UA148228U - Method of making electronic transactions or money transfers using contactless electronic device - Google Patents

Abstract

The method of electronic transactions and money transfers is to authenticate by reading the personal data of the owner of the contactless secure electronic media, which complies with the legislation of Ukraine and international standards in the field of technical and cryptographic protection of information. Access to secure personal data is through certified ISO 8583 TITP devices that use payment systems (POS, BASS, ATM, NFC Readers) or an electronic wallet. Such devices have a module for implementing low-frequency wireless high-frequency communication technology, such as: NFC.

Description

The utility model belongs to devices and methods of data processing, intended for administrative and commercial use of electronic calculations in certified devices of IZO 8583 TITR, which use payment systems (ROB, BA5B5,

ATM, MES eadeg5) or electronic wallet, with the help of automated banking systems and databases, and can be used for settlement organizations in electronic commerce networks - e-sottegse of a terrestrial or Internet channel, namely the main ones: C2C, B2B,

B2C, E2E, 120.

Modern means of e-commerce use and allow to carry out cashless payments for goods and services remotely by involving payment systems using bank card technology in the format of a financial message.

The Miza payment system developed the Secure Electronic Transaction standard and rules, according to which the CMP protocol was built, on the basis of which the 30-5esyge protocol works, which is an analogue of the Maziegsaga 5esygeSode payment system.

Such protocols are used as an additional level of security for online credit and debit cards, two-factor user authentication, but do not guarantee the security of funds on the card. The payment system makes payments based on the card's public data: card number, card validity period, amount code, and sometimes the name of the cardholder.

The payment system cannot guarantee that the payment is made by the legitimate cardholder, and two-factor authentication has ceased to be a security panacea.

The cardholder can independently disable authorization by RIM code. Thus, if the card is lost or stolen, the owner may lose money if the fraudster makes a purchase.

Conducting a transaction without an additional step of authentication indicates that the transfer of responsibility is possible for such a transaction, that is, the issuing bank can dispute the transaction and return the money to the cardholder. This course of events carries risks for e-commerce itself as a whole.

Card technology binds the consumer to a specific financial institution, and an additional legal entity - the processing center monopolizes the presence of payment systems on the market.

Thus, accepting payment cards for payment is profitable for settlement participants, starting with transactions with a volume of at least 10-15 euros.

З A known method of performing electronic transactions with remote execution of non-cash financial transactions (US patent Mo 4823264, IPC СОбРЕ15/30, publ. 18.04.1989), in which a client of a financial institution communicates with the bank using a modem and a personal electronic computer, indicates his individual number to identify the client's identity and gives an instruction to transfer a certain amount of funds from his account to the recipient's account. The disadvantage of the known method is a weak system and the complexity of fully identifying a client of a financial institution, which reduces the overall level of security of financial transaction execution as a whole.

Another known method of performing electronic transactions (US patent No. 5475740, IPC

НО4М11/00, publ., 12.12.1995), which describes the system of obtaining access to various paid services. The specified method allows paying for services using the user's telephone device, which contains a device for a credit card. After ordering the specified service, the client places a credit card in his phone and, after withdrawing funds from his account, gets access to the specified service. The disadvantage of such a technical solution is the need to advance payment for the service, that is, an authentication session is conducted in this way.

The next known method of improved authentication is the 30O-Zesyge protocol based on (patent of Ukraine Mo 74105, 507E19/00, publ. 10.17.2005, bulletin Mo 10), the so-called two-factor authentication. The basis of this method is the registration of a mobile cellular number in the account system in the bank for the purpose of identification of the subject, and the subsequent generation of the code by the bank after registration in the account system. The code is sent to the registered phone number via SMS. The disadvantage of using such a scheme is that the payment system cannot guarantee that the payment is made by the legitimate cardholder, and two-factor authentication is already outdated due to the development of technology.

Card technology ties the consumer to a certain financial institution, but there is still an intermediary in this chain of relations - a processing center that processes this payment and monopolizes the presence of payment systems on the market. In addition, accepting payment cards for payment is profitable for settlement participants, starting with transactions with a volume of at least 10-15 euros.

