WO2012070923A1 - Procédé et système destinés à garantir une transaction en ligne sécurisée avec une carte de débit - Google Patents

Procédé et système destinés à garantir une transaction en ligne sécurisée avec une carte de débit Download PDF

Info

Publication number
WO2012070923A1
WO2012070923A1 PCT/MY2011/000070 MY2011000070W WO2012070923A1 WO 2012070923 A1 WO2012070923 A1 WO 2012070923A1 MY 2011000070 W MY2011000070 W MY 2011000070W WO 2012070923 A1 WO2012070923 A1 WO 2012070923A1
Authority
WO
WIPO (PCT)
Prior art keywords
merchant
entity
user
debit card
package
Prior art date
Application number
PCT/MY2011/000070
Other languages
English (en)
Inventor
Fui Bee Tan
Chong Seak See
Kang Siong Ng
Rashidah Binti Haron Galoh
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2012070923A1 publication Critical patent/WO2012070923A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/12Payment architectures specially adapted for electronic shopping systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to an online transaction protocol for a debit card. More particularly, the present invention relates to a method and a system to ensure a secured, online transaction for a debit card by incorporating the debit card with a Public Key Infrastructure (PKI).
  • PKI Public Key Infrastructure
  • Credit card and debit card may be used as a smart card for paperless transactions and purchases but may also be used for online shopping, achieved by keying in the number on the credit card and debit card on merchants' website. While the credit card may cause the user to incur debt, the debit card would directly deduct a spending from the available balance in a user's bank account. Debit card has gained popularity among online shoppers, specially catering to users who cannot afford or do not own a credit card.
  • One method of debit transaction is known as online debit, otherwise PIN debit.
  • the online debit cards require electronic authorization of every transaction and debits are reflected in the user's account immediately.
  • the transaction be secured by PIN authentication wherein users have to key in their PIN at the point of sale. However, if the ⁇ of the user is stolen, the debit card ma ⁇ ' be misused. Therefore the current invention incorporates the debit card with encrypted value for automated secure payment protocol using the PKI technology.
  • PKI technology provides another layer of security to the debit card in addition to the usage of a PIN. By sending an encrypted package from one side to another, the user's hiformation, purchase information or the merchant information may not be easily hacked or stolen. Further, this method allows for the identification of the user and the merchant to the financial institution for immediate debiting and crediting of accounts by using the package digitally signed by the user and the merchant.
  • US patent 5715298 disclosed a bill payment system using debit cards.
  • the prior ait. which is a telepay system, avoids the usage of a ⁇ for real-time bill payment transactions by using the ke3' ad of a telephone.
  • the prior ait requires the usage of a telephone and does not apply for online purchasing. This thus requires an interactive voice response unit which could be troublesome to the user as the payer are required to enter an access code, account number debit card number and payment amount to inform the status of the transaction. Therefore, the transaction is substantially slow.
  • US patent 6834271 on the other hand disclosed an apparatus and a method of a secure ATM debit card and credit card payment transaction via the Internet. While the system uses layers of encryption to place the card information in a public key/private key encrypted financial payment transaction data block, the parties involve which are the buyer, the merchant and the bank uses different private/public key for the encryption of the user's and the merchant's information. Therefore, only dedicated encrypted package can be decrypted by the recipient party. Information such as users information can only be seen by the merchant but not the financial institution.
  • PKI Public Key Infrastructure
  • a method and a sj'stem comprising three entities and a debit card incorporated with PKI infrastructure.
  • the system to carry out a method of ensuring a secured online transaction comprises a first entity, a second entity and a third entity.
  • the entities represent a user of the debit card, a merchant and a financial institution.
  • the user makes an online transaction (online purchase) from a merchant using the debit card provided by the financial institution.
  • the user's account will be deducted with the purchase amount while the merchant's account is credited.
  • a confirmation is sent to the merchant who directs it to the user to inform the user on the status of the transaction.
  • the user of the debit card logs into the merchant's website with their PIN and digital certificate.
  • the user's information stored in the debit card as an encrypted value is extracted and combined with the purchase information to be signed, encrypted and sent to the merchant as a first package.
  • the merchant decrypts the first package, adds the merchant information and further signs and encrypts the first package and the merchant information to form a second package.
  • the second package is sent to the financial institution for coordination of the payment upon verification of the user's and merchant's information.
  • the financial institution deducts the purchase amount from the user's account and credits the merchant's account.
  • Fig. 1 is a diagram showing the entities of the system
  • Fig. 2 is a flow chart depicting steps of processing a debit card for a secured payment protocol
  • Fig. 3 is a payment protocol of the system:
  • Fig. 4 is a flow chart illustrating the process flow of the first and the second package as it goes through the online payment transaction.
  • a online transaction using a debit card involves a first entity (110). a second entity (120) and a third entity (130) as shown in Fig. 1.
  • the entities (110.120.130) are identified herein, but it should be noted that the entities are named for the convenience of description and is interchangeable as appropriate.
  • the first entity (110) is a user of the debit card while the second entity (120) is a respondent of the user, which may be a merchant having an online business.
  • the first entity (110) initiates an online transaction with the second entity (120).
  • the first entity (110) is linked to the second entity (120) through a buyer-seller relationship.
  • the first entity (110) purchases item(s) from the second entity (120) via the debit card while the second entity (120) receives the order(s) from the first entity (110).
  • the third entity (130) of the present invention is the issuer of the debit card, preferably a financial institution that comprises a payment server to coordinate the online transaction between the first entity (110) and the second entity (120).
