KR20150144362A - Method for Processing Payment at Affiliate by using End-To-End Medium Ownership Authentication and One Time Code Authentication - Google Patents

Abstract

The present invention relates to an affiliated store payment processing method using end-to-end medium possession based authentication and one-time code authentication. The affiliated store payment processing method using end-to-end medium possession based authentication and one-time code authentication according to the present invention is an affiliated store payment processing method performed by a server communicating with a terminal of a user interfaced with a chip of a non-contact medium possessed by the user. The payment processing method comprises: a first step of receiving, at the time of confirming a payment request from an affiliated store terminal, encryption data (c) generated by encrypting data (c) configured in a chip of a non-contact medium interfaced with a terminal of a user in the chip of the non-contact medium, from the terminal interfaced with the chip of the non-contact medium; a second step of confirming a dynamic code dynamically generated to be provided to the chip of the non-contact medium on the basis of a validity confirmation result of the data (c) obtained by decoding the encryption data (c); a third step of providing encryption data (s) obtained by encrypting data (s) including the dynamic code to the chip of the non-contact medium through the terminal interfaced with the chip of the non-contact medium; a fourth step of receiving a one-time authentication code corresponding to a dynamic code confirmed by decoding the encryption data (s) in the chip of the non-contact medium from the terminal interfaced with the chip of the non-contact medium; and a fifth step of performing, when validity of the authentication code is authenticated, a payment procedure requested from the affiliated store terminal by using a payment means of a user registered in advance.

Description

[0001] The present invention relates to a payment method for merchant payment using an end-to-end medium-ownership authentication and a one-

The present invention relates to an end-to-end medium-ownership authentication and a disposable authentication code authentication using a communication channel formed between a chip of a noncontact medium interfaced with a terminal used by a user and a server side at the time of confirming a payment request using an affiliate terminal provided at an offline merchant And automatically identifies the payment means of the user on the basis of the authentication result obtained by the dual binding, and processes the requested payment procedure from the merchant terminal.

In the conventional merchant payment, when a user holds a payment card and visits the merchant to present his / her payment card, the user has to read the payment card through the merchant terminal and request payment.

However, the card information of the payment card read through the merchant terminal can be stored in the merchant terminal as much as possible, and even if it is prevented by law, when the payment card is read using the dummy terminal, the card information of the payment card can be stored at any time, It has a problem.

In recent years, attempts have been made to make payment cards into IC cards to prevent the risk of such card information exposure. However, even in the case of an IC card, it is only to safely protect the card information stored in the IC chip, and it is possible to store and exploit any amount of card information read from the IC card in accordance with a proper procedure.

In order to solve the problem of the merchant payment, it is necessary to make payment by using a separate identification means without reading the card information from the card held by the customer. However, merely adding a new identification means, Most of the identification means proposed in the past (for example, a telephone number for identifying a card number, etc.) is in the form of a fixed value for identifying an individual not merely card information, The risk of hacking or financial accidents is contained only by the exposure of the user. Especially, if the identification means has a fixed value type in which the key can be inputted, it is possible to reuse and abuse it by anyone.

In order to solve the above problems, it is an object of the present invention to provide a merchant terminal, which uses a communication channel-based one-time authentication code authentication using a user's terminal in addition to a payment channel used by the merchant terminal, Notifying the payment requested by the user and identifying the payment means of the user, adding the noncontact medium owned by the user, which is interfaced with the terminal of the user, as an authentication factor of authentication / identification during the disposable authentication code authentication process, As a necessary pre-authentication condition for performing the authentication code authentication procedure, the non-contact medium interfaced with the terminal of the user and the end-to-end medium ownership authentication procedure on the server must be performed, and the disposable authentication code authentication is performed based on the result , A payment request using the merchant terminal The present invention provides a merchant payment processing method using end-to-end medium-ownership authentication and one-time authentication code authentication.

The merchant payment processing method using the end-to-end medium-ownership authentication and the one-time authentication code authentication according to the present invention is a merchant payment processing method executed by a server that communicates with a user terminal that is interfaced with a chip of a non- (C) generated in the chip of the noncontact medium by encrypting data (c) composed in the chip of the noncontact medium interfaced with the terminal of the user at the time of confirming the payment request from the merchant terminal, And a second step of receiving from the interfaced terminal a dynamic code generated to provide a dynamic code to be provided to the chip of the noncontact medium based on the result of the validation of the data (c) decrypted by the encrypted data (c) Contact medium with a chip of the noncontact medium through a terminal interfaced with the chip of the noncontact medium, (S) encrypted with data (s) including a code, and a third step of decrypting the encrypted data (s) within the chip of the noncontact medium from a terminal interfaced with the chip of the noncontact medium A fourth step of receiving a disposable authentication code corresponding to the identified dynamic code; and a fourth step of receiving a disposable authentication code corresponding to the identified dynamic code, and a fourth step of, when the validity of the authentication code is authenticated, And a fifth step of processing.

According to the present invention, the merchant payment processing method may further include a step of registering the payment means of the user and registering the registered payment means in a designated storage medium.

According to the present invention, the merchant payment processing method may further include registering and storing a unique code recorded on a chip of the noncontact medium of the user.

According to the present invention, the merchant payment processing method may further include registering and storing the key value (s) corresponding to the key value (c) recorded on the chip of the noncontact medium of the user.

According to the present invention, the merchant payment processing method may further include a step of mapping registration of the user's payment means and the noncontact media of the user.

According to the present invention, the merchant payment processing method may further include a step of mapping registration of the user's payment means and the terminal of the user.

According to the present invention, the merchant payment processing method may further include performing a process of mapping registration of the payment means of the user and a program provided in the terminal of the user.

According to the present invention, the merchant payment processing method may further include, when confirming the payment request from the merchant terminal, confirming the user terminal capable of interfacing with the chip of the noncontact medium held by the user in a non-contact manner. Meanwhile, the merchant payment processing method may further include a step of requesting the terminal of the identified user to interface with the contactless medium.

According to the present invention, the data (c) may include a unique code recorded on a chip of the noncontact medium.

According to the present invention, the data (c) may include an input value input to the chip of the noncontact medium through the terminal of the user. The input value may include at least one of a time value obtained through a timer of the terminal, an eigenvalue uniquely assigned / assigned to the terminal, a received value received from the outside of the terminal, and a generated value generated in the terminal Or two or more.

According to the present invention, the data (c) may include a random number c generated in the chip of the noncontact medium.

According to the present invention, the encrypted data (c) includes an authentication module having a key value (s) corresponding to the key value (c) using the key value (c) recorded on the chip of the noncontact medium as an encryption key It can be decrypted only in the chip of the noncontact medium.

According to the present invention, the merchant payment processing method includes the steps of: decrypting the received encrypted data (c) through a key value (s) corresponding to a key value (c) recorded on a chip of the noncontact medium, A step (1-1) of confirming the data (c) constituted by the chip, and a step (1-2) of authenticating the validity of the decrypted data (c). Meanwhile, the step 1-2 may include a step of comparing and authenticating a unique code registered in the registration process of the contactless medium with a unique code included in the data (c).

According to the present invention, the dynamic code can be dynamically generated in the form of a random value of a designated size through a specified random number algorithm.

According to the present invention, the dynamic code can be dynamically generated by applying one or more seeds to a specified code generation algorithm. Meanwhile, the seed may include at least one value included in the data (c).

According to the present invention, the merchant payment processing method further includes generating a session key using the random number c included in the data (c), wherein the encrypted data (s) Can be decrypted only through the chip of the noncontact medium. Meanwhile, the merchant payment processing method may further include generating a MAC (Message Authentication Code) for verifying the validity of the dynamic code using the random number c included in the data (c) and the session key , And the data (s) may include the dynamic code and the MAC.

According to the present invention, the encrypted data (s) can be decrypted through a session key generated using a random number value (c) included in the data (c) in the chip of the noncontact media.

According to the present invention, the disposable authentication code may include a dynamic code included in the data (s).

According to the present invention, the disposable authentication code may include some of the dynamic codes included in the data (s).

According to the present invention, the disposable authentication code may include a code generated using the dynamic code included in the data (s).

According to the present invention, the disposable authentication code can be a combination of the dynamic code (or a part of the dynamic code) included in the data (s) and the code generated on the chip of the noncontact medium.

According to the present invention, the disposable authentication code may be in the form of at least one of a disposable number of a designated digit, a disposable string of a specified size, a disposable card number of a card number system, and a disposable account number of an account number system.

According to the present invention, at the time of payment request using the merchant terminal, the payment requested through the merchant terminal is authenticated using the one-time authentication code authentication based on the communication channel using the user's terminal in addition to the payment channel used by the merchant terminal The method comprising: adding a noncontact medium owned by a user, which is interfaced with a user terminal, as an authentication factor for authentication / identification in the disposable authentication code authentication process of identifying a user's payment means, End media authentication procedure for the contactless medium interfaced with the terminal of the user and the end-to-end media ownership authentication procedure on the server is performed as the pre-authentication condition, and the disposable authentication code authentication is performed based on the result, To his terminal Possessing one has the advantage of blocking the source of the risk of non-contact media, the simple act exposed card information or hacking / financial crash only by means of tagging provides a convenient and secure payment merchant.

1 is a diagram showing a configuration of a settlement processing system for processing a merchant settlement using an authentication that combines an end-to-end medium ownership authentication using a non-contact medium and a disposable authentication code authentication according to an embodiment of the present invention.
FIG. 2 is a diagram showing a configuration of a system for processing a merchant payment using an authentication that combines end-to-end medium-ownership authentication using a non-contact medium and disposable authentication code authentication according to an embodiment of the present invention.
3 is a diagram illustrating an operation of a payment processing module according to an embodiment of the present invention and a process of requesting a merchant payment.
FIG. 4 illustrates an end-to-end media owning authentication process between a chip and a server side of a noncontact medium according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a process for providing an end-to-end medium-ownership authentication and a disposable authentication code between a chip and a server side of a noncontact medium according to an embodiment of the present invention.
FIG. 6 illustrates a process of providing a disposable authentication code authentication and settlement procedure according to an embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention.

In other words, the following embodiments correspond to the preferred embodiment of the preferred embodiment of the present invention. In the following embodiments, a specific configuration (or step) is omitted, or a specific configuration (or step) (Or steps), or an embodiment that incorporates functions implemented in more than one configuration (or step) into any one configuration (or step), a particular configuration (or step) It will be apparent that the present invention is not limited to the embodiments described below. In the following embodiments, a specific configuration unit implemented on the server side is implemented on the terminal side and reference is made on the server side, or conversely, in the following embodiments, a specific configuration unit implemented on the terminal side is implemented on the server side, And all of the embodiments utilizing the same are also included in the scope of the present invention. Therefore, it should be clearly stated that various embodiments corresponding to subsets or combinations based on the following embodiments can be subdivided based on the filing date of the present invention.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely means for effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs Only.

