NL2025889B1 - Systems, methods, computer program product and interfaces for controlling authorizations to access and/or use a physical space by a person, and spaces controlled thereby - Google Patents
- Publication number: NL2025889B1 (application publication NL2025889A)
- Authority: NL (Netherlands)
- Prior art keywords: data, selection, person, authorization, physical space
- Prior art date
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
      - G06Q20/00—Payment architectures, schemes or protocols
        - G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
          - G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
            - G06Q20/327—Short range or proximity payments by means of M-devices
              - G06Q20/3278—RFID or NFC payments by means of M-devices
      - G06Q30/00—Commerce
        - G06Q30/018—Certifying business or products
          - G06Q30/0185—Product, service or business identity fraud
        - G06Q30/06—Buying, selling or leasing transactions
          - G06Q30/0601—Electronic shopping [e-shopping]
  - G07—CHECKING-DEVICES
    - G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
      - G07C9/00—Individual registration on entry or exit
        - G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
          - G07C9/00896—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys specially adapted for particular uses
        - G07C9/20—Individual registration on entry or exit involving the use of a pass
          - G07C9/22—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
            - G07C9/23—Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder by means of a password
    - G07G—REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
      - G07G1/00—Cash registers
        - G07G1/0036—Checkout procedures
          - G07G1/0045—Checkout procedures with a code reader for reading of an identifying code of the article to be registered, e.g. barcode reader or radio-frequency identity [RFID] reader
            - G07G1/009—Checkout procedures with a code reader for reading of an identifying code of the article to be registered, e.g. barcode reader or radio-frequency identity [RFID] reader, the reader being an RFID reader
        - G07G1/12—Cash registers electronically operated
          - G07G1/14—Systems including one or more distant stations co-operating with a central processing unit
Landscapes
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Development Economics (AREA)
- Economics (AREA)
- Marketing (AREA)
- Entrepreneurship & Innovation (AREA)
- Time Recorders, Drive Recorders, Access Control (AREA)
Abstract
A system for controlling authorizations to access and/or use a physical space has an object reader for detecting the presence of a tangible identification object assigned to an individual. The identification object carries data unique to the identification object, which is coupled to authentication data of the individual. A human-machine selection interface allows the person to input one or more selections of acts, subject to authorization by the system, of access to or use of the physical space. The selection interface is arranged to generate, in response to the input, selection data representing the selected act and to send the selection data. A data processing system is connected to the object reader and the selection interface. The data processing system is arranged to verify the validity of the identification object and to assign an identifier to the identification object if the identification object is determined to be valid. The data processing system can further couple the selection data to the identifier and maintains a selection record, coupled to the identifier, containing information about the selected acts derived from the selection data. The data processing system is arranged to assemble, after a final selection by the person, request data from the selection record, and to submit the request data to an authorization process in which the data processing system determines, based on a set of predetermined criteria, whether an authorization to perform the selected acts is granted or refused, based on at least the unique data and the request data.
Description
Title: Systems, methods, computer program product and interfaces for controlling authorizations to access and/or use a physical space by a person, and spaces controlled thereby.
Field of the invention
This invention relates to systems and methods for controlling authorizations to access and/or use a physical space by a person. In addition, the invention relates to a computer program product for such systems, and to physical spaces controlled with such systems.
Although not limited thereto, the invention relates in particular to systems for controlling storage spaces and the removal of physical items from the inventory stored in the storage space out of the storage space.
Background of the invention
This background is merely to provide context to the present invention and shall not be held as a statement by the applicant or the inventors that anything described herein is prior art to the present invention, unless explicitly identified by terms “known” or “prior art” or the like as belonging to the prior art.
Systems for controlling authorizations of access to or use of a physical space, e.g. warehouses, physical shops, stadiums, concert halls, etc., by a person are widely known. However, the prior art systems are disadvantageous because they only control authorizations for a single aspect of the access or use, such as the entrance to the physical space, the exit from the physical space or the removal of goods out of the physical space. As an example, a person has to obtain from an access control system an authorization to access the physical space, whereas the authorization to remove goods from the physical space has to be obtained from a separate inventory tracking system, for instance. Thus, with the prior art systems, multiple systems are required to control authorizations for the various aspects, or to control more than just the authorizations themselves.
The present inventors realized that on the one hand one could link several systems to each other but that this would lead to the security level of the system with the most stringent requirements being imposed on all the linked systems. The present inventors further realized that on the other hand the systems could be linked with strict security and protection implemented at the interfaces between the linked systems to keep a separation between the parts with separate security levels, but in such a case the linked systems remain effectively separated. Interoperability and exchange of data will be limited due to the mismatch in security levels, and, as a consequence, the person in question would still have to interact for each aspect with the individual system controlling that aspect as if it was a separate system dedicated to that aspect.
Various categories of authorization control systems are known. For example, a first category of prior art systems are the systems used to control authorizations for acts performed by a person present in a physical space, e.g. in warehouses, physical shops and other storage spaces. This first category of control systems can, for example, control the removal of goods out of the physical space or the use of objects in the physical space, such as attractions in an amusement park or certain equipment in the physical space. A second category of prior art authorization control systems are the systems used to control authorizations of access to restricted areas, i.e. entrance and/or exit, such as to warehouses where goods are stored, to datacenters with sensitive information, to stadiums, to concert halls, etc., just to give some examples. In these restricted areas, an authorization is required to enter and/or to leave, and people are only allowed to do so upon presentation of a proof of this authorization.
In the prior art authorization control systems of both the first category and the second category, the authorization process is triggered by the person authenticating his or her identity by presenting a tangible identification object coupled to an identity, and a predetermined proof of identity. In case of a match between the identity and the proof, the system determines that the person has the identity coupled to the identification object and subsequently determines whether or not the person is authorized to perform an act, such as to take goods out of a shop or to watch a movie in the cinema, and if so issues an authorisation and often a proof of authorization e.g. in the form of a payment receipt and/or a ticket to the person. The system determines the authorization based on a predetermined set of rules and on data in an authorization request entered into the authorization control system.
In the prior art authorization control systems of the first category, the authorization process is triggered when the person is present in the physical space. For example, a person in the shop requests authorization to take selected goods out of the shop as follows. In a typical process, accounting data, i.e. a transaction amount, is generated and inputted at a payment terminal system, e.g. by a cash register into which a cashier enters a list of the goods and which calculates a total amount to be paid. At the payment terminal, the person identifies him or herself with a banking card or a mobile phone with an enabled payment module, and if the transaction amount exceeds a certain threshold a predetermined proof of identity is requested by the authorization control system to authenticate the identity, e.g. by entering a personal identification number (PIN) into the terminal. The authorization control system then verifies whether or not the person is authorized to remove the goods from the physical space based on the, optionally authenticated, identity, the accounting data and accounting records. More specifically, the person only gets the authorization if a transaction for the total amount is allowed by the payment system without violation of one or more predetermined accounting rules.
In authorization control systems of the second category, the authorization process can be performed prior to the person entering in the physical space. For example, in case of e.g. cinemas and theaters, the authorization has to be obtained prior to entering the cinema or theater. Upon entering or leaving, the person then has to present a proof of authorization, e.g. to an access control system or a security guard or a theatre employee.
These authorization control systems, though, require high levels of security to prevent fraud. For payments, for example, the person has to present a highly secured identification object, such as a banking card or a mobile phone, to an equally highly secured payment terminal, and has to authenticate the identity stored on the card or phone, e.g. by entering the PIN on the man-machine interface of the payment terminal or by another single- or multi-factor authentication. Likewise, the communication between the payment terminal, or other man-machine interfaces, and the servers in the system has to be highly secured and cryptographically protected to protect the sensitive data.
In addition, systems are known which do not control authorizations, but which are used to track acts of a person present in a space and/or to establish a selection to be submitted for authorization. For example, self-scanning systems are known for shops and other storage spaces. These self-scanning systems comprise handheld barcode-readers which the person can use to identify to the self-scanning system the goods the person would like to take out of the storage space and to establish a list of goods. The self-scanning system itself does not control or grant authorization to take the goods out of the physical space. Instead, the self-scanning system is used to prepare a list of goods. When the person has finalized the selection, this list is then used to prepare and send a request for authorization into the payment system, more specifically to determine a total amount to be paid and to send this to the payment system.
However, due to the stringent security levels imposed on the payment system, the two systems are strictly separated. The only data the self-scanning system can hand over to the payment system is the accounting data, such as a total amount to be paid. Vice versa, the payment system does not provide any data to the self-scanning system, other than, in certain systems, the outcome of the authorization process, e.g. “payment successful” or “refused”. The self-scanning system has in particular no access to the authentication data and other sensitive data of the payment system.
As a consequence of this separation, the person has to access the payment system and the self-scanning system separately. For example, the known self-scanning systems require a user to present to a card reader of the system a card specific to the self-scanning system prior to taking a barcode reader, but do not require the user to authenticate his or her identity. To obtain authorization from the payment system though, the user has to present to the payment system another identification object linked to a user identity, which is specific to the payment system and highly secured, such as a bankcard or a mobile phone with an activated and compatible payment interface. At least periodically, the user has to authenticate his or her identity by providing the predetermined proof of identity. Both the identification object and the payment system are highly secured and subject to stringent tampering protection requirements.
This problem is further increased if the physical space is provided with further control systems of other categories. For example, an access control system may be present which controls access to restricted areas, i.e. entrance and/or exit, such as to storage spaces where goods are stored, e.g. warehouses or shops, to stadiums, to concert halls, etc., just to give some examples. In these systems, the access control system controls the access to the physical space to ensure that unauthorized persons do not enter the physical space or to prevent persons from leaving the physical space, e.g. with goods they are not authorized to take with them.
In these restricted areas, people are only allowed to enter or to leave when they present a proper proof of authorization issued by a predetermined authorization control system. The proof of authorization is a predetermined unique, tangible or intangible, object, such as a stadium or concert ticket or a payment receipt, evidencing the authorization. In higher security access control systems, the proof of authorization requires the person to identify him- or herself with a tangible identification object, such as a personnel badge, and, depending on the level of security applicable, to authenticate the identity coupled to the identification object as his (or her) identity by presenting a predetermined proof of identity, such as a security code, fingerprint or iris scan.
In both lower and higher security access control systems though, the access control system is strictly separated from the authorization control system, and not connected thereto. As a consequence, the person has to present yet another object in addition to e.g. the card for the self-scanning system and the banking card. As an example, a person shopping in a supermarket and using a cashierless cash register currently has to first present a card to the self-scanning system to use a handheld scanner, then upon payment present a bankcard or other payment means to the payment system, and afterwards present a paper printed payment receipt at the exit turnstile to be allowed to leave the supermarket.
Recently, systems with computer-vision and sensor fusion have been deployed in cashierless physical shops, which integrate some of the systems above. The visual and other sensors observe a person present in the shop. Based on the movements of the person detected by the sensors the system determines the goods to be taken out. For example, when detecting that the person places goods in a basket, the system determines for instance the types and quantity of the goods and adds them to a selection. These systems do not require the person to authenticate in the shop his identity to a payment system or to present in the shop a token to a monitoring system.
However, these recent, prior art, systems in cashierless physical shops are still cumbersome because they do require the person wanting to use this system to have, separately and prior to entering the shop, subscribed to the cashierless system, and to have pre-authorized the operator of the system to deduct payments from the person's bank account. This pre-authorization is equally subject to the stringent security requirements, and, as for any other payment system, the person has to separately identify and authenticate him- or herself to the payment system. Instead of this happening when the person is in the physical shop, the identification and authentication are performed when the person subscribes to the cashierless system. In addition, to prevent theft and shoplifting, the cashierless shop has an entrance control to which the person has to present a key displayed on the screen of his mobile phone. The key is generated by an application on the mobile phone and has to be presented to a reader communicating with the video-monitoring system to receive authorization to enter the store. Thus, at the entrance the person has to present a key generated by yet another system. Such monitoring systems for cashierless shops are therefore equally cumbersome, and equally require the person to separately access and/or interact with several different systems, which from the user's perspective are still unconnected.
Summary of the invention
The present invention provides systems, methods, computer program products, physical spaces and interfaces as described in the accompanying claims. Specific embodiments of the invention are set forth in the dependent claims. These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.
Brief description of the drawings
Further details, aspects and embodiments of the invention will be described, by way of example only, with reference to the drawings. In the drawings, like reference numbers are used to identify like or functionally similar elements. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale.
FIG. 1 schematically shows a side view of an example of a physical space, in this example a storage space, with an example of a system for controlling authorizations to access and/or use a physical space by a person.
FIG. 2 schematically shows a block diagram of the system of FIG. 1.
FIGs. 3A-B schematically show a message diagram suitable for the example of FIG. 2.
FIG. 4 schematically shows a side view of an example of a physical space, in this example a storage space, with a second example of a system for controlling authorizations to access and/or use a physical space by a person.
FIG. 5 schematically shows a block diagram of the system of FIG. 4.
FIGs. 6A-C schematically show a message diagram suitable for the example of FIG. 5.
FIG. 7 schematically illustrates a third example of a system for controlling authorizations.
FIGs. 8A-C schematically show a message diagram suitable for the example of FIG. 7.
Detailed description of the preferred embodiments
Because the illustrated embodiments of the present invention may, for the most part, be implemented using programmable components, software and devices known to those skilled in the art, details will not be explained to any greater extent than considered necessary for the understanding and appreciation of the underlying concepts of the present invention, and in order not to obfuscate or distract from the teachings of the present invention.
Referring to FIG. 1, an example of a physical space 1 provided with a system 7 for controlling authorizations to access and/or use the physical space by a person 5 is shown; the system is explained below in more detail with reference to FIG. 2. FIG. 1 illustrates three successive phases I to III of the access and/or use of the physical space 1 by the person 5. In a first phase I, the person 5 performs an identification process. In a second phase II, the person selects acts subject to authorization. In the third phase III, the person inputs data corresponding to the selected acts to the authorization control system 7 to have an authorization process performed and, once the person has obtained the authorization from the authorization control system 7, the person 5 performs the selected acts.
As will be apparent from the below, the authorization control system 7 has an increased ease of use because the person 5 accesses only a single system and can interact with the system using only a single identification object, both for the selection of the acts and for the authorization process. In addition, the same system can be used for both the selection and the authorization without all components of the system requiring a high level of (cryptographic) security and tamper protection. More specifically, the data processing system 10 verifies that the identification object is a valid identification object but does not need to use authentication data or other sensitive data when the person makes the selection. The components involved in the selection, such as the selection interface 9, do not need to be subject to the same stringent security requirements as the components of the authorization control system 7 involved in the authorization process, such as the authentication interface 11.
In FIG. 1, the example of a physical space 1 is a storage space for tangible items, such as a warehouse or a shop. Inside the physical space 1, inventory or other tangible items 12 are present. The tangible items 12 can be goods which are stored in the physical space, in this example on shelves 13. The person 5 can take selected items 12 out of the physical space 1 after having obtained a corresponding authorization from the authorization control system 7. However, depending on the specific implementation and the type of physical space 1, alternatively or additionally, other acts may be subject to an authorization, such as one or more acts of the group consisting of: accessing the physical space, using tangible items in the physical space, removing tangible items from the physical space, leaving the physical space.
As shown, the physical space 1 has an entrance 2 and an exit 3 through which the person 5 can enter and leave the physical space 1. In this example, the physical space 1 is delimited by walls 4 of a building. As in this example, the entrance 2 and exit 3 may be separate passages in the walls 4, but in an alternative implementation the entrance 2 and exit 3 may be the same passage. As shown, the passage can be closed off by doors. The doors are controlled to selectively allow or inhibit a person passing through the respective passage, to enter or exit the physical space. The physical space 1 may be delimited in another manner and/or the entrance 2 and/or exit 3 may be of another type. For example, the physical space can be defined and delimited by a fence, hedge, trench, ditch or by another type of fenced-off perimeter. The entrance and/or the exit can be a gate in the fenced-off perimeter via which the person can enter or leave the physical space, such as a waist turnstile, an optical turnstile or another type of gate. Alternatively, the entrance and/or exit can be without barrier, e.g. in case of an unrestricted access space.
As shown in FIG. 1, the authorization control system 7 comprises an object reader 8 at which the person can present, in the first phase I, a tangible identification object 6. Although the identification object 6 can be any suitable identification object, in the following an EMV card or a mobile device with an active payment module, such as a contactless mobile payment application running on the mobile device, is used as an example. The identification object 6 is assigned to an individual, and on the identification object 6 unique data 60, unique to the identification object, is stored. The unique data can for example be a card number or a token for the card number, such as those used in and by electronic payment systems. The identification object may be provided with a non-volatile, modifiable or unmodifiable, memory in which data representing the card number or the token is stored, and which can be read by the object reader 8. For example, the unique data may be stored in a cryptographically secured memory of the object, such as in a secure element. To read the unique data, the object reader 8 may e.g. comprise a near-field communication reader capable of communicating with a contactless payment module on the card or mobile device, or another suitable reader such as a contact smart card reader which makes an electrical connection with a chip on a card containing the data. In this example, the object reader 8 is a card reader connected to a secured system 100 of the data processing system 10, in this example to a payment terminal, also referred to as a point-of-sale terminal. Alternatively, as explained e.g. with reference to the example of FIGs. 4-6, the object reader 8 can be a separate reader connected to another system 101 which does not have access to the sensitive data stored in the secured system 100.
The unique data 60 is coupled to authentication data 61 of the individual, e.g. contained in records stored in the authorization control system 7 which link the unique data 60 to authentication data 61, such as to the identity of the individual and a personal identification number. The authentication data 61 can be data representing any suitable factor of a single-factor or multi-factor (such as two- or three-factor) authentication process and/or of a single-step or multi-step (such as two- or three-step) authentication process, additional to the possession factor of the tangible identification object, which the person evidences by presenting the object within reading range of the object reader 8. The authentication data 61 can for example be data representing a knowledge factor, such as a numeric code, an inherence factor, such as biometric data of the individual to which the identification object is assigned, or a possession factor, such as a disconnected token or a connected token. The authentication data 61 can for example be authentication data for a cardholder verification method of an electronic payment system. This authentication data 61 can e.g. be stored in a memory of the authorization control system 7, e.g. for online authentication, or on the identification object 6, e.g. for offline authentication. In the latter case, the authentication data 61 can e.g. be stored in a secure element on the identification object 6, such as for plaintext or enciphered PIN verification.
In this example, the object reader 8 is located at the entrance 2, and after the identification object 6 has been presented, in phase I, and the person 5 has obtained access to the physical space 1, the person 5 makes a selection of one or more acts, in phase II. Alternatively, the object reader 8 can e.g. be located inside the physical space, and presentation of the identification object may then not be needed to be allowed entrance to the physical space 1 but still be required to be able to start the selection.
As further illustrated, a data processing system 10 is connected to the object reader 8. The data processing system 10 receives the unique data, either as stored on the identification object 6 or in a processed form such as a token calculated from the unique data stored on the identification object 6. The data processing system 10 is arranged to verify the validity of the identification object 6 in reaction to reception of the unique data 60. In the example of FIGs. 1 and 2, the object reader is connected to the secured system 100, implemented herein as a payment terminal, and accordingly the validity of the identification object 6 can be verified using the sensitive data in the secured system 100, for example by checking whether the unique data read from the identification object 6 is coupled to a record with authentication data in the secured system 100. The secured system 100 may apply additional criteria as well. For example, the secured system 100 may request evidence of the authentication factor(s) and compare this with the authentication data, or verify whether an accounting record belonging to the authenticated identity allows consumption of resources, that is, whether the accounting data allow the accounting record to be updated without violation of one or more predetermined accounting rules. As explained in more detail below, the other parts of the data processing system 10 receive only the outcome of the validity check, and accordingly do not receive the sensitive data. Thus, the security requirements on the other parts can be light compared to those of the secured system 100.
However, alternatively and as explained with reference to the example of FIGs. 4-6, the data processing system 10 can verify the validity without using the authentication data 61, and optionally this can be performed by another part of the data processing system 10 than the secured system 100. For example, the data processing system 10 may determine whether the identification object 6 is of a valid type, or whether a card number or a token is a valid card number or token. In this respect, the data processing system 10 may e.g. determine the validity of the identification object based on one or more criteria related to the structure of the unique data 60, such as whether a checksum in the data is correct or whether the unique data meets one or more structuring criteria, or on criteria using the content of the unique data 60. Accordingly, the person does not need to present evidence of the authentication factor(s) to the data processing system 10, and the data processing system 10 does not need to receive the authentication data 61, if stored on the identification object 6, nor to access the authentication data 61, if stored in a memory of the data processing system 10. Thus, even though the unique data stored on the identification object 6 can be used later on in an authorization process that is subject to stringent security requirements and protection measures, in this phase I the security and protection can be relatively light if no sensitive data is used.
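As an added illustration, not part of the patent text, the following Python sketch shows a validity check of the kind described in this paragraph that relies only on the structure of the unique data, together with the derivation of a keyed token from the unique data so that downstream components can correlate a presented object without holding the raw unique data. The patent does not specify the checksum; a Luhn mod-10 check, the digit-string format, the length bounds, the terminal secret and the sample numbers are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed terminal secret (assumption): in practice this lives only in the secured system.
TERMINAL_SECRET = b"constructed-terminal-secret"


def luhn_checksum_ok(digits: str) -> bool:
    """Luhn mod-10 check, assumed here as the 'checksum in the data' the text refers to."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def is_structurally_valid(unique_data: str) -> bool:
    """Acceptance criteria that use only the structure of the unique data,
    never the authentication data: all-digit string, plausible length, checksum."""
    return (unique_data.isdigit()
            and 12 <= len(unique_data) <= 19
            and luhn_checksum_ok(unique_data))


def derive_token(unique_data: str, secret: bytes = TERMINAL_SECRET) -> str:
    """Keyed token (HMAC-SHA256) computed by the secured system; the second system
    receives this token instead of the raw unique data."""
    return hmac.new(secret, unique_data.encode(), hashlib.sha256).hexdigest()
```

The structural check is deliberately cheap and needs no secret, so it can run in a lower-security component; the token derivation needs the secret and therefore belongs in the secured system.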
If the identification object 6 is determined to be a valid identification object, the data processing system 10 assigns an identifier "ID" to the identification object 6. Preferably, the identifier is a unique identifier, that is, the data processing system 10 maintains, for every identification object 6 presented and validated, an identifier that is unique for that identification object 6. To reduce the memory load on the system 10, though, the identifier may be removed, e.g. in the third phase III, when the person 5 leaves the physical space 1, for example without making any selection, or when an authorization process has been completed. In such a case, the identifier does not need to be unique over time, and for example the identifier may be reused later on for another identification object 6.
The authorization control system 7 further comprises a human-machine selection interface 9 for inputting (in the second phase II) by the person 5 of a selection of one or more acts of access to, or use of, the physical space 1 which are subject to authorization from the authorization control system 7. In this example, for instance, the acts are the removal of selected items 12 from the shelves 13 and taking them out of the physical space 1 through the exit, but depending on the type of space 1 and the application thereof, the interface 9 may be arranged to enter a selection of other acts, e.g. the use of equipment in a physical space 1, such as a printing machine in a printshop, rides in a theme park or games in a gaming arcade, or the presence in the physical space itself or in a sub-space thereof (e.g. in case of attendance of an event like a sports match, a concert or a movie). In response to entering the selection, selection data representing the selected act is generated, as is explained in more detail with reference to FIGs. 2-3.
Although the human-machine selection interface 9 can generally be any suitable type of interface via which a person can input a selection into the system 7, such as a touch-screen, a key-pad with screen or other graphical user interface, an audio interface with voice recognition or otherwise, in this example the human-machine selection interface 9 is a gesture-based interface, which comprises sensors for detecting gestures of the person, such as a video-monitoring system 17 with cameras. As input, the gesture-based interface 9 detects gestures by the person 5 in the physical space meeting predetermined criteria. In this example, if the gesture is a picking up of a tangible item 12 from the shelf 13 or another predetermined type of manipulation of the tangible item 12, the gesture is determined to be a selection. Thus, upon detection by the gesture-based interface 9 of the person 5 picking up an item 12, selection data is generated and sent to the data processing system 10 to be processed as is described below with reference to FIGs. 2 and 3. Depending on the specific implementation, other gestures may be qualified as a selection as well by the system, and additional information may be obtained with additional sensors and fed into the system, such as the type and quantity of tangible items selected.
In this example, the human-machine selection interface 9 comprises a monitoring system 17 which monitors at least the area of the physical space 1 where the tangible items are stored and where a selection is made, and the person 5 is not required to specifically and consciously input a selection. However, the human-machine selection interface 9 may be present at specific locations, e.g. in the physical space, and require the person 5 to specifically and consciously input a selection thereat, as in the examples of FIGs. 4-6 and of FIGs. 7-8.
The movements of the person 5 are monitored by the monitoring system 17 and from the behaviour of the person 5 the selection is detected. The monitoring can be performed coupled to the identifier, in which case the monitoring system does not require access to sensitive data. In this respect, the human-machine selection interface 9 may be implemented such that the tracking of the movements of the person 5 starts upon presentation of the identification object 6 to the reader 8, and thus such that the selection data can be linked to a specific identification object. For example, upon assigning of the identifier, the displacements of the person in the physical space 1 may be tracked as displacements of the identifier, or in another manner that couples the displacement to the identifier, such as recording the displacements in a record with the identifier in a field of the record. The selection data may be stored in the data processing system 10 coupled to the identifier assigned to that specific identification object. Accordingly, not only is no access to sensitive data required, but the person does not have to explicitly provide input to the system either upon making a selection.
A selection is in this example input into the data processing system 10 by detection of a predetermined type of habitual manipulation of tangible objects by the person 5, for example a displacement thereof, such as picking up the tangible object and/or putting the tangible object in a basket or cart. Thus, the person 5 does not have to be distracted by having to provide a system-specific, atypical gesture to the selection interface 9, and accordingly does not have to learn e.g. dedicated gestures. Although as an example of the monitoring system 17 a video-monitoring system is shown, it will be apparent that additionally or alternatively other sensors may be present, such as shelf-weight sensors, acoustic sensors, vibration sensors, thermal sensors or otherwise, to monitor the area and detect changes therein to determine that a selection is made.
In FIG. 1 the monitoring system 17 comprises for example a video-monitoring system with a camera 170, such as a surveillance camera, and a sensor connection 171 to one or more sensors in the physical space 1, such as shelf-weight sensors for example. The human-machine selection interface 9 may further automatically detect the type and quantity of the selected item, e.g. based on weight changes of the shelf 13 and data obtained from a computer-vision interface, represented in FIG. 1 by a camera system 17. A suitable interface is for example available under the name "Autonomous Store Platform technology" from AiFi, Inc of Santa Clara, California, United States of America.
As shown in FIG. 1, the data processing system 10 is connected to the human-machine selection interface 9 to receive the selection data. Upon reception of the selection data, the data processing system 10 updates a selection record coupled to the identifier with the selected acts. Thus, for example, the person 5 can in the second phase II select multiple physical items 12 to be taken out of the physical space, and the data processing system 10 maintains a record in which the selection is coupled to the identifier (which was generated when the person 5 presented the identification object 6 to the object reader 8) and updates this record with the selections made by the person 5. Since the record is coupled to the identifier, the data processing system 10 does not require the use of the unique data, nor of other sensitive data, and accordingly the security requirements can be lowered for the parts of the system involved in the selection compared to the part performing the authorization process. In addition, the person in the physical space can interact with the data processing system as a single system, without needing separate authentication factors and associated identification objects for, e.g., the selection and the authorization process.
The data processing system 10 is arranged to assemble, after a final selection by the person, request data from the selection record, and to submit the request data to an authorization process in which the data processing system 10 determines, based on a set of at least one predetermined rule, whether an authorization to perform the selected acts is granted or refused based on at least the unique data and the request data, and optionally on other data, such as the authentication data and/or accounting data. More specifically, in the authorization process the request data and the unique data, either in its original form or e.g. as a token derived therefrom, are evaluated against a set of predetermined criteria, and if they meet the criteria the authorization is granted.
In the shown example, the data processing system is arranged to start the authorization process a humanly noticeable period of time, during which in this example the selection is made by the person 5, after the identification object has been presented by the person to the object reader. This is in contrast to existing systems where almost immediately after identification with a tangible identification object, e.g. by presenting a banking card to a point-of-sale terminal, an authorization process is started, thus requiring a pre-prepared selection to be ready upon identification, and therefore a separate system to prepare the selection. With the shown example, on the other hand, the person 5 can prepare a selection and input the selection into the authorization control system 7, via the selection interface 9, in the time interval between the point in time the identification object is read to obtain the unique data and the point in time the authorization process is started. More specifically, the person 5 can determine the selection and input the selection, and the request data can be prepared, with the same identification object as is used for the authorization process. In this example, the identification object needs to be presented only once to start the selection. Alternatively, during the selection, the identification object may be used e.g. to indicate a selection of an act by the person, as is explained in the example of FIGs. 4-6.
In the example of FIGs. 1-3, the selection comprises a selection by the person 5 of tangible objects, selected out of the tangible items 12, to be taken out of the storage space, and the authorization process determines whether or not an authorization to remove the selected tangible object from the storage space is granted or refused.
The data processing system 10 is arranged to wait, after the final selection, with starting the authorization process until a trigger to start the process has been received from the person. In the shown example, for instance, the request data is assembled and submitted when the data processing system 10 receives from the person 5 a predetermined expression of the intent to leave the physical space 1 with the selected items. More specifically, in this example, when the person 5 presents himself at the exit 3, the video-monitoring system 17 detects this and triggers the assembling and submission of the request data by the data processing system. This in turn starts the authorization process. However, alternative expressions may likewise be suitable, and for example the data processing system may be triggered to start the process by the person presenting (after the final selection) the identification object to a reader, as in the examples of FIGs. 4-6, or placing e.g. a barcode reader of a self-scanning system back into a holder, such as in the example of FIGs. 7-8.
Although the authorization process may be implemented in any manner suitable for the specific implementation, in the shown example the authorization process is performed as explained in more detail with reference to FIGs. 2 and 3. Summarizing, in this example, the request data comprises accounting data, more specifically data representing a measure of resources consumed by the selected act. Although the measure may be a financial measure, e.g. a monetary amount, such as a total monetary value of the selected items or acts, it will be apparent that in other systems the accounting data may e.g. be a number of goods, a volume or weight of goods, a time spent or another suitable measure of consumption of resources. The authorization process comprises determining from the accounting data whether or not the act is authorised based on one or more accounting criteria.
In this respect, the authorization process may be performed by the data processing system 10 as part of an authentication, authorization, and accounting protocol. The authorization criteria and process may depend on the accounting data. For example, when the resources consumed are below a predetermined threshold, the authorization process may be performed off-line without authentication, and when they exceed the threshold, or some other authentication criterion is met, authentication may be required. Optionally, the authentication may be combined with a determination whether the resources consumed are allowed to be consumed for an accounting record coupled to the identity, or alternatively the authorization process may verify and update the accounting record after the authorization process has been completed (e.g. when the resources are below a predetermined threshold). In the sequence diagrams of FIGs. 3, 6 and 8, for example, in the authorization process illustrated with block 210 in those figures, the resources consumed are assumed to be below a predetermined threshold and an off-line authorization is performed without requiring authentication. However, in case the resources consumed were above the threshold, the authorization process would involve requesting from the person the authentication factors of the specific multi-factor authorization process, such as the PIN-code. In addition, this could involve the secured system 100 sending a message to a remote, not shown, transaction handling system, in response to which the transaction handling system determines whether the accounting record coupled to the identity and the accounting rules coupled to the accounting record allow the resources to be consumed.
The accounting data can e.g. be generated based on the record of selected acts. For example, each selected act may be coupled to a consumption value and a total consumption value may be determined by adding the individual consumption values. In the request, the total consumption value is coupled to the unique data. In the shown examples, the authorization request does not contain the identifier and the authorization process does not use the identifier. Accordingly, a separation between the authorization process, which involves sensitive data, and the other operations, which can be, and in the examples are, performed without the sensitive data, can be maintained while the authorization process and the other operations all rely on the same identification object.
In the authorization process, a verification is made whether or not the person is authorized to remove the goods from the physical space based on (at least or solely) the unique data and the request data. In alternative implementations, for instance authentication factors, the accounting data and/or accounting records in a memory of the control system which belong to the authenticated identity may be used as well.
After the authorization process, the outcome thereof may be presented in a humanly perceptible form, such as a "transaction completed" or "transaction denied" message, e.g. at interface 11. In this example, the interface 11 is located in the neighbourhood of the exit 3, and the person 5 thus receives this message prior to leaving the physical space 1. In this example, the interface 11 further comprises a graphical user interface, at which data about the request data and/or the status of the authorization process can be presented to the person 5 in a human-perceptible form. For example, initially (that is, after the final selection and prior to, or upon initiation of, the authorization process) an overview of the selection data can be presented. Additionally, for instance, a confirmation or a request can be presented at the interface 11, such as the text "confirmed" or "submit for payment" or another suitable message, to obtain input from the person or to provide output, e.g. status information, to the person, e.g. to start, or during, the authorization process.
Although not required, and not shown in the sequence diagrams of FIGs. 3, 6 and 8, the data processing system 10 may, e.g. periodically or when the value of goods in the accounting data exceeds a predetermined threshold, present a request to the person 5 to enter a proof of identity. In this example, the person 5 can enter a proof of identity 62 at the interface 11, which serves as an authentication interface 11 of the authorization control system 7. The authentication interface 11 is connected to the system 10 to transmit the proof to the data processing system 10, which in response verifies whether or not the proof of identity 62 entered by the person 5 corresponds to the stored authentication data 61, and thus whether the identity of the person has been authenticated. In case the proof does not match the authentication data, the authorization can e.g. be refused by the data processing system 10.
The example of FIG. 1 further comprises an access control system, in this example part of a local system 18 which, amongst other things, is arranged to perform exit control. The access control system is arranged to put the exit 3 in an allowed state when the authorization is granted and in a disallowed state when the authorization is refused. The access control system controls the exit 3 of the physical space 1, through which the person is to exit the physical space after performing the selected acts. More specifically, in this example and as indicated with the double arrow, the access control system is communicatively connected to the data processing system 10. As illustrated, in this example the person 5 carries the physical items 12 to be taken out of the physical space 1 and presents himself at the exit 3 with the carried physical items 12. In response to the presentation at the exit 3, the access control system requests from the data processing system 10 authorization status information, which indicates whether or not the authorization to take the carried physical items 12 out has been granted. If the status information indicates that the authorization has been granted, the access control system allows the exit to be opened and the person 5 to leave the physical space 1. When the status information indicates that no authorization has been granted, the exit remains blocked and e.g. the person has to put the physical items back on the shelves 13 or otherwise undo the selection. In this example, the person can then undo the entire selection and leave the physical space 1 without further authorization and without performing any act, but alternatively, e.g. the selection can be partly or completely undone, and a new authorization process be performed to allow the person to leave the physical space with performance of authorized acts.
Referring now to FIG. 2, as illustrated, the example of a system 7 comprises a data processing system 10 which is connected to an object reader 8. The data processing system 10 can receive from the object reader the unique data 60. As shown, the data processing system 10 comprises a memory with a database of one or more records in which data about valid identification objects, such as the unique data 60, is stored, in this example in a secured system 100 in the data processing system. The database further contains the authentication data 61 explained above, coupled to the unique data 60, which can be used to authenticate the identity of the person using the identification object 6.
In this example, the data processing system 10 comprises, in addition to the secured system 100, a second system 101 and an interface between the sub-systems. The secured system 100 is arranged to perform the authorization process, whereas the second system 101 is connected to the human-machine selection interface 9. This allows the data processing system to be separated into high security level components, in the secured system 100, and lower security level components, in the second system 101. As shown, in this example the object reader is connected to the secured system 100 and the secured system can compare the data read from the identification object 6 with sensitive data stored in the secured system 100. Alternatively, the object reader 8 can be connected to the second system 101. In such a case, the object reader can be arranged or allowed to read only non-sensitive data from the identification object, and the second system 101 be arranged to perform a validity check using the non-sensitive data only (that is, without using sensitive data stored on the identification object 6 or in the secured system 100). Thereby, the reader 8 and the selection interface 9 can be relatively low security components as well.
As illustrated in FIG. 2, the data processing system 10 is arranged to generate, in response to receiving the unique data 60, an identifier "ID" which is assigned to the identification object without receiving a proof of identity or the authentication data 61 from the object reader 8. Thus, the data processing system 10 does not, in this phase, authenticate the identity of the person 5, which obviates the need to implement high security measures, such as highly cryptographically secured communication or tamper protection, for the parts involved.
In this example, the secured system 100 receives at least the unique data, and optionally other data read by the object reader 8 from the identification object 6. The second system 101 is arranged to receive the unique data 60 and assign the identifier ID in response thereto. In this example, for instance, the second system determines the validity of the identification object from at least the unique data, and optionally other data received from the secured system 100. If the object is valid, the second system generates the identifier ID. Alternatively, for instance, the secured system 100 may send to the second system 101 an ID generation request after verifying the validity. The second system 101 may, in response to the ID generation request, generate an ID and reply to the secured system with a message which contains the ID, for instance.
In this example, the selection interface 9 is connected to the local system 18. The local system 18 receives from the selection interface 9 data representing the acts selected by the person 5, i.e. in this example which physical item 12 has been selected by the person 5. The local system 18 contains other data, such as consumption values of different types of physical items 12, and determines from the data representing the selected acts and the other data the selection data. The local system 18 is arranged to send to the data processing system 10, more specifically to the second system 101, the selection data coupled to the identifier. Alternatively, the data processing system 10 can be directly connected to the selection interface 9 to receive the data representing the acts. The data processing system 10 is arranged to maintain and update a record of selection data (item 1, item 2, item 3) coupled to the identifier ID #. Although not shown in FIG. 2, the data processing system may couple additional information to the identifier ID. For example, accounting data may be coupled, and the data processing system 10 may thus maintain, for as long as the identifier ID is active, a record with the selection and the additional information coupled to the identifier ID.
In FIG. 2, the second system 101 is e.g. arranged to couple the selection data to the identifier ID and to assemble request data. Via the interface with the secured system 100, the second system 101 can send the request data to the secured system, and the secured system 100 receives that data from the second system. In the example of FIG. 2, only a total accounting value "Tot" and the unique data 60 are shown to be sent. However, alternatively, the request may for example contain a list of individual acts for which authorization is requested, or other information about the acts. The secured system 100 can in this example output to the second system 101 a result of the authorization process. Thus, the secured system 100 can keep sensitive information confidential and only output an outcome of the authorization process.
The data processing system can be arranged to deactivate the identifier and delete the selection record after performing the authorization process. For example, in response to receiving the output, the second system 101 can e.g. delete the identifier and the associated data if the authorization is granted, or, if the authorization is refused, re-submit a request or trigger outputting of a message to the person 5. This allows the amount of memory and database resources required to be reduced.
As shown, the data processing system 10 is further connected to the access control system, in the local system 18, which in this example also controls the state of the entrance 2. As shown, after generation of the identifier the data processing system 10 can transmit the identifier ID to the access control system. The access control system is arranged to put the entrance 2 in the allowed state in response thereto. Furthermore, if the authorization is granted, the data processing system 10 transmits a corresponding message which contains the identifier to the access control system. The access control system is arranged to put the exit 3 in the allowed state in response thereto. Thus, the access control system operates based on the identifier and does not need to access the sensitive data to control the access, and in addition the person 5 does not need to present another object, such as an identification object or a proof of authorization. In this respect, although in this example the person 5 does not need to present the identification object 6 to the access control system to exit the physical space 1, alternatively e.g. the access control system may be arranged to allow exit only if the identification object 6 coupled to the identifier is presented as proof of authorization. It will be apparent that the entrance 2 and the exit 3 are by default in the disallowed state in this example, and accordingly the person 5 can only access or leave the physical space when the access control system transitions the entrance 2 and exit 3, respectively, into the allowed state.
The authorization control system 7 further comprises a human-machine authentication interface 11 for entering by the person, after the final selection, data representing a proof of identity 62. This human-machine authentication interface may for example be implemented as explained with reference to FIG. 1. The data processing system 10 is arranged to verify the proof of identity 62 against the authentication data 61, and e.g. to refuse the authorization if the proof of identity does not match the authentication data.
In the example of FIG. 2, the secured system 100 is arranged to perform the authorization process, and the authorization process is an offline authorization process. However, in an alternative implementation, the authorization control system may be a separate system to which the secured system 100 is connected and to which the secured system 100 can send an authorization request message and from which the secured system 100 can receive a response message indicating whether or not the authorization has been granted.
Although the authorization process may be implemented in a different manner, in the shown example the process comprises sending authorization data to the authorisation control system for verification, in this example by the second system 101 to the secured system 100. If an acceptance message is received from the authorisation control system, e.g. by the second system 101, at the interface 11 or by the control system 18, it is determined that the authorization is granted. The authorization is in this example denied when a rejection message is received from the authorisation control system. However, alternatively or additionally, it may be deemed denied when a response from the authorization control system is not received within a predetermined time-out period after the authorization request message is sent.
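The following Python simulation, added here and not part of the patent, models the exchange with a separate authorization control system described in this and the preceding paragraph: a request carrying a token and a total is sent, and the outcome is treated as denied when a rejection arrives, when the response does not belong to the request that was sent, or when no response arrives within the time-out. The queue-based channel, the worker thread, the limit and the token value are constructed stand-ins for the real transport and decision logic.

```python
import queue
import threading
import time
from dataclasses import dataclass

GRANTED, DENIED = "granted", "denied"


@dataclass(frozen=True)
class AuthRequest:
    token: str   # token derived from the unique data (constructed value in the demo)
    total: int   # accounting data, e.g. a monetary amount in cents (constructed)


def submit_and_wait(request, to_remote, from_remote, timeout_s):
    """Requesting side: send the request, then wait at most timeout_s for the answer.
    Silence, a response for a different request, and a rejection all count as denial."""
    to_remote.put(request)
    try:
        verdict, token = from_remote.get(timeout=timeout_s)
    except queue.Empty:
        return DENIED                      # fail closed on time-out
    if token != request.token:
        return DENIED                      # response does not match what was asked
    return GRANTED if verdict == "accept" else DENIED


def remote_authorizer(to_remote, from_remote, limit, delay_s):
    """Simulated remote authorization control system (constructed): accepts when the
    total is within the limit; delay_s models network or processing latency."""
    request = to_remote.get()
    time.sleep(delay_s)
    verdict = "accept" if request.total <= limit else "reject"
    from_remote.put((verdict, request.token))


def run_exchange(total, limit, delay_s, timeout_s):
    """Runs one request/response exchange between both sides and returns the outcome."""
    to_remote, from_remote = queue.Queue(), queue.Queue()
    threading.Thread(target=remote_authorizer,
                     args=(to_remote, from_remote, limit, delay_s), daemon=True).start()
    return submit_and_wait(AuthRequest("tok-constructed", total),
                           to_remote, from_remote, timeout_s)
```

A late acceptance that arrives after the time-out is simply left unread; the requesting side has already recorded a denial, which is the behaviour the paragraph describes.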
FIG. 3 illustrates a method of controlling authorizations to access and/or use of a physical space accessible by a person. In this figure, like in FIGs. 6 and 8, internal operations of a component or system operating as actor in the method are indicated with -— , whereas messages between actors in the method are indicated with a straight, horizontal arrow between vertical lines. The illustrated method may be performed by a system 7 as shown in FIG. 2.
In FIG. 3, the method comprises, as illustrated with “User taps card” in block 200, detecting by an object reader 8 located at an entrance 2 of the physical space 1, or located in the physical space 1, a presence of a tangible identification object 6, in this example a card, assigned to an individual, on which identification object unique data, unique for the identification object, is stored. The unique data is coupled to authentication data of the individual, such as stored on a memory of the authorization control system 7 or of the identification object 6. As illustrated in block 200, the object reader may communicate the unique data to a data processing system, more specifically in this example to a secured system 100, which in this example is a payment terminal.
As illustrated with block 204, at a human-machine selection interface a selection of one or more acts subject to authorization from the authorization control system, i.e. of access to, or use of, the physical space, can be input by the person. From this input, selection data representing the selected act or acts can be generated, in this example by the local server 18, which transmits the selection data to the second system 101, as illustrated with block 208.
As illustrated in blocks 200-214 with the operations performed at the system 10, the following operations are performed in the listed order by the data processing system: receiving the unique data from the object reader; verifying, in response to said receiving of the unique data, a validity of the identification object, and, if the identification object is determined to be valid, assigning an identifier to the identification object; receiving the selection data from the human-machine selection interface; coupling the selection data to the identifier in response to receiving the selection data and maintaining a selection record of selected acts coupled to the identifier; and assembling, after a final selection by the person, request data from the selection record, and submitting the request data to an authorization process in which the data processing system determines, based on a predetermined set of authorization rules, whether an authorization to perform the selected acts is granted or refused based on (at least) the unique data and the request data.
As illustrated in FIG. 3A with “user taps card” in block 200, in this example the start of the method is triggered by the user tapping card 6 to the object reader 8 connected to the terminal, i.e. to the secured system 100. In response, the terminal, as illustrated with “Check Card Data”, verifies that the identification object 6 is a valid one. As illustrated with “Calculate Token”, the terminal calculates a token from the unique data. The terminal 100 then, as illustrated with the message “Send Data + Token”, transmits data representing the token and data related to the card to the authorization control system 7, in this example to the second system 101. In this example, the data related to the card comprises the unique data but does not contain sensitive data stored in the terminal 100 or on the card 6, such as an account number coupled to the card, authentication factors or other sensitive data.
In response to receiving the card data, the second system 101 verifies the validity of the identification object using the data related to the card and/or the token, as illustrated with “Apply acceptance criteria”. The data processing system 10 then sends an acceptance message or refusal message to the terminal, as is illustrated with the message “Accept or Refuse”. At the terminal 100, the result of the validity verification is then displayed or outputted in another human-perceptible form, as illustrated with “Present result”.
It will be apparent that if the data processing system 10 determines that the card 6 is not a valid one, the method is halted. If the data processing system 10 determines that the card 6 is a valid card, the second system 101 assigns, as illustrated with block 202, an identifier “Session ID”. More specifically, the second system 101 generates an identifier, as illustrated with “Generate Session ID”, and stores session data coupled to the identifier in a memory, as illustrated with “Store Session Data (Client Token)”.
The system 101 further causes the access to the physical space 1 to be in an allowed state when the card 6 is a valid card, as illustrated with block 204. The data processing system sends a message containing the identifier to the local system 18, as illustrated with “Send Session ID”. In response, the access is put in the allowed state, as illustrated with “Open door”. In addition, in this example the human-machine selection interface 9 is activated, in this example by the local store server. As illustrated with “Monitor”, the interface 9 may for example be a video-monitoring system as explained above with reference to FIG. 1, and accordingly selections are entered via the interface to the local store server. The local store server then maintains data coupled to the Session ID which represent the acts selected via the interface 9.
In this example, the local system 18 is operated by an operator of the physical space 1, and is hereinafter referred to as a “local store server”. The data processing system 10 does not have access rights to the data stored in the local system but can receive and send messages to the local system 18 to exchange data with the local system. The local store server 18 contains data specific to the physical space 1 but does not have access to the data in the data processing system 10 and specifically does not contain the identification data or the authentication data. The data processing system 10 is operated by another entity and does not contain the data specific to the physical space 1, such as inventory data or pricing data, except for those incorporated in the record linked to the identifier and received from the local store server 18.
As illustrated with block 206, the method may further comprise determining whether the identification object belongs to a previously registered user, e.g. specifically registered as a user of the physical space 1 or as a client of the operator of the physical space 1 and subject to specific rules and criteria, such as a dedicated quality of service or enhanced authorizations to perform certain acts, for instance. As illustrated with “Check on registered user”, this may be performed by an external system 102, such as a central server which synchronizes with the data processing system 10 with respect to the outcome of the authorization process and contains master data for the data processing system 10, for instance. If the identification object belongs to a registered user, additional information such as a registration number and details, e.g. of the type of user, are sent to the data processing system 10 and to the local store server, as illustrated with “Client Number + Details”.
The data processing system 10 may archive all or part of the data. As illustrated with “Send Session ID + Session Data + token”, the external system 102 may for example receive the unique data, the identifier and other data in order to archive those, as illustrated with “Store Data”, for example for auditing purposes or in case the person, after performing the acts, disputes the accounting thereof, as illustrated with “Reporting, Monitoring and Dispute” for example.
As illustrated with “Check on registered”, a check may be performed as to whether the individual coupled to the identification object is a registered user of the physical space. In this example the check is performed by the external system 102 but, depending on the specific implementation, such a check may alternatively be performed inside the data processing system 10. Referring from this point on to FIG. 3B, if the individual is a registered user, the external system 102 sends a message (“Number + Details”) to the data processing system 10, more specifically to the second system 101, which contains an identifier for the user and details, such as the category of registered user or other relevant details. Preferably the message does not contain personal data of the user but e.g. a number or other identifier that does not reveal the identity of the user; e.g. the message may contain the ID previously received from the second system 101. This avoids sensitive data being present in the data processing system 10, or at least in the second system 101 in this example, and hence reduces the risk of personal data being compromised in case of a security breach of the data processing system 10.
In case the identification object corresponds to a registered user, e.g. the authorization process may be adapted or the record with selection data may be adapted. In this respect, for example, registered users may be subject to different criteria in the authorization process than non-registered users. For example, registered users may have special authorizations, or a higher level of quality of service, or otherwise be subject to less stringent authorization control criteria. Furthermore, e.g. registered users may be able to make a different selection, or, for instance, the accounting data coupled to an act can be dependent on whether or not the identification object corresponds to a registered user. For example, as illustrated with the corresponding arrow, the message received in the data processing system 10, or at least the information therein, may e.g. be forwarded by the data processing system 10 to the local store server. In response, the local store server may update the record of selected acts and apply the specific criteria, for example a set of accounting data associated with registered users, as illustrated with “Apply”.
As mentioned, when the person selects an act, this is input at the interface 9 and the local store server adapts its data coupled to the identifier ID accordingly. When the person has made a final selection, the data is completed as illustrated with “Session ended”, and as illustrated with the message “Send Session ID + accounting + Details” in block 208, the local store server transmits a message to the data processing system 10 which contains a part or all of the data, such as the identifier, accounting data and other details such as metadata or descriptors of the selected acts, for instance.
The authorization process is performed in this example after a last tangible object is selected, and prior to the person 5 leaving the physical space 1. More specifically in response to the final selection, and in this example triggered by the message from the local store server 18 to the second system 101, the authorization process is performed. In addition, the data processing system 10 forwards the data received from the local store server to the external system 102 in order to archive data relevant e.g. for logging or to be used by the external system 102 in data analysis such as of the behavioural patterns of persons in the physical space 1, as indicated with “Send Session ID + amount + Details”.
In FIG. 3B, the second system 101 matches the data received from the local store server with the unique data based on the identifier, as illustrated with “Match Session ID with Token”, and accordingly can start the authorization process. More specifically, in this example from the accounting data and other data in the message the second system 101 assembles the request data and performs the authorization process, as illustrated with block 210. In this example, the authorization process is a payment authorization process, as known in the art of electronic payments. As part of the authorization process, the second system 101 sends a message with the token (received in block 200 from the terminal) and the request data to the terminal 100 in order to be outputted, as illustrated with “Token + Request”. At the terminal, the person 5 can then enter an acknowledgement of the request and agreement or refusal, for example by bringing the card in range of a card reader of the terminal 100. As illustrated with “Card”, the terminal 100 then performs the authorization process and, as illustrated with “Result”, the outcome is transmitted from the terminal 100 to the second system 101. As illustrated with “Delete Data”, the data at the terminal may then be deleted to remove all traces of the authorization process.
It will be apparent that if the authorization request is refused, the following operations will not be performed, and e.g. at the terminal 100 or authentication interface 11 a message can be outputted informing the person thereof.
If the authorization request is granted, in this example, the person 5 is authorized to leave the physical space 1. More specifically, as illustrated with block 212, the access control system in response puts the exit in the allowed state, as illustrated with “Open exit Door”. More specifically, in this example a message informing of the outcome of the authorization process, which contains the identifier and data representing the result, is sent to the local store server, as illustrated with “Session ID + Result”, and in response thereto the exit 3 is put in the allowed state by the local store server 18.
Furthermore, as illustrated with block 214, the second system 101 deletes the unique data and other data specific to the identification object and the identifier Session ID, as illustrated with “Delete Data”. In this example, the second system 101 further sends a message to the external system 102 which contains the identifier and data representing the result, as illustrated with “Session ID + Result” in block 214. In response, the external system 102 archives the data, as illustrated with “Store Data”, relevant e.g. for logging or to be used by the external system 102 in data analysis such as of the behavioural patterns of persons in the physical space 1. As a consequence of the deletion “Delete Data”, this data is no longer present in the data processing system 10. Accordingly, the risk of sensitive data being compromised in case of a breach of security of the data processing system 10 is reduced.
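The exchange of FIGs. 3A-3B described above, as an added simulation that is not part of the patent and not code of any implementation it describes. It models the three parties (terminal 100, second system 101, local store server 18) as classes and walks one visit through blocks 200-214. Everything concrete is an assumption: the class and function names, the HMAC construction of the token (the patent only says a token is "calculated from the unique data"), the sample card, the prices and the floor limit. The two checks a practitioner would want are included: the second system refuses a message in which the terminal sends more than the unique data, and the session state is deleted whether the authorization is granted or refused.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not from the patent. "uid" is the unique data of the
# card; "account_number" stands for the sensitive data that must stay at the terminal.
SAMPLE_CARD = {"uid": "04A1B2C3D4E5F6", "account_number": "NL00BANK0123456789", "valid": True}
TERMINAL_KEY = b"terminal-demo-key-not-for-production"   # assumption: a key held only by terminal 100


class Terminal:
    """Secured system 100: reads the card, derives the token, runs the authorization."""

    def __init__(self, key: bytes, floor_limit: float = 50.0):
        self._key = key
        self._floor_limit = floor_limit   # assumption: amounts above this are refused

    def calculate_token(self, unique_data: str) -> str:
        # Keyed (HMAC) rather than a bare hash: card UIDs have little entropy, so an
        # unkeyed digest could be inverted by enumerating candidate UIDs.
        return hmac.new(self._key, unique_data.encode(), hashlib.sha256).hexdigest()

    def tap(self, card: dict) -> dict:
        """'User taps card' -> 'Check Card Data' -> 'Calculate Token' -> 'Send Data + Token'."""
        if not card.get("valid"):
            raise ValueError("card rejected by terminal")
        # Only the unique data travels; the account number is deliberately not copied.
        return {"token": self.calculate_token(card["uid"]), "card_data": {"uid": card["uid"]}}

    def authorize(self, token: str, request: dict) -> dict:
        """Stand-in for the card/terminal authorization protocol ('Token + Request' -> 'Result')."""
        return {"approved": request["amount"] <= self._floor_limit}


class SecondSystem:
    """Second system 101: session state keyed by Session ID, deleted after the result."""

    ALLOWED_CARD_FIELDS = {"uid"}

    def __init__(self):
        self.sessions = {}

    def open_session(self, msg: dict) -> str:
        """'Apply acceptance criteria' -> 'Generate Session ID' -> 'Store Session Data'."""
        extra = set(msg["card_data"]) - self.ALLOWED_CARD_FIELDS
        if extra:   # refuse rather than store anything the terminal should not have sent
            raise ValueError(f"terminal sent sensitive fields: {sorted(extra)}")
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"token": msg["token"], "uid": msg["card_data"]["uid"]}
        return session_id

    def checkout(self, session_id: str, accounting: dict, terminal: Terminal) -> dict:
        """'Match Session ID with Token' -> 'Token + Request' -> 'Result' -> 'Delete Data'."""
        session = self.sessions[session_id]
        request = {"session_id": session_id, "amount": accounting["total"], "lines": accounting["lines"]}
        try:
            return terminal.authorize(session["token"], request)
        finally:
            del self.sessions[session_id]   # block 214: nothing card-related outlives the session


class LocalStoreServer:
    """Local system 18: prices and the selection record, but never any card data."""

    PRICES = {"apple": 0.50, "bread": 2.10, "whisky": 48.00}   # constructed inventory

    def __init__(self):
        self.records = {}
        self.exit_open = False

    def open_door(self, session_id: str) -> None:           # block 204: 'Send Session ID' -> 'Open door'
        self.records[session_id] = []

    def select(self, session_id: str, item: str) -> None:   # selection entered via interface 9
        self.records[session_id].append(item)

    def session_ended(self, session_id: str) -> dict:       # block 208: 'Send Session ID + accounting'
        lines = self.records.pop(session_id)
        return {"session_id": session_id, "lines": lines,
                "total": round(sum(self.PRICES[i] for i in lines), 2)}

    def apply_result(self, result: dict) -> None:           # block 212: 'Session ID + Result' -> exit
        self.exit_open = bool(result["approved"])


def run_visit(card: dict, items: list) -> dict:
    """One visit through blocks 200-214; returns what is left in each component afterwards."""
    terminal, second, store = Terminal(TERMINAL_KEY), SecondSystem(), LocalStoreServer()
    session_id = second.open_session(terminal.tap(card))
    store.open_door(session_id)
    for item in items:
        store.select(session_id, item)
    accounting = store.session_ended(session_id)
    result = second.checkout(session_id, accounting, terminal)
    store.apply_result(result)
    return {"approved": result["approved"], "exit_open": store.exit_open, "total": accounting["total"],
            "sessions_left": len(second.sessions), "records_left": len(store.records)}
```

The design point is that the only value shared between the card-facing side and the data processing system is the keyed token plus the Session ID: the local store server reasons about the Session ID alone, the second system never holds an account number, and `checkout` deletes the session in a `finally` so a refused authorization leaves no more residue than a granted one.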
Referring now to the second example of FIGs. 4-6, this is similar to the first example of Figs. 1-3 and deviates therefrom as described in the following.
In the example of FIG. 1, the data processing system 10 is arranged to verify the validity of the identification object 6 before or together with a first selection of a first tangible object by the person. More specifically, the data processing system 10 is arranged to perform the identification prior to the person entering the storage space 1. However, in the example of FIG. 4, the identification is performed after the person enters the storage space and upon the first selection. More specifically, in this example, the access to the physical space 1 is by default in the allowed state, e.g. uncontrolled, and the selection is performed by presenting a tangible identification object 6 within the reach of a corresponding sensor 15 on an electronic shelf label, also referred to as ESL, 14.
Furthermore, in FIGs. 4-6, the human-machine selection interface comprises, instead of a system that monitors the physical space, one or more interface points, each provided with a sensor capable of detecting the identification object 6 within a pre-set, short, distance. A selection is triggered by the identification object 6 coming within the pre-set distance; in this example the detection is a contactless detection and the distance is > 0 mm. More specifically, the physical space 1 is provided with multiple interface points in the form of electronic shelf labels 14. Each of the electronic shelf labels is provided with a sensor 15 capable of detecting the identification object 6 within a pre-set distance from the label.
Like the example of FIGs. 1-3, the authorization is an authorization to remove selected tangible items from the storage space. However, in FIGs. 4-6, the data processing system is arranged to couple the selection data to the identifier multiple times, each time in response to a selection by the person of a specific tangible item, and to maintain a list of selected tangible items associated with the identifier. Referring specifically to FIG. 4, as shown therein in this example the shelves 13 are provided with respective electronic shelf labels 14, as shown in more detail in FIG. 5. Each electronic shelf label 14 comprises a sensor 15, such as an NFC sensor, which can read data stored on an identification object when the identification object is within reach of the sensor 15. The electronic shelf label 14 further has an, in this example electronic, display 16 at which information about a category or type of tangible items 12 is displayed, such as a description or name of the category or type, unit size, price, etc. As shown, the electronic shelf labels are communicatively connected to the data processing system 10, in this example via a wireless connection 90 to a compatible radio access point which in turn is connected via a, in this example wired, connection 91 to the data processing system 10. The sensor 15 forms in this example both the selection interface 9 and the object reader 8, and by presenting the identification object 6 within reading distance of the sensor 15 both the identification can be performed and a selection can be made, as is explained below in more detail.
As illustrated at the bottom of FIG. 4, where the arrow t represents time and the blocks I, II, III respectively represent the identification phase I, the selection phase II, and, in phase III, the authorization process followed by performance of the authorized acts, the person 5 can make a selection of an act. In this example the tangible item 12 to be taken out of the physical space 1 is selected. The selection is inputted by the person 5 at the interface 9 by presenting the identification object 6 sufficiently close to the sensor 15. As illustrated with items a, b and c, each time a selection is made, the identification (phase I) and the selection of a single act (phase II) are performed. Thus, the identification and selection phases are performed repeatedly on a per-act basis, and the complete selection of all the acts is performed by a sequence of repetitions of the identification (phase I) and the selection (phase II).
FIG. 5 shows in more detail the electronic shelf label and the connection to the data processing system 10. As shown, the data processing system 10 is connected to, or comprises, a database with records 300 which couple a specific ESL to a type or category of products. The ESL comprises a display 16 on which information identifying the type or category can be displayed, as well as other information. The ESL contains, not shown, electronic processing and communication circuitry. Upon presenting the identification object 6 to the sensor 15, the unique data stored on the identification object 6 is read and the circuitry causes a message to be sent from the ESL to the data processing system 10, via the connection 90. The message includes e.g. the unique data as stored on the identification object or in a processed form, such as a token calculated from the data stored on the identification object, and an identification of the specific ESL. The data processing system 10 is arranged to perform an identification verification in response to the message, and to update a record of selected acts based on the identification of the ESL and the data in the record 300 coupled to the ESL identified by the identification. In this respect it will be apparent that the ESL may be coupled to one or more acts, e.g. to a single type of tangible items, to a group of tangible items, as well as to only one tangible item or to a batch of tangible items for example, and that, depending on the specific implementation, in response to reading the unique data and identifying the ESL the record of selected acts may be updated with the acts coupled to the ESL in the record 300.
The data processing system 10 may further be arranged to transmit, following the verification and updating of the selection data, a message containing data to be outputted to the person 5. The message may e.g. contain one or more of a confirmation that the verification was successful or a failure indication, a confirmation that the selection record was updated, or other information useful to the person 5 during the selection. The message may for example be sent to the ESL and the data be displayed at the display 16.
Referring to FIG. 6A, the example of a method shown therein may be performed by a system 7 as shown in FIG. 4. FIG. 6A illustrates with block 200 the identification, and as illustrated with block 208, this is followed by and coupled to a selection of an act.
In this example, as illustrated with block 200, the method starts with an identification. More specifically, as illustrated with “First user taps card”, the identification object 6 is brought within reading distance of the sensor 15, and the unique data stored in the identification object is read. In this example, the sensor 15 does not have access to sensitive data on the identification object 6, such as the authentication factors or the identity of the individual to whom the identification object 6 is assigned, and the ESL itself does not contain sensitive data either. As illustrated with “Check Card Data”, the system 7 then verifies whether or not the identification object 6 is valid. In this example, the ESL 14 performs this verification, but it will be apparent that e.g. the data processing system 10 may alternatively perform such verification. As illustrated with “Calculate Token”, in this example the unique data is processed, and a token calculated therefrom, which is likewise unique but from which the original unique data cannot be reconstructed. Accordingly, in the data processing system 10 the unique data is not present in the original form. As illustrated with “Token+ ESL ID” the unique data, here in the form of the token, and an identification of the specific ESL to which the identification object 6 is presented are then transmitted to the data processing system 10, more specifically to the second system 101. As illustrated with “Present result on display”, the outcome of the verification may be presented at the display 16 of the ESL 14.
As illustrated with block 202, after the first identification, the identifier (hereinafter “session ID”) may then be created by the data processing system 10. More specifically, in this example the second system 101 has received the message “Token + ESL ID” and in response thereto assigns an identifier “Session ID” to the token, as illustrated with “Generate Session ID”. Like in the example of FIG. 3, the data processing system 10 sends, as illustrated with “Token + session ID”, the unique data and the identifier to an external system 102.
As illustrated with block 206, the data processing system 10 may further perform a check whether or not the token is coupled to a registered user of the physical space 1. Like in the example of FIG. 3, this is performed by sending a message to the external system 102 requesting such a check, as illustrated with “Check registered user”. As illustrated with “registered ID”, in case the unique data is coupled to a registered user, the external system 102 returns an identifier thereof, further referred to as the registered ID. It will be apparent that if there is no registered user, this will not be sent, but e.g. a message informing that the unique data does not correspond to a registered user can be returned to the data processing system.
Referring to FIG. 6A, the second system 101 and the local store server 18 may both store the data related to the identifier, as illustrated with “Store Session Data”. A record of selected acts coupled to the Session ID is maintained, in this example at the local store server 18, but alternatively this may be stored in the data processing system 10, preferably in the second system 101 in such a case. As illustrated with block 208, in response to the first identification, this record is generated and updated with the selected act coupled to the ESL 14. In this example, the data processing system 10 does not contain all information required to update the record of selected acts, and the data processing system 10 may send a message to the local store server, as illustrated with “session ID + ESL ID + registered ID”. This message may e.g. contain the session ID and the identification “ESL ID” of the ESL 14.
Optionally, if the registered user check was performed and has yielded that the unique data is coupled to a registered user, the message may contain the registered ID such that the local store server can retrieve data from records specific to registered users and/or maintain its own record of selected acts and associated data. In response to the message, the local store server then updates the record e.g. with the tangible items coupled to the ESL ID, accounting data etc.
Referring now to FIG. 6B, as illustrated with “Start Repeat”, the identification 200 and selection 208 are then repeated each time the person 5 presents the identification object 6 to a sensor 15 of an ESL 14 to select a tangible item. As illustrated with “Additional tap card”, “Check Card Data” and “Calculate Token” each time the person 5 makes a selection of an act by presenting the identification object 6 to the sensor 15 of the ESL 14, the unique data is read and the validity of the identification object 6 is verified, in this example by the circuitry in the ESL 14. As illustrated with “Token + ESL ID”, the unique data and the ESL identifier are transmitted to the data processing system 10 to allow the data processing system 10 to perform the selection.
As illustrated with block 208, each identification is followed by and coupled to a selection, optionally with some intermediate operation. As illustrated in this example with “Present result on display”, for instance between blocks 200 and 208, the outcome of the verification may be outputted at the display such that the person 5 receives this information and additionally receives information as to the selected acts, e.g. number, type and costs of the selected tangible items 12. As in the first time the selection 208 is performed, the data processing system 10 selects the session ID assigned to the unique data based on the information received from the ESL, and updates the data associated with the session ID. More specifically, in this example as illustrated with “session ID + ESL ID + registered ID”, the data processing system 10 sends a message to the local store server, similar to the first time the selection was made as described above, but it will be apparent that the data is adapted to the specific ESL. As illustrated with “Updata Session Data”, the data processing system 10 then updates the data coupled to the identifier Session ID, and the local store server updates the record of selected acts, as illustrated with “Store Session data”. As illustrated with “End Repeat”, at some point in time the selection is terminated by a final or last selection.
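The repeated identification and selection of FIGs. 6A-6B (blocks 200, 202, 206 and 208, run once per tap), as an added simulation that is not part of the patent and not code of any implementation it describes. It stops before the authorization of FIG. 6C. Everything concrete is an assumption: the class and function names, the HMAC token computed in the ESL, the contents of records 300, the prices, the registered-user table held by the external system 102 and the discount it triggers. It shows the two properties the per-tap design depends on: the token must be deterministic so that the second tap of the same card resolves to the session created by the first, and a message from an ESL that is not in records 300, or from a rejected card, must not create or touch any session.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data; none of these values come from the patent.
ESL_KEY = b"esl-fleet-demo-key-not-for-production"   # assumed shared by the ESLs, not held by system 10
SAMPLE_CARD = {"uid": "04A1B2C3D4E5F6", "valid": True}
RECORDS_300 = {                                       # database records 300: ESL -> act it selects
    "ESL-0001": {"item": "apple", "qty": 1},
    "ESL-0002": {"item": "bread", "qty": 1},
}


def esl_token(key: bytes, unique_data: str) -> str:
    # Deterministic, so every tap of the same card maps to the same session; keyed, so
    # system 10 (which never sees the key) cannot recover or enumerate the UID.
    return hmac.new(key, unique_data.encode(), hashlib.sha256).hexdigest()


class ESL:
    """Electronic shelf label 14 with sensor 15: object reader and selection interface in one."""

    def __init__(self, esl_id: str, key: bytes):
        self.esl_id, self._key, self.display = esl_id, key, ""

    def tap(self, card: dict) -> Optional[dict]:
        """'Check Card Data' then 'Calculate Token'; returns the 'Token + ESL ID' message or None."""
        if not card.get("valid"):
            self.display = "card rejected"            # 'Present result on display'
            return None
        return {"token": esl_token(self._key, card["uid"]), "esl_id": self.esl_id}


class ExternalSystem:
    """External system 102: registered-user lookup by token, plus the archive."""

    def __init__(self, registered_by_token: dict):
        self._registered, self.archive = registered_by_token, []

    def check_registered(self, token: str) -> Optional[str]:
        return self._registered.get(token)            # 'registered ID', or None if not registered


class LocalStoreServer:
    """Local system 18: prices, accounting and the selection record; it never sees the token."""

    PRICES = {"apple": 0.50, "bread": 2.10}
    REGISTERED_DISCOUNT = 0.10                        # assumption: accounting data for registered users

    def __init__(self):
        self.records = {}

    def update(self, session_id: str, esl_id: str, act: dict, registered_id: Optional[str]) -> dict:
        """'session ID + ESL ID + registered ID' -> 'Store Session data'; returns the basket summary."""
        rec = self.records.setdefault(session_id, [])
        price = self.PRICES[act["item"]] * act["qty"]
        if registered_id is not None:
            price *= 1 - self.REGISTERED_DISCOUNT
        rec.append({"esl_id": esl_id, **act, "price": round(price, 2)})
        return {"count": len(rec), "total": round(sum(line["price"] for line in rec), 2)}


class DataProcessingSystem:
    """System 10 with second system 101: maps tokens to Session IDs and drives the store server."""

    def __init__(self, external: ExternalSystem, store: LocalStoreServer):
        self.external, self.store = external, store
        self.session_by_token, self.session_data = {}, {}

    def on_esl_message(self, msg: dict) -> dict:
        if msg["esl_id"] not in RECORDS_300:          # an ESL absent from records 300 selects nothing
            raise ValueError(f"unknown ESL {msg['esl_id']}")
        token = msg["token"]
        first = token not in self.session_by_token
        if first:                                     # block 202 'Generate Session ID', block 206 check
            session_id = secrets.token_hex(8)
            self.session_by_token[token] = session_id
            self.external.archive.append({"token": token, "session_id": session_id})
            self.session_data[session_id] = {"registered_id": self.external.check_registered(token)}
        session_id = self.session_by_token[token]
        basket = self.store.update(session_id, msg["esl_id"], RECORDS_300[msg["esl_id"]],
                                   self.session_data[session_id]["registered_id"])
        return {"session_id": session_id, "first_tap": first, "basket": basket}


def run_taps(card: dict, esl_ids: list, registered_by_token: Optional[dict] = None) -> dict:
    """Identification (200) + selection (208) once per ESL tap; returns the state after the last tap."""
    system = DataProcessingSystem(ExternalSystem(registered_by_token or {}), LocalStoreServer())
    results = []
    for esl_id in esl_ids:
        msg = ESL(esl_id, ESL_KEY).tap(card)
        if msg is not None:                           # rejected card: no message, hence no session
            results.append(system.on_esl_message(msg))
    return {"taps": len(results), "sessions": len(system.session_by_token),
            "first_flags": [r["first_tap"] for r in results],
            "basket": results[-1]["basket"] if results else None}
```

Note that the registered-user table in `ExternalSystem` is keyed by the token, which is only possible because the token is stable across taps; a per-tap random token would break both the session lookup and the registered check, while an unkeyed hash would let anyone holding the archive enumerate card UIDs.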
Referring to FIG. 6C, as illustrated with block 210, after the final selection an authorization process is performed. It will be apparent that the identification 200 and the selection 208 may be performed any suitable number of times, and that e.g. the person 5 may elect to perform only a single selection (and thus present the identification object 6 only once to a single ESL 14). In such a case, the first selection is also the final selection, and the identification and selection after “Start Repeat” are omitted. Alternatively, the person 5 may elect to perform multiple selections, e.g. by presenting the identification object 6 multiple times to the same ESL 14 or to different ESLs. As illustrated with “Start Process”, the authorization process can be triggered e.g. by the person 5 indicating to the data processing system 10 that the selection is finalized. For example, this may be performed by presenting the identification object 6 to the authentication interface 11. As illustrated in FIG. 6C, in such a case for example, the identification object 6 may be brought into reading distance of a compatible reader comprised in the authentication interface 11, as illustrated with “User taps card”. In this example, the authentication interface 11 is connected to or integrated in the secured system 100, which may, as in this example, be a payment terminal. The unique data is read from the identification object 6 at the authentication interface 11, and as illustrated with “Check Card Data” the validity of the identification object is verified. As explained above, the unique data on the identification object 6 may be processed to e.g. calculate a token, as illustrated with “Calculate Token”, but alternatively, in the following, instead of the token the unique data may be sent as stored on the identification object.
As illustrated with “Token”, the terminal 100 may then send a message, in this example with the token, to the second system 101. In response, the second system 101 causes the request data to be assembled and the authorization process to be performed. As illustrated with “Checkout request (Session ID + Registered ID)”, the second system 101 requests the local store server to determine from the record the information required for the request, in this example to calculate a total consumption value of the selected acts, as illustrated with “Calculate”. In response to the request, the local store server 18 sends this information to the second system 101, as illustrated with “Accounting”, and the second system 101 may return this data to the terminal 100 as response to the “Token” message.
In addition, at the man-machine interface, a request for input from the person 5 may be outputted, such as a request to provide the proof of identity 62 and/or a request to confirm that the authorization process is to be performed and/or a request to confirm that the data from the selection record is correct, for instance.
The authorization process is then performed, in this example by the terminal 100, and the outcome thereof is sent to the data processing system, as illustrated with “Result” in block 210. The authorization process can e.g. be performed by an exchange of messages between the terminal 100 and the identification object 6 in accordance with a predetermined authorization protocol, and an off-line authorization for a payment transaction below a floor limit can be performed, for example.
Alternatively, e.g. in case of an on-line processing of a payment transaction exceeding a floor limit, for example, the authorization process can be performed by an exchange of messages between the identification object 6, the terminal 100 and an external transaction processing system in accordance with a predetermined authorization protocol. The result of the authorization process is then transmitted by the terminal 100 to the second system 101, as illustrated with “Result”.
As illustrated with block 212, if the selection of acts has been authorized by the data processing system 10, they can be performed. In this example, the person 5 can be authorized to take tangible items out of the physical space 1 and the exit be controlled accordingly. More specifically, as illustrated with “Session ID + Result”, the access control system is informed via the local store server 18 of the outcome of the authorization process and, as illustrated with “Open exit door”, the exit is put in the allowed state.
As illustrated with block 214, after the authorization process the data processing system 10 may perform other operations. For example, accounting or logging processes may be performed. As illustrated with “Token + Result + Registered ID” for example, the second system 101 may transmit this data to the external system 102, and as illustrated with “Store Data” the sent data is stored on the external system 102.
After storing, the external system 102 may send a confirmation to the data processing system 10. Once the confirmation is received, for instance, the data processing system can securely delete data, as illustrated with “Delete Session ID card data”.
Also, for instance, data sanitization may be performed in the data processing system 10, and for example information about the unique data and the selection record be deleted from the data processing system, as illustrated with “Delete session card data”.
Referring now to the third example of FIGs. 7-8, this is similar to the first example of FIGs. 1-3 and deviates therefrom as described in the following. Referring to FIG. 7, the human-machine selection interface comprises, instead of a system that monitors the physical space, one or more interface points, but the interface points may be implemented in a different manner than in the example of FIGs. 4-6, and the method differs as explained below from that of the first example. In this third example, the selection is made by a barcode scanner 20, or other type of personal shopping device, communicatively connected to the data processing system 10, which can scan a one- or two-dimensional barcode 19 positioned in the neighbourhood of a group of tangible objects 12, for example. FIGs. 8A-C illustrate a method suitable for such an interface.
In this example, the barcode scanner 20 can be taken by the person 5 and used to select acts, more specifically tangible items 12 to be taken out of the physical space 1, after being assigned by the system 10 to the person. More specifically, the system 10 assigns the barcode scanner to the identifier after presenting the identification object to the object reader 8. Although the barcode scanner 20 can be connected directly to the data processing system 10, in this example the barcode scanner 20 is communicatively connected to the local system 18.
As shown, in this example blocks 200, 202 are the same as in the first example. Thus, the identification object is validated, and an identifier is generated. Like in the second example, the access is not controlled and accordingly the access control in block 204 is omitted. In addition, the monitoring is omitted because the selection interface is implemented differently, and this part of block 204 is omitted as well. In the third example, block 206 differs from the other examples. Referring to FIG. 8A, like in the first example and the second example, a registered user check is performed and the external system 102 is used to archive data. However, referring to FIG. 8B, if and when the identification object is coupled to a registered user, the local system 18 assigns, in response to receiving this information, the barcode scanner to the identifier, and sends a corresponding message to the scanner 20, as illustrated with “Release Personal Shopping Device + Details”. Subsequently, the scanner system releases the personal scanner 20. As illustrated with “Start Repeat”, the person 5 can then use the personal scanner 20 to select one or more acts in the manner illustrated with block 208 in FIG. 8B. As illustrated with “Start Repeat” and “End Repeat”, the selection may be repeated one or more times, e.g. for different barcodes 19 and acts coupled thereto.
As shown, a selection is made by pointing the scanner 20 to a barcode display and reading the corresponding barcode 19 with the scanner, as illustrated with “read 19”. In response, the scanner 20 transmits the code read by the scanner to the local system 18, as illustrated with “barcode”. In response to receiving the code, the local system 18 then retrieves from a database the acts associated with the barcode, e.g. the type of product, number of items, price or other relevant details, as illustrated with “Retrieve Product Details”. The local system 18 then updates the selection record, as illustrated with “Apply” and calculates the list of acts selected, as illustrated with “Calculate Basket”. In this example, the details are transmitted to the scanner 20, as illustrated with “Basket Product Details” and the details presented to the person 5, e.g. at a display of the scanner 20, as illustrated with “Present details”.
When the person 5 has made a final selection, the authorization process can be performed, as illustrated with block 210. In this example, the person can initiate the authorization process by providing a corresponding input at the barcode scanner 20, as illustrated in FIG. 8C with “Client initiates Checkout”. For instance, a button on the barcode scanner 20 may be pushed, or the barcode scanner 20 may be placed in a holder where it is detected. In response, the barcode scanner sends a message to the local system 18 which triggers the authorization process, as illustrated with “Request Checkout”, and the local system 18 in turn transmits to the second system 101 a part or all of the data in the selection record, such as the identifier, accounting data and other details such as metadata or descriptors of the selected acts, for instance as illustrated by "Send session ID + amount + Details”. The second system 101 then matches the data received from the local store server with the unique data on the basis of the identifier, as illustrated with “Match Session ID with Token”, and accordingly can start the authorization process. As part of the authorization process, the second system 101 sends a message with the token (received in block 200 from the terminal) and the request data to the terminal 100, as illustrated with “Client Token + Request”. In response, the terminal 100 performs the authorization process with the data read from the card in block 200 and the data in the message “Client Token + Request”, and outputs a message with the result of the authorization process to the second system 200, as illustrated with “Result”. Thereafter, blocks 212 and 214 may be performed as indicated and described with reference to FIG. 3B, and the person 5 can thus leave the physical space 1 while in the data processing system 10 the data coupled to the identifier is deleted.
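The exchange of FIGs. 8B-C can be followed more easily in code. The following is an added illustration and not code from the patent: it keeps the message names of the description (release of the scanner, "Retrieve Product Details", "Apply", "Calculate Basket", "Send session ID + amount + Details", "Match Session ID with Token", "Client Token + Request", "Result") but the class names, the in-memory stores, the terminal's authorization rule and the sample barcodes, token and balance are assumptions. The point it adds is the security-relevant one: the second system only knows the session identifier and the token it received in block 200, so a checkout request for an unknown identifier is refused, and once the identifier's data has been deleted in block 214 a repeated checkout for the same identifier is refused as well.

```python
"""Model of the scanner-based checkout flow (third example, FIGs. 8A-C).

Added illustration, not the patent's own code: class names, stores and
sample data are assumptions; the message names follow the description.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class SelectionRecord:
    """Record kept by the local system 18 for one session identifier."""
    session_id: str
    items: list = field(default_factory=list)  # product names per scanned barcode
    amount: int = 0                            # running total in cents


class Terminal:
    """Models terminal 100; the balance-based rule is a stand-in (assumption)."""
    def __init__(self, accounts):
        self.accounts = accounts  # token -> available balance in cents (constructed)

    def authorize(self, token, amount, details):
        # "Client Token + Request" in, "Result" out.
        balance = self.accounts.get(token, 0)
        if amount <= 0 or amount > balance:
            return {"ok": False, "reason": "declined"}
        self.accounts[token] = balance - amount
        return {"ok": True, "amount": amount}


class SecondSystem:
    """Models second system 101: couples a session identifier to the card token."""
    def __init__(self, terminal):
        self.terminal = terminal
        self.tokens = {}  # session_id -> token received in block 200

    def register(self, token):
        # Block 202: create the session identifier and couple it to the token.
        session_id = secrets.token_hex(8)
        self.tokens[session_id] = token
        return session_id

    def checkout(self, session_id, amount, details):
        # "Match Session ID with Token": unknown or already-consumed ids are refused.
        token = self.tokens.get(session_id)
        if token is None:
            return {"ok": False, "reason": "no token for session"}
        result = self.terminal.authorize(token, amount, details)
        if result["ok"]:
            del self.tokens[session_id]  # block 214: identifier data deleted
        return result


class LocalSystem:
    """Models local system 18 with the barcode database and selection records."""
    def __init__(self, second_system, products):
        self.second = second_system
        self.products = products  # barcode -> (name, price in cents)
        self.records = {}         # session_id -> SelectionRecord

    def release_scanner(self, session_id):
        # "Release Personal Shopping Device": a record exists once the scanner is assigned.
        self.records[session_id] = SelectionRecord(session_id)

    def scan(self, session_id, barcode):
        # Block 208: "Retrieve Product Details", "Apply", "Calculate Basket".
        rec = self.records[session_id]
        if barcode not in self.products:
            return None
        name, price = self.products[barcode]
        rec.items.append(name)
        rec.amount += price
        return rec.amount

    def request_checkout(self, session_id):
        # Block 210: "Request Checkout" -> "Send session ID + amount + Details".
        rec = self.records.get(session_id)
        if rec is None:
            return {"ok": False, "reason": "unknown session"}
        result = self.second.checkout(session_id, rec.amount, list(rec.items))
        if result["ok"]:
            del self.records[session_id]  # block 214 on the local side as well
        return result


def run_scenario():
    """Walk one person through the flow, then replay the checkout for the same id."""
    terminal = Terminal({"tok-A": 1000})  # constructed token and balance
    second = SecondSystem(terminal)
    local = LocalSystem(second, {"B1": ("milk", 150), "B2": ("bread", 250)})
    sid = second.register("tok-A")        # blocks 200/202
    local.release_scanner(sid)            # FIG. 8B
    local.scan(sid, "B1")
    local.scan(sid, "B2")
    first = local.request_checkout(sid)   # FIG. 8C, expected to succeed
    replay = local.request_checkout(sid)  # same id after deletion, expected to fail
    return first, replay, terminal.accounts["tok-A"]
```

Note that the match in `SecondSystem.checkout` is the only place where card data and basket data meet: the local system never sees the token, and the second system never sees the card, which is what lets the identifier be deleted after a single successful authorization.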
The invention may also be implemented in a computer program for running on a computer system or other programmable apparatus, at least including code portions for performing some or all steps of a method according to the invention when run on the programmable apparatus, or enabling the programmable apparatus to perform functions of a device or system according to the invention. For example, such a code portion may comprise instructions to perform the operations illustrated in FIG. 3 or 6 when executed by a programmable apparatus, or provide the programmable apparatus with the capabilities of the data processing system 7 illustrated in FIGs. 2 or 5.
The computer program can comprise any suitable instructions in any suitable type of code, such as a particular application program and/or an operating system. The computer program may for instance include one or more of: a subroutine, a function, a procedure, an object method, an object implementation, an executable application, an applet, a servlet, a source code, an object code, a shared library/dynamic load library and/or other sequence of instructions designed for execution on a programmable apparatus.
The computer program or software may be stored internally on a computer readable storage medium or transmitted to the programmable apparatus via a computer readable transmission medium. All or some of the computer program may be provided on computer readable media permanently, removably or remotely coupled to a programmable apparatus. The computer readable media may include, for example and without limitation, tangible, non-transitory data carriers and data transmission media. The tangible, non-transitory data carriers can for example be any number of the following: magnetic storage media including disk and tape storage media; optical storage media such as compact disk media (e.g., CD-ROM, CD-R, etc.) and digital video disk storage media; nonvolatile memory storage media including semiconductor-based memory units such as FLASH memory, EEPROM, EPROM, ROM; ferromagnetic digital memories; MRAM; volatile storage media including registers, buffers or caches, main memory, RAM, etc. The data transmission media may e.g. include data-communication networks, point-to-point telecommunication equipment, and carrier wave transmission media, just to name a few.
In the foregoing specification, the invention has been described with reference to specific examples of embodiments of the invention. It will, however, be evident that various modifications and changes may be made therein without departing from the broader scope of the invention as set forth in the appended claims.
It will be apparent that e.g. the access control of the first example may be applied to the second example and that more generally the features present in the second example may be used in the first example and vice versa.
Furthermore, it will be apparent that the records can be implemented in any suitable type of data structure, such as a database records, separate text files etc. and that e.g. several of such data structures can be linked to form a single record. Thus, although for the purposes of processing in the data processing system they form a single record, the record can be stored as several separate but linked data structures.
For instance, in the shown examples the human-machine selection interface 9 and authentication interface 11 are both inside the physical space. However, if for example the acts are the use of objects or sub-spaces in the physical space, the human-machine selection interface 9 may be located outside the physical space 1 to allow a person to select the acts, and may e.g. comprise a touch-screen, keypad or other terminal at which the person can enter a selection. Likewise, for example, the authentication interface 11 may be located outside the physical space 1, for example in a passage or corridor through which the person 5 has to pass after leaving the physical space 1 through the exit 3.
Furthermore, where in the examples the system or a component has been described as performing a certain operation, it will be apparent that the system or the component is thus arranged to perform this operation and in use may not necessarily perform the operation when this is conditional on certain criteria being fulfilled. Accordingly, the system or the component arranged to perform, when in use, the operation is likewise within the scope of the invention when not performing the operation.
Also, the nodes in the network may be any suitable data processing device, such as mainframes, minicomputers, servers, workstations, personal computers, mobile phones and various other wired or wireless data processing devices, commonly denoted in this application as “computer systems”. The computer system may for instance include one or more integrated circuit processors, associated memory and a number of input/output (I/O) devices. When executing the computer program, the computer system processes information according to the instructions of the computer program and produces resultant output information via I/O devices.
The boundaries between logic blocks are merely illustrative, and alternative embodiments may merge logic blocks or impose an alternate decomposition of functionality upon various logic blocks. Thus, it is to be understood that the architectures depicted herein are merely exemplary, and that in fact many other architectures can be implemented which achieve the same functionality. For example, it will be apparent that the first and second system may be implemented as separate pieces of software running on the same physical processing circuitry, or alternatively the first and/or second system may be implemented as a configuration of separate processors connected to each other and programmed to interact as the respective sub-system.
Furthermore, boundaries between the blocks in FIGs. 3 and 6 are merely illustrative. The multiple operations illustrated with the blocks in those figures may be combined into a single operation, a single operation may be distributed over additional operations, and operations may be executed at least partially overlapping in time. Moreover, alternative embodiments may include multiple instances of a particular operation, and the order of operations may be altered in various other embodiments.
It will be apparent that the selection can generally be inputted in any manner suitable for the specific interface, as also explained with reference to the example of FIGs. 4-6, and that e.g. alternatively or additionally, the interface 9 may comprise a barcode reader or other equipment the person 5 can keep in his or her hand to perform a selection explicitly by reading the barcode of the item, or a keypad or other input device with which the person 5 can manually enter the selection, just to name a couple of examples.
Furthermore, although in the shown examples the selected act is performed after the authorization process, in an alternative implementation the data processing system can be arranged to perform the authorization process after performance of the selected act, e.g. in case the act is the use of the physical space and the authorization process is performed upon the person 5 presenting himself at the exit 3.
Also, although in the shown example the identifier is deleted after the authorization process has been performed, the data processing system can be arranged to keep the identifier active after performance of the authorization process, to verify that the selected act has been performed and/or that the person does not perform unauthorized acts. Also, in the shown examples, the acts are performed when the person 5 exits the physical space 8 with the selected physical items. Thus, although the access control system can prevent unauthorized acts from being performed, they are performed after the exit has been allowed. However, alternatively, for instance when the physical space 1 is a theatre, cinema or other space where the act to be authorized is the attendance of the person 5 in the physical space, the access control system can be arranged to allow the person to exit only if the proof of identity matches the authentication data and if the data processing system determines that the person has performed authorized acts only. This makes it possible, for example, to ensure that attendance at events limited to specific identified people, such as concerts with personalized tickets, does not take place by other people.
Also, where in the examples wireless connections are shown, alternatively or additionally wired connections may be used, or vice versa. Furthermore, the system 7 can comprise other components, for example to monitor the performance of the selected acts. For instance, the system 7 can comprise a clock for measuring a period of time the person is in the physical space or uses the tangible items, and the data processing system can further be arranged to register in the record time data representing the measured period of time, and the authorization process can use the time data to determine the authorization.
Also, the physical space can comprise a detector for detecting the tangible items the person is carrying and the access control system can be arranged to compare, if the selected act has been authorized, the detected items with the selection data and allow exit when all detected objects have a corresponding selected tangible item in the selection data.
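The two monitoring additions just described (time data registered in the record and used by the authorization process; a detector whose output is compared with the selection data before the exit is released) can be written out as a small check. This is an added illustration, not code from the patent: the record fields, the rounding-up per-minute charge and the sample items are assumptions. The one detail worth seeing is that the comparison is done on multisets, so a second copy of an item that was selected only once is reported as uncovered and blocks the exit, whereas fewer detected items than selected is allowed, which matches the rule of "all detected objects have a corresponding selected tangible item".

```python
"""Exit-control check and time-based charge for the record kept per identifier.

Added illustration, not the patent's own code: field names, the charging rule
and the sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Record:
    """Data coupled to one identifier (subset of the record described above)."""
    identifier: str
    selected: list = field(default_factory=list)  # selection data: item names
    entered_at: int = 0                           # clock reading in seconds (assumption)
    left_at: int = 0
    authorized: bool = False                      # result of the authorization process


def register_time(record, entered_at, left_at):
    """Store the measured period in the record and return its length in seconds."""
    if left_at < entered_at:
        raise ValueError("exit before entry")
    record.entered_at, record.left_at = entered_at, left_at
    return left_at - entered_at


def usage_charge(record, rate_per_minute):
    """Amount the authorization process would use for a time-based act.

    Started minutes are charged in full (assumed rounding rule).
    """
    seconds = record.left_at - record.entered_at
    minutes = -(-seconds // 60)  # ceiling division
    return minutes * rate_per_minute


def exit_allowed(record, detected_items):
    """Return (allowed, uncovered).

    The exit is released only if the selected act was authorized and every
    detected item has a corresponding entry in the selection data.  Counter
    subtraction keeps the multiplicity, so duplicates are caught.
    """
    if not record.authorized:
        return False, sorted(detected_items)
    uncovered = Counter(detected_items) - Counter(record.selected)
    return not uncovered, sorted(uncovered.elements())


if __name__ == "__main__":
    # Constructed sample: two items selected and authorized, three items detected.
    rec = Record("session-1", ["milk", "bread"], authorized=True)
    register_time(rec, 0, 150)
    print(usage_charge(rec, 50))
    print(exit_allowed(rec, ["milk", "bread", "bread"]))
```

In a deployment the detector output and the selection data would arrive from different components of the system 7, so the same comparison applies whether the items are identified by name, by barcode or by tag identifier; only the key used in the two Counters changes.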
However, other modifications, variations and alternatives are also possible. The specifications and drawings are, accordingly, to be regarded in an illustrative rather than in a restrictive sense.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word ‘comprising’ does not exclude the presence of other elements or steps than those listed in a claim. Furthermore, the terms “a” or “an,” as used herein, are defined as one or more than one. Also, the use of introductory phrases such as “one or more” and “one or more” in the claims should not be construed to imply that the introduction of another claim element by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim element to inventions containing only one such element, even when the same claim includes the introductory phrases "one or more" or “one or more" and indefinite articles such as "a" or "an." The same holds true for the use of definite articles. Unless stated otherwise, terms such as “first” and “second” are used to arbitrarily distinguish between the elements such terms describe. Thus, these terms are not necessarily intended to indicate temporal or other prioritization of such elements. The mere fact that certain measures are recited in mutually different claims does not indicate that a combination of these measures cannot be used to advantage.
List of reference numbers
- 1 physical space
- 2 entrance
- 3 exit
- 4 wall
- 5 person
- 6 identification object
- 7 authorization control system
- 8 object reader
- 9 selection interface
- 10 data processing system
- 11 authentication interface
- 12 tangible items
- 13 shelf
- 14 electronic shelf label
- 15 sensor
- 16 display
- 17 camera system
- 18 local system
- 19 scanner code
- 20 personal scanner
- 60 unique data
- 61 authentication data
- 62 proof of identity
- 90 wireless connection
- 91 server connection
- 100 first sub-system
- 101 second system
- 102 external system
- 110 wireless exit controller
- 170 camera
- 171 sensor connection
- 200 identification phase
- 202 session ID creation
- 204 entrance phase
- 206 registration check
- 208 selection phase
- 210 authorization process
- 212 exit control
- 214 accounting phase
- 300 database record
Claims (39)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NL2025889A NL2025889B1 (en) | 2020-06-23 | 2020-06-23 | Systems, methods, computer program product and interfaces for controlling authorizations to access and/or use a physical space by a person, and spaces controlled thereby |
Publications (1)
Publication Number | Publication Date |
---|---|
NL2025889B1 true NL2025889B1 (en) | 2022-02-21 |
Family
ID=72470569
Country Status (1)
Country | Link |
---|---|
NL (1) | NL2025889B1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130304648A1 (en) * | 2012-05-08 | 2013-11-14 | Craig O'Connell | System and method for authentication using payment protocol |
CN107123006A (en) * | 2017-07-12 | 2017-09-01 | 杨智勇 | A kind of smart shopper system |
CN108038999A (en) * | 2018-02-05 | 2018-05-15 | 徐天宏 | Intelligent unattended antitheft system for supermarket and its control method |
US20180232796A1 (en) * | 2017-02-10 | 2018-08-16 | Grabango Co. | Dynamic customer checkout experience within an automated shopping environment |
- 2020-06-23 NL NL2025889A patent/NL2025889B1/en active