In the case of land-based e-commerce acquisition of retail trade, mostly 60 use means and devices for reading bank cards with the help of so-called POS sales points. Such devices are equipped with technical modules for interaction with cards according to the EMM standard. This standard allows the issuing bank to verify the authenticity of the card itself with high probability. Such cards are also called smart cards.

Also known is the method of using a smart card (patent of Ukraine Mo 91198, 506099/00, publ. 12.07.2010, bulletin Mo 13), with which prepayment for electricity consumption is controlled. Access to the card is due to radio frequency identification and reading of the record of this contactless smart card in a mutual way using a digital signature and serial number of the electric meter. In this way, information is collected and it is determined whether the contactless smart card has pre-approved credit, which must be greater than zero.

The card also collects information about the number of pre-paid kWh. The disadvantage of such a technical solution is the need to advance payment for the service and identify not the user, but the device of the metering device. That is, in this way, an authentication session is conducted without access to a personal account.

The method of using an electronic wallet is known (patent OZ 2015/0339648 A1, published on 26.11.2015 and 5 9,361,619 B2, published on 07.06.2016). Payment for the service is made using a mobile phone (smartphone), in which a payment card or token is simulated with the help of software. The card-token chain is stored in the payment system (Mavkhiegsaga,

Miza and others). The operation of the electronic wallet and the transfer of transaction data to the terminal's RZ is performed through the MES.

The disadvantage of such a technical solution is that the payment system cannot guarantee that the payment is made by the legitimate owner of the card, since the card is authenticated, not its owner. Moreover, card technology ties the consumer to a specific financial institution and an intermediary - the processing center of payment systems.

According to the NBU Resolution No. 492 of 11/12/2003 and ZU Mo 361-IX of 12/06/2019, the financial institution carries out identification of the user with banking services, as a result of which bank accounts are opened already as a bank client. Having an automated accounting system in its arsenal, a financial institution develops a scheme for linking an identified bank client: a physical or legal form of activity to his personal

From the accounts of this institution. In this way, it is possible to make a request to the bank's automated system to issue a list of personal accounts registered to a person who has just been identified.

Guided by ZU Me 675-MII dated 19.04.2020 and KU Me 2755-MI dated 07.11.2020, which are directly applicable in the field of e-commerce, certified devices

IBO 8583 TITR, which use payment systems (ROZ, VAB5, ATM, MES Keadegv) or electronic wallet, must be registered in a financial institution for the person who has been identified. Device certification refers to the technical provision of secure information transmission using cryptographic protection. The latter directly fulfills the requirement of the memory

Mo 2297-MI dated 03/20/2020.

The essence of a useful model is as follows.

In order to improve the operation of e-commerce and increase the level of security and introduce positive competition in the payment market, it is proposed to carry out authentication by reading the personal data of the owner of a contactless protected electronic medium, which corresponds to the legislation of Ukraine and international standards in the field of technical and cryptographic information protection.

At the moment, in accordance with the Verkhovna Rada Resolution No. 2503-ХИЙ dated January 1, 2019, the decentralized source of personal data is the passport of a citizen of Ukraine, ID card (ISOLES 14443). But the author of the useful model notes that the list of identity cards may include: foreign passport, driver's license, acquisition of Ukrainian citizenship, student card, and others that contain personal data of a person on a secure electronic medium.

Access to the protected medium of personal data occurs using certified devices I5O 8583 TITR, which use payment systems (ROB, BA5B5,

ATM, MES Keadeg5) or electronic wallet. Such devices have a module for implementing the technology of wireless high-frequency communication of a small radius, such as: MES.

MES is based on radio frequency identification, namely: KRIOU. Thus, the MES technology allows for secure data exchange using an encryption algorithm

ZOEB/AEB/ZNA-1/EMAS for active authentication using distributed keys

ESON.

The protocol for establishing a connection between the device and the contactless medium is carried out using password authentication (RACE). ROM is used as a password.

Thus, it is possible to introduce another mechanism of access to funds of a personal bank account using a contactless electronic information carrier of an identity card into the scheme of classic e-commerce, such as: using a card. ROZ and other certified devices are not tools for carrying out a transaction, they are tools for authorizing the payer and a chain for determining the authorship of a monetary transaction.