1 is a diagram showing a configuration of a settlement processing system for processing a merchant settlement using authentication in which an end-to-end medium ownership authentication using a noncontact medium 105 and a disposable authentication code authentication are combined according to an embodiment of the present invention.

1 shows a chip 220 and a server side 115 of a noncontact medium 105 interfaced with a terminal 110 used by a user when confirming a payment request through an merchant terminal 100 provided in an offline merchant, End medium ownership authentication between the chip 220 and the server side 115 of the noncontact medium 105 via the communication channel formed between the server side 115 and the server side 115 and the disposable authentication code using the dynamic code generated at the server side 115 And authentication is performed to perform the payment procedure requested from the merchant terminal 100. By way of example, if the person skilled in the art is familiar with the present invention, (E.g., some components may be omitted, or broken down, or combined) to refer to and / or modify the payment processing system However, the present invention is not limited to the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

The settlement processing system of the present invention is provided with an agent terminal (100) provided at an offline merchant and requesting settlement to a server side (115) by using a settlement channel, a noncontact medium (105) A terminal 110 of the user communicating with the server side 115 using a separate communication channel and a terminal 110 interfacing with the terminal 110 to perform a one-side procedure of terminal media ownership authentication and disposable authentication code authentication Contact medium 105 having a chip 220 for carrying out a transaction and a settlement procedure requested via a payment channel through the merchant terminal 100 and interlocking with the chip 220 of the contactless medium 105 Side server 115 that includes one or more servers that perform end-to-end media-proprietary authentication and other one-side procedures of one-off authentication code authentication.

The merchant terminal 100 is a collective term of a terminal provided at an offline merchant and used for settlement, and requests a settlement by communicating with the server side 115 through a payment channel. Preferably, the merchant terminal 100 includes a POS terminal and a CAT terminal included in an offline merchant, and may be connected to a wired terminal (e.g., a desktop computer, a notebook computer, etc.) , A mobile phone, a smart phone, a tablet PC, and the like). The payment channel includes a combination of a communication network and a communication protocol used for payment of the merchant terminal 100 and used by the merchant terminal 100 to communicate with the server side 115.

The terminal 110 is a collective term for terminals capable of interfacing with the chip 220 of the noncontact medium 105 carried by the user using at least one noncontact interface among the terminals used by the user and is physically separable from the payment channel (E.g., disparate disparate communications networks), or may be communicatively coupled to the server side 115 over a communications channel that is logically separable (e.g., the physical is separable through a communications protocol stack even though the communications network is the same). The terminal 110 may include a user's wireless terminal (e.g., a mobile phone, a smart phone, a tablet PC, etc.) having an interface module that interfaces with the contactless medium 105. However, the terminal 110 is not limited to a wireless terminal, and may communicate with the server side 115 through a communication channel that is physically or logically separable from the payment channel, and may communicate with the chip 220 of the noncontact medium 105 (For example, a wired terminal, various portable terminals, etc. may be included) or a device (for example, an OTP generator, a wristwatch, etc.) may be used as long as the interface can be interfaced with the terminal.

According to the embodiment of the present invention, the terminal 110 is provided with one or more interface modules for interfacing with the noncontact media 105, and an application program (not shown) linked with the noncontact medium 105 through the interface module Respectively. The program may be provided by the manufacturer of the terminal 110 or may be provided by the service provider according to the present invention. The program may include an interlock module 250 programmed to interoperate with the terminal 110 through the interface module or may include an interlock module 250 ). Hereinafter, an NFC module for interfacing with the non-contact medium 105 having an NFC function is provided in the terminal 110 for convenience, and a program including the programmed interlocking module 250 is provided. The features of the present invention are not limited to the following embodiments.

The noncontact medium 105 is a general term for a medium that interfaces with a user's terminal 110 through a contactless interface and includes a chip 220 capable of implementing a noncontact communication function and an arm / An antenna for noncontact communication is mounted (or connected to an antenna outside the noncontact medium 105). The noncontact media 105 may include an NFC medium having an NFC (Near Field Communication) function and an arm / decryption function. In this case, the noncontact interface may include an NFC interface. For example, the noncontact media 105 may include a financial IC card, an NFC card, an RF card, etc., having the chip 220 and an antenna. However, the present invention is not limited to the case where the noncontact medium 105 and the noncontact interface are the NFC, and the outer shape of the noncontact medium 105 is not limited to a card. (Eg, Bluetooth, RF communication, or the like) may be used as a medium that mounts the chip 220 and connects (or mounts) the antenna with the antenna 110, ) Are also included in the scope of the present invention. Hereinafter, the characteristics of the present invention will be described on the basis of an embodiment in which the noncontact medium 105 is an NFC medium and the noncontact interface is an NFC interface, but the features of the present invention are not limited to the following embodiments.

According to the method of the present invention, the chip 220 of the noncontact medium 105 is provided with a chip module 230 that is programmed and / or logicized to use the NFC function and the arm / decode function. The chip module 230 may be mounted on the chip 220 of the noncontact medium 105 at the time when the chip 220 of the noncontact medium 105 is manufactured or may be mounted on the chip 220 of the non- Contact medium 105 is mounted on the chip 220 of the noncontact medium 105 or at the time of secondary issuance in which information for personalizing the chip 220 of the noncontact medium 105 is recorded, Or may be mounted on the noncontact medium 105 through a post-issuance procedure for the noncontact medium 105. The chip 220 of the noncontact medium 105 may be inserted into the chip 220 of the noncontact medium 105 during the process of mounting the chip module 230 on the chip 220, One or more stored values to be used for the encryption / decryption function may be stored. The storage value may be a unique code (e.g., a card serial number or a chip serial number (CSN)) uniquely identifying the chip 220 of the noncontact medium 105 at the personalization agent of the noncontact medium 105, And may include a unique code that uniquely identifies the chip 220 of the noncontact media 105 in the end-to-end media owning authentication according to the present invention. The stored value may further include at least one key value c to be used for encryption / decryption (e.g., a master key of the chip 220 or an encryption / decryption key recorded for encryption / decryption). However, the stored value is not limited to the unique code or key value c, and various information (or values) may be stored according to the intention of the person skilled in the art (or the use of the noncontact medium 105).

The server side 115 is a collective term of a server combination for performing a payment procedure requested from the merchant terminal 100 via a payment channel and includes a server for performing a payment approval process requested from the merchant terminal 100 And at least one settlement relay server 120 (for example, a PG server, a VAN server, and the like) is included between the merchant terminal and the financial company server 130 .

According to the present invention, the server side 115 performs authentication with the chip 220 of the noncontact medium 105 through the terminal 110 to perform a server side procedure of terminal medium ownership authentication and disposable authentication code authentication Module 270 as shown in FIG.

According to the embodiment of the present invention, the authentication module 270 can be implemented in the payment relay server 120 or the financial transaction server 130, and can be implemented in the payment relay server 120 or It may be implemented on a separate operating server 125 associated with the financial company server 130. That is, the server on which the authentication module 270 of the present invention is implemented is not limited to any particular server, and may be implemented in various servers (or distributed to two or more servers depending on the partnership relationship of the participants) ), And the present invention clearly encompasses all such cases in the scope of the right.

The user receives a noncontact medium 105 from a personal data center (e.g., financial institution or service provider) of the noncontact medium 105 and transmits the data to the chip 220 of the noncontact medium 105 in the process of issuing the non- And the authentication information and / or the key value (s) including the stored value are recorded in the authentication module 270 of the server side 115. [

Also, payment means (e.g., a credit card, a check card, a debit card, a financial account, a cash card, an electronic passbook, a prepaid card, etc.) is issued from the issuing institution of the user's payment means (e.g. According to the embodiment of the present invention, the user can register the payment means of the user on the storage medium 135 of the server side 115 using the terminal 110. [ The storage medium 135 in which the payment means is registered preferably includes a storage medium 135 of the financial company server 130. However, the storage medium 135 is not limited thereto, The storage medium 135 may be used. In this case, the storage medium 135 may store a payment means identification value for uniquely identifying the payment means information of the user and / or the payment means of the user, and the payment means may include, And can be registered with the identification value. For example, if the storage medium 135 in which the payment means is registered is a storage medium 135 of a financial institution, the payment means information can be stored. If the storage medium 135 in which the payment means is registered is a financial institution, If it is not the storage medium 135, a payment means identification value for uniquely identifying the payment means issued by the financial institution may be stored in the storage medium 135 in order to prevent exposure of the payment means information.

According to an embodiment of the present invention, the payment means of the user may be registered with the non-contact medium 105 issued to the user, or may be registered with at least the non-contact medium 105 of the user, It is preferable that the authentication module 270 is mapped and registered.

According to the first payment means mapping relationship of the present invention, the payment means of the user can be mapped and registered with the non-contact medium 105 of the user. If the storage medium 135 in which the authentication information and / or the key value s of the noncontact medium 105 are registered is the same as the storage medium 135 in which the payment means is registered, May be mapped with authentication information and / or key value (s) of the medium 105. If the storage medium 135 in which the noncontact medium 105 is registered is different from the storage medium 135 in which the payment means is registered, the noncontact medium 105 and the settlement means may have a unique mapping identifier (e.g., A user identification value or an identification value generated for non-contact medium 105 and a payment means mapping, etc.).

According to the second payment means mapping relationship of the present invention, the payment means of the user is mapped to and registered with the terminal 110 that interfaces with the non-contact medium 105 of the user and / (Or linked) with the interworking module 250 provided in the terminal 110 in order to perform the mapping. For example, a communication company to which the terminal 110 is subscribed or a provider that provides the program to the terminal 110 may collect terminal identification values of the terminal 110 through the user's agreement and / An application identification value may be assigned to a program included in the terminal 110 or an application identification value assigned to the program may be collected. In this case, the payment means of the user may be mapped and registered with the terminal identification value and / or the app identification value of the terminal 110. The terminal identification value and / or the app identification value of the terminal 110 may be mapped and registered with the user identification value. If the storage medium 135 in which the terminal identification value and / or the app identification value of the terminal 110 is registered and the storage medium 135 in which the payment means is registered are the same, ) And / or an app identification value of the terminal. Meanwhile, when the storage medium 135 in which the terminal identification value and / or the app identification value of the terminal 110 is registered and the storage medium 135 in which the payment means is registered differ, the terminal identification value of the terminal 110, / Or the app identification value and the payment means are mapped using a uniquely set mapping identification value (e.g., a user identification value or a unique generated identification value) or stored in a storage medium 135 where the storage medium 135 is registered And may be mapped by registering the terminal identification value and / or the app identification value of the terminal 110.

