WO2014081075A1 - 다이나믹 팬을 이용한 트랜잭션 처리방법 - Google Patents
다이나믹 팬을 이용한 트랜잭션 처리방법 Download PDFInfo
- Publication number
- WO2014081075A1 WO2014081075A1 PCT/KR2012/011693 KR2012011693W WO2014081075A1 WO 2014081075 A1 WO2014081075 A1 WO 2014081075A1 KR 2012011693 W KR2012011693 W KR 2012011693W WO 2014081075 A1 WO2014081075 A1 WO 2014081075A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- area
- information
- dynamic
- pan
- card
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/22—Payment schemes or models
- G06Q20/24—Credit schemes, i.e. "pay after"
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/22—Payment schemes or models
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/22—Payment schemes or models
- G06Q20/227—Payment schemes or models characterised in that multiple accounts are available, e.g. to the payer
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/385—Payment protocols; Details thereof using an alias or single-use codes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
Definitions
- the present invention relates to a transaction processing method, and more particularly, to a transaction processing method using a dynamic fan that can be dynamically changed to improve security while using a conventional card reader and relay server.
- Magnetic credit cards contain track 2 information of the International Standardization Organization (ISO) standard on a magnetic strip.
- ISO International Standardization Organization
- the card reader is connected to the magnetic strip (MS). It reads the recorded track 2 information and provides it to a financial institution server such as a value added network (VAN) server or a card company server to process transactions for credit cards.
- VAN value added network
- the track 2 information included in the magnetic strip MS includes a primary account number (PAN) area for card identification, and the PAN area includes information of a financial company server to process a credit card transaction.
- PAN primary account number
- the track 2 information includes a primary account number (PAN) area, an expiration data (ED) area, a service code (SC) area, and a discretionary data (DD) area.
- PAN primary account number
- ED expiration data
- SC service code
- DD discretionary data
- the PAN area includes bank information for banking company identification. Number).
- the BIN may be used by the VAN server or the card company server to determine a target to process a credit card transaction using the BIN.
- an electronic credit card having an integrated circuit has been proposed.
- the electronic credit card can generate a dynamic password value using the built-in IC.However, in order to generate a dynamic password value, an electronic credit card having an IC and a card reader that acquires track 2 information from the electronic credit card can be used. It should be able to perform the encryption function. This is because current transaction processing is performed in an infrastructure prepared for credit card payment including a magnetic strip (MS), and it may be expensive to change and add an existing infrastructure.
- MS magnetic strip
- WO 2003/081832 filed with the PCT for such a problem is located in the DD area of the primary account number (PAN) area, expiration data (ED) area, service code (SC) area, and discretionary data (DD) area constituting track 2 information.
- PAN primary account number
- ED expiration data
- SC service code
- DD discretionary data
- FIG. 1 is a conceptual diagram illustrating a transaction processing method of WO 2003/081832.
- track 2 information is provided from a proximity device 10 to a reader 20, wherein the proximity device 10 is provided. May generate a first authentication value in a DD region (arbitrary region) from the track 2 information provided to the reader 20.
- DD region arbitrary region
- the first authentication value referred to in WO 2003/081832 represents any authentication value recorded in the Discretionary Data (DD) area
- the second authentication value mentioned in WO 2003/081832 may refer to some of the credit card numbers listed on the back of the credit card.
- the reader 20 provides the credit card issuer 30 with the first authentication value provided by the proximity device 10, and the credit card issuer derives the second authentication value based on the first authentication value.
- the value is compared with the second authentication value, and if both match, authentication is completed, otherwise authentication is determined to have failed.
- WO 2003/081832 basically tends to determine a higher degree of confidence in the security of the proximity device 10 than the reader 20 that obtains track 2 information from the credit card, which the proximity device 10 is subject to first authentication. There is a tendency to have hardware and software structures that generate values.
- WO 2003/081832 has the advantage of utilizing a transaction system using magnetic strips in terms of recording dynamic authentication values in a user-defined DD area and processing transactions using the recorded dynamic authentication values.
- the dynamic authentication value proposed in WO 2003/081832 is required for the VAN server to decrypt the card number in a Korean transaction processing system using a value added network (VAN) server. It has a problem of repair and should have an encryption key for decrypting a dynamically encrypted card number.
- VAN value added network
- the encryption key should be provided from the card company server to the VAN server, and it may not be advantageous in security to manage the encryption key from two or more servers (VAN server and card company server).
- An object of the present invention is to provide a transaction processing method using a dynamic fan that improves security at the time of credit card payment, minimizes the exposure of financial information, and makes the most of the existing payment system.
- the above object is performed by a payment device that provides track 2 information of ISO (International Standardization Organization) standard to a card reader according to the present invention, and the PAN (Primary Account) of the track 2 information.
- a payment device that provides track 2 information of ISO (International Standardization Organization) standard to a card reader according to the present invention, and the PAN (Primary Account) of the track 2 information.
- BIN bank information number
- transaction security of payment devices such as magnetic strip cards, IC cards and portable terminals can be improved while minimizing changes to existing infrastructure such as card readers, VAN servers, and card company servers.
