WO2005073934A1 - Procede et systeme pour l'authentification de transactions de carte de credit - Google Patents

Procede et systeme pour l'authentification de transactions de carte de credit Download PDF

Info

Publication number
WO2005073934A1
WO2005073934A1 PCT/IL2005/000096 IL2005000096W WO2005073934A1 WO 2005073934 A1 WO2005073934 A1 WO 2005073934A1 IL 2005000096 W IL2005000096 W IL 2005000096W WO 2005073934 A1 WO2005073934 A1 WO 2005073934A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
sale
point
personal
card
Prior art date
Application number
PCT/IL2005/000096
Other languages
English (en)
Inventor
Aron Matalon
Original Assignee
Aron Matalon
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aron Matalon filed Critical Aron Matalon
Publication of WO2005073934A1 publication Critical patent/WO2005073934A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3224Transactions dependent on location of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation

Definitions

  • the present invention relates to the authentication of credit-card payments. More particularly, the invention relates to a method and system for authenticating cardholders while carrying out credit card transactions.
  • FIG. 1 is a block diagram illustrating a typical process of credit-card transaction.
  • the card-acceptor e.g., merchant
  • POS 18 terminal the Point-of-Sale (POS) 18 terminal.
  • the POS 18 communicates (e.g., via a modem) to the Acquirer 15, that checks the validity of the transaction (e.g. merchant ID) and of the credit- card, utilizing the details read from its magnetic stripe (e.g., card number, expiration date, etc.).
  • Acquirers are organizations that collect credit-authentication requests and data relating to the transactions being carried out, provide the merchants with a payment guarantee and initiate an interchange system.
  • the records of the Acquirer are updated with the credit-card details provided by the card Issuers. Once the cardholder's credit is verified the payment money is transferred to the bank account (16) of the card-acceptor and the card Issuer 17 is updated with the transaction details.
  • the Acquirer 15 confirms the transaction, it is completed by the cardholder signing a receipt containing the transaction details.
  • the card- acceptor may attempt to verify the cardholder's identity, for example, by comparing the cardholder's signature to the signature appearing on the credit card, as required by some of the Issuers, or possibly by inspecting an identification certificate (e.g., identity card) of the cardholder to verify that it matches the cardholder's details appearing on the credit-card.
  • an identification certificate e.g., identity card
  • PSTN Public Switched Telephone Networks
  • wireless telephony e.g., cellular phones
  • Internet-based e-commerce implementations In such transactions the cardholder and the merchant are not in any direct contact and it is therefore almost impossible to authenticate the identity of the parties involved.
  • Acquirer financial organization which acquires from the card-acceptor the data relating to the transaction, authenticates the cardholder credit, and initiates that data into an interchange system.
  • Cardholder the individual or entity wishing to carry out a business transaction utilizing a credit-card.
  • Issuer financial organization such as banks which issue their customers credit-cards.
  • Card-acceptor the entity receiving the payment in a credit-card transaction.
  • the present invention is directed to the authentication of credit- card transactions carried out at a Point-of-Sale.
  • the method comprises providing cardholders with Personal-Units including means for storing a unique identifier and means for transmitting the identifier upon receipt of a unique Triggering-Signal, providing the Point-of-Sale with a Personal-Unit- Detector including means for transmitting the unique Triggering-Signal, receiving a corresponding transmission from a Personal-Unit and extracting the identifier carried therein, obtaining credit-card information, and transmitting a unique Triggering-Signal associated with the credit-card.
  • the authentication may further comprise authenticating the credit of the credit-card.
  • the Personal-Unit may be equipped with a Keypad including one or more keys for confirming transactions by cardholders by typing a key or a unique sequence of keys.
  • the transmittal of the unique identifier is conditioned by the typing of a certain key or a sequence of keys.
  • the authentication can be performed by the Personal-Unit-Detector, by the Point-of-Sale, or by an Acquirer linked to the Point-of-Sale via a communication channel.
  • the communication between the Point-of-Sale and the Acquirer, and/or between the Personal-Unit-Detector and the Personal-Unit, is preferably carried out over a secured channel.
  • information is transferred in a concealed form.
  • credit-card information is stored in the Personal-Units and transmitted upon receipt of the unique Triggering-Signal for carrying out the authentication (off-line authentication).
  • the transmission from the Personal- Unit-Detector to the Personal-Unit may further include instructions to the Personal-Unit to erase the credit-card information stored therein (change into on-line authentication mode).
  • the authentication of the transactions may further comprise the confirmation of a matching Transaction Code received with the Personal-Unit transmission.
  • the Personal-Unit is provided with a new Transaction Code for the next transaction whenever a transaction is confirmed.
  • the authentication of the credit-card transactions is carried out utilizing cardholders' cellular communication means (e.g., cellular phone).
  • Credit-card and Point-of-Sale information are used for obtaining information concerning the cellular communication means of the cardholder and the location of the Point-of-Sale.
  • the respective Cellular Network is then enquired for the location of the cardholder's communication means. If it is determined that the cardholder's communication means is located in the vicinity of the Point-of- Sale the transaction is confirmed, otherwise it is aborted. This may be carried out by checking if the Pont-of-Sale and the cardholder's communication means are locate within the same cellular cell.
  • the cardholder's communication means are provided with a GPS, and in such implementation the confirmation of transactions is preferably carried out by determining if the cellular communication means is located in the vicinity of the Point-of-Sale by checking if it resides within a circular area defined by the location of the Point-of-Sale and a predefined radius. One or more locations may be defined for the Point-of-Sale in order to confirm transactions carried out via wired and or wireless communication means.