According to the third payment means mapping relationship of the present invention, the payment means of the user is an authentication that performs a server-side procedure of terminal media ownership authentication and disposable authentication code authentication in cooperation with the chip 220 of the noncontact medium 105 of the user May be mapped and registered with the module 270. For example, the payment means of the user may be registered in the storage medium 135 of the server provided with the authentication module 270 or may be mapped with at least one identification value registered in the authentication module 270, And may be registered with the authentication module 270 by being registered in the storage medium 135.

According to the fourth payment means mapping relationship of the present invention, the user's payment means can be mapped and registered in a form of combining at least two of the first to third payment means mapping relationships, 135) or by the operator. That is, even if the payment means of the user is registered in any storage medium 135 in any form, if the previously registered payment means is used for settlement as a result of the end-medium-ownership authentication and / or the disposable authentication code authentication according to the present invention, The scope of the invention is to be clearly indicated.

According to the present invention, a user visits an offline merchant to purchase a commodity, processes a commodity purchase procedure to commence a settlement procedure for a commodity purchased during or after the commodity purchase procedure, It is possible to select an authentication-based settlement procedure in which the end-to-end medium-ownership authentication using the non-contact medium 105 and the one-time authentication code authentication are combined.

The franchisee terminal 100 transmits to the payment relay server 120 (or the operation server 125) via the terminal 110 of the franchisee terminal 100 the termination using the noncontact medium 105 according to the present invention Contact medium 105 according to the present invention through the user terminal 110 to the server having the authentication module 270 or to request the start of authentication using the non-contact medium 105 according to the present invention, (For example, a terminal identification value or a terminal identification value of the terminal 110) may be requested to initiate the authentication in which the medium medium possessing authentication and the disposable authentication code authentication are combined. ) Is a mobile phone / smart phone). The payment relay server 120 (or the operation server 125) and / or the authentication module 270, which are requested to perform authentication combining the end-to-end medium-ownership authentication using the non-contact medium 105 according to the present invention and the disposable authentication code authentication, The server having the terminal 110 can request the start of the authentication combining the end-to-end medium-owning authentication using the non-contact medium 105 held by the user and the disposable authentication code authentication with the program of the terminal 110, Messaging (e. G., Push notification, etc.) to terminal 110 may be performed. Meanwhile, the above-described authentication request procedure may be omitted, but information requesting the authentication using the user's terminal 110 through the merchant terminal 100 being used by the user may be displayed.

Based on the relationship between the chip 220 of the noncontact medium 105 held by the user and the programmed modules provided in the user terminal 110 and the server side 115, the embodiment according to the technical features of the present invention Will be described. In the embodiment of the present invention, the description of the technical features in terms of the modules is made so that the present invention is not limited by hardware devices in which the respective modules are provided.

FIG. 2 is a diagram showing a configuration of a system for processing a merchant payment by using an authentication that combines end-to-end medium-ownership authentication using a non-contact medium 105 and disposable authentication code authentication according to an embodiment of the present invention.

2 shows a chip 220 of a noncontact medium 105 carried by a user in the system configuration shown in FIG. 1, a programmed module provided in the user terminal 110 and the server side 115, It will be understood by those skilled in the art that various changes and modifications may be made thereto by referring to and / or modifying the drawings in accordance with various embodiments of the functional configuration of the system The present invention is not limited to the above-described embodiments, but may be embodied in many other specific forms without departing from the spirit or essential characteristics thereof.

The chip 220 of the noncontact medium 105 possessed by the user may be provided with the termination medium ownership authentication and the disposable authentication code authentication in order to provide authentication in which the end- The chip module 230 is programmed / logicized to perform a process on the chip 220 side of the terminal 120. At least one server provided in the server side 115 is provided with a server The terminal 110 carried by the user is linked to the chip module 230 and is linked with the authentication module 270 of the server side 115. [ Module 250, and at least one server provided on the server side 115 is provided with a settlement processing module 2 for processing settlement using the authentication combining the end-to-end medium-ownership authentication and the disposable authentication code authentication 00). The authentication module 270 and the payment processing module 200 may be implemented in the form of an integrated module on one server or in the form of modules interlinked on a separate server.

The payment processing module 200 is a module provided in a server connected to a server performing at least a part of the payment procedure requested from the merchant terminal 100 of the user or a server performing the payment procedure, (Or distributed to two or more servers) in at least one of the payment relay server 120 and the financial company server 130 according to a method. Meanwhile, the payment processing module 200 may be provided in an operation server 125 connected to at least one server of the payment relay server 120 and the financial company server 130.

Referring to FIG. 2, the payment processing module 200 of the server side 115 registers the payment means information issued to the user in the financial institution, so as to be associated with authentication combining the end-to-end medium ownership authentication and the disposable authentication code authentication And a payment means registration unit 202 for storing the payment means registration information in the designated storage medium 135.

The payment means registration unit 202 receives the payment means information and user information of the user from the terminal 110 used by the user and receives the payment information corresponding to the payment means information from the financial institution And then stores the payment means information of the authenticated user in the designated storage medium 135. [ Preferably, the payment means registration unit 202 stores the user information (or the user identification value based on the user information) and the payment means information (or the payment means identification value) of the user on the designated storage medium 135 .

According to the method of the present invention, when the non-contact medium 105 issued to the user is registered in the storage medium 135 of the authentication module 270 before the user's payment means is registered or in association with the payment means registration, The payment means registration unit 202 may register the payment means of the user and the noncontact medium 105 of the user to be mapped. On the other hand, when the noncontact medium 105 is registered after the payment means of the user is registered, the payment means registration unit 202 registers the noncontact medium 105 (which is registered in the authentication module 270) in cooperation with the authentication module 270 ) And the payment means of the registered user.

If the payment means of the user is registered through the terminal 110, the payment means registration unit 202 maps and registers the payment means of the user with the terminal 110 and / (Or linked) with a corresponding interlocking module 250. [0050] Alternatively, the payment means registration unit 202 can map the payment means of the user to the authentication module 270, and thus the present invention is not limited thereto.

Referring to FIG. 2, the payment processing module 200 of the server side 115 includes a payment request confirmation unit 204 for confirming payment requested from the merchant terminal 100 through a payment channel, A terminal confirmation unit 206 for confirming a user terminal 110 to be interfaced with the chip 220 of the noncontact medium 105 of the user based on the user's noncontact medium 105, And an authentication request unit 208 for requesting authentication in which the end-to-end medium-ownership authentication using the terminal unit 110 and the one-time authentication code authentication using the authentication unit 208 are combined. The user uses the terminal 110 based on the information displayed through the merchant terminal 100 The terminal confirmation unit 206 and the authentication request unit 208 can be omitted in a case where the authentication combining the end-to-end media-proprietary authentication and the one-time authentication code authentication can be performed.

The user visits the offline merchant to purchase the merchandise and requests the settlement using the authentication combining the end-to-end media ownership authentication and the disposable authentication code authentication according to the present invention during or after the merchandise purchase procedure to be started. Unit 204 receives settlement request information from the merchant terminal 100 through a payment channel. The payment request information includes the payment amount and merchant information, and may further include purchase product information according to the method.

The terminal confirmation unit 206 identifies the user terminal 110 to be interfaced with the chip 220 of the noncontact medium 105 based on the payment request through the payment channel. According to the method of the present invention, the information on the terminal 110 may be registered in the payment processing module 200 or received in the payment request information.

When the user terminal 110 to be interfaced with the chip 220 of the noncontact medium 105 of the user is confirmed through the terminal confirmation unit 206, the authentication request unit 208 transmits the authentication request to the user terminal 110 End medium possessing authentication using the noncontact medium 105 of the user and the disposable authentication code authentication. For example, if the user's terminal 110 is a smartphone capable of receiving a push notification, the authentication request unit 208 can process the user's terminal 110 to be notified of a push notification requesting the authentication have.

The user terminal 110 is provided with a program corresponding to (or linked with) the interlocking module 250 that interfaces with the noncontact medium 105 of the user. The program may be loaded by the manufacturer of the terminal 110, mounted by a communication company of the terminal 110, or downloaded from a designated application providing server.

2, the interworking module 250 of the terminal 110 includes an interface checking unit 252 for checking whether the chip 220 of the non-contact medium 105 is interfaced with the terminal 110, And a chip interlocking procedure unit 254 for performing a procedure for providing one or more input values designated as chips 220 of the non-contact media 105 interfaced with the non-contact media 105 and 110.

The terminal 110 includes an NFC module that interfaces with the chip 220 of the noncontact media 105 according to a specified contactless interface standard and the NFC module is connected to a chip (not shown) of the noncontact medium 105 220). ≪ / RTI >

The interface verification unit 252 interlocks with the NFC module of the terminal 110 to check whether the NFC module discovers at least one noncontact medium 105 according to the specified NFC standard. If at least one noncontact medium 105 to be interfaced with the NFC module is identified, the interface identifying unit 252 reads information (e.g., RST (ReSeT)) exchanged with the chip 220 of the noncontact medium 105, Contact medium 105 that is interfaced with the NFC module is connected to the chip module 220 according to the present invention by an ATR (Answer To Reset) And the chip 220 of the noncontact medium 105 provided with the nonvolatile memory 230.

The chip interlocking procedure unit 254 determines that the chip 220 of the noncontact medium 105 designated to the terminal 110 is interfaced with the input of the chip 220 of the noncontact medium 105 Contact medium 105 and provides the input value to the chip 220 of the interfaced non-contact medium 105 with the chip 220 of the noncontact medium 105 interfaced.