According to the drawing Fig. 1, the initiator of the financial transaction determines a certain amount of funds to pay for the service or product, then the electronic transaction is carried out by attaching a contactless electronic information carrier of the identity card |1| through the MES channel of the device (2. ROB, VAB5, ATM, MES Keadeg5 or electronic wallet, performs reading of personal data using the installation of active password authentication (RACE) using distributed keys and entering the PIN on the device.

An example of the use of RACE is known from the prior art and is described in detail in the document boss 9303 - machine-readable travel documents, Part 11, mechanisms of protection of MSPD

IBVM 978-92-9249-945-7, International Civil Aviation Organization (SA pErz /Lmmly. sao. ip/Radez/detacazrh). boss 9303 regulates the standards for processing biometric information about a person who crosses the state border. Such information is encrypted by cryptographic means and recorded in the microcircuit of a contactless protected electronic medium, for example - a foreign passport or an ID card. The device (21), in accordance with the stipulated work logic, forms a hash function, which consists of the following financial data: transaction amount, currency, personal data of the carrier |1| and transmits the hash sum to the device (1) for imposing an electronic signature by the device (11 .

Therefore, when conducting a financial transaction, the identity of the payer is authenticated.

Device 1| sends the formed cryptogram to the device (2), which in turn, according to the stipulated logic of work, forms a request packet and signs it with an electronic key provided by a financial institution. Thus, the initiation of an electronic transaction becomes unique and irrefutable.

According to the drawing Fig. 2, the device (2| directs, according to the stipulated work logic, the signed request package (23) to the bank's automated system for keeping accounts and processing personal information) for further identification of the person.

З According to the internal algorithm of the automated system |З), the bank prepares a list of personal accounts of a client of a financial institution whose personal data was sent from the device (21 in the signed request package (231.

When the bank's information security management system and automated system |Z| bank accounts are identified and the client-account link will be determined, a list of personal accounts of a client of a financial institution will be sent to the device (21), which can be seen in the drawing of Fig. 3.

Thus, the initiator of the electronic transaction will be able to select an account on the |21 device.

After the initiator of the electronic transaction determines from which account the recalculation (or transfer, or debit) of funds will be carried out, the device |(2| sends to the device (ZI) a signed request (233| of an electronic message regarding the payment transaction for conducting a financial transaction according to the management algorithm accounting of a financial institution, which can be seen in the drawing Fig. 4.

The author of the useful model notes that the list of card numbers linked to the personal accounts of the identified person can be added to the list of accounts. In the event that the device (21) is registered in a financial institution in which no accounts of the initiator of the financial transaction have been opened, then the device |2| must have a list of banks and financial institutions participating in electronic commerce that comply with the Open Banking (orep bapkKkipodo) section of the Law of Ukraine " About payment services".

With the help of АРИ Open Banking (4 financial institution acquire IZ| will be able to open a receivables account with remote identification based on personal data with a signed package |(23| of a request from the device (2). This action regarding the initiator of the financial transaction is possible thanks to open data or various unions (|5), or bureau

Credit history, which can be seen in the drawing Fig. 5.

It can be stated that the electronic transaction mentioned above provides for the possibility of assessing the probability of lending, and the bank is expanding its loan portfolio and will develop consumer lending programs. Thanks to the list on the device |2| banks and financial institutions participating in e-commerce that support Open Banking |4), the acquiring bank (I can independently issue an electronic financial message and send the specified message to the financial institution in which the transaction initiator's accounts are opened and which the transaction initiator has chosen for the device | 21.

According to the drawing Fig. b, with the help of interaction on ARI through Open Banking, automatic repayment of credit debt is possible. A financial transaction between two subjects of economic activity in the banking sphere can be performed through the Electronic Payment System of the National Bank of Ukraine (SEP) |b1I.

Automatic repayment of the loan debt occurs by receipt from the financial institution |З) through АРИ Open Banking I4| request I344| to the bank I/|Y, which forms a financial instruction for the device |b| to transfer funds from the account of the initiator of the electronic transaction G7| in favor of the bank |ZI.

