RU2555233C2 - Method for bank card holder to control authorised transactions in payment system using bank card restricting fraudulent transactions in case of compromise of card - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to providing secure transactions in payment systems using bank cards. The technical result is the low risk of card transactions that are unauthorised by the card holder when the card is compromised. In the method of conducting authorised card transactions, the card holder changes said card parameters in advance to permitting parameters by sending an authenticated request to a processing centre of the issuer, thereby permitting one or more authorised transactions; an authorised transaction can be approved by the processing centre of the issuer only if card parameters permitting said transaction were established by an authentication request by the card holder.

EFFECT: present solution minimises the risk of transactions that are unauthorised by a card holder in any environment of using cards and is distinguished by the capability for use in existing systems for controlling authorised transactions.

3 cl, 5 dwg

Description

FIELD OF THE INVENTION

The present invention generally relates to bank payment systems, and more particularly to ensuring the security of transactions in payment systems using bank cards.

State of the art

Currently, the use of bank cards for financial transactions has become a commonplace in our everyday lives. Bank cards are used to withdraw cash from ATMs, transfer funds, cashless payments for goods and services both in stores through POS-terminals and on the Internet.

The above-mentioned and similar operations transparent for cardholders are based on the most complex software and hardware complexes of payment card systems, which, in general, are distributed and interconnected with the ability to exchange data and whose functioning complies with numerous technical specifications and protocols and is regulated by applicable laws , by-laws and departmental acts, international treaties, which is described in detail, in particular, in the books “Plastic Cards”, L. Bystrov et al., 5th ed., Moscow: “BDC-press”, 623 pp., 2005 [D1] and “Plastic cards. Practical Encyclopedia ”, Andreev A.A. et al., Moscow: Banking Business Center concern, 310 pp., 2nd ed., 1998 [D2]. A description of widely known (in particular, from [D1], [D2]) aspects of payment card systems is not given in the present description, so as not to obscure its essence.

Due to the widespread use of bank cards and the expansion of methods for their use, as well as the increase in the number of environments in which transactions are carried out, the issue of their protection against the possibility of fraudulent use is becoming more and more urgent every year. Fraudsters actively use the details of compromised cards both for the manufacture of counterfeit cards and for the direct use of these details in environments that do not require physical presentation of the card, in particular for payment transactions in trade and service enterprises via the Internet.

International payment systems are constantly improving methods of protection against fraudulent transactions, the most radical method at the moment can be considered the use of chip technologies (bank smart cards EMV-standard), the main disadvantage of which can be considered the cost of introducing the technology by issuers and acquirers, requiring the use of appropriate chip cards and equipment (ATMs, POS-terminals) supporting the possibility of their maintenance.

Especially for the Internet, the international payment system Visa has proposed the 3-D Secure security protocol. Visa 3-D Secure protocol specifications were published by Visa in 2001. It is designed to ensure the security of payments using bank cards in the Internet environment due to the authentication by the issuer of cardholders during an online purchase. This protocol is otherwise referred to as Verified by Visa in Visa terminology and SecureCode in MasterCard terminology. The introduction of this security protocol for payments via bank cards online has significantly reduced the risk of fraudulent transactions. The disadvantages limiting the use of the security method using the 3-D Secure security protocol are the rather high cost of its implementation and the fact that the method provides protection only for transactions carried out on the Internet without protecting the cards from fraudulent use in other environments.

Also known from the prior art is a method for monitoring the activity of using a card - US patent US 7389275 B2 (System for personal authorization control for card transactions). The system provides for the possibility of applying various types of restrictions (limits) on transactions with the card. The card holder has the ability to independently set restrictions on the types of operations, amounts, number of operations, categories of outlets and their geographical location, etc. Due to the flexibility of the provided options for setting parameters, this kind of setting by the cardholder of the profile of the allowed activity of the card allows you to limit the possibility of unauthorized (fraudulent) use of the card within the limits and limits set by the holder. The disadvantage of this method can be considered that within the established limits and restrictions, transactions can be conducted both initiated by the cardholder himself or fraudulent operations unauthorized by him. Thus, such a method and system also do not provide complete protection against the use of card details in case of compromise.

SUMMARY OF THE INVENTION

The existing ideology of using the card suggests that conducting authorized transactions on it is possible at any time in 24 × 7 mode. In fact, this leads to the fact that even when the card holder does not intend to use it, the card itself is in an activated state and is a kind of open wallet that anyone can look into. Continuing to draw the analogy of cash and a wallet, it seems rather strange to walk down the street, holding a previously opened wallet with money in its hands, explaining to it that it is open because “you suddenly want to buy something.” How often does the cardholder use the card during the day? One, two, but it is quite possible that he does not use it at all. But at the same time, the “wallet” card is open all day.