According to an embodiment of the present invention, the input value may be a time value obtained through the timer of the terminal 110, an eigenvalue unique to the terminal 110, , A received value received from the authentication module 270, and a generated value generated in the terminal 110. [ The time value is a generic name of a value corresponding to the internal time of the terminal 110, and may preferably include a value corresponding to a time synchronized with the standard time. The eigenvalue is a generic term for identifying the terminal 110 that is interfaced with the noncontact medium 105. It is preferable that the ecliptic value is a value indicating whether the program corresponding to the programmable interlocking module 250 is loaded in the terminal 110 A value uniquely stored in a memory unit (or a USIM or the like) of the terminal 110, a value uniquely stored in a memory unit of the terminal 110 through the specified authentication procedure after the program is loaded on the terminal 110 . The received values are collectively referred to as values received via a predetermined communication network through the communication module of the terminal 110 and preferably include values received via the communication network, can do. The generated value is a generic name of a value generated through a program corresponding to the interlocking module 250 provided in the terminal 110 (or a program associated with the interlocking module 250), and is preferably generated by the terminal 110 Lt; RTI ID = 0.0 > hash < / RTI > value.

According to the method of the present invention, the input value provided to the chip 220 of the noncontact medium 105 is a value (or configuration) of the data c to be encrypted within the chip 220 of the noncontact medium 105, (Or at least one of the encryption keys) for encrypting the data c in the chip 220 of the noncontact medium 105, or may be used as the noncontact (Or at least one of the configuration values) of the data c to be encrypted and the encryption key (or at least one of the encryption keys) for encryption within the chip 220 of the medium 105 Or < / RTI >

2, the chip module 230 of the noncontact medium 105 includes an input value receiving unit 234 for receiving an input value through the terminal 110, an input value receiving unit 234 for receiving data c An encryption processing unit 236 for generating and encrypting the encrypted data c to generate encryption data c and providing the generated encryption data c to the terminal 110 that is interfaced with the encrypted data c to be transmitted to the specified authentication module 270 And a PIN authentication unit 232 having a data providing unit 238 and performing an authentication procedure for using the chip 220 of the noncontact medium 105 according to an embodiment of the present invention.

When the chip 220 of the noncontact medium 105 is interfaced with the terminal 110, the interlocking module 250 of the terminal 110 acquires one or more designated input values and transmits the chip of the noncontact medium 105 And the input value receiving unit 234 receives the input value from the interfacing terminal 110. [ The input value may be a time value obtained through the timer of the terminal 110, an eigenvalue uniquely assigned or assigned to the terminal 110, a received value received from the outside of the terminal 110, ) Of the generated values. According to another embodiment of the present invention, when the input value provided from the terminal 110 is not used to configure or encrypt the data (c), the input value receiver 234 may be omitted, The invention is not limited.

The encryption processing unit 236 encrypts the stored value stored in the chip 220 of the noncontact medium 105 using one or more of the stored values stored in the nonvolatile memory 105 and the input values received from the terminal 110, (C) corresponding to the object.

According to the first data (c) of the present invention, the data (c) may include a storage value (e.g., unique code, etc.) stored in the chip 220 of the noncontact medium 105.

According to the second data (c) of the present invention, the data (c) includes an input value received from the interfaced terminal 110 (for example, a time value obtained through a timer of the terminal 110, 110, a received value received from the outside of the terminal 110, a generated value generated in the terminal 110, and the like).

According to the third data (c) of the present invention, the data (c) includes a generated value c generated within the chip 220 of the noncontact medium 105 A random number c for session key exchange, a hash value generated by hashing at least one of the stored value and the input value, and the like).

According to a fourth data (c) embodiment of the present invention, the data (c) includes a stored value stored in the chip 220 of the noncontact medium 105, an input value received from the terminal 110, And a generated value (c) generated in the memory 220. It is to be noted that what value is included in the data (c) can be modified according to the intention of a person skilled in the art, and the present invention covers all the variant embodiments as a scope of right.

According to a preferred embodiment of the present invention, the data (c) preferably includes the storage value, the input value and the random number c to enhance the security of end-to-end media-proprietary authentication. For example, the data (c) may include a unique code stored in the chip 220 of the noncontact medium 105, a time value and an eigen value received from the interfaced terminal 110 And the random number c generated in the chip 220. In this case, the unique code is a value for authenticating the noncontact medium 105 in the authentication module 270 The time value is used as a timestamp of end-to-end media-proprietary authentication, and the eigenvalue is used as a value for authenticating the terminal 110 interfaced with the non-contact medium 105 in the authentication module 270, The value (c) may be used as a value for exchanging the session key to be used for decryption of the encrypted data (s) encrypted in the authentication module 270.

If the data c corresponding to the encryption target is configured using at least one of the first to fourth data (c) embodiments, the encryption processing unit 236 encrypts the data c to be decryptable only through the designated authentication module 270 And encrypts the data (c) to generate encrypted data (c).

According to the first cipher data (c) embodiment of the present invention, the chip 220 of the noncontact medium 105 is provided with an encryption / decryption module (e.g., an encryption / decryption module) for decrypting the encrypted data only through the designated authentication module 270, Decryption algorithm and an encryption / decryption key value (e.g., a master key) may be embedded in the encryption / decryption function of the chip 220. The encryption processing unit 236 may encrypt the data c ) To encrypt the data (c) so as to be decryptable only through the designated authentication module (270) to generate the encrypted data (c).

According to the second cipher data (c) embodiment of the present invention, the chip 220 of the noncontact medium 105 may be subjected to a secondary issuance during the process of mounting the chip module 230 or after the chip module 230 is mounted (For example, a master key of the chip 220 or an encryption / decryption key recorded for encryption / decryption) stored at the time of issuing the encryption key, and the encryption processing unit 236 includes a specified authentication module 270 (C) as an encryption key and encrypts the data (c) so that the data c can be decrypted only through the specified authentication module 270 It is possible to generate the encrypted data (c).

According to the third cipher data (c) embodiment of the present invention, the encryption processing unit 236 includes an encryption function (for example, encryption algorithm) matched with the decryption function of the specified authentication module 270, (C) by encrypting the data (c) so that it can be decrypted only through the specified authentication module 270 by using a value designated as an encryption key among the input values received through the receiver 234 as an encryption key .

According to the fourth encryption data (c) embodiment of the present invention, the encryption processing unit 236 includes an encryption key generation function (e.g., a hash algorithm) and an encryption function matched with the decryption function of the specified authentication module 270 And generates an encryption key by applying at least one of an input value received through the input value receiver 234 and a storage value stored in the chip 220 to the encryption key generating function, The encrypted data c can be generated by encrypting the data c through the designated authentication module 270 in a decryptable manner.

According to a preferred embodiment of the present invention, the cryptographic processing unit 236 includes a unique code stored in the chip 220 of the noncontact medium 105, a time value received from the interfaced terminal 110, The encrypted data c may be generated by encrypting the data c including the random number c generated in the chip 220 through the master key if the terminal 110 is not authenticated .

When the encrypted data c is generated through the encryption processing unit 236, the data providing unit 238 provides the encrypted data c generated through the encryption processing unit 236 to the interfaced terminal 110 (C) to be transmitted to the designated authentication module 270 through the terminal 110. [

Referring to FIG. 2, the interlocking module 250 of the terminal 110 reads encrypted data (hereinafter referred to as encrypted data) encrypted within the chip 220 of the noncontact medium 105 from the chip 220 of the noncontact medium 105 and a data relay unit 256 for performing a procedure for transmitting the encrypted data c to the specified authentication module 270. The authentication module 270 may be a microprocessor,

The chip interlocking procedure unit 254 encrypts the data c from the chip 220 of the noncontact medium 105 interfaced with the NFC module of the terminal 110 inside the chip 220 of the non- And receives the generated cipher data c. At this time, the encrypted data (c) can not be decrypted by the terminal 110.

The data relay unit 256 performs a procedure for transmitting the encrypted data (c) to the designated authentication module 270. The data relaying unit 256 may transmit the cipher data c to the server having the authentication module 270. The data relay unit 256 may transmit the encryption data c to the relay server associated with the server having the authentication module 270. The relay server may transmit the encryption data c to the authentication module 270 270). Alternatively, the data relay unit 256 may provide the encryption data c to a program communicating with a server having the authentication module 270 among the programs of the terminal 110, 270 to transmit the encrypted data (c).

The chip interworking procedure unit 254 transmits the data s including the dynamic code dynamically generated by the authentication module 270 to the chip 220 of the noncontact medium 105 through the chip 220 The interlocking state of the noncontact medium 105 with the chip 220 is preferably maintained until decrypted encrypted data (s) is received.

2, the authentication module 270 of the server side 115 stores authentication information for authenticating the key value (s) and / or the data (c) for decrypting the encrypted data (c) And an information storage unit 272. The key value s may include a key having a symmetric key relationship with the key value c provided in the chip 220 of the noncontact medium 105 or a key having a public key infrastructure relationship.

The information storage unit 272 checks the key value s for decrypting the encrypted password data c in the chip 220 of the noncontact medium 105 issued to the user and stores the key value s in the designated storage medium 135 do. The information storage unit 272 may store a key provided on the chip 220 of the noncontact medium 105 at least one of the first issuance, the second issuance, The key value s matching with the value c can be confirmed and stored in the designated storage medium 135. [ On the other hand, the authentication module 270 extracts / generates an encryption / decryption key to be used in the chip 220 of the noncontact medium 105 and provides the encrypted / decrypted key to the terminal 110 in the form of the received value, Decryption key is generated in the chip 220 of the authentication module 270 and the encryption / decryption key is also generated in the authentication module 270, the information storage unit 272 may not store the key value s in advance .

The information storage unit 272 confirms authentication information for authenticating the data c decrypted by the chip 220 of the noncontact medium 105 and stores the decrypted data c in the designated storage medium 135 . Preferably, when the data (c) includes a unique code stored in the chip 220 of the noncontact medium 105, the information storage unit 272 stores the primary issuance of the noncontact medium 105, The unique code included in the chip 220 of the noncontact medium 105 may be checked at least one time point of the issuance of the authentication code and the authentication information including the unique code may be stored in the designated storage medium 135. [ If the data c includes an eigenvalue unique to the terminal 110, the information storage unit 272 may transmit the data to the user terminal 110 via the interworking module 250 (or the interworking module 250) (Or a program) corresponding to the mobile terminal 250 is mounted, or after the mobile terminal 250 (or the program corresponding to the mobile terminal 250) Authentication information including the identified eigenvalues may be stored in the designated storage medium 135. [ On the other hand, the authentication module 270 extracts / generates the value included in the data (c) and provides the extracted value to the terminal 110 in the form of the received value or a rule matching the generation rule of the authentication module 270 If the generated value generated in the chip 220 of the terminal 110 or the noncontact media 105 is included in the data c, the information storage unit 272 may not store the generated value in advance.

