directory server 28-4 and the like.

Receipt file 30 stores a signed receipt for each authenticated purchase transaction. The receipt file 30 embeds information identifying which transaction has been authenticated and provides additional information during the dispute resolution process. In the present invention, the receipt file 30 may be managed at the same time in the access control server of the financial company and the shopping mall / PG.

The acquirer domain 6 includes a merchant 32 and a verification server 36. Korea-Merchant Plug In (K-MPI) software module 34 is placed in the merchant 32 position. The K-MPI software module 34 is a PAS software module that is integrated into the merchant 32's e-commerce website. K-MPI software module 34 provides an interface between the PAS and the merchant's payment processing software. The verification server 36 verifies the digital signature of the card issuer used to sign the receipt returned to the merchant by the PAS during the payment transaction. In another embodiment of the invention, the functionality of the acknowledgment server 36 may be included in the merchant plug-in software module 34, thus eliminating the need for a separate acknowledgment server 36. The verification server 36 is operated by a merchant, acquirer, or service organization. As described below, the K-MPI software module may include an integrated part including a bin range (including a URL of an access control server) and an existing visa free range part in an existing MPI. . The integrated part plays a role of allowing UAL to access an already registered access control server, and the existing visa bin range part accesses a directory server of each brand to access an access control server of a brand name. To perform. Meanwhile, the K-MPI software module 34 is installed in a shopping mall / page gateway (PG). In addition, the card bin server 42, which is another feature of the present invention, interworks with each other by exchanging a specific message with the shopping mall / PG K-MPI 34, and performs a function of distributing an empty range among roles of an existing directory server, The K-MPI software module 34 periodically updates the URL of the access control server.

3 is a schematic conceptual diagram illustrating a card payment flow step by step in the electronic payment authentication method according to the present invention. As shown in the drawing, the card user accesses the homepage of the shopping mall / PG, completes a purchase, and inputs only a credit card number (step 1). Then, the K-MPI software module 34 of the shopping mall / PG operates to perform the corresponding operation. A card number confirmation request is made to the card company's access control server 14 (step 2), and then a confirmation response is received (step 3). Thereafter, the K-MPI software module 34 of the shopping mall / PG operates to perform authentication and authorization requests to the card user (step 4). After that, the card user selects an authorized certificate selection part or a secure click password input part on a pop-up window displayed on the screen of his terminal, such as a computer terminal, and inputs the corresponding information to request the user's authentication to the card company. Accept the result (step 5). If the user selects an accredited certificate, the card company connects to the accredited certification authority, checks the accredited certificate, and sends the authentication and approval results. Thereafter, the card user who receives the authentication and approval result transmits the authentication and approval response (including card authentication confirmation value (CAVV)) to the K-MPI software module 34 of the shopping mall / PG (step 6). Thereafter, the shopping mall / PG's K-MPI software module 34 is operated to transmit the approval result to the card user (receipt of presentation) (step 7). Meanwhile, in FIG. 3, the card blank server 42 collectively manages the UAL of the access control server of a specific card company or financial company and periodically manages the details K-of the shopping mall / PG about three times a week. Update registration is made to the MPI software module 34. Accordingly, the K-MPI software module 34 of the shopping mall / PG may directly access the card company's access control server through the updated data.

Meanwhile, FIG. 4 is a view illustrating an access control server registered in an empty range server and an unregistered access control server operating method in the electronic payment authentication and approval method according to the present invention. As shown in FIG. 3, the K-MPI software module 34 of the shopping mall / PG in FIG. 3 accesses the corresponding card company of the current card user through the UALs of the access control servers updated by the card bin server 42. By checking the control server UAL, you can access the card company's access control server. The card bin server 42 includes information on financial companies or card companies participating in the authentication and authorization policy according to the present invention, and BIN information (for example, UAL information of an access control server of the card company or financial company). Doing.