A natural continuation of this thought is the desire to provide the cardholder with the opportunity to keep this “wallet” closed and open it only when he really has a desire to pay off the money in it.

The objective of the present invention is to provide a method for a bank card holder to control the possibility of authorization transactions in a payment system using a bank card, limiting the possibility of fraudulent transactions in the event of a card being compromised, providing cardholders with a mechanism to control the authorization / prohibition of authorized transactions on the card and generally minimizing risk of unauthorized use of the card.

The second objective of the present invention is to provide a method for a bank card holder to control the possibility of authorization transactions in a payment system using a bank card, limiting the possibility of fraudulent transactions in the event of a card being compromised, which can be implemented and used in an existing technology for controlling authorization operations.

An additional objective of the present invention is to provide ease of control operations while creating minimal inconvenience to cardholders during the usual operations with cards.

The technical result from the use of the claimed invention is to reduce the risk of unauthorized cardholder (fraudulent) card transactions in case of compromise. At the same time, the claimed invention allows to minimize the risk of carrying out operations unauthorized by the cardholder in any card use environment.

The technical result from the use of the claimed invention is also that its use is possible already on the basis of existing technologies for monitoring the conduct of authorized operations, in particular with the use of existing SMS-information systems for transactions and especially active SMS services on the card.

The tasks with the achievement of the specified technical result are solved due to the following:

the first essential sign is that initially (in a normal, constant state for the card) any authorized operations on the card are prohibited. This is determined by the parameters of the card in the issuer's customer service center, for example, the status of the card “do not serve” or the limits for transactions that prohibit authorization, for example, the zero limit on the number of operations per day;

the second essential feature is the ability of the card holder to change the above card parameters to allowable ones by submitting an authenticated request to the issuer's customer center, for example, using non-voice SMS messages in a mobile communication environment from a mobile phone number registered in the issuer's personal computer in advance;

the third significant sign is that an authenticated request to change the above card parameters that allow or prohibit operations, the card holder may pre-authorize one, several or unlimited number of operations, including for a specified period of time, for example, allow operations to be performed for 30 minutes

the fourth significant sign is that the authorized operation can be approved by the issuer's HRC only if the cardholder has set up the card with parameters pre-authenticated by the card allowing it to be carried out, for example, the cardholder is allowed to carry out one operation, in which case one authorization request will pass standard (standard) authorization procedure, all subsequent requests will be rejected.

Brief Description of the Drawings

The invention is illustrated by diagrams.

1 is a flowchart of a preferred embodiment of a method according to the present invention.

Figure 2 is a diagram illustrating the features of authorization in a preferred embodiment of the method according to the present invention.

Figure 3 is a diagram illustrating the features of authorization and denial of authorization in a preferred embodiment of the method according to the present invention.

In figure 1 and 2 there are the following notation:

The Issuer's HRC and the Acquirer's HRC are the issuer's processing center (GTC) and the acquirer's processing center, respectively.

The HRC, generally speaking, is a holistic system, which is a set of interconnected software and hardware solutions that provides the life cycle of banking products based on bank cards and, accordingly, is responsible for conducting related operations and managing them. The PC includes a number of subsystems, in particular the front office.

Front-office is the front-office of the processing center, which performs, inter alia, authorization functions.

Authorization PS - an authorization subsystem that is part of the front office that directly performs authorization functions (refusal / confirmation of operation authorization).

CA with SMS interface - authentication server with SMS interface.

PAIPAK - a subsystem of authenticated changes in the card activity parameters.

PA database - database of activity parameters for maps.

FIGS. 4 and 5 illustrate a possible embodiment of a telephone / smartphone software interface providing for the generation and sending of a request for changing card activity parameters.

Description of a preferred embodiment of the invention

Next, with reference to FIGS. 1, 2, 3, 4, 5, the structure and principles of the operation of the present invention are outlined, with the description of widely known (in particular, from [D1], [D2]) aspects of payment card systems not provided so as not to obscure its essence.

Previously, for identification of the card holder, the card holder’s mobile phone number is registered in the processing center of the card issuer.

It is assumed that with new tools or customization of existing hardware and software in the issuer's PC, functions are implemented that provide the ability to provide the following functionality:

- authentication of incoming requests in the form of SMS messages to change the activity parameters of cards (CA with SMS interface - authentication server with SMS interface);

- authenticated change of card activity parameters for incoming requests from card holders via a CA with an SMS interface, as well as analysis of incoming authorization transactions with permission to conduct a standard authorization procedure, as well as adjustment of card activity parameters when authorization is successful (PAIPAK - authenticated change subsystem card activity parameters);

- storage of registered mobile phone numbers of cardholders and card activity parameters (PA database - database of card activity parameters).