According to the embodiment of the present invention, the key value (s) and the authentication information are used to identify a user who has been issued the noncontact medium 105, a terminal 110 to be interfaced with the noncontact medium 105 And an application identification value for identifying a terminal identification value of the terminal 110 and a program (e.g., a program corresponding to (or linked to) the interworking module 250) stored in the terminal 110 desirable.

Referring to FIG. 2, the authentication module 270 of the server side 115 receives data (c) encrypted by the chip 220 of the noncontact medium 105 interfaced with the terminal 110 A decryption processing unit 276 for decrypting the encrypted data c encrypted by the chip 220 of the noncontact medium 105 to confirm the data c; And an authentication procedure unit 278 for performing a procedure for authenticating validity. According to an embodiment of the present invention, the authentication procedure of the data (c) may be performed through a separate server. In this case, the authentication procedure unit 278 requests the authentication server to authenticate the data (c) . According to another modified embodiment of the present invention, it is possible to process the settlement using the end-to-end medium ownership authentication using the noncontact medium 105. In this case, the authentication module 270, And a result providing unit 290 for providing the authentication result of the data (c) performed through the database (278) to the designated path.

The encrypted data c transmitted from the chip 220 of the noncontact medium 105 is transmitted from the terminal 110 interfaced with the chip 220 of the noncontact medium 105 to the data receiving unit 274, (C) encrypted in the chip 220 of the contactless medium 105 interfaced with the terminal 110 via the path. The cipher data (c) according to an embodiment of the present invention can be received in association with at least one identification value.

The decryption processing unit 276 confirms the key value s corresponding to the chip 220 of the noncontact medium 105 interfaced with the terminal 110. [ The decryption processing unit 276 decrypts the encrypted data c from the chip 220 of the noncontact medium 105 using at least one identification value received from the terminal 110, The value (s) can be confirmed. The decryption processing unit 276 decrypts the encrypted data c from the chip 220 of the noncontact medium 105 using the identified key value s to confirm the data c.

When the data c includes the unique code, the authentication procedure unit 278 authenticates the validity of the unique code included in the data c using the unique code stored in the storage medium 135 Can be performed. Or if the data c includes an eigenvalue, the authentication procedure unit 278 authenticates the validity of the eigenvalues included in the data c using the eigenvalues stored in the storage medium 135 Can be performed. Alternatively, when the time value is included in the data (c), the authentication procedure unit 278 may store and manage the time value as a time stamp. Meanwhile, when the data (c) includes the value extracted / generated by the authentication module 270, the authentication procedure unit 278 reads the encrypted data c from the chip 220 of the noncontact medium 105, And generates and outputs a predetermined value to the terminal 110, and maintains the generated value. The validity of the value included in the data (c) can be verified by using the generated value.

In the case of processing settlement using the end-to-end media ownership authentication using the noncontact media 105 without combining the one-time authentication code authentication according to another modified embodiment of the present invention, And provide the authentication result of the data (c) performed through the authentication unit 278 to the designated path. Preferably, the authentication result may be provided to the result confirmation unit 210 of the payment processing module 200.

Referring to FIG. 2, the authentication module 270 of the server side 115 includes a dynamic code verification unit 280 for confirming a dynamic code generated dynamically for providing to the chip 220 of the noncontact medium 105, An encryption processing unit 282 for encrypting the generated dynamic code so as to be decryptable by the chip 220 of the noncontact medium 105 to generate encrypted data s, 110 and a data transfer unit 284 for transferring the data to the chip 220 of the noncontact medium 105.

When the encrypted data c is decrypted to confirm the data c and / or the validity of the data c is authenticated, the dynamic code verifying unit 280 determines whether or not the noncontact And identifies the dynamically generated dynamic code to be provided to the chip 220 of the medium 105. The dynamic code may be dynamically generated in the authentication module 270, or may be generated via a separate code generation server.

According to the first dynamic code generation method of the present invention, the dynamic code can be dynamically generated in a random value form of a designated size through a specified random number algorithm.

According to the second dynamic code generation method of the present invention, the dynamic code can be dynamically generated by applying one or more seeds to a specified code generation algorithm (for example, an algorithm for generating an OTP, a hash algorithm, etc.). At this time, the seed to be applied to the code generation algorithm preferably includes at least one fixed seed and a dynamic seed. Preferably, the seed includes values available in the authentication module 270, and at least one of the seeds may include a value included in the data (c). For example, a time value or a random value included in the data (c) may be used as a fixed seed, and a unique code included in the data (c) may be used as a fixed seed.

According to the embodiment of the present invention, the dynamic code verifying unit 280 maintains the generated dynamic code for a predetermined period of time (e.g., the authentication completion time of the disposable authentication code corresponding to the dynamic code) 200 to establish a mapping relationship with the payment means of the user registered through the payment method registration unit 202 for the predetermined period of time. In this case, the dynamic code may be used as a dynamic identification value that is mapped to the payment means of the user.

The encryption processing unit 282 generates / verifies an encryption key for generating encrypted data (s) so as to be decryptable through the chip 220 of the noncontact medium 105. [ Preferably, the encryption processing unit 282 can generate / verify an encryption key by generating a session key using the random number c and the key value s included in the data c. However, the encryption key is not limited to the type of the session key, and the key value (s) registered at at least one of the first issuance, the second issuance, and the post-issuance time of the noncontact medium 105 may be encrypted Or may generate an encryption key through a key generation algorithm that matches a key generation algorithm included in the chip 220 of the noncontact medium 105. [

According to an embodiment of the present invention, the encryption processing unit 282 may include a MAC (Message Authentication Code) for verifying the validity of the dynamic code to be provided to the chip 220 of the noncontact medium 105 through the encrypted data (s) Can be generated. For example, the encryption processing unit 282 may generate a MAC for verifying the validity of the dynamic code using the random number c and the session key. However, the MAC generation process is not limited to the above example, and various modifications may be made to those skilled in the art, and the present invention is not limited thereto.

The encryption processing unit 282 constitutes data s to be provided to the chip 220 of the noncontact medium 105 and encrypts the data s using the generated / s. Preferably, the data (s) includes the dynamic code, and may further include the MAC according to an implementation method.

The data transfer unit 284 transmits the encrypted data s to the terminal 110 through the designated path so that the encrypted data s is transmitted to the chip 110 of the non- (220). Preferably, the encrypted data (s) is transmitted to the terminal 110 along a reverse path of the path in which the encrypted data (c) is received, and reaches the interworking module 250. However, the path for transmitting the encrypted data (s) is not limited to the reverse path.

2, the interworking module 250 of the terminal 110 decrypts the data (s) including the dynamic code from the authentication module 270 through the chip 220 of the noncontact medium 105 A data relay unit 256 for receiving the encrypted data s as much as possible and a chip interlocking unit 256 for providing the encrypted data s to the chip 220 of the noncontact medium 105 interfaced with the terminal 110 And a procedure unit 254.

When the authentication module 270 generates and transmits the encrypted data s encrypted by decrypting the data s including the dynamic code through the chip 220 of the noncontact medium 105, (S) encrypted by encrypting the data (s) including the dynamic code via a designated path. The encrypted data (s) is not decrypted through the terminal 110.

The chip interlocking procedure unit 254 provides the cipher data s to the chip 220 of the noncontact medium 105 interfaced with the terminal 110 to thereby generate the decrypted data s ) In response to the authentication code corresponding to the dynamic code included in the authentication code.

2, the chip module 230 of the noncontact medium 105 includes a data verifying unit (not shown) for receiving the encrypted password data s from the interfaced terminal 110 via the authentication module 270 A decryption processing unit 242 for decrypting encrypted data s encrypted through the authentication module 270 to identify data s including a dynamic code, And a code providing unit (244) for identifying the disposable authentication code corresponding to the code and providing the disposable authentication code to the interfaced terminal (110).

The data verifying unit 240 decrypts the data s including the dynamic code dynamically generated in the authentication module 270 through the chip 220 of the noncontact medium 105 from the interfaced terminal 110 Possibly encrypted data (s).

The decryption processing unit 242 generates / verifies a decryption key for decrypting the encrypted data s through the authentication module 270, and decrypts the decrypted data s using the decrypted / And decodes the data s to perform a decoding procedure. The decryption of the encrypted data (s) may be performed through an encryption / decryption module corresponding to the encryption / decryption function provided in the chip 220 of the noncontact medium 105 or via the decryption processing unit 242 have. If decryption is performed through the encryption / decryption module, the decryption processing unit 242 may provide the encryption data (s) to the encryption / decryption module so as to be decrypted. Preferably, the data (s) includes the dynamic code, and may further include the MAC according to an implementation method.

When the encrypted data s is encrypted through the session key according to the embodiment of the present invention, the decryption processing unit 242 (or the encryption / decryption module) uses the random number c included in the data c, Generates and confirms a decryption key in the form of generating a session key using the key value c used to generate the decryption data c and generates the decryption key using the decryption key generated / It is possible to confirm the data s by decoding. However, the decryption key is not limited to the session key. The decryption key may be decrypted through a key generation algorithm that matches the key value c with a decryption key or a key generation algorithm included in the authentication module 270, Key can be generated. However, the decryption key is not limited to the session key. The decryption key may be decrypted through a key generation algorithm that matches the key value c with a decryption key or a key generation algorithm included in the authentication module 270, Key can be generated. Preferably, the data (s) comprises the dynamic code and may further comprise the MAC.

According to an embodiment of the present invention, the decryption processing unit 242 (or the encryption / decryption module) generates a MAC by using the same rules as the rules for generating a MAC in the authentication module 270, The validity of the dynamic code included in the data (s) can be verified in comparison with the included MAC.

When the encrypted data s is decrypted and the data s is verified and / or the MAC contained in the data s is verified, the code providing unit 244 decrypts the dynamic Check the disposable authentication code corresponding to the code.

According to the first authentication code verification method of the present invention, the code providing unit 244 can directly check the dynamic code included in the decrypted data (s) with a disposable authentication code.

According to the second authentication code verification method of the present invention, the code providing unit 244 can confirm a partial code of the dynamic code included in the decrypted data (s) with an authentication code of a specified number of digits. For example, when the dynamic code is a 16-byte code, the code providing unit 244 checks the 8-byte code of the 16-byte code with the authentication code, or writes the 6-byte code, , Or check the back seven byte code with the authentication code. Alternatively, the nibble or byte at the designated position can be selectively extracted and confirmed by the authentication code. If there is a padding area in the dynamic code, it is preferable not to include the padding area in some code corresponding to the authentication code.