  • a first step (151) is when the third entity (130), otherwise the financial institution, issues a debit card to be used by the first entity (110), otherwise the user.
  • the first entity (110) is responsible for activating the debit card as represented by a second step (152).
  • Activation of the debit card is achieved by having the user keying in a preferred and confidential PIN which may be done at an Automatic Teller Machine (ATM).
  • ATM Automatic Teller Machine
  • the financial institution further extracts the user's personal information as provided by the user to the financial institution in an earlier step (not shown) and incorporates the information with the user's confidential PIN to generate an encrypted value which is stored in the debit card.
  • the debit card is usable for online transaction such as online purchase of item(s) from the merchant as shown in step three (153).
  • a payment protocol of the present invention as can be referred to in Fig. 3 begins with a first step (205) of making an online transaction.
  • the online transaction is made by purchasing item(s) off the Internet.
  • the purchase is made by the first entity (110), the user, from the second entity (120).
  • the merchant using the debit card incorporated with a Public Key Infrastructure (PKI) feature.
  • PKI Public Key Infrastructure
  • the PKI feature of the debit card allows information to be encrypted and decrypted using a combination of private and public keys used by the user, the merchant and the financial institution.
  • the user proceeds to access a merchant's server using a client certificate in the debit card.
  • the client certificate is authenticated preferably by an SSL authentication to ensure the security and privacy of the transaction as shown by a second step (210).
  • a third step (215) requires the user to log into a merchant's website using the user's digital certificate in order to proceed with an online transaction which is selecting and purchasing of items from the merchant.
  • the user Upon selection of the item(s) for purchase from the website, the user confirms the purchase amount and keys in the debit card PIN to read the pre-loaded encrypted value of the debit card as created by the financial institution.
  • the encrypted value of the debit card together with the transaction information is digitally signed using a private key from the user's debit card and encrypted using the merchant's public key as represented by a fourth step (220).
  • the signing and encryption of the information formed a first package, X as represented by the formula:
  • the purchase information may be the purchase amount and the name of the purchases.
  • the encryption by the merchant's public key may be achieved by an algorithm coded in a client plug-in module.
  • step (225) Upon confirmation of the selected purchase items, the user submits the first package to the merchant's server as shown in step (225).
  • a next step (230) is initiated when the merchant receives the first package and decrypts the first package using a private key provided to the merchant. The merchant further verifies the user's digital signature.
  • the merchant Upon verification, the merchant will form a second package by digitally signing the encrypted value, transaction information and merchant information with the private key provided to the merchant and encrypting it using a public key from the financial institution's payment server.
  • the second package, Y is represented by the formula:
  • the financial institutions' payment server with a code module receives the second package submitted by the merchant and decrypts the second package using a private key provided to the payment server and verifies the merchant's digital signature.
  • the user's information, the merchant's information together with the purchase information gathered from the second package will be used to deduct the purchase amount from the user's account at the financial institution.
  • the payment server further gathers the user's information which may be the account information and the identity of the user to perform a credit transaction(s) in which the purchase amount in the user's account is credited into the merchant's account.
  • the information of the merchant's account is obtained from the second package.
  • a confirmation code with the status of the transaction or the purchase may be sent to the merchant by the payment server as represented by the eighth step (240).
  • the merchant sends a message confirming the success of the transaction together with a receipt of confirmation to the user of the debit card.
  • the amount in the user's debit card is further updated.
  • Fig. 4. there is shown a flow chart that depicts the process flow of the first and the second package as it goes through the online payment transaction.
  • a first step (305) requires the user to key in the debit card PIN to extract the pre-loaded encrypted value which contains the user ' s information.
  • a second step (310) is to digitally sign the first package which comprises the encrypted value and the purchase information using the client's plug-in module which contains an algorithm. This is followed by a third step (315) wherein the client's plug-in module encrypts the signed first package using an algorithm also contained in the plug-in module.
  • the fourth step (320) requires the merchant's server to decrypt and verify the first package followed by a fifth step (325) of digitally signing the first package together with the merchant's information using an algorithm contained in a module within the merchant's server.
  • the sixth step (330) involves the merchant's server module encrypting the first package and the merchant's information to form the second package.
  • the second package is sent and received by the payment server which decrypts and verifies the second package as shown by seventh step (335).
  • the payment server checks for account validity as shown in the eighth step (340).
  • step (345a) If the user's account is valid, the user's checking or savings account is debited while the merchant's account is credited as shown by step (345a). Therefore, payment is achieved by transacting the money upon purchase, from the user's bank account to the merchant's bank account. If the user's account is invalid, no transaction is performed (345b). By validating the account of the user, wrongful usage of the user's debit card upon theft is avoided.
  • Step (345a) and (345b) is followed by having the payment server send a confirmation and status of transaction notification to the merchant as shown in step (350). In the last step (355), the merchant sends the confirmation on the status of the transaction which may be successful or not successful.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Cash Registers Or Receiving Machines (AREA)

