WO2014051468A1

WO2014051468A1 - Payment confirmation method

Info

Publication number: WO2014051468A1
Application number: PCT/RU2013/000837
Authority: WO
Inventors: Петр Федорович КУТИС; Роман Рафикович ХАФИЗОВ
Original assignee: Пэйче Лтд
Priority date: 2012-09-26
Filing date: 2013-09-26
Publication date: 2014-04-03
Also published as: RU2509359C1

Abstract

The invention relates to the art of acquiring. The remote payment confirmation method is characterized in that when making a payment, a payment card holder inputs payment amount information into a web page together with payment card data in the form of a part of the payment card bank identification number, and transmits this information in an online request to an acquirer hardware-software system, in which a database check of the payment card bank identification number data is carried out and at least one list of the parameter values of the card in question is generated including actual and false parameter values of the card in question, which are transmitted in the form of a text message to a receiving device of the card holder during an initiated session with a browser or with a payment card holder application with a request to select the correct values from among those proposed; in the event that the correct answers are given, the acquirer hardware-software system executes a payment with the given parameters.

Description

Payment Verification Method

The invention relates to the field of acquiring, and in particular to the field of security of cashless payments using payment cards of international payment systems, such as Visa, MasterCard, JCB International, AmericanExpress and others (hereinafter - MPS).

The invention can be applied to further verify the intention to make a payment (debiting funds from a payment card) by a buyer when he makes a payment remotely, without personal presence. In this case, we mean recent online payments on the websites of stores and payment systems, or payments when ordering a service or product by phone or mail.

It is known that remote acceptance of cards for payment is carried out by the payer transferring the main parameters of the cards to the acquirer (Hereinafter, the acquirer refers to a bank providing acquiring services, as well as other third parties providing intermediary services to the acquiring bank as part of the latter's provision of acquiring services) through trade and service company (hereinafter - TSP), an intermediary or directly. Card parameters are displayed (in some cases embossed) on the card itself, namely: card number, card expiration date, special verification code, and sometimes the name of the card holder. To make a payment, it is enough to know the card number, its validity period and verification code. This makes it easy to apply various fraud schemes when the payer is not the card holder but knows its parameters (peeping, rewriting, eavesdropping on the data transfer channel or just temporarily holding the card). Along with the spread of online payments using bank cards, the fight against fraud is becoming increasingly widespread.

To prevent fraud, various schemes and methods are applied, which basically come down either to complicating the theft of cards and their data, or to additional checks of the payer that he is a card holder, otherwise - that it is the card holder who makes the payment. Currently, there is a known practice when a special person-operator of a TSP or an acquirer manually tries to contact the card holder either by phone or by e-mail to personally confirm the latter's desire to make a payment. There are also verification methods by indicating an additional one-time password or one-time secret code received via a communication channel other than the communication channel through which payment information is exchanged. However, for such verification, it is necessary to provide the user with an additional communication channel, authorize it in it, and also maintain the operability and availability of this communication channel (for example: mobile communications, a table of one-time keys, remote access to a bank account).

The existing practice of verifying the intention of a cardholder to make a payment has crucial drawbacks:

1. A TSP or an acquirer may not always know in advance the true contacts of the card holder and thus cannot be guaranteed to contact the latter.

2. The creation and use of an additional communication channel requires preliminary guaranteed authentication of the card holder for its subsequent authorization.

3. Additional verification of the card holder takes a long time and does not allow verification in real time. Those. the payment must either be made and then the card holder is checked, or the payment is rejected and after checking the holder the latter is invited to make the payment again.

4. Verification is possible only in selective cases, because contacting the cardholder when making each payment is actually wasteful. To do this, several operators must work continuously in the TSP around the clock, which introduces an insurmountable burden on the business. As a way out, it is necessary to introduce selectivity and classify operations by risks. This approach forces additional analytics, which again leads to costs and the inability to conduct checks in real time. Currently, the IPU is actively imposing an additional measure of protection against fraud. This is a 3-D Secure authentication model that allows authentication of the payer on the issuer's secure site. 3-D Secure is an XML protocol that is used as an additional level of security for online credit and debit cards, two-factor user authentication. It was developed by Visa IPU to improve the security of Internet payments. Based on it, Visa offered its customers the Verified by Visa (VbV) service. Services based on this protocol have also been adopted by MasterCard, under the name MasterCard SecureCode (MCC), and JCB International, as J / Secure.

The detailed protocol procedure is described in the document “3-D Secure system overview”, posted on a public Internet resource at

https://partnernetwork.visa.com/vpn/global/retrieve_docurnent.do7documentRetrie valld = 119. The essence of the 3-D Secure protocol is to authenticate the cardholder with the issuer, for which the issuer needs to take a number of additional measures to bring its hardware and software infrastructure in line with the capabilities of using the 3-D Secure protocol.