According to the third authentication code verification method of the present invention, the code providing unit 244 can confirm the code generated by processing the dynamic code with the authentication code of the designated digit. For example, the authentication code may include a code that hashes the dynamic code with a specified hash algorithm. Alternatively, the authentication code may be generated by adding the dynamic code to a seed of a specified code generation rule (for example, a rule for using (possibly skipping) a hash algorithm for generating a code of a specified number of digits and at least one seed provided in the chip 220) As shown in FIG. Alternatively, the authentication code may include a code dynamically generated by using the input value as a seed of a designated code generation rule. Alternatively, the authentication code may include a dynamic generated code using the input value and the dynamic code as a seed of the designated code generation rule.

According to the fourth authentication code verification method of the present invention, the code providing unit 244 can identify N (N? 2) digit authentication codes by combining the first to third authentication code verification methods. For example, the code providing unit 244 configures a code (1? N <N) of the N-digit number of the authentication codes according to the second authentication code checking method, Nn) digits, and then the N-digit code and the (Nn) code are combined to confirm the N-digit number of the authentication code.

Meanwhile, the authentication code may have various forms or structures. According to the present invention, the authentication code is used as identification means for identifying the payment means of the user, and is used as authentication means for using the payment means of the user.

According to the first authentication code embodiment of the present invention, the authentication code may be in the form of a number of disposable numbers of a specified number of digits.

According to the second authentication code embodiment of the present invention, the authentication code may be in the form of a disposable string of a designated size formed by combining one or more of numbers, letters, symbols, and the like.

According to the third authentication code embodiment of the present invention, the authentication code may be in the form of a disposable card number or a disposable account number of a designated number system. For example, when the authentication code is in the form of a one-time card number, the dynamic code corresponds to the serial number of the card number system, combines the designated BIN to identify the one-time card number and generates the check sum digit The authentication code in the form of a disposable card number can be confirmed.

The code providing unit 244 provides the interfaced terminal 110 with a disposable authentication code identified through at least one of the first to fourth authentication code checking methods. The disposable authentication code provided to the terminal 110 may be in the form of the first to third authentication code embodiments and may be transmitted to the terminal 110 through the program of the terminal 110, Can be processed in the form of an embodiment.

According to the method of the present invention, when the disposable authentication code is transmitted to the authentication module 270 through the path specified through the interlocking module 250 of the terminal 110, the encryption processing unit 236 transmits the disposable authentication code Can be decrypted only through the authentication module 270 and transmitted. In this case, the disposable authentication code is encrypted according to the encryption method of the encryption data (c), or is encrypted by reusing the decryption key generated / confirmed to decrypt the encryption data (s) as an encryption key, May be encrypted by generating / verifying a new encryption key based on the further exchanged value in the process of receiving the data (s).

Meanwhile, the PIN authentication unit 232 of the chip 220 of the noncontact medium 105 transmits the input value via the input value receiving unit 234 to a point of time before or after the input value is received, The authentication process for using the chip 220 of the noncontact medium 105 can be performed at a specified time point before, during, or after receiving the encrypted data (s). Preferably, the authentication procedure for using the chip 220 may include a PIN authentication procedure.

Referring to FIG. 2, the interlocking module 250 of the terminal 110 reads encrypted data (s) from the chip 220 of the noncontact medium 105 inside the chip 220 of the noncontact medium 105 A chip interlocking procedure unit 254 for performing a procedure for receiving a disposable authentication code corresponding to the dynamic code contained in the decrypted data s, and a disposable authentication code transmitted to the authentication module 270 through the designated path And a code processing unit 258 for performing a procedure for performing the above-described operations.

If a disposable authentication code corresponding to the dynamic code included in the data (s) obtained by decoding the encrypted data (s) is confirmed and transmitted within the chip 220 of the noncontact medium 105, the chip interlocking procedure unit 254 receive the disposable authentication code from the chip 220 of the interfaced noncontact media 105.

According to the first authentication code processing method of the present invention, when an input area for inputting a disposable authentication code is displayed on the screen of the terminal 110, the code processing unit 258 automatically transmits the disposable authentication code to the input area And the input authentication code is transmitted to the authentication module 270 through the designated path according to the specified security procedure. Preferably, the disposable authentication code may be automatically entered into an input area of a program corresponding to (or linked to) the interlock module 250.

According to the second authentication code processing method of the present invention, the code processing unit 258 transmits the disposable authentication code to the authentication module 270 through the designated path according to the specified security procedure without displaying / Can be performed. The disposable authentication code may be transmitted through a program corresponding (or linked) to the interworking module 250.

Meanwhile, according to another embodiment of the present invention, the code processing unit 258 may perform a process of processing the disposable authentication code to be displayed on the screen of the terminal 110. In this case, the disposable authentication code May be input to the input area displayed on the merchant terminal 100 used by the user and may be transmitted to the authentication module 270 through the route designated in accordance with the security procedure set in the payment channel with the merchant terminal 100. [ The disposable authentication code can be keyed into the merchant terminal 100 after being displayed in a key inputable form. Alternatively, the disposable authentication code may be displayed in the form of a bar code (or two-dimensional bar code) image, and may be recognized through the merchant terminal 100.

2, the authentication module 270 of the server side 115 decrypts encrypted data (s) in the chip 220 of the non-contact medium 105 interfaced with the terminal 110 a code receiving unit 286 for receiving a disposable authentication code corresponding to the dynamic code included in the received authentication code through a designated path, a code authentication unit 288 for performing a procedure for authenticating the validity of the received authentication code, And a result provider 290 for providing the authentication result of the disposable authentication code performed through the code authentication unit 288 to the designated path.

The code receiving unit 286 receives the discrete authentication code corresponding to the dynamic code included in the data s decrypted by the encrypted data s and outputs the disposable authentication code to the chip 220 of the noncontact medium 105, And may receive the disposable authentication code from the terminal 110 via a specified security procedure and path.

The disposable authentication code corresponding to the dynamic code contained in the data (s) obtained by decoding the encrypted data (s) within the chip 220 of the noncontact medium 105 is transmitted to the noncontact medium 105 The code receiving unit 286 receives the disposable authentication code from the merchant's terminal 200, which is input with the disposable authentication code, And can receive the disposable authentication code from the terminal 100 through a specified security procedure and path.

The code authenticating unit 288 verifies the dynamic code verified through the dynamic code verifying unit 280 or the dynamic code provided to the terminal 110 through the data transmitting unit 284, After verifying the authentication code, it can be compared with the disposable authentication code received through the code receiving unit 286 to verify the validity. In this case, the code authentication unit 288 provides the disposable authentication code to the code authentication server, requests authentication, and receives a result of the authentication .

The result provider 290 is generated and encrypted at the server side 115 as the authentication result of the cipher data c generated in the chip 220 of the noncontact medium 105 and is transmitted to the chip of the non- The authentication result for the disposable authentication code corresponding to the dynamic code decrypted by the chip 220 of the noncontact medium 105 is provided to the authentication server 220 and the authentication result is provided through the designated path. Preferably, the authentication result may be provided to the result confirmation unit 210 of the payment processing module 200.

2, the payment processing module 200 of the server side 115 includes a result confirmation unit 210 for confirming an authentication result performed through the authentication module 270, In the case where the authentication result confirmed by the payment request registration unit 202 is successful, the payment procedure corresponding to the payment request confirmed through the payment request confirmation unit 204 is performed using the payment means of the user registered through the payment method registration unit 202 And a settlement procedure performing unit 212 for processing the settlement schedule.

The result confirming unit 210 confirms the authentication result in which the end-to-end medium-owning authentication using the non-contact medium 105 performed through the authentication module 270 is combined with the disposable authentication code authentication. According to an embodiment of the present invention, the result confirming unit 210 can confirm the end-to-end medium ownership authentication result using the non-contact medium 105 performed through the authentication module 270, and thus the present invention is not limited thereto .

The settlement procedure execution unit 212 reads the authentication result confirmed by the result confirmation unit 210 and confirms that the authentication is successful. If the end-to-medium-medium-ownership authentication result and / or the one-time-use authentication code authentication result using the noncontact medium 105 of the user is successfully authenticated, the payment procedure execution unit 212 registers And processes the user's payment means to be used for the payment request confirmed through the payment request confirmation unit 204. [

If the payment processing module 200 is provided in the financial company server 130 and the payment means of the user is registered in the storage medium 135 of the financial company, (For example, extracting the payment method information of the user mapped with the noncontact medium 105 corresponding to the authentication result, extracting the payment method information of the user mapped to the terminal 110, Extracting the payment method information of the user mapped to the program of the user 110, extracting the payment method information of the user mapped with the authentication module 270, and the like) 204 to perform the payment approval procedure for the payment request information confirmed through the payment processing unit 204. [

Or the settlement processing module 200 is provided in a server other than the financial company and the payment means information of the user is registered in the storage medium 135 of the financial company and the storage medium 135 ), The payment procedure performing unit 212 extracts the payment means identification value from the storage medium 135 of the server (e.g., extracts the payment means identification value from the noncontact medium 105 corresponding to the authentication result, Extracting the payment means identification value of the mapped user, extracting the payment means identification value of the mapped user with the terminal 110, extracting the payment means identification value of the user mapped with the program of the terminal 110, And extracts the settlement identification value of the extracted user and the settlement request information confirmed through the settlement request verification unit 204 from the financial institution server corresponding to the payment means of the user, (130) to request the payment approval procedure to be performed.

On the other hand, the payment processing module 200 may be configured so that the payment processing module 200 processes the payment procedure for the payment request using the payment means of the user registered through the payment method registration unit 202 The server and the payment means of the user can be variously modified according to the registered storage medium 135. It is clear that the present invention includes the number of all cases that can be modified depending on each server as a right range I will.

FIG. 3 is a diagram illustrating an operation of the payment processing module 200 according to an embodiment of the present invention and a process of requesting a merchant payment.

3, when the payment processing module 200 requests payment using the payment channel after the merchant terminal 100 registers the payment means of the user, the payment processing module 200 confirms the payment request 3, the operation of the payment processing module 200 and the various methods of the payment request process (refer to FIG. 3) will be described in detail with reference to FIG. 3 For example, some of the steps may be omitted or the order may be changed. However, the present invention includes all of the above-described embodiments, and the technical features of the method of FIG. It is not limited.

Referring to FIG. 3, the payment processing module 200 registers the payment means of the user to be used in the payment procedure from the user's terminal 110 and stores the payment means in the storage medium 135 (300). If at least one identification value to be mapped to the payment means of the user is confirmed, the payment processing module 200 determines that the payment means has at least one identification value (305).

