WO2012108847A1 - Method and system enabling making secure transaction over the internet by using real transaction card - Google Patents

Publication number
WO2012108847A1
WO2012108847A1 PCT/TR2011/000046 TR2011000046W WO2012108847A1 WO 2012108847 A1 WO2012108847 A1 WO 2012108847A1 TR 2011000046 W TR2011000046 W TR 2011000046W WO 2012108847 A1 WO2012108847 A1 WO 2012108847A1
Authority
WO
WIPO (PCT)
Prior art keywords
card
transaction
host
internet
parameters
Application number
PCT/TR2011/000046
Other languages
French (fr)
Inventor
Julide BIROL
Original Assignee
Kartek Kart Ve Bilisim Teknolojileri Ticaret Limited Sirketi
Application filed by Kartek Kart Ve Bilisim Teknolojileri Ticaret Limited Sirketi
Priority to PCT/TR2011/000046
Priority to TR2013/08027A
Publication of WO2012108847A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/42 Confirmation, e.g. check or permission by the legal debtor of payment
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0873 Details of the card reader

Abstract

The invention relates to the method and the system facilitating this method, which enables making secure transaction over the internet personally by using a real transaction card (10) such as credit card, debit card or etc., and which comprises at least one transaction card (10), at least one internet access device (30), at least one personal card reader (40), at least one internet host (50), at least one system host (60), and at least one issuer host (70).

Description

DESCRIPTION
METHOD AND SYSTEM ENABLING MAKING SECURE TRANSACTION OVER THE INTERNET BY USING REAL TRANSACTION CARD
The Related Art
The invention relates to a method and system for making secure transactions over the internet by using a real transaction card such as a credit card, debit card, etc.
The invention particularly relates to a system and method that form a secure channel between at least one system host and at least one personal card reader connected to at least one internet access device, and that enable secure transactions over the internet by using these.
The Prior Art
Magnetic and IC (Integrated Circuit) card systems, which have long been taking the place of cash payment, are now in widespread use. In the prior art, these transaction cards are EMV-based systems. The acronym EMV is formed from Europay®, MasterCard®, and VISA®, and denotes a global standard for the use of smartcards.
These cards are presented to devices called POS (Point Of Sale) terminals located at points of sale. To do so, the magnetic stripe of the card is passed through the device or, if the card has a chip, the information inside the chip is read by the device. In addition to this information, the amount of money to be taken from the card is entered on the device. The information read and the data entered are sent over the internet to the main card information center to which the POS device is connected. If the information sent is confirmed, the POS device prints a record of the transaction for the seller and the customer. If a smartcard is used, the card owner is asked to enter a personal password before the data is sent to the main information center. Once entered, the password is immediately compared with the password recorded in the chip. If the password is correct, all of the information is sent to the main card information center for confirmation. Otherwise, the information is not sent to the center, or the transaction is not confirmed even if the information is sent.
Especially since the 2000s, internet shopping and the use of credit and debit cards for it have been increasing. However, this leads to security problems. There is a risk that credit card and account information falls into the hands of third parties. In these systems, a form in the internet browser is filled in and the most critical information is entered into this form. People who have stolen the card information leave the card owners in a difficult situation by spending up to the limits of the credit cards. And when they acquire account information, they commit a kind of virtual robbery by transferring the money in the account to other accounts.
In the prior systems, it is almost impossible to transmit the card information securely to the bank or other institution that issued the card while hiding it from the general internet medium and without involving the seller from which the product or service is bought over the internet. This is because the prior systems only form a trusted area between the seller/service provider and the issuer. Therefore, said security problem continues.
Besides, when card owners want to make transactions relating to their cards or accounts, they have to make do with the internet banking system provided by the relevant bank. Most of these systems do not or cannot permit the transactions that can be made at banks or at cash dispensers, which are called ATMs (Automated Teller Machines).
As a result, the above said drawbacks and the inadequacy of the prior solutions about the subject have necessitated improvement in the related technical field.
Brief Description of the Invention
The invention is formed by being inspired from the prior art and aims to solve the above said problems.
The primary purpose of the invention is to enable the present card payment transactions to be performed on a web-based medium by using the EMV kernel standard in addition to the CAP/DPA standards. For said transactions, identity authentication is made via a real card, a personal card reader (PRC), and a code number.
One purpose of the invention is to enable various types of use for various services, such as payment over the internet, e-commerce, changing the personal identity number, adding units to an account, and remote data management.
A further purpose of the invention is to form the connection between the card/internet access device of the user and the issuer through a secure channel, and to form a completely secure channel in addition to the present trusted area by preventing access to the card data even on the user's device and/or in the internet medium. In this way, the purpose is to prevent fraud attacks.
A purpose of the invention is to present the transaction data to the user and let the user confirm them only after checking them. Another purpose of the invention is to enable all kinds of transactions that can be made with the POS devices and/or cash dispensers of the prior art, since it operates with full security by using a real (physical) card.
Another purpose of the invention is to provide the necessary solutions for auction companies that want a web interface, by letting their customers attend auctions in real time over the internet and also make payments over the internet. With this system, card owners can simultaneously attend auctions from anywhere around the world and make their payment transactions at the same time.
The structural and characteristic features of the invention and all advantages will be understood better in detailed descriptions with the figures given below and with reference to the figures, and therefore, the assessment should be made taking into account said figures and detailed explanations.
Figures for Better Understanding of the Invention
Figure -1 shows the representative diagram of the system, which is the subject of the invention.
Description of the Parts References
10. Transaction card
20. User
30. Internet access device
40. Personal card reader
50. Internet host
60. System host
70. Issuer host
Detailed Description of the Invention
The invention is the method enabling making secure transaction over the internet personally by using a real transaction card (10) such as credit card, debit card etc. and relates to the system facilitating this method. The invention is characterized in that;
• through at least one internet access device (30), preferably at least one computer, the user (20) accesses the web page, which he/she wants to make transaction, and initiates the card transaction,
• the special card application of the system checks whether at least one personal card reader (40) is connected to the internet access device (30) and at least one transaction card (10) is inserted into said card reader (40) or not,
• if transaction card (10) is inserted into or read by at least one personal card reader (40) which is connected to the internet access device (30), then transaction parameters are transmitted to the internet host (50),
• internet host (50) transmits the transaction parameters to the system host (60),
• system host (60) forms secure channel between itself and the internet access device (30) of the user,
• system host (60) sends the transaction parameters coming from the internet host (50) to the card reader (40) through the secure channel formed and makes the parameters available for confirmation of the user,
• in case the transaction parameters are not confirmed by the user, cancellation of the transaction by stating error,
• parameters formed by the card (10) after confirmation are transmitted to the system host (60),
• system host (60) transmits the parameters to the issuer host (70),
• in case of not getting confirmation from the issuer host (70), secure channel is closed and message is sent over the internet host (50) to said web page stating that the transaction is not confirmed,
• in case of getting confirmation from the issuer host (70), encrypted codes formed by the issuer are transmitted to the card (10) through the secure channel,
• response of the card is transmitted to the system host (60),
• if the last response given by the card (10) to the system host is negative, automatic cancellation transaction is sent by the system host (60) and the previously confirmed transaction becomes ineffective,
• system host (60) transmits the result of the transaction to the web page through the internet host (50) as confirmation or refusal message according to the response of the card and closes the secure channel.
Preferred embodiments and operation steps:
In this detailed description, the preferred embodiments of the system and method of safe and personal transaction with card (10) over the internet, which is the subject of the invention, will only be disclosed for better understanding of the subject, and will not form any limiting effect.
In some parts of the following text, the expression LightPos™, which is the system's own trademark, is used for the system. The expression LightPos™ stems from the fact that the user can use his/her card reader (40) and computer (30) like a personal POS device.
The method of the invention can be described in detail as follows: parameters for the type of transaction to be made are entered on a web-based transaction page, and the transaction starts in this way. After the transaction is started on the web page, the LightPos™ application running in the web browser on the computer checks whether the card reader (40) is connected to the computer and whether the card (10) with which the transaction is to be made is inserted into the card reader (40), and presents the required notification/warning messages on the web page.
As a result of the check made by the application, if the reader (40) and the card (10) are understood to be connected and inserted, transaction parameters would be transmitted to the internet host (50) by the web page. Internet host (50) would provide starting of the EMV transaction by sending transaction parameters to the system host (60).
System host (60) forms a secure channel between itself and the card reader (40) by implementing the EMV transaction steps. After that, all of the data to be sent and received between the reader (40) and the host (60) are transmitted in an encrypted manner through the secure channel formed. In addition to the encryption made between the internet host (50) and the computer (30) that is used as the access device to the Web, via a key shared between the card reader (40) and the system host (60), security of the complete communication between these two points is ensured.
System (LightPos™) host (60) sends the transaction parameters coming from the internet host (50) to the user (20) through the secure channel and thus provides facility for the user (20) to confirm the parameters for security reasons.
Card owner authentication/confirmation is implemented by online or offline authentication of the user via PIN (Personal Identification Number). In other words, while the customer's PIN can be checked and confirmed over the network (online), it is also possible to check the PIN without being connected to the network (offline), using the memory and processor within the chip card, which is a property of chip cards.
If the card owner authentication step is unsuccessful, transaction is cancelled by stating error. After the card owner authentication step, the system host (60) directs the EMV transaction to the internet by using the transaction parameters. The parameters and cryptograms produced by the card (10) are carried to the system host (60) through the secure channel. System host (60) sends the transaction parameters coming from the card (10) to the issuer host (70) as a confirmation request message. Various assumptions and controls are made while forming the confirmation message. Confirmation message is formed according to the assigned criteria and then sent to the receiver system. If the response coming to the LightPos™ host (60) from the receiver system is not the confirmation code, the previously formed secure channel is closed and a message is sent to the web page over the internet host (50) stating that the transaction is not confirmed. If the received response is the confirmation code, the generated issuer authentication cryptogram and possible codes (scripts) are sent to the card (10) through the secure channel.
The decision given as a result of the evaluation by the card (10) is transmitted to the system host (60). System host (60) transmits the result of the transaction to the web page over the internet host (50) as a confirmation or refusal message according to the response of the card (10) and closes the secure channel. If the transaction is not confirmed by the card, automatic cancellation transaction is sent by the system host (60) and thus the previously confirmed transaction becomes ineffective.
LightPos™ system is a system, by which card transaction is made over the internet. Since the transaction is made over the internet media, various levels of security conditions are met. SSL connection is supported in order to provide secure data communication between the web browser and the internet host (50).
Users (20) who want to use the web page must log in before making a transaction. At login, a user name and password are requested, and access is granted only after they are confirmed by the internet host (50). Since the identity of the logged-in user is known to the internet host (50), the information about which user (20) made the card (10) transactions is transmitted to the LightPos™ system. In the LightPos™ system, a secure channel is formed between the card reader (40) in use and the system host (60) before the EMV transaction starts. Via this secure channel, the reader (40) and the LightPos™ host (60) communicate with each other in an encrypted and secure manner. In the card transactions made in the system, card owner authentication is made according to EMV rules. Card owner authentication verifies that the card (10) is being used by its real owner. The system supports two types of authentication: personal identity number (PIN) authentication and card authentication. Card (10) authentication is made in the issuer host (70) by authentication of the cryptogram generated by the card. Since EMV infrastructure is used in the card transactions performed in the system, the parameters of the transaction are signed by the cryptogram (ARQC - Authorization Request Cryptogram) generated by the card. When the issuer, for instance the bank, authenticates this signature, it establishes that the card (10) is a real card and also verifies that the parameters used by the card during the transaction have been transmitted to the bank without being corrupted.
In a card transaction made within the system, after the secure channel is formed before the EMV transaction, the transaction parameters are sent in encrypted form by the system host (60) to the reader (40) through the secure channel during the EMV transaction. The reader (40) displays the parameters coming from the server to the user and waits for the user's confirmation. While the content of these parameters may vary widely, they must comprise at least the amount of the transaction and the currency unit. Confirmation of the transaction parameters by the user provides an additional security level against possible Trojan attacks.
Although the disclosed system may seem to provide a personal solution for domestic use, it can also be used instead of a POS device, especially in small-scale offices/shops. In this way, POS investments would be kept at a minimum level. An internet connection and a computer (30) to which the reader (40) can be connected are enough for such uses.
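The flow described above, as an added sketch that is not part of the patent text and is not LightPos™ code; it shows which check stops a transaction when the parameters are altered at different points. It assumes HMAC-SHA256 in place of the EMV cryptograms and of the channel protection (integrity only, encryption is not modelled), and all keys, names and order values are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo keys: the card key is shared by card (10) and issuer host (70),
# the channel key by card reader (40) and system host (60).
CARD_KEY = b"constructed-card-key"
CHANNEL_KEY = b"constructed-channel-key"
ORDER = {"amount": "49.90", "currency": "TRY", "merchant": "example-shop"}
INTENT = ("49.90", "TRY")  # what the user (20) believes they are paying


def tag(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON. Stand-in for this sketch only, not the
    EMV cryptogram algorithm and not the patent's channel encryption."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Card:  # transaction card (10)
    def __init__(self, key: bytes):
        self.key = key

    def request_cryptogram(self, params: dict) -> str:
        return tag(self.key, params)  # plays the role of the ARQC

    def accept_issuer_response(self, arqc: str, issuer_cryptogram: str) -> bool:
        expected = tag(self.key, {"arqc": arqc, "decision": "approved"})
        return hmac.compare_digest(expected, issuer_cryptogram)


class IssuerHost:  # issuer host (70)
    def __init__(self, card_key: bytes):
        self.card_key = card_key

    def authorize(self, params: dict, arqc: str):
        # Card authentication: the cryptogram must match the parameters received.
        if not hmac.compare_digest(tag(self.card_key, params), arqc):
            return None
        return tag(self.card_key, {"arqc": arqc, "decision": "approved"})


class CardReader:  # personal card reader (40)
    def __init__(self, channel_key: bytes, card: Card):
        self.channel_key = channel_key
        self.card = card

    def confirm_and_sign(self, params: dict, channel_tag: str, intent: tuple):
        # 1. Reject anything the system host (60) did not send.
        if not hmac.compare_digest(tag(self.channel_key, params), channel_tag):
            return "channel_integrity_error", None
        # 2. Show amount and currency; the user confirms only if they match.
        if (params["amount"], params["currency"]) != intent:
            return "cancelled_by_user", None
        # 3. Only confirmed parameters reach the card.
        return "confirmed", self.card.request_cryptogram(params)


def run_transaction(reader, issuer, browser_trojan=None, relay_trojan=None,
                    response_tamper=None) -> str:
    # Web page -> internet host (50) -> system host (60). Malware in the browser
    # can change the order before it leaves the PC (30).
    params = browser_trojan(dict(ORDER)) if browser_trojan else dict(ORDER)
    channel_tag = tag(CHANNEL_KEY, params)  # system host protects what it received
    # System host -> PC -> reader. The PC relays but does not hold the channel key.
    relayed = relay_trojan(dict(params)) if relay_trojan else params
    status, arqc = reader.confirm_and_sign(relayed, channel_tag, INTENT)
    if status != "confirmed":
        return status
    issuer_cryptogram = issuer.authorize(relayed, arqc)
    if issuer_cryptogram is None:
        return "declined_by_issuer"
    if response_tamper:  # return leg; its channel protection is not modelled here
        issuer_cryptogram = response_tamper(issuer_cryptogram)
    if not reader.card.accept_issuer_response(arqc, issuer_cryptogram):
        return "reversed"  # system host sends the automatic cancellation
    return "approved"


def demo() -> dict:
    reader = CardReader(CHANNEL_KEY, Card(CARD_KEY))
    issuer = IssuerHost(CARD_KEY)
    inflate = lambda p: {**p, "amount": "4990.00"}
    return {
        "clean": run_transaction(reader, issuer),
        "browser_trojan": run_transaction(reader, issuer, browser_trojan=inflate),
        "relay_trojan": run_transaction(reader, issuer, relay_trojan=inflate),
        "unknown_card": run_transaction(reader, IssuerHost(b"other-key")),
        "bad_issuer_reply": run_transaction(
            reader, issuer, response_tamper=lambda c: "0" * 64),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `browser_trojan` case is the one that only the on-reader confirmation catches: the altered amount arrives with a valid channel tag, so the sole remaining control is the user comparing the displayed amount and currency with what they intended to pay.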

Claims

1. The invention is the method enabling making secure transaction over the internet personally by using a real transaction card (10) such as credit card, debit card etc. and it is characterized in that;
• through at least one internet access device (30), user (20) accesses the web page, which he/she wants to make transaction, and initiates the card transaction,
• if transaction card (10) is inserted into or read by at least one personal card reader (40) which is connected to the internet access device (30), then transaction parameters are transmitted to the internet host (50),
• internet host (50) transmits the transaction parameters to the system host (60),
• system host (60) forms secure channel between itself and the internet access device (30) of the user,
• system host (60) sends the transaction parameters coming from the internet host (50) to the card reader (40) through the secure channel formed and makes the parameters available for confirmation by the user,
• parameters formed by the card (10) after confirmation are transmitted to the system host (60),
• system host (60) transmits the parameters to the issuer host (70),
• in case of getting confirmation from the issuer host (70), encrypted codes formed by the issuer are transmitted to the card (10) through the secure channel,
• response of the card is transmitted to the system host (60), and
• system host (60) transmits the result of the transaction to the web page through the internet host (50) as confirmation or refusal message according to the response of the card and closes the secure channel.
2. Method according to Claim 1 and it is characterized in that; before transmission of the transaction parameters to the internet host (50) for the first time, the special card application of the system checks whether at least one personal card reader (40) is connected to the internet access device (30) and at least one transaction card (10) is inserted into said card reader (40) or not.
3. Method according to Claim 1 or 2 and it is characterized in that; if the transaction parameters are not confirmed by the user, transaction is cancelled by statement of error.
4. Method according to any one of the previous claims and it is characterized in that; in case of not getting confirmation from the issuer host (70), secure channel is closed and message is sent over the internet host (50) to said web page stating that the transaction is not confirmed.
5. Method according to any one of the previous claims and it is characterized in that; if the last response given by the card (10) to the system host (60) is negative, automatic cancellation transaction is sent by the system host (60) and the previously confirmed transaction becomes ineffective.
6. The invention is the system enabling making secure transaction over the internet personally by using a real transaction card (10) such as credit card, debit card etc. and it is characterized in that; it comprises at least one transaction card (10), at least one internet access device (30), at least one personal card reader (40), at least one internet host (50), at least one system host (60) and at least one issuer host (70).
7. Internet access device (30) according to any one of the previous claims and it is characterized in that; it is at least one computer.
PCT/TR2011/000046 2011-02-11 2011-02-11 Method and system enabling making secure transaction over the internet by using real transaction card WO2012108847A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/TR2011/000046 WO2012108847A1 (en) 2011-02-11 2011-02-11 Method and system enabling making secure transaction over the internet by using real transaction card
TR2013/08027A TR201308027A1 (en) 2011-02-11 2011-02-11 A method and system that allows secure transactions over the Internet using a real transaction card.

Publications (1)

Publication Number Publication Date
WO2012108847A1 true WO2012108847A1 (en) 2012-08-16

Family

ID=44626143

Country Status (2)

Country Link
TR (1) TR201308027A1 (en)
WO (1) WO2012108847A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5414835A (en) * 1986-11-19 1995-05-09 Kabushiki Kaisha Toshiba IC card processing system capable of determing send timing between an IC card and an accepting device
US20050035190A1 (en) * 2001-09-10 2005-02-17 Kazutaka Nanbu Portable card reader and card settlement system

Also Published As

Publication number Publication date
TR201308027A1 (en) 2014-07-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11717788

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2013/08027

Country of ref document: TR

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11717788

Country of ref document: EP

Kind code of ref document: A1