- FIG. 1 shows a conceptual diagram of a transaction processing method of WO 2003/081832.
- FIG. 2 is a conceptual diagram illustrating a transaction processing method using a dynamic PAN according to an embodiment of the present invention.
- FIG. 3 illustrates a reference view of a structure of a dynamic PAN according to the present invention.
- FIG. 4 illustrates a reference view for a method of forming a second region in a PAN region.
- FIG. 5 illustrates a reference view for an example of processing a transaction of a payment device by a first region.
- FIG. 6 shows a reference diagram for the structure of track 2 information according to the present invention.
- FIG. 7 is a flowchart illustrating a transaction processing method using a dynamic PAN according to an embodiment of the present invention.
- FIG. 8 is a flowchart illustrating a transaction processing method using the dynamic PAN generated in FIG. 7.
- FIG 9 illustrates a block diagram according to an embodiment of a card company server.
- the "payment device” referred to herein includes track 2 information and may be any one of an electronic credit card with an IC chip and a portable terminal having a Universal Subscriber Identity Module (USIM) chip.
- USIM Universal Subscriber Identity Module
- the payment device may approach or contact the card reader.
- the track 2 information may mean information according to the ISO / IEC 7813 standard.
- the track 2 information according to the ISO / IEC 7813 standard may include a primary account number (PAN) region, an expiration data (ED) region, a service code (SC) region, and a DD (discretionary data) region.
- PAN primary account number
- ED expiration data
- SC service code
- DD discretretionary data
- card reader may refer to a device capable of transaction processing by acquiring track 2 information from an electronic credit card having an IC and a portable terminal having a USIM chip.
- the device may be in contact with a magnetic credit card having a magnetic strip to obtain track 2 information.
- the card reader may be capable of transaction processing only with any one of a magnetic credit card, an electronic credit card, and a mobile terminal, or may be capable of transaction processing with both or three. It is not limited.
- NFC which is referred to herein, is an abbreviation of Near Field Communication, and may be embedded in a smart phone or a mobile phone, and may be embedded separately from the USIM chip or integrally formed with the USIM chip.
- a portable terminal is described and described with reference to a smart phone and a mobile phone.
- any device that is portable and has a built-in USIM chip and is capable of transmitting track 2 information to a card reader using an NFC function may be referred to as a mobile terminal even if not mentioned otherwise.
- Some (or all) of the information of the PAN area referred to in this specification may refer to a form of a string embossed or engraved on the surface of a magnetic credit card or an electronic credit card.
- the information about the BIN and the card number in the PAN area is composed of a 16-digit numeric string.
- the upper 8 digits correspond to the BIN
- the lower 8 digits correspond to the card number.
- the relay server referred to in the present specification when transmitting payment data from the card reader to the card company server, collects and manages sales slips for each card company, and grabs the card company information from the payment data transmitted from the card reader to correspond to the payment data. It may be a value added network (VAN) server provided to a card company server.
- VAN value added network
- FIG. 2 is a conceptual diagram illustrating a transaction processing method using a dynamic PAN according to an embodiment of the present invention.
- the card reader 20 tracks the track. 2
- the security is improved and a transaction processing method that can use the existing infrastructure is implemented.
- the payment device 50 may provide track 2 information when the payment device 50 approaches (or contacts) the card reader 20.
- the card reader 20 When the payment device 50 approaches (or contacts) the card reader 20, the card reader 20 generates a track 2 information read command, and transmits to the payment device 50 to request and obtain track 2 information. can do.
- the card reader 20 may divide the PAN area of the track 2 information acquired by the payment device 50 into a first area including a bank information number (BIN) and a second area not including a BIN.
- BIN bank information number
- the card reader 20 may obtain track 2 information by contacting or proximity with various types of payment devices.
- the card reader 20 may contact the one of the electronic credit card 52 and the mobile terminal 53 to obtain track 2 information or wirelessly obtain track 2 information in a proximity state.
- the card reader 20 may acquire track 2 information by performing near field communication with the IC chip 52a embedded in the electronic credit card 52.
- the card reader 20 performs data communication with the USIM chip 53a embedded in the mobile terminal 53 through NFC (Near Field Communication) communication, and acquires track 2 information through the USIM chip 53a. It may be.
- the card reader 20 should be provided with an NFC communication function for short-range wireless communication with the mobile terminal 53.
- the card reader 20 is capable of data communication with one or two of the electronic credit card 52 and the mobile terminal 53, or of a type capable of data communication with both the electronic credit card 52 and the mobile terminal 53. It may be a device. It is not limited.
- the card reader 20 may select a primary account number (PAN) area from the track 2 information obtained from the payment devices 51, 52, and 53, and divide the PAN area into a first area and a second area.
- PAN primary account number
- the BIN is located in the first area partitioned by the card reader 20.
- the BIN is a string of numbers consisting of 4 to 10 digits and is used to refer to a financial company such as a card company or a bank. Table 1 below shows an example in which the number string constituting the BIN refers to a financial company in Korea.
- BINs are used to distinguish credit card companies using 4 bytes in Korea, and the latter two bytes may or may not be used if necessary.