The main and decisive disadvantages of the 3-D Secure protocol:

1) Currently, more than half of issuers do not participate in the 3-D secure authentication model or are not fully involved. This fact does not allow the acquirer to be guaranteed to check most cardholders, which reduces the effectiveness of the 3-D Secure protocol. Especially issuers are motivated not to participate in the model due to the transfer of responsibility for possible fraud on them in case of successful authentication of the cardholder using the 3-D Secure protocol.

2) A large load on the payer in the form of constant clicks from one web page to another. This fact reduces the trust of payers to TSPs and the desire to make payments on TSP sites. In its most general form, this fact affects TSP in such a way that in avoid customer loss TSP refuses to support the 3-D Secure protocol, taking the risk of fraud on itself. However, this situation as a whole undermines confidence in MPS products, which in turn entails a decrease in the participation of cards in non-cash payments via the Internet, which hold a significant share of payments in the world.

The prior art system of authentication of the holder of the payment card described in the application US 2010/0280946, G06Q 40/00, publ. 11/04/2010, in which an authorization request is created before the payment is made, a verification code unknown to the cardholder is included in the authorization request, an authorization request is sent to the issuer, a verification code is requested from the cardholder and the correctness of the code provided by the payment card holder is used to judge the holder’s authenticity payment card, and the verification code is transmitted in a standard authorization request, based on the fact that access to payment information of individuals in banks is strictly limited and for I access to payment information, the issuer will authenticate the account holder who is the card holder; they receive the code entered by the cardholder and, on the basis of the correspondence of the transmitted and received codes, they judge the authenticity of the payment card holder. Adopted as a prototype for all options.

However, this system has the disadvantage that the request for the code is carried out with the transfer of the card holder to the issuer's page, while the patent does not give the exact request parameter and the procedure for including the verification code in it.

The present invention is aimed at achieving a technical result, which consists in increasing the security of conducting payment transactions using a card when making payments in real time.

The specified technical result is achieved by the fact that the method of confirming the payment in the remote access mode is characterized in that when the payment is made, the payment card holder enters information on the payment amount on the web page of the trade and service company payment card data in the form of part of the digits of the bank identification number of the payment card and transmits this information in an online request to the hardware and software system of the acquirer, in which they check the database of the bank 5 identification number of the payment card and generates at least one list values of the parameters of this card, which include real and false values of the parameters of this card, which are in the HTTPS-initiated session mode with a browser or payment card holder application In the form of a text message, they transmit to the holder’s receiving device with a request to select the correct ones from the proposed values and, when the correct answers are received by the hardware and software system of the acquirer, carry out the payment with the specified parameters in the direction of the trade and service company.

The present invention is illustrated by an embodiment.

15 specific system shown in the drawings, where:

FIG. 1 - presents the procedure for authentication of the card holder.

According to the present invention, a new method for verifying the intention of a cardholder to make a payment, which is based on

20 on the interactive interaction of the acquirer with the card holder.

The invention provides a method for verifying the intent of a cardholder to make a payment in real time. Conditions (except for the conditions of making a payment through the website) for the invention: the availability of tables of bank identification numbers (BIN) of the IPS cards at the acquirer,

25 which are confidential information of the IPU, the distribution of which is strictly limited among members of the IPU.

A method of confirming a payment in remote access mode is characterized in that when a payment is made, the payment card holder enters on the web page of the merchant service information on the payment amount and payment card data as part of the digits of the bank identification number of the payment card and transfers this information to it on-line request to the hardware-software complex of the acquirer, in which they check in the database of received data on the bank identification number of the payment card and generates at least one list of parameter values for this card, which includes real and false values for the parameters of this card, which are in the HTTPS-initiated session mode with a browser or payment card holder application in They send a text message to the holder’s receiver with a request to select the correct ones from the proposed values and, if the correct answers are received, by the hardware-software complex the acquirer carry out the payment with the specified parameters in the direction of the trade and service company.

The invention involves trying to make a payment in real time to clarify the bank identification number (BIN) of the card, which is the first 6 digits of the card number. It is known that BIN is issued by international payment systems for cards with predefined characteristics, including: bank name, bank country, type of card (debit or credit), type of international payment system (for example: Visa, MasterCard, AmericanExpress), card product ( for example: virtual, classic, standard, gold, platinum, infinity, corporate). The values of these parameters can be obtained only by having in front of you a card or its scan (photo) or an agreement with the bank, which greatly complicates fraud. In this case, fraudulent use of the card is limited to the presence, as a rule, of only its number, validity period and verification code.