When implementing the inventive method, the execution of authorized operations using bank cards consists of 2 sequentially executed phases.

Initially, the parameters of the cards in the processing center of the card issuer that determine the possibility of authorization of operations on them (for example, the status of the card or the limits of activity of the card registered in the processing center of the issuer) have values that do not allow any authorization transactions with the cards.

Phase 1

Change card parameters that determine the possibility of authorizing operations on it.

At stage 1, the card holder sends to the processing center of the card issuer a request for permission to perform operations on the card in the form of a non-voice message (SMS message) using a mobile phone or similar device from a mobile phone number previously registered with the processing center of the card issuer. The format and content of the message are determined by the PC and are previously known to the card holder. The formation and sending of messages can be carried out using specially designed software for the phone / smartphone, a possible implementation of its interface is shown in Figs. 4 and 5.

Further, in step 2, the CA with the SMS interface, which is a PAIPAC element, receives a request sent by the card holder and in step 3 authenticates the card holder by the mobile phone number from which the request was sent.

If authentication is successful (the indicated mobile phone number is registered in the processing center and, possibly, the request parameters that refer to a specific card indicate that the card belongs to the card holder with the mobile phone number registered in the processing center from which the request was sent), PAIPAK performs step 5 changing card parameters that determine the possibility of authorizing operations on it, new parameters are reflected in the PA database for the corresponding card.

Then, after reflecting the new parameters in the PA database at step 6, a non-voice response message (SMS message) is sent to the cardholder’s mobile phone number registered in the PC with the aim of notifying him of the success of the request processing.

If authentication is not passed, changing the card parameters that determine the possibility of authorizing operations on it is not performed. In this case, it is possible to send a non-voice message card holder (SMS message) to the mobile phone number registered in the PC about an unsuccessful attempt to change the card parameters.

The result of phase 1 is changing the parameters of the card, determining the possibility of authorizing operations on it in a state that allows the card holder to carry out an authorized operation (or several operations, depending on the parameters set in the request).

Phase 2

Carrying out operations on the card requiring authorization.

After performing phase 1, card operations can be performed by the holder at any time convenient for him. However, it is understood that phase 1 immediately precedes phase 2.

At step 7, the card holder uses the card, namely, it carries out a cash withdrawal operation at an ATM, in POS-Cash, pays for goods or services, presenting the card to a merchant, conducts a payment operation on the Internet, etc. The operation in step 7 is carried out in the usual way (as provided for by the terms of use of the card).

At stage 8, as a result of using the card, the authorization request for the operation is generated and transmitted to the card issuer’s processing center.

The front office of the issuer's HRC captures an authorization transaction. The authorization request received by the Authorization Substation in step 9 is verified using PAIPAC, where PAIPAC analyzes the card parameters registered in the PA database that determine the possibility of authorizing operations on it.

If it is determined at PAIPAK stage 9 that the card parameters registered in the PA database that determine the possibility of authorizing operations on it allow the operation to be performed, then step 11 is performed, at which the Authorization substation carries out the standard authorization procedure, in which the following checks are carried out, in particular admissibility of the requested operation:

- status, validity and authenticity of the card;

- sufficiency of funds for the operation;

- the validity of the type of operation;

- restrictions on a one-time or daily amount of operations or other restrictions.

Upon successful completion of the standard authorization procedure at step 12, PAIPAK adjusts the parameters of the card in the PA database that determine the possibility of authorizing operations on it taking into account the success of the last operation.

For example, if a cardholder had previously been allowed to carry out one operation, then at step 12 PAIPAK changes the card parameters that determine the possibility of authorizing operations on it to prevent any authorization transactions on the card.

If it is determined at PAIPAK stage 9 that the card parameters registered in the PA database that determine the possibility of authorizing operations on it prohibit the operation, then step 10 is performed, at which authorization is denied without the Authorization Substation using the standard authorization procedure.

Next, at step 13, the front office of the issuer’s processing center generates and sends a response to an authorization request that allows or prohibits the operation requested at step 7. Accordingly, depending on the response received at step 13, the operation at step 14 ends with the provision of the requested service (cash withdrawal, payment transaction, etc.) or refusal to carry it out.

The result of phase 2 is the permission or prohibition of the requested authorized operation, depending on the installed parameters of the card, determining the possibility of authorizing operations on it and adjusting these parameters in case of a successful operation.