- the relay server 150 or the card company server 100 issues a country where a credit card (or a financial chip equivalent to a credit card) is issued to a payment device having a BIN.
- the type of financial company and credit card can be determined.
- the BIN may indicate a payment method as to whether the payment device makes a prepaid payment, a postpaid payment, or a check card when processing a transaction of the payment device.
- the first area including the BIN value is not encrypted or modulated.
- the payment device 50 approaches (or contacts) the card reader 20 by not encrypting or modulating the first area
- the form of the BIN of the track 2 information provided to the card reader 20 is maintained. Maintaining the BIN form provides the BIN to the relay server 150 or the card company server 100 without modification, and the relay server 150 or the card company server 100 provides the BIN provided by the card reader 20.
- the relay server 150 does not require decryption of the first area in order to determine a payment target, which does not require a separate encryption key provided by the relay server 150 to the card company server 100. Means.
- the relay server 150 which is one of the existing transaction processing infrastructures, does not have to decrypt the dynamic PAN, the system does not require a change to the relay server 150.
- the relay server 150 has an advantage that does not need to perform a separate decoding process for extracting the BIN.
- This advantage is that even if the PAN area of the payment device 50 is dynamically changed, the burden of finding a card company server to process a transaction by decrypting the PAN area in which the relay server 150 or the card company server 100 is dynamically changed is not incurred. Stands out.
- relay server 150 does not need to develop and maintain a separate system to decrypt the PAN area.
- the second area that does not include a BIN may be encrypted or modulated by the card reader 20 to a dynamic value.
- the card reader 20 uses the random number generated randomly according to the time when the payment device 50 requests the transaction processing and the information of the second area using the transaction request sequence (ATC: Application Transaction Count) of the payment device 50. During each transaction, it can be encrypted or tampered with with a dynamically changing value.
- ATC Application Transaction Count
- the second area may be based on any one of encryption methods according to AES (Advanced Encryption Standard), RSA (Rivest, Shamir, Adleman), DES (Data Encryption Standard), TDES (Triple DES), and ARIA (Academy Research Institute Agency) algorithm. Can be encrypted. In the present specification, unless an encryption method is separately described, it means that one of the AES, RSA, DES, TDES, and ARIA algorithms may be applied.
- the second area may use time information, a second area information, and an ATC (Application Transaction Count) value, which causes the payment device 50 to make a transaction, and may use the ED area, the SC area, and the DD area. It can be encrypted with the value of.
- the information in the PAN area only exposes information on the card company that will process the transaction, and the remaining information has an encrypted (or modulated) state. Accordingly, the credit card account of the credit card embedded in the payment device 50 is encrypted except for a BIN indicating information on the card company by an encryption algorithm, and the second area is stored in the card company server 100.
- the encryption method for the second area is a DES or TDES encryption method
- the card company server 100 may be encrypted by driving a hash function using a master key for decryption. The second region can be decrypted.
- the encrypted second area may not be exposed to others except the card company server 100.
- FIG. 3 illustrates a reference view of a structure of a dynamic PAN according to the present invention.
- the dynamic PAN includes a first area BIN and a second area PAN in the track 2 information of ISO / IEC 7813 standard including the PAN area, the ED area, the SC area, and the DD area.
- the first area BIN is an area including a BIN defining a card company, and may have a length of 4 bytes to 10 bytes.
- the second area (PAN-BIN) is composed of the remaining areas of the PAN area except for the BIN, and may include account information of the credit card assigned to the card reader 20.
- the account information of the credit card may be a card number of the credit card.
- the first region BIN of the PAN region is a static value.
- the first region BIN may refer to the first eight digits of the 16 digits of the card number embossed or engraved on the credit card.
- the 16-digit card number may be stamped on the surface of the credit card or recorded in the form of data on a chip embedded in the electronic credit card.
- a card number consisting of a 16-digit string may be stored in the USIM chip.
- the second area PAN-BIN of the PAN area is a static value.
- the second area PAN-BIN may be converted into a dynamic value by an encryption algorithm driven by the payment device 50.
- the encryption algorithm that is driven in the payment device 50 is one of the algorithm of the AES, RSA, DES, TDES, ARIA algorithm, and will be omitted below.
- the dynamic PAN has a form in which the first region BIN, which is a fixed value, and the second region PAN-BIN, which are encrypted by the encryption algorithm, are combined, and as shown in FIG. 3, the second region PAN-BIN.
- the correct value may be calculated by a decryption function for decrypting the second area PAN-BIN using a master key provided in the card company server 100 and a master key.
- the correct value may be calculated only through a hash function that requires a master key value.
- the master key value may be provided in the card company server 100.
- the card company server 100 Decryption cannot be performed without a master key provided at the card, and unless the card company server 100 knows the same algorithm as the algorithm (TDES algorithm) for decrypting using the master key, the second area (PAN) is opened by an outsider. -BIN) is not decrypted.
- TDES algorithm the algorithm for decrypting using the master key
- FIG. 4 illustrates a reference view for a method of forming a second region in a PAN region.