  • Further confirmation of transactions may be carried out via the cellular communication means by transmitting a predetermined pressed key, or a sequence of pressed keys, which may be transmitted via a SMS.
  • the authentication of the transactions may further comprise the confirmation of a Transaction Code transmitted by the cellular communication means upon receipt of a request for the same.
  • the cellular communication means are provided with a new Transaction Code for the next transaction whenever a transaction is confirmed.
  • the preferred embodiment of the invention may utilize a predefined radius for confirming transaction by determining if the cellular communication means is located in the vicinity of the Point-of-Sale by checking if it resides within a radii defined by the location of the Point-of-Sale and said predefined radius.
  • the Point-of-Sale may be a computer terminal linked to a data network, or alternatively it may be a regular wired telephone or a cellular phone.
  • Point-of-Sale can be used for confirming transactions.
  • Fig. 1 is a block diagram illustrating a typical process of credit-card transaction
  • Fig. 2 is a block diagram illustrating a credit-card transaction according to a preferred embodiment of the invention
  • Fig. 3 is a flowchart illustrating the authentication process according to the preferred embodiment of the invention
  • Figs. 4A and 4B are block diagrams illustrating preferred embodiments of the PU and PUD of the invention
  • Fig, 5 is a block diagram illustrating a preferred embodiment of the invention based on cellular telephony
  • Fig. 6 is a flowchart illustrating a process for conforming credit-card transaction utilizing cellular telephony.
  • the present invention is directed to the authentication of credit-card payments.
  • the invention provides means for authenticating the identity of cardholders and thereby provides cardholders increased protection from being impersonated by others who may have access to their credit-cards.
  • the authentication of cardholders will of course also add protection to merchants from fraudulent transactions, assist in guaranteeing the payment for merchants and services charged via credit-card, and improve detection of fraudulent credit-card transactions.
  • the cardholders are provided with a Personal Unit (PU) containing information identifying the cardholder and optionally, information of one or more credit-cards of the cardholder.
  • the PU of the invention is capable of transmitting the identifying information (and optionally, credit-card information), upon receipt of a signal demanding said information.
  • the demanding signal is preferably transmitted by a Personal Unit Detector (PUD) at the Point of Sale (POS), which is also capable of receiving the PU transmission.
  • PID Personal Unit Detector
  • POS Point of Sale
  • the authentication of the cardholder is carried out by determining if the information transmitted by the PU matches the information read from the card by a card-reader at the POS. It is important that the PU be always kept in the possession of the individual to whom it is coupled, and it should not be held separately from that individual or given to another.
  • Fig. 2 is a block diagram illustrating a preferred embodiment of the invention for authenticating individuals coupled with a Personal Unit (PU) 20.
  • the PU is used for validating credit- card transactions by authenticating the cardholder identity.
  • the PU is preferably a small transceiver (e.g., radio transceiver) that is used for transmitting signals including identifying information (ID) related to the individual to whom it is coupled.
  • ID identifying information
  • the transmission of the PU can be a short range transmission that will be received by the Personal Unit Detector (PUD) 25.
  • the PU 20 may be embedded in the identity card, or driving license of the cardholder. Alternatively, it may be integrated into any other device carried by the cardholder such as a watch or mobile phone, or even carried by the cardholder as an epidermal implant. In any case, the credit-card 13 (hereinafter the card) and the PU should be kept separately to prevent the access of unauthorized personals to both the PU and the credit-card.
  • the POS 18 is linked to the PUD 25 which is preferably located in the vicinity of the card-reader 10 or possibly integrated into the POS 18.
  • the PUD 25 is a small transceiver that is used for transmitting triggering signals which are addressed to the PU 20 of the cardholder, and for retrieving PU-signals from PUs 20.
  • a preferred process for authenticating cardholders is illustrated in the flow chart of Fig. 3 which will be now discussed in conjunction with Fig. 2. The process is initiated in step 30 wherein the card 13 is swiped through the card- reader 10 at the POS 18, whereby the POS 18 obtains the Card Information (CI) from the magnetic stripe of the card 13 for authenticating the cardholder's credit.
  • CI Card Information
  • step 31 the POS 18 contacts the Acquirer 15 and provides it with the CI for authenticating the cardholder.
  • the Acquirer 15 reads from its Database (DB) the cardholder's record containing details identifying the cardholder (hereinafter cardholder-ID) and other information that is used to authenticate the cardholder's credit and for obtaining information related to the PU-Triggering- Signal of the PU to be provided to the POS 18.
  • DB Database
  • cardholder-ID details identifying the cardholder
  • each PU 20 is activated upon receipt of a unique PU-Triggering- Signal (PTS) 21, which is used by the PUD 25 for triggering the PU 20 of the cardholder.
  • PTS PU-Triggering- Signal
  • the PTS 21 is transmitted by the PUD 25 in step 32, and upon receipt of said unique PTS 21 in step 33 the PU 20 of the cardholder is activated and transmits its PU-signal 22 which carries PU Identity information (PU-ID) related to the individual carrying it.
  • PU-ID PU Identity information
  • Each PTS is associated with a particular PU which eliminates scenarios such as those in which a plurality of PU-signals 22 are transmitted concurrently by different PUs 20 being present in at the same time in the vicinity of a POS 18.
  • the PUD 25 enters a wait state for the receipt of the PU- signal 22. If PU-signal 22 is not received within a predetermined period of time, the transaction is aborted in step 35 and the POS 18 provides the card- acceptor with a corresponding indication, typically via the POS 18 display unit.