However, if the URL of the access control server of the card company or financial company is not registered in advance, the corresponding directory server is accessed. For example, you can access Visa, Master, Diners Card, or J. C. Directory Servers 28-1, 28-2, 28-3, 28-4. That is, the K-MPI server may directly access the access control server of the UAL according to the UAL of the access control server updated by the empty range server, or if the update is made by the empty range server. If ULA does not exist, it can access the directory server of the brand name that provides the common-use property domain service and access to the card company's access control server, that is, ACS. This part can go directly to the access control server (ACS) according to the card bin (6 digits before the card number) registered in the card BIN server, otherwise it can access the respective directory server.

5 is a view showing the detailed operation of the K-Merchant plug-in software in the method of operating the access control server varies depending on whether or not the empty range server has a UAL in the electronic payment authentication and approval method according to the present invention. As shown in the drawing, the K-MPI software module 34 has an MPI bin range (including an access control server URL) part 34a periodically updated from the card bin server 42 and the existing 34. An empty range (e.g., a visa empty range) portion 34b.

For this reason, if the card user's card is a UAL access control server included in the existing empty range server, the contents are judged through the empty range portion 34a and immediately transmitted to the access control server 14 having the corresponding UAL. If the empty range server does not have a UAL, the existing empty range portion 34b is operated to access the card company's access control server through the directory server 28 of the brand name. If the card BIN is not registered in the empty range server, the directory server is accessed through the existing VISA BIN.

6 is a view showing a specific operation flow diagram of the electronic payment authentication and approval method according to the present invention. As shown in the figure, when a signal for requesting authentication and authorization is received from the card user, authentication and authorization are started. First, in step S1, when a card user inputs a card user's card number to a predetermined part of a payment screen provided in the shopping mall / PG and requests a payment, the K-MPI software module 34 of the shopping mall / PG operates first. It is determined whether the access control server UAL exists (step S2).

Then, if there is a UAL of the access control server of the card company or the financial company, directly access the card company's access control server to request the card number confirmation and receive a response (step S3). At this time, the card company transmits a one-time card number for the response. The K-MPI software module 34 then requests the card user to authenticate and authorize using the disposable card number (step S4). At this time, the card user inputs an authorized certificate or other secure click password based on the one-time card number received from the K-MPI software module 34 to request authentication and approval. After that, when the user registers the secure click password, the user fills in the corresponding secure click password and clicks it. If the user wants to use an authorized certificate, the user selects the corresponding content from the authentication request popup window (not shown) (step S5). The assured click password indicates a password registered in the card company. Thereafter, the card user transfers the authentication and authorization response (including card authentication confirmation value (CAVV) data) received from the card company to the K-MPI software module 34 (step S6).

The CAVV is data generated by an access control server that authenticates a cardholder, and is a unique value for a specific payment transaction and a given transaction from the card.

In step S2, if there is no UAL of the access control server, the server of the existing visa free range, that is, the card directory server is accessed (S22).

As described above, according to the electronic payment authentication and approval method of the present invention, through the directory server in the prior art to solve the problem that the speed is reduced in the authentication process has the effect of providing an authentication and approval method with improved system speed In addition, by dividing the directory server by the brand of the existing card company has the effect of achieving a fast authentication and approval speed.

In addition, according to the present invention, it is possible to reduce the time of electronic authentication and approval by allowing the authentication and approval to be performed simultaneously under the control of the access control server.

Claims (2)

In the electronic payment certification and approval method, The card user requests a payment by entering a card number on a payment page; Checks the access control server-URL of the card user through the K-MPI of the shopping mall / PG according to the payment request signal of the card user; If the card user's access control server UAL is registered in the empty range server, the access control server UAL receives the card number confirmation request and response; Transmitting an authentication and authorization request signal to the card user based on the one-time card number transmitted according to the response signal from the card company; The card user requests user authentication and authorization from the card company through a public certificate or a secure click password; The card company access control server authenticates and authorizes an account holder file through an issuer or a third party's identity authentication and authorization database; The card company access control server transmits the authentication and approval result with the authorization data including the authentication data to the shopping mall / PG; Electronic payment authentication method comprising the above steps. The method of claim 1, wherein the empty range server periodically updates the access control server UAL to the shopping mall / PG.