- FIG. 4A illustrates an example in which the payment device 50 forms a second area with respect to the PAN area.
- the track 2 information includes a PAN area, an expiration date area (ED), a service code area (SC), and an arbitrary area (DD), but the payment device 50 includes a PAN area excluding a BIN.
- the second area is formed only for, and the valid period area ED, the service code area SC, and the arbitrary area DD are not divided into the second area.
- the dynamic PAN can be formed even with a 16-digit card number embossed or engraved on a conventional credit card.
- the payment device 50 divides the PAN area including the card account, the expiration date area (ED), the service code area (SC), and the random area (DD) into the second area in the track 2 information. And encrypting the second region by applying an encryption algorithm.
- the relay server 150 may use a separate decryption algorithm or a master key for decryption. no need. In addition, after receiving the payment request message provided by the card reader 20, the relay server 150 may immediately determine which card company server to send the received payment request message to by referring to the unencrypted BIN.
- FIG. 5 illustrates a reference view for an example of processing a transaction of a payment device by a first region.
- the payment device 50 when one of the electronic credit card 52 having the IC 52a and the portable terminal 53 having the USIM chip 53a is the payment device 50, the payment device If 52, 52 contacts or is in close contact with card reader 20, and card reader 20 obtains track 2 information from payment device 52, 53, card reader 20 determines the track 2 information from the acquired track 2 information.
- the PAN area is read, and the first area BIN is extracted from the PAN area.
- the dynamic PAN region includes a first region BIN and a second region PAN-BIN.
- the second area PAN-BIN is a first area PAN-BIN.
- the PAN region it means the entire region except for the first region BIN, or
- An ED region, an SC region, and a DD region may be added to the second region PAN-BIN.
- the second area PAN-BIN may mean only the credit card number area.
- the second area PAN-BIN may mean all of the remaining areas (ED area, SC area, and DD area) of the track 2 information excluding the BIN.
- the first area BIN is a static value and 4 to 10 bytes are exposed to the card reader 20. do.
- the card reader 20 may provide the first region BIN to the relay server 150.
- the relay server 150 may not be necessary for credit card payment, and the card company servers 100a to 100n and the card reader 20 may be directly connected to the network. It is not limited.
- the relay server 150 may be omitted.
- the relay server 150 is provided between the card reader 20 and the card company server 100 to match the payment devices 52 and 53 and the card company servers 100a to 100n that cause a transaction.
- the payment device 52 or 53 matches with which card company server (one of 100a to 100n shares) with reference to the transmitted BIN. If the BIN refers to the card company server 100b as a result of the determination, the remaining track 2 information excluding the first area BIN and the first area BIN provided by the card reader 20 is used. 100b can be provided.
- FIG. 6 shows a reference diagram for the structure of track 2 information according to the present invention.
- the track 2 information includes a "STX" which is the start supervisor of the track 2 information, a "PAN (Primary Account Number) area” consisting of 16 bytes, and a PAN area including a credit card account information and a BIN.
- Delimiter "FS” which distinguishes other area from other area, ED (Expire Data) area indicating expiration date information, Service Code (SC) area indicating service code, Discretionary data area DD (Discretionary Data), End supervisory character (ETX) and A Longitudinal Redundancy Check (LRC) is provided as an area allocated to a checksum for track 2 information.
- FIG. 7 is a flowchart illustrating a transaction processing method using a dynamic PAN according to an embodiment of the present invention.
- FIG. 7 The description of FIG. 7 will be described with reference to FIGS. 2 to 6, and reference numerals given to FIGS. 2 to 6 may be cited.
- the reference numeral for the payment device is to refer to the reference numeral 50 shown in Figure 2 for convenience of explanation and understanding.
- the card reader 20 is an electronic credit card. It is possible to check whether the card or the portable terminal exists in the operation field.
- the operation field is a distance at which the card reader 20 and the payment device 50 can communicate with each other, and may be a distance of several centimeters (cm) to several tens of centimeters (cm), but the card reader 20 or the payment device 50 may be used. The distance of the operation field may be further increased according to the improvement of the. Therefore, in the case of the magnetic credit card that the card reader 20 and the payment device 50 need to make contact with, the operation field may mean a contact state.
- the operation field may be several centimeters to several tens of centimeters.
- the card reader 20 when the card reader 20 is in contact with or in proximity to the payment device 50, the card reader 20 requests the track 2 information by sending a read record command to the payment device 50 ( In operation S303, the payment device 50 transmits track 2 information to the card reader 20 in response to the read record command, and the card reader 20 obtains track 2 information from the payment device 50 (S304).
- the electronic credit card provides track 2 information to the card reader 20 at a distance of several centimeters to several tens of centimeters, it can be seen that there is no risk of leaking track 2 information in the section transmitted from the payment device to the card reader 20.
- the track 2 information may be considered to leak when the card reader 20 is transmitted from the card reader 20 to the relay server 150 or the card company server 100, or from a receipt printed by the card reader 20.
- the card reader 20 extracts the PAN area from the track 2 information obtained from the payment device 50, and divides the PAN area into a first area and a second area (S305).
- the PAN area may include information on a bank information number (BIN) and a credit card account.