Further, after receiving the BIN from the bank card number entered by the user, the user is prompted to select the value of one or more card parameters from the list on the same web page. In this case, the user may be offered several incorrect options and one correct, or several incorrect options and an option that reports that there is no true option. The number of card parameters selected for verification may vary depending on the degree of suspicion of the operation in fraud by the TSP or the acquirer. For example, a user trying to pay for a product or service with a MasterCard Gold card issued by Alfa-Bank may be asked to indicate the values of three parameters from the proposed options:

1) Choose the type of card payment system: Visa, MasterCard, AmericanExpress.

2) Select the type of card product: Classic, Virtual, Infinity, The type of card is not listed.

3) Select the name of the bank that issued the card: Sberbank, Altaybank, Alfa Bank.

The results of these questions (selected answers) are analyzed by the Acquirer's APK and if all the answers are correct, then a decision is made that the card is really present at the time of payment. This increases the likelihood that the buyer is a card holder.

This method of verifying the payment, or rather the authenticity of the card holder, has not yet been used by anyone, despite the fact that it is quite simple and fast.

The technical result of the invention, the solution of tasks:

1. The exception is the use of cards, the data of which fraudsters took by intercepting when reading through devices, as well as transmitted via communication channels or by simply rewriting its parameters (as a rule, only the number, expiration date and verification code are rewritten). Application of the invention will allow to block this channel of receiving cards by fraudsters.

2. Verification is carried out in real time and does not require additional communication channels.

3. You can check the payments of any cards.

4. Verification is done automatically.

5. The implementation of the invention requires only the automation of checking the BIN card according to the tables of the Ministry of Railways supplied to banks.

A condition of the invention is the automation in the agro-industrial complex of the acquirer of checking the BIN tables. The invention allows in real time to exchange signals with the user's browser and, thereby, verify that the buyer is very likely to be the cardholder.

As a request, a message is used with a question about choosing the correct values of the map parameters from the list of options provided. As a response, a signal indicating the selected value is used.

The invention works in two steps.

Step 1. Exchange between the APK of the acquirer and the buyer's browser https messages, the result of which is the delivery of the card number to the APK of the acquirer, or rather the BIN card.

Stage 2. Exchange between the acquirer's APK and the buyer’s browser https messages, the result of which is a combination of values of the card parameters and a conclusion about the authenticity of the card holder.

The invention works in the following order:

1. The payer, when trying to make a payment, enters the card details, which are then reported in the online payment request in the acquiring APK.

2. The APC of the acquirer checks the BIN card value in the database, compiles lists of the card parameter values and initiates an HTTPS session with the browser or the customer’s application. As part of the session, a request is sent to the buyer’s device, including a text message with a request to select the correct one from the proposed values. The browser or application on the buyer's device automatically establishes a session and receives a signal.

3. The buyer views the message transmitted in the signal and selects the values of the card parameters. The browser or application in real time sends the response to the acquirer's APK.

4. The APK of the acquirer, upon receipt of the correct answers, carries out the payment with the specified parameters. Upon receipt of at least one incorrect value of the APK, the acquirer does not make a payment.

An embodiment of the invention is shown schematically in FIG. 1 is a diagram showing a method of authenticating a card holder. Step 1. The user enters the map data on the TSP web page in the browser. The browser transmits the data entered by the user to the acquirer in the form of a "Write-off" payment request via a secure communication channel.

Step 2. The acquirer checks the presence of the BIN card in his agribusiness. Generates lists of card parameters and their values for customer verification.

Step 3. The acquirer sends an https request to the address of the browser or application. The request contains a signal in the form of a message requiring a response - lists selects the correct values for the parameters of the entered map.

Step 4. The user selects the values and his browser or application sends a signal to the APK of the acquirer. The signal contains a response to the request with the selected parameter values.

Step B. The acquirer, based on the result of the buyer's response, checks the answers received and makes a decision on processing the request “Write-off of funds”.

Claims

Claim

A method of confirming a payment in the remote access mode, characterized in that when the payment is made, the payment card holder enters information on the payment amount and payment card data on the web page of the merchant as a part of the digits of the bank identification number of the payment card and transfers this information to on-line request to the hardware and software system of the acquirer, in which they check in the database of received data on the bank identification number of the payment card and generate at least one in the list of parameter values of this card, which includes real and false values of the parameters of this card, which are transferred to the holder’s receiver with a request to select the correct values from the proposed values in the mode of an initiated session with a browser or the payment card holder’s application correct answers with the hardware and software system of the acquirer carry out the payment with the specified parameters in the direction of the trade and service company.