Abstract

L'invention concerne un procédé et un système comprenant trois entités (110, 120, 130) ainsi qu'une carte de débit faisant partie d'une infrastructure PKI. Le système destiné à mettre en œuvre le procédé qui garantit une transaction en ligne sécurisée comporte une première entité (110), une seconde entité (120) et une troisième entité (130). De préférence, les entités (110, 120, 130) représentent un utilisateur de la carte de débit, un commerçant et un établissement financier. L'utilisateur réalise une transaction en ligne (un achat en ligne) auprès d'un commerçant à l'aide de la carte de débit fournie par l'établissement financier. Sur la base des informations concernant l'utilisateur et des informations concernant le commerçant qui ont été reçues par l'établissement financier, le montant de l'achat sera déduit du compte de l'utilisateur alors que le compte du commerçant sera crédité. Les informations échangées entre les entités (110, 120, 130) sont dotées d'une signature numérique et chiffrées afin de garantir leur confidentialité. Une confirmation est envoyée au commerçant, qui la transmet à l'utilisateur afin de l'informer de l'état de la transaction.
PCT/MY2011/000070 2010-11-26 2011-06-03 Procédé et système destinés à garantir une transaction en ligne sécurisée avec une carte de débit WO2012070923A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2010005590 2010-11-26
MYPI2010005590A MY165285A (en) 2010-11-26 2010-11-26 A method and a system to ensure a secured online transaction for a debit card