- the first region may include a BIN composed of 4 to 10 bytes, and the second region may include data of the remaining PAN region except for the BIN. According to this division, the card account is not exposed in the PAN information transmitted from the card reader 20 to the relay server 150 or the card company server 100.
- the payment device 50 is an electronic credit card
- the preceding eight digits of the 16-digit numeric string displayed as embossed or engraved on the surface of the electronic credit card correspond to the first area
- the remaining eight digits are made of the first credit. It may correspond to two areas.
- the leading 8 digits of the 16 digits embossed or engraved on the surface of the electronic credit card correspond to the BIN
- the remaining 8 digits contain information about the card number. can do.
- the payment device 50 is driven by the radio wave provided to the card reader 20 as a power source, and may encrypt the second area (S306).
- the payment device 10 generates an encryption value by inputting an application transaction count (ATC), a time when a transaction occurs by the payment device 50, or any random number generated when the transaction occurs as a variable of an encryption algorithm.
- ATC application transaction count
- the generated encryption value may correspond to a value of the second area.
- ATC Application Transaction Count
- the encryption algorithm may receive an ATC (Application Transaction Count) and a random number as variables to encrypt the second area.
- the encryption algorithm is DES or TDES
- the master key is preferably provided only to the card company server 100, and since the other person cannot know the master key, the actual value of the second area may not be exposed to the outside.
- the card reader 20 forms a dynamic PAN (D-PAN) by combining the unencrypted first area and the second area, which is a dynamic area that is dynamically changing each time it is encrypted, into one (S307).
- the dynamic PAN may be provided to the financial company server (for example, the relay server 150 or the card company server 100) to request transaction processing.
- FIG. 8 is a flowchart illustrating a transaction processing method using the dynamic PAN generated in FIG. 7.
- the card reader 20 when the card reader 20 contacts or approaches the payment device 50, the card reader 20 transmits radio waves to the payment device 50, and the payment device 50 wirelessly.
- the electric wave can be a power-on state using the driving power supply.
- the payment device 50 extracts a PAN region from the embedded track 2 information, and applies an encryption algorithm (one of AES, RSA, DES, TDES, and ARIA algorithms) to the remaining regions except for the BIN among the extracted PAN regions. Can be encrypted.
- an encryption algorithm one of AES, RSA, DES, TDES, and ARIA algorithms
- the payment device 50 may use a time for starting data communication with the card reader 20 as a random number, or may randomly generate random numbers when starting data communication with the card reader 20.
- the payment device 50 may form the dynamic PAN by combining the encrypted second region with the first region including the BIN by encrypting the second region with the generated random number and the application transaction count (ATC) as variables. have.
- the dynamic PAN uses a random number composed of a randomly generated number or a sequence of numbers when the payment device 50 contacts the card reader 20 or after the contact, so even if the payment device 50 generates a random number generated by one payment device 50. It is difficult to generate random numbers of the same value in succession.
- the payment device 50 may prevent the same random number from being generated by regenerating the random number.
- the dynamic track 2 information is formed when the dynamic PAN is combined with the rest of the track 2 information (for example, the ED region, the SC region, and the DD region).
- the payment device 50 provides the dynamic track 2 information to the card reader 20, and the card reader 20 provides the dynamic track 2 information, the payment amount to be paid by the payment device 50, and the merchant of the card reader 20. Create an approval request message containing the information. Thereafter, the card reader 20 may provide the created approval request message to the relay server 150.
- the relay server 150 obtains the dynamic track 2 information from the authorization request message provided from the card reader 20, extracts the first region from the dynamic track 2 information, and then reads the BIN described in the first region.
- the relay server 150 determines the card company to which the authorization request message should be transmitted based on the BIN obtained in the unencrypted first area, and according to the determination result, the relay server 150 receives the authorization request message obtained from the card reader 20.
- reference numeral 100 is used.
- the relay server 150 may not know the contents of the second area, which is an encrypted dynamic area, even if the authorization request message provided from the card reader 20 to the relay server 150 is exposed to the outside, it is not recognized by others. Difficult to identify
- the card company server 100 decodes the dynamic track 2 information obtained from the relay server 150.
- the decoded dynamic track 2 information becomes track 2 information according to the original ISO / IEC 7813 standard and includes a card account. That is, the card company server 100 decodes the circular track 2 information provided from the payment device 50 to the card reader 20 by the dynamic track 2 information.
- the card company server 100 reads the card account from the decrypted track 2 information, determines whether the read card account is a valid card account for card payment, and checks whether the payment cost requested in the authorization request message does not exceed the payment limit. To judge.
- the card company server 100 sends an approval message to the relay server 150 when the determined card account is valid and the payment cost included in the approval request message is within the payment limit, and the relay server 150 transmits the card company server (
- the approval message obtained from 100 may be provided to the card reader 20.
- FIG 9 illustrates a block diagram according to an embodiment of a card company server.
- the card company server 100 may include an authorization module 110, a card account decryption module 120, and a database 130.
