TWI668646B - Data processing system and method for multiple POS terminals - Google Patents


Publication number
TWI668646B
Authority
TW
Taiwan
Prior art keywords
data processing
key
application client
pos terminals
pos
Application number
TW106123694A
Other languages
Chinese (zh)
Other versions
TW201804382A (en)
Inventor
王琪
劉國寶
張少飛
Original Assignee
中國銀聯股份有限公司
Application filed by 中國銀聯股份有限公司
Publication of TW201804382A
Application granted
Publication of TWI668646B

Classifications

    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07G: REGISTERING THE RECEIPT OF CASH, VALUABLES, OR TOKENS
    • G07G1/00: Cash registers
    • G07G1/12: Cash registers electronically operated
    • G07G1/14: Systems including one or more distant stations co-operating with a central processing unit
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Cash Registers Or Receiving Machines (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates generally to data processing and, more particularly, to a data processing system and method for a plurality of POS terminals. In a data processing system for a plurality of POS terminals according to one embodiment of the invention, each of the POS terminals is assigned its own unique first master key, and an application client capable of running on the plurality of POS terminals is assigned a common second master key. The data processing system includes: a communication unit configured to communicate with the plurality of POS terminals; and a processing unit, coupled to the communication unit, configured to perform operations associated with the application client, the operations including sign-in processing, online transaction processing and batch settlement transaction processing. The data involved in online transaction processing is processed at the POS terminal based on a first work key encrypted with the first master key, and at the processing unit based on a second work key encrypted with the second master key.

Description

Data processing system and method for multiple POS terminals

The present invention relates generally to data processing and, more particularly, to a data processing system and method for a plurality of POS (Point of Sale) terminals.

In the traditional POS industry, before a terminal is deployed to a merchant, the POS terminal's professional service provider or the acquirer has to use a parent POS to manually inject the terminal master key into the PIN pad of the POS terminal; the terminal master key (TMK) is unique to each POS terminal. Each POS terminal shares its unique terminal master key with the online transaction system, and the online transaction system calls an encryption machine to randomly generate a PIK (Personal Identification Number Key) code and a MAK (Media Access Control Key) code, both of which are encrypted with the TMK. The PIK code is stored in the PIN pad (PIN PAD) and is used to encrypt a user password such as a personal identification number (PIN); the MAK code is used for message authentication (MAC). During an online transaction, to prevent the PIN from being leaked or cracked, the PIN must be protected by encryption throughout the entire exchange from the terminal to the card issuer, and it must not appear in plaintext at any point in the computer and network systems.

As commerce becomes increasingly prosperous and developed, POS terminals are being used more and more widely. However, prior-art POS terminals have the following disadvantages:

(1) High hardware maintenance cost. A merchant's counter usually has to be equipped with several POS terminals and the corresponding PIN pads, which wastes hardware resources and maintenance cost.

(2) New services are difficult to roll out. Whenever a new service is to be promoted, the POS program has to be re-flashed and the PIN pad re-injected; for a single service, multiple sets of data have to be applied for nationwide, so the investment is large and the rollout is slow.

One object of the present invention is to provide a data processing system for a plurality of POS terminals that offers good extensibility for new services in an efficient, low-cost manner.

In a data processing system for a plurality of POS terminals according to one embodiment of the invention, each of the POS terminals is assigned its own unique first master key, and an application client capable of running on the plurality of POS terminals is assigned a common second master key. The data processing system includes: a communication unit configured to communicate with the plurality of POS terminals; and a processing unit, coupled to the communication unit, configured to perform operations associated with the application client, the operations including sign-in processing, online transaction processing and batch settlement transaction processing. The data involved in online transaction processing is processed at the POS terminal based on a first work key encrypted with the first master key, and at the processing unit based on a second work key encrypted with the second master key.

Preferably, in the above data processing system, the first work key comprises a first PIK code used by the PIN pad to encrypt the user password and a first MAK code used for message authentication, and the second work key comprises a second PIK code used by the processing unit to encrypt the user password and a second MAK code used for message authentication.

Preferably, in the above data processing system, the processing unit includes an application terminal dedicated to the application client to perform the operations.

Preferably, in the above data processing system, the processing unit performs sign-in processing as follows: when one of the plurality of POS terminals initiates a sign-in request to the data processing system on behalf of the application client, it generates a first work key encrypted with the first master key and returns that first work key to the POS terminal that initiated the sign-in request; and for the application client's first sign-in request, it also generates a second work key encrypted with the second master key.

Preferably, in the above data processing system, the processing unit performs online transaction processing as follows: when one of the plurality of POS terminals initiates an online transaction processing request to the data processing system on behalf of the application client, it verifies the legitimacy of the request and, after the verification passes, calls the hardware encryption machine to convert the user password encrypted with the first PIK code into a user password encrypted with the second PIK code, for use in processing the data involved in online transaction processing.

Preferably, in the above data processing system, the processing unit performs batch settlement transaction processing as follows: when one of the plurality of POS terminals initiates a batch settlement transaction processing request to the data processing system on behalf of the application client, it clears the first work key and the second work key stored in the processing unit.

Preferably, in the above data processing system, each POS terminal has its own unique device identifier, the application client has a unique application identifier, and the processing unit performs the legitimacy verification by comparing the device identifier and the application identifier contained in the online transaction processing request with a predetermined association.

Another object of the present invention is to provide a data processing method for a plurality of POS terminals that offers good extensibility for new services in an efficient, low-cost manner.

A data processing method for a plurality of POS terminals according to one embodiment of the invention includes the following steps: assigning each of the plurality of POS terminals its own unique first master key; assigning a common second master key to an application client capable of running on the plurality of POS terminals; and performing operations associated with the application client, the operations including sign-in processing, online transaction processing and batch settlement transaction processing, wherein the data involved in online transaction processing is processed at the POS terminal based on a first work key encrypted with the first master key and at the processing unit based on a second work key encrypted with the second master key.

Reference numerals:
10: data processing system for multiple POS terminals
110: communication unit
120: processing unit
121A: application terminal
121B: application terminal
21: POS terminal
22: POS terminal
A: application client
B: application client
30: acquiring platform
40: hardware encryption machine
S210-S530: steps

So that the above features of the invention can be understood in detail, a more particular description of the invention, briefly summarized above, is given with reference to embodiments, some of which are illustrated in the accompanying drawings. It is to be noted, however, that the drawings illustrate only typical embodiments of the invention and are therefore not to be considered limiting of its scope, since the invention may admit other equally effective embodiments.

FIG. 1 is a block diagram of a data processing system for a plurality of POS terminals according to one embodiment of the invention.

FIG. 2 is a flow chart of a data processing method for a plurality of POS terminals according to another embodiment of the invention.

FIG. 3 is a flow chart of a data processing method involving a sign-in processing operation according to another embodiment of the invention.

FIG. 4 is a flow chart of a data processing method involving a sign-in online transaction data operation according to another embodiment of the invention.

FIG. 5 is a flow chart of a data processing method involving a sign-in batch settlement transaction processing operation according to another embodiment of the invention.

The invention is described more fully below with reference to the drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. The embodiments are given so that this disclosure is thorough and complete and conveys the scope of protection of the invention more fully to those skilled in the art.

Terms such as "comprising" and "including" mean that, in addition to the units and steps directly and explicitly stated in the description and the claims, the technical solution of the invention does not exclude other units and steps that are not directly or explicitly stated.

In this specification, a data processing system is a system that can decrypt the messages uploaded by a POS terminal and verify the legitimacy of, and the association between, the POS terminal and the application terminal. It contains a processing unit that carries out the processing operations needed for magnetic stripe card debit/credit transactions, PBOC debit/credit transactions, qPBOC offline transactions and the like; the processing operations include, but are not limited to, assembling messages for the financial acquiring platform, connecting to the hardware encryption machine and computing the message MAC.

In this specification, an application client may be an application running on the smart operating system of a POS terminal and configured to complete the payment function by interacting with the data processing system. According to one aspect of the invention, the same application client running on multiple POS terminals has a unique application identifier, which is stored in the data processing system.

In this specification, an application terminal may be an application running in the data processing system. According to another aspect of the invention, each application corresponds to exactly one application terminal, and the application client completes the online transaction function through the application terminal.

According to another aspect of the invention, each POS terminal is assigned its own unique first master key, and each application client or application capable of running on multiple POS terminals is assigned a common second master key. The data involved in online transaction processing is therefore processed at the POS terminal based on a first work key encrypted with the first master key, and in a data processing system such as an online transaction system based on a second work key encrypted with the second master key.

According to another aspect of the invention, when one of multiple POS terminals running the same application client initiates a sign-in request to the data processing system on behalf of that application client, a first work key encrypted with the first master key is generated and returned to the POS terminal that initiated the sign-in request; in addition, if the sign-in request is the application client's first sign-in request, a second work key encrypted with the second master key is also generated. Preferably, the first work key comprises a first PIK code used by the PIN pad to encrypt the user password and a first MAK code used for message authentication, and the second work key comprises a second PIK code used by the processing unit to encrypt the user password and a second MAK code used for message authentication.

According to another aspect of the invention, for each application client or application, the data processing system is equipped with a dedicated application terminal that performs the operations involving that application client, including but not limited to sign-in processing, online transaction processing and batch settlement transaction processing, and within the data processing system an association is established between the application terminal and the application identifier that identifies the application client. When the application client initiates a transaction, the application terminal converts the online transaction data from the POS terminal into online transaction data conforming to the application terminal specification and then processes it. As described above, the same application client shares the same second master key, so online transactions can be handled in a uniform way while payment security is preserved, which favours the introduction of new services.

FIG. 1 is a block diagram of a data processing system for a plurality of POS terminals according to one embodiment of the invention.

The data processing system 10 for a plurality of POS terminals shown in FIG. 1 includes a communication unit 110 and a processing unit 120. The communication unit 110 is configured to communicate with a plurality of POS terminals (shown as 21 and 22 in FIG. 1), with the acquiring platform 30 and with the hardware encryption machine 40. The processing unit 120 is coupled to the communication unit 110 to perform operations associated with the application client, such as sign-in processing, online transaction processing and batch settlement transaction processing. Preferably, the processing unit 120 includes one or more application terminals (shown as 121A and 121B in FIG. 1), each associated with one application or application client and configured to perform the operations involving the associated application client. In the embodiment of FIG. 1, POS terminals 21 and 22 both contain application clients A and B, application terminal 121A is associated with application client A, and application terminal 121B is associated with application client B.

FIG. 2 is a flow chart of a data processing method for a plurality of POS terminals according to another embodiment of the invention. For ease of explanation, the method of this embodiment is implemented with the data processing system shown in FIG. 1. It should be noted, however, that this embodiment is not limited to a system with a specific structure.

The data processing method of this embodiment includes the following steps. In step S210, each of the plurality of POS terminals is assigned its own unique first master key. In step S220, a common second master key is assigned to one or more application clients capable of running on the plurality of POS terminals. In step S230, the data processing system 10 performs operations associated with the application client, including sign-in processing, online transaction processing and batch settlement transaction processing, wherein the data involved in online transaction processing is processed at the POS terminal based on a first work key encrypted with the first master key and at the processing unit based on a second work key encrypted with the second master key.

FIG. 3 is a flow chart of a data processing method involving a sign-in processing operation according to another embodiment of the invention. For ease of explanation, the method of this embodiment is implemented with the data processing system shown in FIG. 1. It should be noted, however, that this embodiment is not limited to a system with a specific structure.

The data processing method of this embodiment includes the following steps. In step S310, the communication unit 110 receives, from one of the plurality of POS terminals (for example POS terminal 21 in FIG. 1), a sign-in request sent by an application client (for example A in FIG. 1); the sign-in request contains the device identifier of POS terminal 21 and the application identifier corresponding to the application client.

In step S320, the application terminal associated with the application identifier (for example application terminal 121A in FIG. 1) calls the hardware encryption machine 40 to generate a first work key (for example a first PIK code and a first MAK code) encrypted with the first master key TMK1, and returns the first work key to the POS terminal that initiated the sign-in request.

In step S330, the application terminal 121A checks whether this sign-in request is the first sign-in request of application client A. If it is, the method proceeds to step S340; otherwise it proceeds to step S350.

In step S340, the application terminal 121A calls the hardware encryption machine 40 to generate a second work key (for example a second PIK code and a second MAK code) encrypted with the second master key TMK2, and proceeds to step S350.

In step S350, the application terminal 121A saves the first work key and the second work key, if one was generated.

In step S360, the communication unit 110 sends the first PIK code to POS terminal 21; the PIK code is stored in the PIN pad of POS terminal 21 and is used to encrypt the user password PIN.

FIG. 4 is a flow chart of a data processing method involving an online transaction processing operation according to another embodiment of the invention. For ease of explanation, the method of this embodiment is implemented with the data processing system shown in FIG. 1. It should be noted, however, that this embodiment is not limited to a system with a specific structure.

The data processing method of this embodiment includes the following steps. In step S410, the communication unit 110 receives, from one of the plurality of POS terminals (for example POS terminal 21 in FIG. 1), an online transaction request sent by an application client (for example A in FIG. 1). The request contains the online transaction data (for example the user password PIN encrypted with the first PIK code, and the payment amount), the device identifier of POS terminal 21 and the application identifier corresponding to the application client.

In step S420, the application terminal 121A verifies the legitimacy of the received online transaction processing request, for example by comparing the device identifier and the application identifier contained in the request with a predetermined association. If the verification passes, the method proceeds to step S430; otherwise the operation is terminated.

In step S430, the application terminal 121A determines whether the application associated with the application identifier has already signed in. If it has not, the method proceeds to step S440 and performs the sign-in processing operation shown in FIG. 3; otherwise it proceeds to step S450. After step S440 the method also proceeds to step S450.

In step S450, the application terminal 121A calls the hardware encryption machine 40 to convert the user password encrypted with the first PIK code into a user password encrypted with the second PIK code.

In step S460, the application terminal 121A computes the MAC using the second MAK code of the second work key, and completes and pads the corresponding message fields according to the point-of-sale terminal specification to generate a complete message.

In step S470, the application terminal 121A sends the complete message to the acquiring platform 30.

In step S480, the application terminal 121A returns the card issuer's processing result, received from the acquiring platform 30, to POS terminal 21.

FIG. 5 is a flow chart of a data processing method involving a sign-in batch settlement transaction processing operation according to another embodiment of the invention. For ease of explanation, the method of this embodiment is implemented with the data processing system shown in FIG. 1. It should be noted, however, that this embodiment is not limited to a system with a specific structure.

The data processing method of this embodiment includes the following steps. In step S510, the communication unit 110 receives, from one of the plurality of POS terminals (for example POS terminal 21 in FIG. 1), a batch settlement transaction processing request sent by an application client (for example A in FIG. 1).

In step S520, the application terminal 121A instructs POS terminal 21 to upload the corresponding device identifier and application identifier.

In step S530, the application terminal 121A clears the first work key associated with POS terminal 21 and the second work key associated with application A that it has stored.
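The sign-in, online transaction and batch settlement flows of FIGS. 3 to 5, modelled as an added example (not code from the patent or from the assignee). The patent names no algorithms, so a SHAKE-256 keystream with an HMAC tag stands in for the hardware encryption machine's cipher; the class names, the `tmk1:`/`tmk2:` key ids, the sample PIN and the choice to reject a transaction when no work key is present are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher (assumption): SHAKE-256 keystream plus HMAC tag; the page names no algorithm.
def _xor(key, nonce, data):
    stream = hashlib.shake_256(b"ks" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, nonce, ct):
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]

def seal(key, data):
    nonce = secrets.token_bytes(12)
    ct = _xor(key, nonce, data)
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key or modified ciphertext")
    return _xor(key, nonce, ct)

class Hsm:
    """Model of hardware encryption machine 40: master keys and clear PINs stay inside."""
    def __init__(self):
        self._masters = {}

    def create_master(self, key_id):   # returned only so it can be injected into a PIN pad
        return self._masters.setdefault(key_id, secrets.token_bytes(32))

    def new_work_key(self, key_id):    # PIK and MAK, each encrypted under the named master key
        return {n: seal(self._masters[key_id], secrets.token_bytes(32)) for n in ("pik", "mak")}

    def translate_pin(self, id1, wk1, id2, wk2, pin_ct):
        pin = unseal(unseal(self._masters[id1], wk1["pik"]), pin_ct)   # clear PIN only here
        return seal(unseal(self._masters[id2], wk2["pik"]), pin)

    def mac(self, key_id, wk, message):
        mak = unseal(self._masters[key_id], wk["mak"])
        return hmac.new(mak, message, hashlib.sha256).digest()[:8]

    def pin_matches(self, key_id, wk, pin_ct, pin):   # check hook standing in for the issuer
        pik = unseal(self._masters[key_id], wk["pik"])
        return hmac.compare_digest(unseal(pik, pin_ct), pin.encode())

class PinPad:
    """PIN pad of one POS terminal, loaded with that terminal's first master key."""
    def __init__(self, tmk1):
        self._tmk1, self._pik = tmk1, None

    def load(self, wk1):
        self._pik = unseal(self._tmk1, wk1["pik"])

    def encrypt_pin(self, pin):
        return seal(self._pik, pin.encode())

class ApplicationTerminal:
    """Application terminal for one application client, e.g. 121A for client A."""
    def __init__(self, hsm, app_id, device_ids):
        self.hsm, self.app_id, self.allowed = hsm, app_id, set(device_ids)
        self.wk1, self.wk2 = {}, None   # first work key per device; shared second work key

    def _check(self, device_id, app_id):   # legitimacy verification (S420)
        if app_id != self.app_id or device_id not in self.allowed:
            raise PermissionError("device/application pair is not registered")

    def sign_in(self, device_id, app_id):   # S310-S360
        self._check(device_id, app_id)
        self.wk1[device_id] = self.hsm.new_work_key("tmk1:" + device_id)
        if self.wk2 is None:   # first sign-in of this application client (S330, S340)
            self.wk2 = self.hsm.new_work_key("tmk2:" + self.app_id)
        return self.wk1[device_id]

    def online_transaction(self, device_id, app_id, pin_ct, amount):   # S410-S460
        self._check(device_id, app_id)
        if device_id not in self.wk1 or self.wk2 is None:
            raise PermissionError("sign-in required")   # assumption: no implicit sign-in
        pin2 = self.hsm.translate_pin("tmk1:" + device_id, self.wk1[device_id],
                                      "tmk2:" + self.app_id, self.wk2, pin_ct)
        message = f"{self.app_id}|{amount}|".encode() + pin2
        return pin2, message + self.hsm.mac("tmk2:" + self.app_id, self.wk2, message)

    def batch_settle(self, device_id, app_id):   # S510-S530
        self._check(device_id, app_id)
        self.wk1.pop(device_id, None)
        self.wk2 = None

def demo():   # constructed scenario: POS terminals 21 and 22 both run application client A
    hsm = Hsm()
    pads = {d: PinPad(hsm.create_master("tmk1:" + d)) for d in ("POS21", "POS22")}
    hsm.create_master("tmk2:A")
    term = ApplicationTerminal(hsm, "A", pads)
    out = {}
    for d, pad in pads.items():
        pad.load(term.sign_in(d, "A"))
        out[d] = term.online_transaction(d, "A", pad.encrypt_pin("4821"), 1200)[0]
    return hsm, term, pads, out
```

Both terminals' PINs end up under the one second PIK, and a ciphertext from terminal 22 presented under terminal 21's device identifier fails inside `translate_pin` because it does not authenticate under terminal 21's first PIK.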

The embodiments and examples set forth herein are provided to best explain embodiments in accordance with the present technology and its particular application, and thereby to enable those skilled in the art to make and use the invention. However, those skilled in the art will recognize that the foregoing description and examples are presented for purposes of illustration and example only. The description as set forth is not intended to cover every aspect of the invention or to limit the invention to the precise form disclosed.

In view of the foregoing, the scope of the present disclosure is determined by the following claims.

Claims (14)

1. A data processing system for a plurality of POS (Point of Sale) terminals, each of the plurality of POS terminals being assigned its own unique first master key, characterized in that an application client capable of running on the plurality of POS terminals is assigned a common second master key, and the data processing system comprises: a communication unit configured to communicate with the plurality of POS terminals; and a processing unit coupled to the communication unit and configured to perform operations associated with the application client, the operations including check-in processing, online transaction processing and batch settlement transaction processing, wherein data involved in the online transaction processing is processed at the POS terminal based on a first work key encrypted by the first master key, and is processed at the processing unit based on a second work key encrypted by the second master key.

2. The data processing system of claim 1, wherein the first work key comprises a first PIK (Personal Identification Number Key) code used by a PIN pad to encrypt a user password and a first MAK (Media Access Control Key) code used for message authentication, and the second work key comprises a second PIK code used by the processing unit to encrypt the user password and a second MAK code used for message authentication.

3. The data processing system of claim 1, wherein the processing unit comprises an application terminal specially provided for the application client to perform the operations.

4. The data processing system of claim 1, wherein the processing unit performs the check-in processing in the following manner: when one of the plurality of POS terminals initiates a check-in request to the data processing system on behalf of the application client, generating a first work key encrypted with the first master key and returning that first work key to the POS terminal that initiated the check-in request; and, for the first check-in request of the application client, additionally generating a second work key encrypted with the second master key.

5. The data processing system of claim 2, wherein the processing unit performs the online transaction processing in the following manner: when one of the plurality of POS terminals initiates an online transaction processing request to the data processing system on behalf of the application client, performing legitimacy verification on the online transaction processing request; and, after the legitimacy verification passes, invoking a hardware encryption machine to convert the user password encrypted with the first PIK code into the user password encrypted with the second PIK code, for use in processing the data involved in the online transaction processing.

6. The data processing system of claim 1, wherein the processing unit performs the batch settlement transaction processing in the following manner: when one of the plurality of POS terminals initiates a batch settlement transaction processing request to the data processing system on behalf of the application client, clearing the first work key and the second work key stored in the processing unit.

7. The data processing system of claim 5, wherein each POS terminal has its own unique device identifier, the application client has a unique application identifier, and the processing unit performs the legitimacy verification by comparing the device identifier and the application identifier contained in the online transaction processing request with a predetermined association.

8. A data processing method for a plurality of POS terminals, characterized by comprising the following steps: assigning each of the plurality of POS terminals its own unique first master key; assigning a common second master key to an application client capable of running on the plurality of POS terminals; and performing operations associated with the application client, the operations including check-in processing, online transaction processing and batch settlement transaction processing, wherein data involved in the online transaction processing is processed at the POS terminal based on a first work key encrypted by the first master key, and is processed at the processing unit based on a second work key encrypted by the second master key.

9. The data processing method of claim 8, wherein the first work key comprises a first PIK code used by a PIN pad to encrypt a user password and a first MAK code used for message authentication, and the second work key comprises a second PIK code used by the processing unit to encrypt the user password and a second MAK code used for message authentication.

10. The data processing method of claim 8, wherein the operations are performed using an application terminal specially provided for the application client.

11. The data processing method of claim 8, wherein the check-in processing is performed in the following manner: when one of the plurality of POS terminals initiates a check-in request on behalf of the application client, generating a first work key encrypted with the first master key and returning that first work key to the POS terminal that initiated the check-in request; and, for the first check-in request of the application client, additionally generating a second work key encrypted with the second master key.

12. The data processing method of claim 9, wherein the online transaction processing is performed in the following manner: when one of the plurality of POS terminals initiates an online transaction processing request on behalf of the application client, performing legitimacy verification on the online transaction processing request; and, after the legitimacy verification passes, invoking a hardware encryption machine to convert the user password encrypted with the first PIK code into the user password encrypted with the second PIK code, for use in processing the data involved in the online transaction processing.

13. The data processing method of claim 8, wherein the batch settlement transaction processing is performed in the following manner: when one of the plurality of POS terminals initiates a batch settlement transaction processing request on behalf of the application client, clearing the stored first work key and second work key.

14. The data processing method of claim 12, wherein each POS terminal has its own unique device identifier, the application client has a unique application identifier, and the legitimacy verification is performed by comparing the device identifier and the application identifier contained in the online transaction processing request with a predetermined association.
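The key flow recited in the claims (check-in, online transaction with PIK translation, batch settlement), as an added Python example that is not code from the patent. The names `Host`, `seal`, `unseal` and `terminal_request` are hypothetical. The claims name no algorithms, so the cipher is a stand-in (XOR with an HMAC-SHA256 keystream), the MAC is HMAC-SHA256, the PIN is sealed as raw bytes rather than a PIN block, and the host class performs in software what the claims assign to the hardware encryption machine.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream, data <= 32 bytes.
    if len(data) > 32:
        raise ValueError("stand-in cipher handles at most 32 bytes")
    ks = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = os.urandom(16)
    return nonce + _xor(key, nonce, data)

def unseal(key, blob):
    return _xor(key, blob[:16], blob[16:])

class Host:
    """Processing unit; key handling here models the hardware encryption machine."""
    def __init__(self, terminal_master_keys, app_id, app_master_key):
        self.tmk = terminal_master_keys      # device_id -> unique first master key
        self.amk = app_master_key            # common second master key of the app client
        self.allowed = {(d, app_id) for d in terminal_master_keys}  # predetermined association
        self.wk1, self.wk2 = {}, None        # wrapped work keys stored at the host

    def check_in(self, device_id):
        pik1, mak1 = os.urandom(16), os.urandom(16)
        self.wk1[device_id] = seal(self.tmk[device_id], pik1 + mak1)
        if self.wk2 is None:                 # first check-in of the application client
            self.wk2 = seal(self.amk, os.urandom(32))   # PIK2 + MAK2
        return self.wk1[device_id]           # returned to the requesting terminal

    def online_transaction(self, device_id, app_id, enc_pin, mac):
        if (device_id, app_id) not in self.allowed or device_id not in self.wk1:
            raise PermissionError("device/application association check failed")
        k1 = unseal(self.tmk[device_id], self.wk1[device_id])
        expect = hmac.new(k1[16:], enc_pin, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expect):
            raise ValueError("MAC mismatch")
        pik2 = unseal(self.amk, self.wk2)[:16]
        return seal(pik2, unseal(k1[:16], enc_pin))   # PIN now encrypted under PIK2

    def batch_settle(self):
        self.wk1.clear()                     # both work-key sets are cleared at settlement
        self.wk2 = None

def terminal_request(tmk, wrapped_wk1, pin):
    k1 = unseal(tmk, wrapped_wk1)            # terminal unwraps PIK1 + MAK1 with its own key
    enc_pin = seal(k1[:16], pin)
    return enc_pin, hmac.new(k1[16:], enc_pin, hashlib.sha256).digest()
```

Because only the first work key is wrapped per terminal, the downstream side of the host sees one PIK2/MAK2 pair for the application client no matter which terminal originated the request.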
TW106123694A 2016-07-26 2017-07-14 Data processing system and method for multiple POS terminals TWI668646B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610591757.1A CN106228713B (en) 2016-07-26 2016-07-26 Data processing system and method for multiple POS terminals
201610591757.1 2016-07-26

Publications (2)

Publication Number Publication Date
TW201804382A TW201804382A (en) 2018-02-01
TWI668646B true TWI668646B (en) 2019-08-11

Family

ID=57534251

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106123694A TWI668646B (en) 2016-07-26 2017-07-14 Data processing system and method for multiple POS terminals

Country Status (3)

Country Link
CN (1) CN106228713B (en)
TW (1) TWI668646B (en)
WO (1) WO2018019125A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106228713B (en) * 2016-07-26 2018-08-10 中国银联股份有限公司 Data processing system and method for multiple POS terminals
CN110048831A (en) * 2018-12-29 2019-07-23 中国银联股份有限公司 The distribution method and diostribution device of POS terminal master key
CN111935158B (en) * 2020-08-12 2021-02-26 盐城工学院 Financial data management method of remote network consumption system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593389A (en) * 2009-07-01 2009-12-02 中国建设银行股份有限公司 A kind of key management method and system that is used for the POS terminal
CN101686225A (en) * 2008-09-28 2010-03-31 中国银联股份有限公司 Methods of data encryption and key generation for on-line payment
CN101867895A (en) * 2009-09-01 2010-10-20 深圳市安捷信联科技有限公司 Consumption method based on mobile terminal and messages, mobile terminal and business system
CN102299799A (en) * 2010-06-24 2011-12-28 索尼公司 Information processing device and method, program, and information processing system
CN105743654A (en) * 2016-02-02 2016-07-06 上海动联信息技术股份有限公司 POS machine secret key remote downloading service system and secret key downloading method

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1998279A1 (en) * 2007-05-29 2008-12-03 First Data Corporation Secure payment transaction in multi-host environment
CN102054258A (en) * 2010-12-16 2011-05-11 中国建设银行股份有限公司 Electronic bank safety certificating method and system based on mobile equipment
CN102542451B (en) * 2010-12-24 2015-02-04 北大方正集团有限公司 Electronic paying method, system and device thereof
CN102831534A (en) * 2011-06-15 2012-12-19 郑幸鲲 System and method for issuing and verifying electronic coupon
CN104348610A (en) * 2013-07-31 2015-02-11 中国银联股份有限公司 Method and system for securely transmitting transaction sensitive data based on cloud POS
JP6223811B2 (en) * 2013-12-18 2017-11-01 セコム株式会社 Communication system and communication method
CN104954123A (en) * 2014-03-28 2015-09-30 中国银联股份有限公司 Intelligent POS terminal main key updating system and updating method
EP3140796B1 (en) * 2014-05-08 2021-05-05 Square, Inc. Establishment of a secure session between a card reader and a mobile device
CN106228713B (en) * 2016-07-26 2018-08-10 中国银联股份有限公司 Data processing system and method for multiple POS terminals

Also Published As

Publication number Publication date
WO2018019125A1 (en) 2018-02-01
CN106228713B (en) 2018-08-10
CN106228713A (en) 2016-12-14
TW201804382A (en) 2018-02-01