Publications (1)

Publication Number Publication Date
WO2012070923A1 true WO2012070923A1 (fr) 2012-05-31

Family

ID=46146081

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2011/000070 WO2012070923A1 (fr) 2010-11-26 2011-06-03 Procédé et système destinés à garantir une transaction en ligne sécurisée avec une carte de débit

Country Status (2)

Country Link
MY (1) MY165285A (fr)
WO (1) WO2012070923A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017013672A1 (fr) 2015-07-23 2017-01-26 Natco Pharma Ltd Procédé de préparation de fumarate de diméthyle de qualité pharmaceutique
US9760738B1 (en) 2014-06-10 2017-09-12 Lockheed Martin Corporation Storing and transmitting sensitive data
US10430789B1 (en) * 2014-06-10 2019-10-01 Lockheed Martin Corporation System, method and computer program product for secure retail transactions (SRT)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020095388A1 (en) * 2000-12-01 2002-07-18 Yu Hong Heather Transparent secure electronic credit card transaction protocol with content-based authentication
WO2006128215A1 (fr) * 2005-05-31 2006-12-07 Salt Group Pty Ltd Procede et systeme d'autorisation de transactions securisees

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020095388A1 (en) * 2000-12-01 2002-07-18 Yu Hong Heather Transparent secure electronic credit card transaction protocol with content-based authentication
WO2006128215A1 (fr) * 2005-05-31 2006-12-07 Salt Group Pty Ltd Procede et systeme d'autorisation de transactions securisees

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9760738B1 (en) 2014-06-10 2017-09-12 Lockheed Martin Corporation Storing and transmitting sensitive data
US10430789B1 (en) * 2014-06-10 2019-10-01 Lockheed Martin Corporation System, method and computer program product for secure retail transactions (SRT)
WO2017013672A1 (fr) 2015-07-23 2017-01-26 Natco Pharma Ltd Procédé de préparation de fumarate de diméthyle de qualité pharmaceutique

Also Published As

Publication number Publication date
MY165285A (en) 2018-03-21

Similar Documents

Publication Publication Date Title
US11880815B2 (en) Device enrollment system and method
US11329822B2 (en) Unique token authentication verification value
AU2015259162B2 (en) Master applet for secure remote payment processing
US20180315043A1 (en) Dynamic primary account number (pan) and unique key per card
US10354321B2 (en) Processing transactions with an extended application ID and dynamic cryptograms
EP1245008B1 (fr) Procede et systeme pour l'execution authentifiee de paiements securises sur un reseau informatique
US20170132633A1 (en) Systems and methods providing payment transactions
CN109716373B (zh) 密码认证和令牌化的交易
US20150178730A1 (en) System and method for downloading an electronic product to a pin-pad terminal using a directly-transmitted electronic shopping basket entry
WO2018040653A1 (fr) Procédé de paiement hors ligne basé sur une nfc
WO2003065164A2 (fr) Systeme et procede de conduite de transaction de paiement securise
US20120254041A1 (en) One-time credit card numbers
CN116711267A (zh) 移动用户认证系统和方法
US10628881B2 (en) Processing transactions with an extended application ID and dynamic cryptograms
US11481766B2 (en) Method for payment authorization on offline mobile devices with irreversibility assurance
US9152957B2 (en) System and method for downloading an electronic product to a pin-pad terminal after validating an electronic shopping basket entry
WO2012070923A1 (fr) Procédé et système destinés à garantir une transaction en ligne sécurisée avec une carte de débit
CN111386545A (zh) 一种进行交易的方法和系统
Jewson E-payments: Credit Cards on the Internet

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11842565

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11842565

Country of ref document: EP

Kind code of ref document: A1