  • the PUD 25 may be optionally programmed to perform steps 32-34 for some predefined number of additional times in a loop (retry, indicated by a dashed line) until a PU-signal 22 is received or until said loop is exhausted.
  • step 34 the PUD 25 receives a PU-signal 22
  • step 36 the PUD extracts the PU-ID carried by the PU-signal 22.
  • step 37 the cardholder is authenticated by checking if there is a match between the PU-identifier (PU- ID) and the cardholder-ID details.
  • the authentication step 37 is preferably carried out by the Acquirer 15 by checking if there is a match between the PU- ID received by the PUD 25 and the cardholder-ID information maintained in the Acquirer's DB records.
  • the Acquirer's DB records may include the PU-ID of each cardholder, such that the PU-ID check can be carried out simply by comparing the cardholder's PU-ID received by the PUD 25 and the PU-ID of the corresponding DB record.
  • the cardholder-ID in the DB records may include a permutation and/or a one-way transformation (e.g., hash function) of the PU-ID, and in this case the authentication step should also include performing the required permutation and or transformation before checking if there is a match.
  • the authentication step 37 can be carried out in various ways via the PUD 25, the POS 18, or the Acquirer 15.
  • step 37 If it is determined in step 37 that the details of the cardholder-ID and the PU- ID do not match, the transaction is aborted in step 35.
  • the authentication process may include some predefined number of additional retries in a loop (retry, indicated by a dashed line) until a matching PU-ID is received or until said loop is exhausted, in order to eliminate aborting a transaction in a situation in which the PU-signal transmitted from another PU to a nearby POS was received by the PUD.
  • step 37 If it is determined in step 37 that the details of the cardholder-ID and the PU- ID do match, the transaction is confirmed in step 38 and completed by the POS 18 by issuing a receipt including the transaction details, to be signed by the cardholder.
  • the authentication step 37 is critical for the approval of each transaction, and the result of this step is used by the POS 18 and the Acquirer 15 to determine if the transaction can be carried out.
  • the authentication step 37 is performed by the Acquirer 15 by providing it with the PU-ID obtained by the POS via the PUD 25 in step 36.
  • the Acquirer 15 preferably maintains a DB including records of cardholder-IDs, PU-IDs, their matching PTS information, and possibly some additional information.
  • the communication between the POS 18 and the Acquirer 15 is preferably carried out over a secured communication channel (e.g., SSL).
  • SSL secured communication channel
  • Security may be enhanced by encrypting the secured information transferred between the Acquirer 15 and the PUD 25, for instance by utilizing public key cryptography.
  • the PTS information can be delivered from the Acquirer 15 to the PUD 25 via the POS 18 in a concealed (encrypted) form to prevent exposure to eavesdropping attempts.
  • the PU-ID transferred from the PUD 25 to the Acquirer 15 via the POS 18 may also be encrypted by the PUD 25 prior to its transfer.
  • secured communication between the PU 20 and the PUD 25 may be established by utilizing ciphered transmissions as used in encoded communication methods such as Phase Shift-Keying (PSK), spread spectrum communication (e.g., CDMA), and the like.
  • PSK Phase Shift-Keying
  • CDMA spread spectrum communication
  • the authentication step 37 may be carried out by the POS 18 or by the PUD 25.
  • the Acquirer may provide in step 31 the PUD 25 (via the POS 18) with the PTS information and the corresponding PU-ID maintained in its DB records.
  • the PUD 25 After receiving the PTS and PU-ID information, the PUD 25 transmits the PTS 21 in step 32, and if a corresponding PU-signal 22 is received in step 34 the PUD 25 extracts the PU-ID in step 36 and performs the authentication step 37.
  • the results of the authentication step 37 are then transferred to the POS 18 and Acquirer 15 which will instruct the card- receiver to confirm or abort the transaction accordingly.
  • the PTS and PU-ID information are preferably transferred to the PUD 25 concealed in an encrypted form.
  • the authentication step 37 can be carried out by the POS 18, however in such implementation it is preferable that secured information transferred between the PUD 25 and the POS 18, and between the Acquirer 15 and the POS 18, be carried out in a concealed manner to avoid exposure of PU-ID and PTS information.
  • the acquirer provides the POS 18 with the PTS and PU-ID information in step 31.
  • the POS 18 transfers the PTS information to the PUD 25 for transmittal of the PTS 21 as shown in step 32.
  • the PUD 25 Upon receipt of a corresponding PU-signal 22 in steps 36, the PUD 25 provides the POS 18 the PU-ID obtained, which is then used for carrying out the authentication step.
  • ciphering and deciphering steps should be performed whenever secured information is transferred in a concealed form between the POS 18 and the Acquirer 15, and between the PUD 25 and the POS 18.
  • the PUD 25 of the invention may be composed from a transceiver 45 (Fig. 4B) for transmitting PTSs 21 and receiving PU-signals 22, and an Interface 47 for interfacing between the PUD 25 and the POS 18.
  • the PTS information for transmitting the PTS 21, the PU-signal 22 received by the PUD 25, and optionally any additional data, are transferred directly between the POS 18 and the PUD 25 via the Interface 47, and any further processing required for these operations is preferably carried out by the POS 18.
  • the PUD 25 also requires computational capabilities, and therefore a CPU 46 and a Memory 48 are also required as shown in Fig. 4B.
  • the interface 47 should be realized to suit the specific implementation in which the PUD 25 is utilized. For example, in Internet-based e-commerce applications the Interface 47 should provide the PUD 25 the capability to communicate with a PC (e.g., UART), and in telephony applications it should be able to communicate with the POS 18 over the communication channel that is being used (e.g., modem).
  • a PC e.g., UART
  • telephony applications it should be able to communicate with the POS 18 over the communication channel that is being used (e.g., modem).
  • Transceiver 40 is used for transmitting PTSs 21, receiving PU-signals 22, and other optional signals as will be discussed herein below.
  • the PU-ID, operation code (software), and any other information which may be required for PU 20 operation are stored in the Memory 41.
  • a small power source (not shown) is also required in the PU 20, if an external power source is not available.