Thus, the execution of electronic transactions and the implementation of money transfers, in which access to funds of a personal bank account is used using a contactless electronic carrier of information of an identity card, turns into a convenient acquiring of electronic commerce, with the following advantages: 1) reliable and safe authentication of the initiator of the electronic transaction at the time of the beginning of the financial transaction itself; 2) the relevance and integrity of personal data is guaranteed by the state (local self-government body and other central executive authorities), and forgery of such an information carrier is impossible, thanks to the encryption of data about the owner and the imposition of an electronic digital signature (EDS) by the relevant state service; 3) the initiation of an electronic transaction becomes unique and irrefutable; 4) service and access to financial accounts at the time of conducting an electronic transaction is possible in any bank or financial institution of your choice, since there is no Issuing Bank in this model; 5) the absence of an additional legal entity, namely the card processing center of the payment system, allows to significantly increase the profitability of maintaining a similar financial scheme of e-commerce; 6) introduces healthy economic competition in the financial market, with the help of which it is possible to improve the pricing of goods; 7) improvement of user service from the side of the development of credit programs, with the help of remote identification.

The above example is more secure and competitive for electronic transactions and money transfers.

Compliance of the claimed technical solution with such a criterion as industrial suitability is confirmed by the given example of the functioning of the method of performing electronic transactions.

Brief description of the drawings:

Fig. 1 - Scheme of reading personal data using active authentication;

Fig. 2 - Scheme of forming and sending a request for a transaction data package to the bank's automated system;

Fig. 3 - Schema of directing and displaying the list of personal accounts of a client of a financial institution;

Fig. 4 - Scheme of formation and sending of an electronic message regarding a payment transaction for the continuation of a financial transaction;

Fig. 5 - Scheme for opening a receivables account with remote identification;

Fig. 6 - Scheme of automatic debt repayment;

Fig. 7 - Algorithm operation scheme before sending a request to a financial institution or bank;

Fig. 8 - Algorithm operation scheme - request processing in a bank or financial institution;

Fig. 9 - Scheme of the algorithm - the end of the transaction.

List of abbreviations used in the text:

ROB-Roipi OG Zaie;

ВА5З5-Bapk oi asho taiyeas zeig-5egmise;

ATM-ashotagiea iePeg taspipe, ATM;

MES Veadegv5-Meag Rivii Sottipisatiop, device for non-contact data exchange.

Electronic wallet -

SMR-saga poi rzhezepi, a protocol that means "card missing";

TITR-Ttap27U/age IBO8583 Teptipai! Hornbeams; 30-5esyge - data exchange protocol;

ROME-Regizopai Idepiyisayop Mitrbeg;

EMU - International standard for transactions using bank cards with a chip; bo ZOEZ5 - Algorithm of symmetric data encryption;

AE5 - Symmetric block data encryption algorithm;

ZNA-1 - Cryptographic data encryption algorithm;

RACE-Razzmzhoga Ashnepiysaiyed Soppesiyop Eviabiyizptepi;

ARI-Arriisayop Rgodgattipa Ipiepase;

SEP - System of electronic payments of the National Bank of Ukraine;

C2S (Sopzypteg-yu-Sopvyteg") - consumer-to-consumer scheme;

B2B (Vyzipe55-yu-Vyvipev5) - business-to-business scheme;

B2C (Vyvipez5-Yuyu-Sopvyteg!) - business-consumer scheme;

E2E (Ekspapde-yu-Ekspapde) - exchange-to-exchange scheme; se (Somegptepi-yu-Spy2epv) - government-citizen scheme;

Zesyge EIesigopis Tgtapzasiyup - standard "Secure electronic transaction;

Trading point - an organization engaged in the sale of goods or services, the initiator of the acquiring connection. Pays a commission for using acquiring.

Acquiring bank - credit financial institution (bank) in which the seller's current account is opened and which provides equipment for acquiring. Such a bank must be registered in the payment system (Miza, Mavkhiesbagy or any other). Responsible for the technical side of card purchase operations, receives a commission from the seller.

Issuing bank - a financial institution that issues bank cards, payments from which are accepted by ROB and other terminals. Bears full responsibility for the correctness of calculations with the bank's client as part of the purchase procedure using a bank card.