- the card account decryption module 120 receives the approval request message including the track 2 information of the ISO / IEC 8713 standard from the card reader 20, and the dynamic track 2 information having the ASCII value for the second area of the approval request message. Is converted to a hexadecimal hexadecimal number (HEXA) value, and can be decoded for the track 2 information converted to a hexadecimal value.
- HEXA hexadecimal hexadecimal number
- the card account decryption module 120 uses the prepared master key to drive the inverse TDES algorithm or the reverse DES algorithm. Track 2 information can be decoded.
- the database 130 has information about the card accounts of the customers.
- the card account of the customers provided in the database 130 may be provided with information on the expiration date and payment limit of each card account of the customer.
- the authorization module 110 determines whether the card account extracted by the card account decryption module 120 is a valid account, and determines whether the fee requested for payment in the authorization request message is within a payment limit that can be paid by the card account. As a result of determination, when the payment requested cost in the approval request message exceeds the payment limit, the approval module 110 transmits a message for rejecting the approval of the approval request message to the relay server 150, and the relay server 150 This may be provided to the card reader 20 to cancel the transaction for the authorization request message.
- the authorization module 110 creates an authorization message and sends it to the relay server 150.
- the relay server 150 may provide the authorization message to the card reader 20 to process the card payment request for the authorization request message.
- the present invention can improve the security of the credit card while using the existing payment infrastructure as it is.
- the present invention can contribute to the activation of credit card companies, banks that issue and distribute credit cards, and financial services that support credit transactions in association with credit card companies or banks.
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Finance (AREA)
- Computer Security & Cryptography (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Cash Registers Or Receiving Machines (AREA)
Abstract
Description
Claims (18)
- 카드 리더기로 ISO(International Standardization Organization) 규격의 트랙 2(track 2) 정보를 제공하는 결제 디바이스에 의해 수행되며,
상기 트랙 2(track 2) 정보의 PAN(Primary Account Number) 영역을 BIN(Bank Information Number)을 포함하는 제1영역 및 상기 BIN을 포함하지 않는 제2영역으로 구획하는 단계;
상기 제2영역을 암호화하여 동적 영역을 형성하는 단계;
상기 제1영역과 상기 동적 영역을 결합하여 하나의 다이나믹 PAN 영역을 형성하는 단계; 및
상기 다이나믹 PAN 영역을 포함하는 트랙 2 정보를 상기 카드 리더기로 제공하는 단계;를 포함하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 다이나믹 PAN 영역은,
상기 결제 디바이스가 매 결재시마다 생성하는 난수 및 ATC(Application Transaction Count) 중 어느 하나를 변수로 하여 동적으로 암호화되는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 하나의 다이나믹 PAN 영역을 형성하는 단계 이후에 수행되며,
상기 다이나믹 PAN 영역을 ISO 포멧으로 변환하여 제1 포멧의 데이터를 형성하는 단계;를 더 포함하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제3항에 있어서,
상기 제1포멧의 데이터를 형성하는 단계 이후에 수행되며,
상기 제1 포멧의 데이터를 암호화하여 제2 포멧의 데이터를 형성하는 단계;를 더 포함하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 트랙 2 정보는,
상기 BIN, 유효기간 데이터(ED : Expiration Data) 영역, 서비스 코드(Service Code : SC) 영역 및 디스크리셔너리 데이터(Discretionary Data : DD) 영역을 포함하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 동적 영역은,
상기 PAN의 제2영역의 값, 상기 난수 및 ATC(Application Transaction Count) 값을 변수로 하는 암호화 알고리즘에 의해 생성되며
상기 암호화 알고리즘은,
AES(Advanced Encryption Standard), RSA(Rivest, Shamir, Adleman), DES(Data Encryption Standard), TDES(Triple DES), ARIA(Academy Research Institute Agency) 중 어느 하나의 암호화 알고리즘인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 결제 디바이스는,
전자 신용카드 및 휴대단말기 중 어느 하나인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제7항에 있어서,
상기 휴대단말기는,
NFC(Near Field Communication) 통신을 이용하여 상기 트랙 2 정보를 상기 카드 리더기로 제공하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제8항에 있어서,
상기 휴대단말기는,
상기 NFC 통신을 위한 NFC 칩과 일체로 형성되는 USIM 칩 및 금융 거래를 위한 금융 칩 중 어느 하나를 내장하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 제1영역은,
4 바이트 내지 10 바이트인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 난수는,
상기 결제 디바이스와 상기 카드 리더기 사이에 트랜잭션이 발생할 때, 상기 결제 디바이스에서 생성되는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 결제 디바이스는,