  • the CPU 43 may be used for carrying out a variety of tasks including identifying PTS transmissions cryptographic operations, and authentication if the implementation so permits.
  • the POS 18 provides the PUD 25 with the PTS and PU-ID information of the cardholder, as obtained from the Acquirer, and the authentication step is performed by the PU 20 by comparing the PU-ID transmitted by the PUD 25 to the PU-ID stored in Memory 41.
  • the communication between the PUD 25 and the PU 20 can include several steps including a step of activating the PU by transmittal of the respective PTS 21, receipt of an activation signal from the PU 20 acknowledging its activation, transmittal of PU-ID and any other information which may be required by the PU 20 for carrying out the authentication step 37, and transmittal of authentication results from the PU 25.
  • Communication of secure information is preferably performed in a concealed form.
  • the PU 20 may optionally also include a Keypad 42 including one or more keys, which may be used for introducing additional conditions for completing the authentication. For instance, the cardholder may be required to enter a Personal Identification Number (PIN) for conditioning the transaction confirmation. In such an implementation the cardholder's PIN should be stored in the PU Memory 41 for carrying out this further authentication, or alternatively, the PU 20 may transmit the PIN entered by the cardholder for carrying out this further authentication at the POS 18 or at the Acquirer 15.
  • PIN Personal Identification Number
  • the security of the authentication process can be further improved by introducing a verification step in which a Transaction Code (TC) is checked for conditioning transaction confirmation.
  • the TC should be stored in the PU Memory 41 and maintained in the corresponding record of the cardholder at the Acquirer 15.
  • the TC is also transmitted by the PU Transmitter 45 after it is activated by the PTS 21.
  • the PUD 25 forwards the Acquirer 15 the TC for verification via the POS 18, and if the authentication and verification are completed successfully confirming the transaction, the Acquirer provides the PUD 25 via the POS 18 with a new TC for the next transaction. This new TC is transmitted by the PUD 25 to the PU 20 where it is stored in Memory 41.
  • the authentication step may also include additional steps for improving the security of this process.
  • the transmittal of the PU-signal may be conditioned by typing a certain key (e.g., OK button) in Keypad 42, or a certain sequence of cardholder's PIN keys.
  • the PU may include means for indicating (e.g., audible and/or visual such as a speaker and/or a LED) to the user that the PTS was received and that a keypad key, or a sequence keys, should be pressed in order to transmit the PU-signal.
  • the authentication step may include a simplified process in which the POS 18 provides the PUD 25 with identifying information read from the card 13, and said information is transmitted to the PU 20 for confirmation.
  • some or all of the information of the magnetic stripe of card 13 is also stored in the PU Memory 41.
  • This embodiment of the invention may be used to allow off-line authentication of cardholders, namely, without requiring Acquirer intervention.
  • the information stored in the PU 20 includes also CI which is transmitted to the PUD 25 for authentication.
  • the off-line authentication may be carried out by the PU 20 and in this case the PUD transmits the CI read by the card-reader 10 to the PU 20, where it is checked if it matches with the CI stored in its memory.
  • the PU 20 then issues a transmission to the PUD for confirming or aborting the transaction according to the authentication results.
  • the implementation of the off-line authentication may be based on determining the PTS for activating the PU 20 by the PUD 25.
  • the PTS of the PU is preferably generated utilizing the CI or the cardholder's identifying information, or their combination, read from the card by the card reader.
  • the PU may be programmed to erase the CI upon receipt of such instructions form a PUD during an authentication process which in response will eliminate any further off-line authentications.
  • the authentication method of the invention may be implemented in an off-line- mode in which the authentication is based on the CI, and an on-line-mode in which the authentication is based on the Acquirer's DB records.
  • These operation modes can be utilized to establish a two stage integration process which includes an initiation period, in the first step, in which the PU is mainly used in the off-line-mode, and after expiration of the initiation period, erasing the IC information stored in the PU memory 41 and performing only on-line- mode authentications.
  • the invention may be used to authenticate cardholders in various applications as will be described hereinafter.
  • the Issuer 17 may use PUDs 25 at point of service locations for authenticating the cardholders requesting different services.
  • PUDs can be used in self service locations to guarantee that only cardholders who were authenticated via their PUs can enter and approach such locations and services.
  • the authentication should include swiping cards 13 in a card reader linked to a PUD.
  • PUDs may be also used to authenticate cardholders by tellers in banks or other service points, and by Automated Teller Machines (ATM).
  • ATM Automated Teller Machines
  • the invention may be also used in online (e.g., e-commerce, wireless commerce) transactions to secure transactions and allow issuers, merchants and consumers to conduct business online with security and confidence.
  • the POS 18 may be any Personal Computer (PC) linked to a PUD 25 (e.g., USB), that can be used for carrying out Internet-based e-commerce credit-card transactions once the cardholder is authenticated, while protecting the transactions from fraud.
  • PC Personal Computer
  • the invention can be used to authenticate transactions carried out via telephones in which the credit-card number is typed on the phone keypad by the cardholder.
  • the telephone should be equipped with a PUD for authenticating the cardholder.
  • the PTS, PU-ID, and any additional information which may be required are transferred between the PUD and the POS over the telephone line utilizing state of the art methods (e.g., DTMF).
  • the PU may be equipped with a transducer (e.g., piezoelectric) for transmitting over the telephone line the PU- signal in the form of a sonic or ultrasonic transmission.