Claims (1)

USEFUL MODEL FORMULA 25 1. The method of performing electronic transactions and making money transfers, which involves the following stages: - the initiator of the financial transaction determines a certain amount of funds to pay for a service or product, and then the electronic transaction is carried out by attaching a contactless electronic information carrier of an identity card |1| through the MES channel of the device (21), which performs reading of personal data using the setting of active password authentication (APA) with the use of distributed keys and input to the RIM device; - device (2| generates a hash function and transmits to device (1) the hash sum for imposing an electronic signature by device (11; - device I1| sends the formed cryptogram to device (2), which forms a request packet and 35 signs it with an electronic key provided by a financial institution; - the device (2) sends a signed request package (23| (to the bank's automated system for keeping accounts and processing personal information) for further identification of the person; - the bank prepares a list of personal accounts of a client of a financial institution whose personal data was sent from the device ( 21 in the signed request package (231; 40 - the bank's information security management system and the bank's automated account accounting system perform identification and determine the client-account link; - the initiator of the electronic transaction can select the account on the device |21; - after determination by the initiator of the electronic transaction from which account the transfer of funds will be made, the device (2| sends to the device swarm |Z|, signed request (233) of an electronic 45 message regarding a payment transaction for carrying out a financial transaction according to the accounting algorithm of a financial institution; - with the help of ARI Open Banking (4 financial institution acquirer |I|Z| will be able to open a receivables account with remote identification based on personal data with a signed package (23) of a request from the device (21; 50 - the acquirer bank of IZI can issue an electronic financial message and send the specified message to the financial institution in which the accounts of the initiator of the transaction are opened and which was chosen by the initiator of the transaction on the device (21; - then a financial transaction can be conducted between two subjects of economic activity in the banking sphere through the Electronic Payment System of the National Bank of Ukraine ( SEP). 55 2. The method according to claim 1, which differs in that as a device I2| use ROZ, VAZ5, ATM, MES Veadegv. C. The method according to claim 1, which differs in that an electronic wallet is used as a device (2). 4. The method according to claim 1, which differs in that the device (2) forms a hash function from the following data: transaction amount, currency, payment information, personal data of the carrier |11. 5. The method according to claim 1, which differs in that the list of I32| personal accounts of a client of a financial institution is directed to the device (2). 6. The method according to claim 1, according to which the list of card numbers linked to the personal accounts of the identified person can be added to the list of the person's accounts. 7. The method according to claim 1 or item b, which differs in that in the case when the device (21) is registered in a financial institution in which no accounts of the initiator of the financial transaction have been opened, then the device (2) may contain a list of banks and financial institutions of the participants of electronic commerce, which correspond to the section Open banking (orep Bbapkipo). 