IC(Intergrated Circuit)를 내장하는 전자 신용카드인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제12항에 있어서,
상기 결제 디바이스는,
금융 거래를 위한 금융 칩을 내장하는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 결제 디바이스는,
USIM(Universal Subscriber Identity Module) 칩을 포함하는 휴대단말기인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제14항에 있어서,
상기 USIM 칩은,
NFC(Near Field Communication) 칩과 일체로 형성되는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 트랙 2 정보는,
상기 제1영역은 비 암호화되고,
상기 트랙 2 정보 중 상기 제1영역을 제외한 나머지 영역에 대해 암호화하여 형성되는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 트랙 2 정보는,
상기 제2영역만 암호화되고,
상기 제2영역을 제외한 나머지 영역은 암호화되지 않는 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법. - 제1항에 있어서,
상기 트랙 2(track 2) 정보의 PAN(Primary Account Number) 영역은,
상기 결제 디바이스에 부여되는 카드 번호인 것을 특징으로 하는 다이나믹 팬을 이용한 트랜잭션 처리방법.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015542926A JP2015536508A (ja) | 2012-11-23 | 2012-12-28 | ダイナミックpanを用いたトランザクション処理方法 |
EP12888916.9A EP2924641A4 (en) | 2012-11-23 | 2012-12-28 | METHOD FOR PROCESSING TRANSACTIONS WITH A DYNAMIC POT |
US14/646,303 US9978061B2 (en) | 2012-11-23 | 2012-12-28 | Method for processing transaction using dynamic pan |
CN201280077258.0A CN104995648A (zh) | 2012-11-23 | 2012-12-28 | 用于使用动态pan来处理交易的方法 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120133946A KR101316489B1 (ko) | 2012-11-23 | 2012-11-23 | 다이나믹 ραn 이용한 트랜잭션 처리방법 |
KR10-2012-0133946 | 2012-11-23 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014081075A1 true WO2014081075A1 (ko) | 2014-05-30 |
Family
ID=49638058
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2012/011693 WO2014081075A1 (ko) | 2012-11-23 | 2012-12-28 | 다이나믹 팬을 이용한 트랜잭션 처리방법 |
Country Status (6)
Country | Link |
---|---|
US (1) | US9978061B2 (ko) |
EP (1) | EP2924641A4 (ko) |
JP (1) | JP2015536508A (ko) |
KR (1) | KR101316489B1 (ko) |
CN (1) | CN104995648A (ko) |
WO (1) | WO2014081075A1 (ko) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3113098A1 (en) * | 2015-07-02 | 2017-01-04 | Gemalto Sa | Method, device and back-end system for authorizing a transaction |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070262138A1 (en) * | 2005-04-01 | 2007-11-15 | Jean Somers | Dynamic encryption of payment card numbers in electronic payment transactions |
US9245267B2 (en) * | 2010-03-03 | 2016-01-26 | Visa International Service Association | Portable account number for consumer payment account |
US9022286B2 (en) | 2013-03-15 | 2015-05-05 | Virtual Electric, Inc. | Multi-functional credit card type portable electronic device |
US10902417B2 (en) * | 2014-04-29 | 2021-01-26 | Mastercard International Incorporated | Systems and methods of processing payment transactions using one-time tokens |
US20160048913A1 (en) * | 2014-08-15 | 2016-02-18 | Mastercard International Incorporated | Systems and Methods for Assigning a Variable Length Bank Identification Number |
KR101912254B1 (ko) * | 2016-07-25 | 2018-12-28 | 한국정보통신주식회사 | 거래 정보 재사용 방지를 위한 거래 정보 처리 방법 및 그 장치 |
US11080697B2 (en) * | 2017-10-05 | 2021-08-03 | Mastercard International Incorporated | Systems and methods for use in authenticating users in connection with network transactions |
US10445629B2 (en) * | 2017-11-20 | 2019-10-15 | Mastercard International Incorporated | Secure QR code service |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003081832A2 (en) | 2002-03-19 | 2003-10-02 | Mastercard International Incorporated | Method and system for conducting a transaction using a proximity device |
KR20060103152A (ko) * | 2005-03-23 | 2006-09-28 | 노키아 코포레이션 | 동적 인터페이스 관리를 위한 시스템 및 방법 |
KR20070041576A (ko) * | 2004-07-15 | 2007-04-18 | 마스터카드 인터내셔날, 인코포레이티드 | 비트맵을 이용하여 비접촉식 결재 카드 트랜잭션 변수를표준화된 데이터 포맷에 통합하는 방법 및 시스템 |
KR20090036560A (ko) * | 2006-06-19 | 2009-04-14 | 비자 유에스에이 인코포레이티드 | 트랙 데이터 암호화 |
KR20090102752A (ko) * | 2006-11-16 | 2009-09-30 | 네트 1 유이피에스 테크놀로지스, 인코포레이티드 | 비밀 금융거래 |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6908030B2 (en) * | 2001-10-31 | 2005-06-21 | Arcot Systems, Inc. | One-time credit card number generator and single round-trip authentication |
US7761374B2 (en) * | 2003-08-18 | 2010-07-20 | Visa International Service Association | Method and system for generating a dynamic verification value |
US7580898B2 (en) * | 2004-03-15 | 2009-08-25 | Qsecure, Inc. | Financial transactions with dynamic personal account numbers |