  • the PUD is located at the POS and is adapted to receive such sonic or ultrasonic transmissions and extract the PU-ID included therein.
  • the PU of the invention may be used to authenticate numerous credit-cards issued by one or more issuers to the same cardholder.
  • the PU should include credit-card information, than it should include the information of each credit card that was issued to a cardholder.
  • the PUs of a group of individuals may be able to authenticate one or more cards.
  • Such definitions are preferably implemented by the Acquirerl ⁇ by associating DB records of a group of individuals with a certain card.
  • the PU and the PUD of the invention may be designed to transmit and/or receive information utilizing different transmission methods.
  • PUs belonging to a group of cardholders e.g., belonging to a specific issuer
  • PUs belonging to a group of cardholders may be designed to communicate utilizing a specific communication method (e.g., CDMA)
  • CDMA specific communication method
  • the PUD should be capable of transmitting/receiving information utilizing the various communication methods that are used.
  • the PU and the PUD of the invention may be implemented utilizing Bluetooth technology or Wi-Fi technology, and in this case the PU of the invention may be integrated into devices that are equipped with means based on such technologies (e.g., mobile phones, PDAs, laptops, and the like).
  • This embodiment of the invention simplifies the PU implementations by utilizing communication means available via such devices.
  • the integration of the PU into such devices may be realized by the addition of one or more software modules and preferably does not include the addition of hardware.
  • the PU of the invention may be embedded into a mobile phone carried by the cardholder.
  • the identifying information contained in the PU may be transferred to the Acquirer via the telephony infrastructures (e.g., cellular networks). In this way an additional layer of security may be added by confirming that the identifying information is received via the cardholder's mobile phone.
  • the operations performed by the PU and PUD is carried out utilizing cellular telephony, as shown in Figs. 5 and 6.
  • the authentication process is initiated in step 60 by the reading of the details of the credit-card 13 via the card reader 10.
  • the POS 18 contacts the Acquirer 15 (e.g., via modem) and provides the Acquirer 15 with details of the Card 13 and of the POS 18.
  • the Acquirer enquire its BD records and extracts the location of POS 18 and details pertaining to the Cardholder's cellular phone 52 (e.g., service provider, phone number).
  • step 63 The details pertaining to the Cardholder's cellular phone are used in step 63 by the Acquirer 15 to enquire at the respective Cellular Network 51 for the location of the Cardholder's cellular phone 52.
  • the Acquirer 15 checks if the phone 52 is located in the vicinity of the POS 18 at the time of the transaction. This step may be carried our, for instance, by comparing the location of the POS 18 with the location of the Cardholder's phone 52 and determines whether said POS and phone are located within the same cellular cell 53.
  • step 64 If it is determined in step 64 that the Cardholder's cellular phone 52 is not located in the vicinity of the POS 18, the transaction is aborted in step 65.
  • the Acquirer 15 may send corresponding indications to the POS 18, and also to the phone 52. If it is determined in step 64 that the Cardholder's cellular phone 52 is located in the vicinity of the POS 18, the transaction is confirmed in step 67, and the Acquirer 15 provides a corresponding indication to the POS 18, and possibly also to the phone 52.
  • the security may be further enhanced by carrying out step 66, before the transaction is confirmed, wherein the Cardholder's confirmation is requested via the cellular phone 52.
  • This step may be carried out by sending the phone 52 a message (e.g., SMS — Short Message Service) including details of the transaction to be confirmed.
  • SMS Short Message Service
  • the Cardholder is then required to press a key or a combination of keys (e.g., PIN) on the keypad of phone 52.
  • the Acquirer 15 is provided with the pressed key(s) via the Cellular Network 51 (e.g., via SMS) and completes the authentication of the cardholder accordingly. Namely, if the pressed key(s) which were received match those expected to be received from the respective Cardholder, the transaction is confirmed in step 67, otherwise it is aborted in step 65.
  • Additional security may be obtained by utilizing a TC to be transmitted to the Acquirer 15 by the phone 52 upon receipt of a request. If the TC received match the TC for the current transaction as reflected by the Cardholder's DB record at the Acquirer 15, the transaction is confirmed and the Cardholder's DB record and phone 52 (via network 51) are then updated with a new TC for the next transaction.
  • a mobile station i.e., cellular phone
  • Cellular Networks 51 is typically determined in terms of Cellular Cells 53
  • this preferred embodiment of the invention may take advantage of more precise positioning technologies available nowadays via the cellular telephony services, or even utilizing GPS techniques.
  • phone 52 is equipped with GPS poisoning, a more precise determination can be carried out by providing the Acquirer with precise location (e.g., spatial or geographic definition such as the two dimensional coordinates) of the POS and of the phone 52.
  • the confirmation in this case preferably includes a predefined radius for determining that the Cardholder's phone 52 is located in the vicinity of the POS 18, e.g., by checking if the pone 52 is located within the radii defined by said radius and the POS location.
  • the authentication step can proceed according to the cellular cell 53 in which the phone 52 is located.
  • This authentication method can be also employed in Internet-based e- commerce implementations and/or in transactions carried out via the telephone.
  • the location of the POS should be defined to be the computer terminal from which the transaction is performed, and for telephony transactions the POS location should be defined to be the location of the cardholder's telephone.
  • the cardholders' authentication according to the present invention can be implemented with the credit card systems that are currently in use. These systems should be modified by providing the POSs with a PUDs, the cardholders with PUs, and updating the Acquirers' DBs with the pertinent information for carrying out the authentication of the invention.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Finance (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