8. The method according to claim 1, which differs in that the opening of a receivables account with remote identification based on personal data with a signed package (23) of a request from the device |2| regarding the rating of financial trust to the initiator of the financial transaction, it is carried out in case of availability of data from the credit history bureau or credit union. 9. The method according to claim 1, which differs in that with the help of interaction on ARI through Open Banking, automatic repayment of credit debt is possible. 10. The method according to claim 1, which is distinguished by the fact that repayment of the loan debt occurs by receiving a request (344) to the bank |7) from the financial institution (|Z) through АРИ Open Banking (41), which forms a financial instruction for the device | b| for the transfer of funds from the account of the initiator of the electronic transaction (7| in favor of the bank |ZI. HOM and you and with Fig. 1 o Kak iiaaiinnny "h z y i Fig. 2 ONY KON VE EMO amomomonena EE OO VENU I EOM OV VE ZHE ZK PO KHE OM i I ZHE NK M MO M Y KO MO i ov SCHO MM 7 VE E Peladtsii nii i same E i i ; E and E | i iz E ih n m Po OH Pn I KU OV EOEZOO VV SIA MM MO I MO I EN PI I MY MO OKU story MY MEM, KZ N shar OO OH y y MMK OH I Ж ho; there is also E i E: in X KE z EH MENE EN MOM K ME I U KN VO ME OOKKNNNM M kosooovvovyuya 5 MO OH MO XX new MOM KOVO se ke I E 4 ; I i y I Z ch i NI K " y sya nn nn g o she x z Z Z i E; y ' x / OK rvaadaaanni kiy y MM Y m OK E ХК E y di ШЭ i Я t 1 и OKХ NN her І OO ІІ і і І OZ і ОО і і і І І wild і і і і і і і і OM і І ЕК: Хі і МОМ і і MU і і ME і і MO і OY z s GO EN VN і ON and I OO - MOM w OH W we OO OM VO ME M MA SCHE UMH to her She, M ХK M OH x MA OH y I KE ON OKH I BO y ! MY M i t ih , KO V y h u. We're on our own, I'm here, I'm here, I'm sorry. and: І У как и ша а и ; y - a and ha. now te / х сн С У и и х и A и х и З E; With h y ; Ь у ИЗ Б. у Е ч х Й i И И нн ONY Я И З arena E; IZ g (I K: IZ ! (I K: IZ (AS: IZ (AS: IZ (I z I Z nzheenny IZ s Z zvi i mo; I I Me, Z OH. s izh y tk PO I KOSO E ON IZ KK lo IZ z KHE IZ KONYA i z ON x OO Y zey MO I "B i i with MOM I 7 s PE I MAH MO is oku OO, OKO I OO ON y ; ONKO U I s SOYA i I Tl y / U sr -t o orep bapkipo; ih / - Й Me I МЕЖ t M more. M MOM M a EE OY (Z KVK ys SCHE Z VE KI z x IOAN i Z Ivavecei z IH aa i Kak gama: 3 IBK VEN V EH ha V KK UNN UNH UZA E KZ z Z xx z I xxx x x i i i E Z xxx VO docum oh p KK their IOM zhk E Z MO IMN ZE MNS EMV. V VN VIC EN: MNK E Z j KU h: I en KN E I Vesny ty ROM wa pon: her pevzhe ak Ka EV KK TE ki pe i ХВЖЕКНЕМУЮУЮЮ СКУ ККД ВМ ХХХ и Z ВХ a KU zi хх Eva TE ze ; х BIMUK TEKU з MЖХ ХУ M УК СМЖУЖЕМКХ ХХХХ СХОЖЭ ЖЖ Uh ЖЖ ЖХХ ХЕ. Z DONNA. Uh hih hu KE I I B Mu MH DOV MECCA FUT VANYA ZHE EE Z GZK x x Zhefsmkoky zosh o KK ZKaKOKI SHE KOZ soky i Kal kokvs COKO ik KOKKVK KVK z ME VEN KIV VO VEK V INK VN MEM EH KE EI HE Ponsen ZUBAK ZHEK UM DM Z VEZHU VKM ZHK M EC: DYA VEZA VM OBO IN VH i ooo MORE khz Fig. 7 t s: their I z. eh from Z boki vUu ih hukthahaheuyuy momu koka V zhy mihi Ma U he Maha E; Kive te zue tower ve Z MEN. For the same OENE E PI shk cho VU KE E zer pek nok until E DE OKKO KAK MNE E kih -- ke (their same se donyu: SCHE She oo, KO OB wk is Pk uvevi kis bank Z She Z "mo foniv AEMK KU EVYH KOKO E MAN h I ord vh I MZHK ZUK KTK TOKH NN EK VOM BABY M MNVK U vchy Z z y x : Z y Shaanya p shcha h - still g. r Her MA, g E I y ke kuki Shchi pom i DEC MEM VO KK i il ne sip kU nano towers IN ZBK ME MKK KO KOH VEK ANMM MOHU : ; -k fact Mkokochek stok: Kk n koka k A Ж OKH SE KUEMNAVH EK DOM BYK KA A ЗB nako inv for little nae avnh z and also: with EK EM POP MEM UM MILOM AH zh UK I dry UKH "uko COKO Mecca: ; DAM PENJ ICON UMO y ect kA вх х Х CHANGE ВК х у. Zhukov ket posti Movu ! I ; PEREV ECHVEO KEBKU Ma and YOU 5. scoop ka ik aka yi I ХКОВМ КА УКХ Z Khyusnuoi 5 ko . y r MK VK BU