US7506812B2 (en) * | 2004-09-07 | 2009-03-24 | Semtek Innovative Solutions Corporation | Transparently securing data for transmission on financial networks |
US20070262138A1 (en) * | 2005-04-01 | 2007-11-15 | Jean Somers | Dynamic encryption of payment card numbers in electronic payment transactions |
US8201747B2 (en) * | 2008-11-26 | 2012-06-19 | Qsecure, Inc. | Auto-sequencing financial payment display card |
KR20100060707A (ko) * | 2008-11-28 | 2010-06-07 | 주식회사 하렉스인포텍 | 이동통신 단말기를 이용한 구매자에 의한 결제 승인, 정산 및 멤버십가입 방법, 장치 및 시스템 |
US10140598B2 (en) * | 2009-05-20 | 2018-11-27 | Visa International Service Association | Device including encrypted data for expiration date and verification value creation |
CN102377783B (zh) * | 2011-11-07 | 2014-03-12 | 飞天诚信科技股份有限公司 | 一种动态口令生成及认证的方法和系统 |
US20150242853A1 (en) * | 2014-02-26 | 2015-08-27 | Mastercard International Incorporated | Payment account tokenization method |
-
2012
- 2012-11-23 KR KR1020120133946A patent/KR101316489B1/ko active IP Right Grant
- 2012-12-28 US US14/646,303 patent/US9978061B2/en active Active
- 2012-12-28 WO PCT/KR2012/011693 patent/WO2014081075A1/ko active Application Filing
- 2012-12-28 CN CN201280077258.0A patent/CN104995648A/zh active Pending
- 2012-12-28 JP JP2015542926A patent/JP2015536508A/ja active Pending
- 2012-12-28 EP EP12888916.9A patent/EP2924641A4/en not_active Withdrawn
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003081832A2 (en) | 2002-03-19 | 2003-10-02 | Mastercard International Incorporated | Method and system for conducting a transaction using a proximity device |
KR20070041576A (ko) * | 2004-07-15 | 2007-04-18 | 마스터카드 인터내셔날, 인코포레이티드 | 비트맵을 이용하여 비접촉식 결재 카드 트랜잭션 변수를표준화된 데이터 포맷에 통합하는 방법 및 시스템 |
KR20060103152A (ko) * | 2005-03-23 | 2006-09-28 | 노키아 코포레이션 | 동적 인터페이스 관리를 위한 시스템 및 방법 |
KR20090036560A (ko) * | 2006-06-19 | 2009-04-14 | 비자 유에스에이 인코포레이티드 | 트랙 데이터 암호화 |
KR20090102752A (ko) * | 2006-11-16 | 2009-09-30 | 네트 1 유이피에스 테크놀로지스, 인코포레이티드 | 비밀 금융거래 |
Non-Patent Citations (1)
Title |
---|
See also references of EP2924641A4 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3113098A1 (en) * | 2015-07-02 | 2017-01-04 | Gemalto Sa | Method, device and back-end system for authorizing a transaction |
WO2017001587A1 (en) * | 2015-07-02 | 2017-01-05 | Gemalto Sa | Method, device and back-end system for authorizing a transaction |
Also Published As
Publication number | Publication date |
---|---|
KR101316489B1 (ko) | 2013-10-10 |
CN104995648A (zh) | 2015-10-21 |
JP2015536508A (ja) | 2015-12-21 |
EP2924641A1 (en) | 2015-09-30 |
EP2924641A4 (en) | 2016-08-03 |
US9978061B2 (en) | 2018-05-22 |
US20150317632A1 (en) | 2015-11-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101316489B1 (ko) | 다이나믹 ραn 이용한 트랜잭션 처리방법 | |
KR101316466B1 (ko) | 다이나믹 트랙 2 정보를 이용한 모바일 결제 시스템 및 방법 | |
US9818113B2 (en) | Payment method using one-time card information | |
CA2577333C (en) | Method and system for authorizing a transaction using a dynamic authorization code | |
EP0985203B1 (en) | Key transformation unit for an ic card | |
US20220311779A1 (en) | Binding cryptogram with protocol characteristics | |
EP3591600A1 (en) | Payment system | |
KR20060125835A (ko) | 모바일 단말기를 이용하여 전자 트랜잭션을 수행하기 위한방법 및 시스템 | |
EP0985204A1 (en) | Ic card transportation key set | |
US20140289129A1 (en) | Method for secure contactless communication of a smart card and a point of sale terminal | |
US20140365366A1 (en) | System and device for receiving authentication credentials using a secure remote verification terminal | |
AU2023201327B2 (en) | Techniques for secure channel communications | |
KR20010014257A (ko) | 지불 프로세스 및 시스템 | |
KR20170004339A (ko) | 결제 시스템, 카드 리더기, 결제 단말 장치 및 그를 이용한 카드 정보 처리 방법 | |
US20200167778A1 (en) | Trusted communication in transactions | |
AU2012200393B2 (en) | Method and system for authorizing a transaction using a dynamic authorization code | |
KR20050047154A (ko) | 무선 결제 처리 방법 및 시스템 | |
KR101912254B1 (ko) | 거래 정보 재사용 방지를 위한 거래 정보 처리 방법 및 그 장치 | |
KR20080103951A (ko) | 휴대폰 | |
KR20080103952A (ko) | 알에프아이디 태그 정보를 이용한 무선 결제 처리 시스템 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12888916 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2015542926 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14646303 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012888916 Country of ref document: EP |