L'invention concerne un procédé et un système pour l'authentification de transactions de carte de crédit effectuées à un point de vente. On fournit des unités personnelles aux détenteurs de carte. Ces unités comportent un système d'enregistrement d'identificateur unique et un système de transmission de l'identificateur au moment de la réception d'un signal de déclenchement unique. On fournit également au point de vente un détecteur d'unité personnelle qui comprend un système de transmission du signal de déclenchement unique, pour la réception d'une transmission correspondante de la part d'une unité personnelle et pour l'extraction de l'identificateur propre à cette unité. L'information de carte de crédit est alors établie et un signal de déclenchement unique associé à la carte de crédit est ensuite transmis. Si une transmission correspondante est reçue de la part d'une unité personnelle, la carte est authentifiée par vérification de l'association entre l'identificateur unique de la transmission et la carte, et si cette association est établie, la transaction est confirmée. Autrement, la transaction est interrompue. Si la transmission n'est pas reçue, la transaction est également interrompue.
PCT/IL2005/000096 2004-01-28 2005-01-27 Procede et systeme pour l'authentification de transactions de carte de credit WO2005073934A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL160107 2004-01-28
IL16010704A IL160107A0 (en) 2004-01-28 2004-01-28 Method and system for authenticating credit transactions

Publications (1)