After the user visits the offline merchant, purchases the merchandise, and requests payment, the merchant terminal 100 receives payment information for requesting payment (310). If the payment information is input, the merchant terminal 100 determines whether settlement using authentication combining the end-to-end media-proprietary authentication using the non-contact medium 105 and the disposable authentication code authentication is selected (315). If the settlement using the authentication combining the end-to-end media ownership authentication using the non-contact medium 105 and the one-time authentication code authentication is not selected, the merchant terminal 100 performs the conventional settlement procedure (320). On the other hand, if settlement using authentication combining the end-to-end medium-ownership authentication using the non-contact medium 105 and the one-time authentication code authentication is selected, the merchant terminal 100 transmits the settlement processing module 200 to the payment processing module 200 via the payment channel, (325) a settlement using authentication combining the end-to-end media ownership authentication using the medium 105 and the one-time authentication code authentication.

The settlement processing module 200 confirms the settlement request using the authentication combining the end-to-end medium-ownership authentication using the noncontact medium 105 of the user and the disposable authentication code authentication from the merchant terminal 100 through the payment channel 330). Preferably, the payment processing module 200 may receive payment request information including a payment amount, merchant information, and a user identification value.

If the settlement processing module 200 requests settlement using an authentication between the end-to-end medium-ownership authentication using the user's non-contact medium 105 and the one-time authentication code authentication, End medium ownership authentication using the noncontact medium 105 of the user to the user's terminal 110 via the designated path and a one-time authentication using the noncontact medium 105 of the user through the designated path (step 335) (340).

4 illustrates an end-to-end media owning authentication process between the chip 220 and the server side 115 of the noncontact medium 105 according to an embodiment of the present invention.

4 illustrates a case where a chip module 230 provided in a chip 220 of a non-contact medium 105 interfaced with a terminal 110 generates cryptographic data c and transmits the cryptographic data c to the interlocking module 250 The authentication module 270 of the server side 115 authenticates the chip 220 of the noncontact medium 105 through the cipher data c, The process of authenticating the validity of the terminal 110 (or program) interfaced with the chip 220 of the noncontact media 105 is described. If a person skilled in the art is familiar with the present invention, (E.g., omitting some steps or changing the order) for the end-to-end media-proprietary authentication process, the present invention can be applied to all of the above- Method, and the thread shown in FIG. 4 Only the method is not limited that technical feature.

Referring to FIG. 4, the authentication module 270 determines whether the noncontact medium 105 has been issued for the first time, the second time, or after the noncontact medium 105 has been issued (S) for decrypting the encrypted data (s) generated by the chip (220) of the noncontact medium (105) at least one time and storing the key value (s) in the designated storage medium (400). In addition, the authentication module 270 determines whether the non-contact media 105 is to be inserted into the non-contact media 105 at least at one of the time of the primary issuance, the secondary issuance, The authentication information including the unique code recorded in the storage medium 135 may be checked and stored in the storage medium 135 (400). Meanwhile, the authentication module 270 determines whether or not the terminal 110 (or the program) is interfaced with the chip 220 of the noncontact medium 105 in the process of authenticating ownership of media between the endless medium and the chip 220 of the non- (Step 400). In step 400, authentication information including the unique value of the terminal 110 on which the interworking module 250 is mounted is confirmed and stored in the designated storage medium 135 in order to authenticate the validity of the terminal.

End media ownership authentication between the chip 220 and the server side 115 of the noncontact media 105 according to the present invention is performed by the chip 110 of the noncontact media 105 May be interfaced. The chip 220 of the noncontact medium 105 is connected to the terminal 110 of the user on the screen of the merchant terminal 100 in order to induce the chip 220 of the noncontact medium 105 to interface with the terminal 110 Information to guide the noncontact media 105 from the payment processing module 200 to the user's terminal 110 may be provided.

Referring to FIG. 4, the interworking module 250 provided in the user terminal 110 transmits a chip (not shown) of the noncontact medium 105 through the contactless interface of the terminal 110 according to the request / 220) is interfaced to the terminal 110 (step 405). The interlocking module 250 can confirm whether the chip 220 of the noncontact medium 105 interfaces with the NFC module of the terminal 110 through the NFC.

If it is confirmed that the chip 220 of the noncontact medium 105 is interfaced with the terminal 110, the interlocking module 250 obtains an input value to be provided to the chip 220 of the noncontact medium 105 410). The input value may be a time value obtained through the timer of the terminal 110, an eigenvalue unique to the terminal 110, ), And a generated value generated in the terminal 110, and the interworking module 250 may transmit the input value (e.g., the received value) (Or a separate receiving value providing server) in order to obtain the authentication information.

The interlocking module 250 provides the input value to the chip 220 of the interfaced noncontact medium 105 and transmits the input value to the chip module 230 provided on the chip 220 of the non- (420) the input value from the interfaced terminal (110).

The chip module 230 includes at least one of a unique code provided in the chip 220 of the noncontact medium 105 and an input value received from the terminal 110, (c) of the noncontact medium 105 (425), and at least one of the primary issuance, the secondary issuance, and the post issuance time of the noncontact medium 105 includes a key value (c) to encrypt the data (c) so as to be decryptable only through the designated authentication module 270 using the encrypted data (c) (430).

If the encrypted data c is generated, the chip module 230 provides the encrypted data c to the interfaced terminal 110 in step 435 and transmits the encrypted data c to the interfacing module 250 of the terminal 110. [ (C) from the chip 220 of the interfaced non-contact medium 105 (440).

The interlocking module 250 performs a procedure of transmitting the encrypted password data c in the chip 220 of the noncontact medium 105 to the designated authentication module 270 through the designated path 445, The authentication module 270 provided in the non-contact medium 105 receives the encrypted encrypted data c in the chip 220 of the noncontact medium 105 through the designated path (450).

The authentication module 270 checks the key value s registered at least one of the first issuance, the second issuance, and the post-issuance time of the noncontact medium 105 in order to decrypt the encrypted data (c) And decrypts the encrypted data c in the chip 220 of the noncontact medium 105 using the key value s to decrypt the encrypted data c in the chip 220 of the non- The configured data c is confirmed (460). If the time value supplied from the interlocking module 250 to the chip 220 of the noncontact medium 105 is included in the data c, the authentication module 270 determines that the time value included in the data c The corresponding time stamp can be confirmed and stored.

The authentication module 270 may store the authentication information registered in at least one of the time of the primary issuance, the secondary issuance and the post issuance of the noncontact media 105 (for example, stored in the chip 220 of the noncontact media 105) Authenticating (465) the validity of data (c) configured in the chip (220) of the noncontact media (105) and / or using the interlocking module (250) (Or cooperating) with the terminal 110 (or the interlocking module 250) at a time point either before or after being mounted on the terminal 110 that is interfaced with the noncontact media 105, (C) configured in the chip 220 of the noncontact medium 105 by using the authentication information (for example, an eigenvalue or the like uniquely provided / assigned to the terminal 110) (465).

According to the method of the present invention, the authentication of the data (c) using the authentication information registered at least one of the time of the primary issuance, the secondary issuance, and the issuance of the noncontact medium 105 is performed by the non- ) Authentication of the data (c) using the authentication information registered through the terminal 110 (or the program corresponding to (or linking with) the interworking module 250) (Or program) that is interfaced with the chip 220 of the noncontact medium 105. The end-

If the validity of the data (c) is not authenticated, the authentication module 270 generates an authentication error of the end-to-end media owning authentication and transmits it through a designated path (470) End medium-entitlement authentication authentication error (step 475).

On the other hand, if the validity of the data (c) is authenticated, the authentication module 270 checks the dynamically generated dynamic code, encrypts the encrypted dynamic code only through the chip 220 of the noncontact medium 105, Can be performed.

5 shows a process of providing end-to-end medium-ownership authentication and disposable authentication codes between the chip 220 and the server side 115 of the noncontact medium 105 according to an embodiment of the present invention.

5 shows the encrypted data c constructed and communicated in the chip 220 of the noncontact medium 105 through the process shown in FIG. 4 in the authentication module 270 of the server side 115 The encrypted dynamic code generated by the server side 115 is decrypted only through the chip 220 of the noncontact medium 105 and is transmitted to the chip 220 of the noncontact medium 105 through the terminal 110 And a disposable authentication code corresponding to the dynamic code of the server side 115 decrypted through the chip 220 of the noncontact medium 105 is provided to the terminal 110. In this example, Those skilled in the art will be able to refer and / or modify FIG. 5 to illustrate the various ways of performing the end-to-end authentication and authentication code delivery process (e.g., some steps may be omitted, Can be inferred from Would, in the present invention are made, including any exemplary way in which the inference, to which the technical feature that is not limited to the exemplary method shown in the figure 5.

Referring to FIG. 5, when the validity of the data c decrypted by the encrypted data c constituted within the chip 220 of the noncontact medium 105 is verified through the process shown in FIG. 4, Module 270 identifies dynamic generated dynamic code at server side 115 based on the authentication result of end-to-end media owning authentication (500). According to an embodiment of the present invention, the dynamic code includes at least one of a dynamically generated code value in the form of a random value of a specified size through a specified random number algorithm, a dynamic value generated by applying one or more seeds to a specified code generation algorithm .

If the dynamic code generated on the server side 115 is confirmed, the authentication module 270 decrypts the dynamic code only through the chip 220 of the noncontact medium 105 interfaced with the terminal 110 (505). &Lt; / RTI &gt; For example, the authentication module 270 may generate an encryption key in the form of a session key using the random number c and the key value s included in the data c. Meanwhile, the authentication module 270 may generate a MAC for verifying the dynamic code in the chip 220 of the non-contact medium 105 (510). The authentication module 270 includes the identified dynamic code and configures the data (s) further including the MAC according to an implementation method (515), and transmits the generated data to the noncontact medium (520) by encrypting the data (s) so as to be decryptable only through the chip (220) of the encrypted data (s).

If the encrypted data s is generated, the authentication module 270 transmits the encrypted data s through the designated path 525 and transmits the encrypted data s to the terminal 220 interfaced with the chip 220 of the non- The interworking module 250 of the terminal 110 receives the encrypted data s through the designated path (530).

The interlocking module 250 provides cryptographic data s to the chip 220 of the interfaced noncontact media 105 and transmits the cryptographic data s to the chip module 230 provided in the chip 220 of the non- Receives the encrypted data (s) from the interfaced terminal 110 (540).