It should be noted that due to the presence of phase 1, the possibility of conducting unauthorized (fraudulent) operations in phase 2, illustrated in FIG. 3, is limited by the period of time in which the card parameters determining the possibility of authorizing operations on it are in the permissive state. Thus, if Phase 1 is used to permit a single operation immediately before Phase 2, the possibility of unauthorized use of the card is virtually eliminated.

Terminology used

Authorization transaction (Authorization) - a set of operations for obtaining permission or refusal provided by the issuing bank to conduct a transaction for a certain amount using a bank card, which generates the issuer's obligation to execute the operation for the said amount, the requested amount is blocked on the client’s account.

Authentication - confirmation of the authenticity of data and subjects of information interaction solely on the basis of the data received themselves (in the case of information interaction, data is received from the declared sender and is not distorted).

Cardholder - a natural person who uses the services of the issuing Bank for banking operations, has a bank account, is a user of a bank card on the basis of an agreement with the issuing bank.

Payment system - a system for the exchange of transactions and mutual settlements between the parties to the system using a combination of information technology of the parties to the parties that are subject to the general regulatory rules for the transfer of funds between banks and other credit and financial institutions, which are characterized by the presence of contractual and licensing bases, trademark, financial guarantees, internal operating rules and standards.

Payee / Merchant - a legal entity or an individual who uses the services of a bank to conduct banking operations, a trading company (trade and service company, seller) that sells goods and / or services, accepts purchase orders, accepts as a means of payment bank cards.

Transaction - a set of sequential operations initiated by the Customer or the Payee to be performed by the participants of the Payment System to serve Customers who hold bank cards (in particular, to access the account in order to obtain information about the status of the account, debit, credit the account, and carry out financial settlements using a bank card).

The Acquirer is a participating bank of the Payment System, a financial institution that has a contractual relationship with a trade and service company (Payee) for servicing in order to receive data on transactions made with bank cards, sends them to the Payment system for making settlements on these transactions.

The Issuer is a participating bank of the Payment system, a credit and financial institution that issues (issues) bank cards, receives data on transactions made by Clients, authenticates the Client and authorizes the transaction, guarantees payment of transactions made by the Clients and relates the transaction amounts to Customer accounts.

The invention has been disclosed above with reference to a specific embodiment. Other specialists may be obvious to other embodiments of the invention, without changing its essence, as it is disclosed in the present description. Accordingly, the invention should be considered limited in scope only by the following claims.

Claims (3)

1. A method for a bank card holder to control the possibility of authorization transactions in a payment system using a bank card, limiting the possibility of fraudulent transactions in the event of a card being compromised by managing the card parameters in the processing center of the card issuer that determine the possibility of authorizing operations on it, characterized in that card parameters in the processing center of the issuer that determine the possibility of authorizing operations on it, such as card status or card activity limits, have values that do not allow any authorization transactions on the card and lead to the refusal to authorize by the processing center, which contains steps that allow the card holder to perform operations using the card, in which:
the card holder, for preliminary permission to perform one, limited or unlimited number of operations, sends authenticated requests for their resolution to the issuer's processing center, preceding the execution of card transactions and changing the card parameters in the issuer's processing center, such as card status or card activity limits,
the cardholder carries out card transactions, during which the processing center of the card issuer receives authorization transactions,
the processing center of the card issuer processes incoming authorization transactions and carries out a regular authorization procedure if the set parameters of the card in the processing center of the issuer, such as card status or card activity limits, permit operations, or their rejection with denial of authorization, if the set card parameters in the processing center of the issuer, such as card status or card activity limits, prohibit operations;
characterized in that as an identifier of the card holder when changing the parameters of the card in the processing center of the issuer, determining the possibility of authorizing operations on it, a mobile phone number is used, previously registered in the processing center of the card issuer;
characterized in that, as an authentication method, when requesting a change in the card parameters in the issuer's processing center, determining the possibility of authorizing operations on it, one or two-way non-voice messages are exchanged between the card issuer’s processing center and the card holder using a card holder’s mobile phone or similar devices using a mobile phone number previously registered with the processing center of the card issuer. 2. The method according to p. 1, characterized in that the authenticated request of the cardholder to change the parameters of the card in the processing center of the issuer, determining the possibility of authorization of operations on it, may contain parameters that determine the number of operations, the amount of operations, as well as the period of time for which they are allowed. 3. The method according to p. 1, characterized in that when requesting a change in the card parameters in the issuer's processing center that determine the possibility of authorizing operations on it, the possibility of multifactor strict authentication of a bank card holder and the use of existing card issuer of remote banking systems.

Images