Publication Number Publication Date
WO2005073934A1 true WO2005073934A1 (fr) 2005-08-11

Family

ID=33485456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2005/000096 WO2005073934A1 (fr) 2004-01-28 2005-01-27 Procede et systeme pour l'authentification de transactions de carte de credit

Country Status (2)

Country Link
IL (1) IL160107A0 (fr)
WO (1) WO2005073934A1 (fr)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2901079A1 (fr) * 2006-05-15 2007-11-16 Gemplus Sa Procede pour securiser une transaction par carte a puce, terminal d'ecriture pour securiser une telle transaction, et carte a puce securisee
EP2070037A1 (fr) * 2006-10-27 2009-06-17 Purpose Intellectual Property Management II Crédit-bail
WO2009157003A1 (fr) * 2008-06-26 2009-12-30 Suresh Babubhai Kapadia Système et procédé pour empêcher le détournement d'une carte de crédit/carte de débit volée, perdue, reproduite, falsifiée ou contrefaite
LU91488B1 (en) * 2008-10-17 2010-04-19 Robert Carter Multifactor Authentication
EP2199966A1 (fr) * 2008-12-22 2010-06-23 Compagnie Industrielle et Financiere d'Ingenierie "Ingenico" Procédé de sécurisation de transactions, dispositif de transaction, serveur bancaire, terminal mobile, et produits programmes d'ordinateur correspondants
WO2011076438A1 (fr) * 2009-12-23 2011-06-30 Wolfram Doering Procédé de communication électronique d'ordres de banque, et système de communication pour la mise en oeuvre de ce procédé
EP2460114A1 (fr) * 2009-07-31 2012-06-06 Finsphere Corporation Vérification de message de communication mobile de transactions financières
WO2012175296A3 (fr) * 2011-06-20 2013-02-21 Siemens Aktiengesellschaft Vérification d'un jeton d'authentification en fonction du véhicule concerné
WO2014008922A1 (fr) * 2012-07-09 2014-01-16 Izettle Merchant Services Ab Procédé de vérification de pin en étoile pour cartes de crédit avec des informations de carte stockées dans une bande magnétique
DE102015012553A1 (de) 2014-10-29 2016-05-04 TruckGuard GmbH Verfahren und System zum Betanken von Fahrzeugen
US9838872B2 (en) 2007-03-16 2017-12-05 Visa International Service Association System and method for mobile identity protection for online user authentication
WO2019138086A1 (fr) * 2018-01-12 2019-07-18 Ingenico Group Procédé de détermination d'une association entre une carte bancaire et un terminal de communication, dispositif, système et programme correspondant
US10776791B2 (en) 2007-03-16 2020-09-15 Visa International Service Association System and method for identity protection using mobile device signaling network derived location pattern recognition
US10977652B1 (en) * 2016-02-02 2021-04-13 Wells Fargo Bank, N.A. Systems and methods for authentication based on personal card network
WO2022005762A1 (fr) * 2020-06-29 2022-01-06 Capital One Services, Llc Système et procédé pour traiter les rejets de cartes de point de vente

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997045814A1 (fr) * 1996-05-24 1997-12-04 Behruz Vazvan Procede et systeme en temps reel servant a effectuer des transactions a distance de paiement de factures et d'achats et a transferer de la monnaie electronique et d'autres donnees
WO1998047116A1 (fr) * 1997-04-15 1998-10-22 Telefonaktiebolaget Lm Ericsson (Publ) Procede et appareil de paiement par telecommunications/transmission de donnees
US20020108062A1 (en) * 2000-05-15 2002-08-08 Takayuki Nakajima Authentication system and method
EP1246144A2 (fr) * 2001-03-29 2002-10-02 Telefonaktiebolaget L M Ericsson (Publ) Transaction de point de vente sans fil
WO2003036576A2 (fr) * 2001-10-20 2003-05-01 Wojciech Wojciechowski Procede et systeme de securisation supplementaire de paiements effectues par carte de paiement
US20030126017A1 (en) * 2000-08-01 2003-07-03 Rau Scott W. System and method for transponder-enabled account transactions
US20030135463A1 (en) * 2002-01-16 2003-07-17 International Business Machines Corporation Credit authorization system and method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997045814A1 (fr) * 1996-05-24 1997-12-04 Behruz Vazvan Procede et systeme en temps reel servant a effectuer des transactions a distance de paiement de factures et d'achats et a transferer de la monnaie electronique et d'autres donnees
WO1998047116A1 (fr) * 1997-04-15 1998-10-22 Telefonaktiebolaget Lm Ericsson (Publ) Procede et appareil de paiement par telecommunications/transmission de donnees
US20020108062A1 (en) * 2000-05-15 2002-08-08 Takayuki Nakajima Authentication system and method
US20030126017A1 (en) * 2000-08-01 2003-07-03 Rau Scott W. System and method for transponder-enabled account transactions
EP1246144A2 (fr) * 2001-03-29 2002-10-02 Telefonaktiebolaget L M Ericsson (Publ) Transaction de point de vente sans fil
WO2003036576A2 (fr) * 2001-10-20 2003-05-01 Wojciech Wojciechowski Procede et systeme de securisation supplementaire de paiements effectues par carte de paiement
US20030135463A1 (en) * 2002-01-16 2003-07-17 International Business Machines Corporation Credit authorization system and method