The chip module 230 generates or confirms a decryption key for decrypting the encrypted encryption data s through the authentication module 270 in the chip 220. Preferably, the chip module 230 decrypts the encrypted data (s) through a matching process with a process of generating / verifying an encryption key for generating the encrypted data (s) in the authentication module 270 / RTI &gt; and / or &lt; / RTI &gt;

The chip module 230 decrypts encrypted data s through the authentication module 270 through the generated / confirmed decryption key to verify the data s. Meanwhile, if the data (s) includes a MAC, the chip module 230 can verify the MAC included in the decoded data (s) (555). If the MAC is not verified, the chip module 230 provides an authentication error to the interfaced terminal 110 in operation 560, and the interfacing module 250 of the terminal 110 transmits the interfaced non- (Step 565).

If the encrypted data s is decrypted and the data s is verified and / or the MAC contained in the data s is verified, the chip module 230 may include the decrypted data s The interworking module 250 of the terminal 110 determines whether the interfaced module 210 is interfaced with the interfaced terminal 110. The interfaced module 250 of the interfacing terminal 110 may be configured to determine The disposable authentication code is received from the chip 220 of the non-contact medium 105 (580).

The interlocking module 250 performs a procedure of providing a disposable authentication code received from the chip 220 of the noncontact medium 105 to the authentication module 270 through a designated path (585). For example, if an input area for inputting a disposable authentication code is displayed on the screen of the terminal 110, the interlocking module 250 may process the disposable authentication code to be automatically input to the input area, The input authentication code can be transmitted to the authentication module 270 via the designated path according to the specified security procedure. Alternatively, the interlocking module 250 may perform a procedure of transmitting the disposable authentication code to the authentication module 270 through a designated path according to a specified security procedure without a display / automatic entry procedure of the disposable authentication code. Meanwhile, the disposable authentication code may be transmitted to the authentication module 270 through a program corresponding (or linked) to the interlocking module 250.

FIG. 6 illustrates a process of authenticating a disposable authentication code and providing a settlement procedure according to an embodiment of the present invention.

FIG. 6 shows the details of the payment request requested through the payment channel using the payment means of the previously registered user based on the end-to-end medium ownership authentication result and / or the one-time authentication code authentication result using the non- If the person skilled in the art is familiar with the present invention, referring to and / or modifying FIG. 6, the disposable authentication code authentication and payment procedure providing process It is to be understood that the invention may be practiced otherwise than as specifically described herein, but it will be appreciated that the invention may be practiced otherwise than as specifically described herein, The technical characteristics thereof are not limited.

Referring to FIG. 6, the authentication module 270 receives a disposable authentication code corresponding to the dynamic code decrypted by the chip 220 of the noncontact medium 105 interfaced with the terminal 110 through a designated path (600 ).

If the disposable authentication code is received through the designated path, the authentication module 270 transmits the disposable authentication code to the chip 220 of the non-contact medium 105 interfaced with the user's terminal 110 through the process shown in FIG. 5 (605) the validity of the disposable authentication code received through the terminal (110) using the dynamic code.

If the validity of the received disposable authentication code is not authenticated, the authentication module 270 transmits an authentication error for the authentication code to the interworking module 250 of the terminal 110 over the designated path (610) , The terminal 110 receives and outputs the authentication error through the designated path (615).

Meanwhile, if the validity of the received disposable authentication code is authenticated, the authentication module 270 provides the authentication result including the identification value mapped to the payment means of the user to the payment processing module 200 (620) The payment processing module 200 receives the authentication result from the authentication module 270 (625).

The payment processing module 200 confirms the payment means of the user mapped with at least one identification value through the process shown in FIG. 3 based on the authentication result (630). If the payment method of the user is confirmed, the payment processing module 200 uses the payment means of the identified user to perform a payment procedure of the payment request requested from the merchant terminal 100 through the process shown in FIG. (635). Here, the authentication result is used as an identification means for identifying the payment means of the user, and can be further used as an authentication means of the payment procedure using the payment means of the user according to the method of operation.

If the settlement process using the payment means of the user is completed (or stopped), the payment processing module 200 provides the settlement processing result to the merchant terminal 100 (640).

100: Merchant terminal 105: Non-contact medium
110: terminal 115: server side
120: payment relay server 125: operational server
130: Financial institution server 200: Payment processing module
202: settlement means registration unit 204: settlement request confirmation unit
206: terminal verification unit 208: authentication request unit
210: Result confirmation unit 212:
220: chip 230: chip module
232: PIN authentication unit 234: Input value receiver
236: encryption processing unit 238: data providing unit
240: data checking unit 242: decoding processing unit
244: code providing unit 250: interlocking module
252: Interface Verification Unit 254: Chip Interoperation Procedure Unit
256: data relay unit 258: code processing unit
270: Authentication module 272: Information storage unit
274: Data reception unit 276: Decryption processing unit
278: Authentication procedure unit 280: Dynamic code verification unit
282: encryption processing unit 284:
286: Code receiving unit 288: Code authentication unit
290: Results provided

Claims (27)

A merchant payment processing method executed by a server that communicates with a terminal of a user interfaced with a chip of a noncontact medium owned by a user,
(C) generated within the chip of the noncontact medium is encrypted with the chip of the noncontact medium when the payment request is confirmed from the merchant terminal, A first step of receiving from the terminal;
A second step of confirming a dynamically generated dynamic code for providing to the chip of the noncontact medium based on a result of the validity check of the data (c) decrypted by the encrypted data (c);
A third step of providing encrypted data (s) obtained by encrypting data (s) including the dynamic code to a chip of the noncontact medium via a terminal interfaced with the chip of the noncontact medium;
A fourth step of decrypting the encrypted data (s) in a chip of the noncontact medium from a terminal interfaced with the chip of the noncontact medium and receiving a disposable authentication code corresponding to the confirmed dynamic code; And
And a fifth step of, when the validity of the authentication code is authenticated, processing the payment procedure requested by the merchant terminal using the payment means of the previously registered user, A method of payment processing for a merchant using the method.
The method according to claim 1,
Further comprising the step of registering the payment means of the user in a designated storage medium and registering the payment means in a designated storage medium.
The method according to claim 1,
Further comprising registering and storing a unique code recorded on a chip of the noncontact medium of the user, and storing the unique code recorded on the chip of the noncontact medium of the user.
The method according to claim 1,
Further comprising the step of registering and storing the key value (s) corresponding to the key value (c) recorded in the chip of the noncontact medium of the user. How to process merchant payment.
The method according to claim 1,
Further comprising the step of mapping registration of the user's payment means and the noncontact media of the user to the merchant payment processing method using the end-to-end medium accessory authentication and the disposable authentication code authentication.
The method according to claim 1,
Further comprising the step of performing a registration and mapping process of mapping the user's payment means and the terminal of the user to the merchant payment process using the end-to-end media-owned authentication and the disposable authentication code authentication.
The method according to claim 1,
Further comprising the step of mapping and registering the user's payment means and a program stored in the terminal of the user. The method of claim 1, further comprising:
The method according to claim 1,
Further comprising the step of confirming a terminal of a user capable of interfacing with the chip of the noncontact medium held by the user when the payment request is confirmed from the merchant terminal, using the end-to-end medium accessory authentication and the disposable authentication code authentication How to process merchant payment.
9. The method of claim 8,
Further comprising the step of requesting the terminal of the identified user to interface with the noncontact media. The method of claim 1, further comprising:
2. The method according to claim 1, wherein the data (c)
And a unique code recorded on a chip of the noncontact medium. The method of claim 1,
2. The method according to claim 1, wherein the data (c)
And the input value input to the chip of the noncontact medium through the terminal of the user includes the end-to-end media ownership authentication and the disposable authentication code authentication.
12. The method of claim 11,
A time value obtained through a timer of the terminal,
A unique value uniquely provided / assigned to the terminal,
A reception value received from the outside of the terminal,
And generating at least one or more than one of the generated values in the terminal.
2. The method according to claim 1, wherein the data (c)
And a random number value (c) generated in the chip of the noncontact medium.
2. The method according to claim 1, wherein the encrypted data (c)
(C) recorded in the chip of the noncontact medium is used as an encryption key to decrypt the encrypted data in the chip of the noncontact medium only through the authentication module having the key value (s) corresponding to the key value The method comprising the steps of: (a) receiving an authentication request from a merchant;
The method according to claim 1,
(C) configured to decrypt the received encrypted data (c) through a key value (s) corresponding to a key value (c) recorded on a chip of the noncontact medium to identify data (c) -Stage 1; And
(C) authenticating the validity of the decrypted data (c). The method of processing a merchant payment using end-to-end medium-ownership authentication and disposable authentication code authentication.
16. The method as claimed in claim 15,
And comparing and authenticating the inherent code registered in the registration process of the noncontact media with the inherent code contained in the data (c), wherein the merchant payment process using the one-time authentication Way.
2. The method of claim 1,
Wherein the generated random number is dynamically generated in the form of a random value of a designated size through a specified random number algorithm.
2. The method of claim 1,
Characterized in that the at least one seed is applied to the designated code generation algorithm to generate a dynamically generated end-to-end medium-ownership authentication and a disposable authentication code authentication.
19. The method of claim 18,
And the value included in the data (c) is at least one of the values included in the data (c).
The method according to claim 1,
Further comprising generating a session key using a random number c included in the data c,
Wherein the encrypted data (s) is encrypted so as to be decryptable only through a chip of the noncontact medium using the session key.
21. The method of claim 20,
Generating a MAC (Message Authentication Code) for verifying the validity of the dynamic code using the random number c included in the data c and the session key,
Wherein the data (s) includes the dynamic code and the MAC. The method of claim 1, wherein the data (s) includes the dynamic code and the MAC.
The method according to claim 1, wherein the encrypted data (s)
(C) included in the data (c) in the chip of the noncontact medium, and the session key is decrypted through the session key generated using the random number c Way.
The method of claim 1, wherein the disposable authentication code comprises:
And the dynamic code included in the data (s) is included.
The method of claim 1, wherein the disposable authentication code comprises:
And a part of the dynamic code included in the data (s) is included in the data (s).
The method of claim 1, wherein the disposable authentication code comprises:
And a code generated by using the dynamic code included in the data (s). The method of claim 1, further comprising:
The method of claim 1, wherein the disposable authentication code comprises:
And a combination of the dynamic code (or a part of the dynamic code) included in the data (s) and the code generated on the chip of the noncontact medium. How to process your payment.
The method of claim 1, wherein the disposable authentication code comprises:
A one-time use number of the specified number of digits, a disposable string of the specified size, a one-time card number of the card number system, and a one-time account number of the account number system. How to process merchant payment.

Images