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007131956A1 (fr) * 2006-05-15 2007-11-22 Gemplus Procede pour securiser une transaction par carte a puce, terminal d'ecriture pour securiser une telle transaction, et carte a puce securisee
FR2901079A1 (fr) * 2006-05-15 2007-11-16 Gemplus Sa Procede pour securiser une transaction par carte a puce, terminal d'ecriture pour securiser une telle transaction, et carte a puce securisee
EP2070037A4 (fr) * 2006-10-27 2010-09-01 Purpose Intellectual Property Crédit-bail
EP2070037A1 (fr) * 2006-10-27 2009-06-17 Purpose Intellectual Property Management II Crédit-bail
US9838872B2 (en) 2007-03-16 2017-12-05 Visa International Service Association System and method for mobile identity protection for online user authentication
US10776791B2 (en) 2007-03-16 2020-09-15 Visa International Service Association System and method for identity protection using mobile device signaling network derived location pattern recognition
US11405781B2 (en) 2007-03-16 2022-08-02 Visa International Service Association System and method for mobile identity protection for online user authentication
WO2009157003A1 (fr) * 2008-06-26 2009-12-30 Suresh Babubhai Kapadia Système et procédé pour empêcher le détournement d'une carte de crédit/carte de débit volée, perdue, reproduite, falsifiée ou contrefaite
WO2010043722A1 (fr) * 2008-10-17 2010-04-22 Carter Robert A Authentification multifactorielle
LU91488B1 (en) * 2008-10-17 2010-04-19 Robert Carter Multifactor Authentication
EP3107051A1 (fr) * 2008-10-17 2016-12-21 Robert A. Carter Authentification multifactorielle
FR2940567A1 (fr) * 2008-12-22 2010-06-25 Ingenico Sa Procede de securisation de transactions, dispositif de transaction, serveur bancaire, terminal mobile, et produits programmes d'ordinateur correspondants
EP2199966A1 (fr) * 2008-12-22 2010-06-23 Compagnie Industrielle et Financiere d'Ingenierie "Ingenico" Procédé de sécurisation de transactions, dispositif de transaction, serveur bancaire, terminal mobile, et produits programmes d'ordinateur correspondants
US9697511B2 (en) 2008-12-22 2017-07-04 Ingenico Group Method for securing transactions, transaction device, bank server, mobile terminal, and corresponding computer programs
US10580009B2 (en) 2009-07-31 2020-03-03 Visa International Service Association Mobile communications message verification of financial transactions
EP2460114A4 (fr) * 2009-07-31 2014-11-26 Finsphere Corp Vérification de message de communication mobile de transactions financières
US9818121B2 (en) 2009-07-31 2017-11-14 Visa International Space Association Mobile communications message verification of financial transactions
EP2460114A1 (fr) * 2009-07-31 2012-06-06 Finsphere Corporation Vérification de message de communication mobile de transactions financières
WO2011076438A1 (fr) * 2009-12-23 2011-06-30 Wolfram Doering Procédé de communication électronique d'ordres de banque, et système de communication pour la mise en oeuvre de ce procédé
WO2012175296A3 (fr) * 2011-06-20 2013-02-21 Siemens Aktiengesellschaft Vérification d'un jeton d'authentification en fonction du véhicule concerné
WO2014008922A1 (fr) * 2012-07-09 2014-01-16 Izettle Merchant Services Ab Procédé de vérification de pin en étoile pour cartes de crédit avec des informations de carte stockées dans une bande magnétique
DE102015012553A1 (de) 2014-10-29 2016-05-04 TruckGuard GmbH Verfahren und System zum Betanken von Fahrzeugen
US10977652B1 (en) * 2016-02-02 2021-04-13 Wells Fargo Bank, N.A. Systems and methods for authentication based on personal card network
US11526890B1 (en) 2016-02-02 2022-12-13 Wells Fargo Bank, N.A. Systems and methods for authentication based on personal card network
US11869010B1 (en) 2016-02-02 2024-01-09 Wells Fargo Bank, N.A. Systems and methods for authentication based on personal network
FR3076922A1 (fr) * 2018-01-12 2019-07-19 Ingenico Group Procede de determination d’une association entre une carte bancaire et un terminal de communication, dispositif, systeme et programme correspondant
WO2019138086A1 (fr) * 2018-01-12 2019-07-18 Ingenico Group Procédé de détermination d'une association entre une carte bancaire et un terminal de communication, dispositif, système et programme correspondant
US20200342461A1 (en) * 2018-01-12 2020-10-29 Banks And Acquirers International Holding Method for Determining an Association Between a Bankcard and a Communications Terminal, Device, System and Corresponding Program
WO2022005762A1 (fr) * 2020-06-29 2022-01-06 Capital One Services, Llc Système et procédé pour traiter les rejets de cartes de point de vente

Also Published As

Publication number Publication date
IL160107A0 (en) 2004-06-20

Similar Documents

Publication Publication Date Title
WO2005073934A1 (fr) Procede et systeme pour l'authentification de transactions de carte de credit
EP2332092B1 (fr) Appareil et procédé pour empêcher un accès non autorisé à une application de paiement installée dans un dispositif de paiement sans contact
US7357309B2 (en) EMV transactions in mobile terminals
RU2651245C2 (ru) Защищенный электронный блок для санкционирования транзакции
US20110103586A1 (en) System, Method and Device To Authenticate Relationships By Electronic Means
US20090307140A1 (en) Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
EP3895462B1 (fr) Fourniture initiée à partir d'un dispositif sans contact
CN112889241B (zh) 用于账户验证的核实服务
CN110447213B (zh) 用于中继攻击检测的方法和系统
US11750368B2 (en) Provisioning method and system with message conversion
US12015964B2 (en) Method and system for location-based resource access
US20230062507A1 (en) User authentication at access control server using mobile device
CN116711267A (zh) 移动用户认证系统和方法
CN116232594A (zh) 令牌处理系统和方法
US20220207526A1 (en) Secure contactless credential exchange
AU2015202512B2 (en) Apparatus and method for preventing unauthorized access to application installed in mobile device
CN118076964A (zh) 高效且受保护的数据传输系统和方法
CN117981274A (zh) 远程身份交互

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase