WO2021251889A1 - Real-time digital proximity payments by proxy - Google Patents

Abstract

Disclosed is a method for performing a digital payment transaction that involves a payee communication device (PD1), a payer communication device (PD2) and cloud-based digital payment service functionality (DPSF). A first device (31) among the payee communication device (PD1) and payer communication device (PD2) communicates with the digital payment service functionality (DPSF) directly by wide-area network (WAN) communication, whereas a second device (32) among the payee communication device (PD1) and payer communication device (PD2) communicates with the digital payment service functionality (DPSF) via a secure logical connection (SLC) with the digital payment service functionality (DPSF). The secure logical connection (SLC) is effectuated physically via short-range wireless data communication (SRWDC) with the first device (31). The first device (31) thus relays communication between the second device (32) and the digital payment service functionality (DPSF) via the secure logical connection (SLC) without access to information contained in the communication.

Description

REAL-TIME DIGITAL PROXIMITY PAYMENTS BY PROXY

TECHNICAL FIELD

The present invention generally relates to the fields of short-range wireless communication devices and real-time digital proximity payments. More particularly, the present invention relates to a method for performing a digital payment transaction that involves a payee communication device, a payer communication device and cloud- based digital payment service functionality. The present invention also relates to communication system for real-time digital proximity payments, comprising a payee communication device, a payer communication device, and digital payment service functionality which is accessible by wide-area network communication. Moreover, the invention relates to associated communication devices, computer program products and computer readable media.

BACKGROUND

As everybody knows, there has been an overwhelming market penetration for mobile communication devices such as smart phones and tablets at least during the last decade. Long gone are the days when mobile communication devices were primarily used for voice calls. Typically, mobile communication devices are enabled for wide- area network, WAN, communication (broadband RF communication) with remote entities, for instance via cellular radio systems like 5G, UMTS or GSM, or via wireless local area network, WLAN, access for routing IP traffic to and from such remote entities. In addition, mobile communication devices are often enabled for short-range wireless data communication, such as Bluetooth, with other devices nearby. Such a nearby device may for instance be an accessory or peripheral device, like a wireless headset or wireless speakers.

Thanks to their ability for WAN communication, users of mobile communication devices may enjoy a plethora of digital services that involve communication with cloud-based resources. A very popular type of such digital services is digital payments. A special kind of digital payments is the real-time digital proximity payment that allows a user of a mobile communication device to make a digital payment when being physically proximate to another entity at a physical place such as, for instance, a shop, restaurant, theatre, sport arena, workshop, or basically any place where a human may want to perform a digital payment. The other entity may be another communication device which is controlled by a human user (such as a smart phone, tablet, service terminal, checkout counter, etc.), or another communication device that operates more autonomously (such as a service terminal, vending machine, ticket machine, access control system, etc.).

Throughout this document, the term “digital payment” is to be construed broadly to embrace any kind of transfer of economic value in digital form on behalf of or between people of any types, roles etc.

A communication system 1 for performing real-time digital proximity payments according to the prior art is presented in Figure 1. The communication system 1 comprises a payee communication device PD1, a payer communication device PD2, and digital payment service functionality DPSF which is accessible by WAN communication (i.e., a cloud-based digital payment service functionality). A payer user P2 wishes to make a digital payment to a payee user PI, for instance in order to buy a product, enjoy a service, settle a debt, or gain access to something protected by the payee user PI . As can be seen at 2 in Figure 1, it is assumed that the payer user P2 brings the payer communication device PD2 in proximity of the payee communication device PD1, or alternatively the other way around. The payee communication device PD1 and the payer communication device PD2 can, for instance, be of any of the exemplary types mentioned above.

The role of the digital payment service functionality DPSF is to assist the payee communication device PD1 and payer communication device PD2 to perform a digital payment transaction which transfers an economic value from an account associated with the payer user P2 (or with another entity represented by the payer user P2) to an account associated with the payee user PI (or with another entity represented by the payee user PI, such as a merchant, shop owner, service provider, etc.). The accounts can be managed by the digital payment service functionality DPSF itself or alternatively by other entities, such as banks or other financial institutes. The payee communication device PD1 and payer communication device PD2 participate by making payee-related communications 12 and payer-related communications 22 directly with the digital payment service functionality DPSF by wide-area network, WAN, communication 10 and 20, respectively.

Figure 4 is a flowchart diagram of one implementation of the prior art functionality for performing real-time digital proximity payments as seen in Figure 1. Here, the digital payment service functionality DPSF comprises two parts: a payment service part (Payment Service Cloud) which is a front-end towards the payee communication device PD1 and payer communication device PD2, and a payment settlement part (RTP Cloud) which is a back-end that is operative to settle the digital payment transaction, if needed by communication with external entities (such as banks).

As can be seen in Figure 4, the payee communication device PD1 executes a proceed-to-payment step 402 and a real-time payment initiation step 404. The payee communication device PD1 makes a transaction identifier request 410 to the payment service part of the digital payment service functionality DPSF, and in response receives a transaction identifier ID in step 412.

The payee communication device PD1 then proceeds to make some payment details 422 available to the payer communication device PD2. This can also be seen at 3 and 4 in Figure 1. The payment details 422 will typically comprise an amount to be paid, the transaction identifier ID and/or an identifier PID 1 associated with the payee communication device PD1 (or payee user PI), and possibly a resource locator that allows the payer communication device PD2 to communicate with the digital payment service functionality DPSF over WAN (unless such information is already hard-coded in software or hardware in the payer communication device PD2). The payee communication device PD1 generates a QR code 4 in step 420 and presents it on a display, so that the QR code 4 can be scanned at 430 by the payer communication device PD2.

The payer communication device PD2 extracts the payment details 422 (QR data) from the QR code 4 and begins to participate in the digital payment transaction at 440. As seen at 470, the payer communication device PD2 sends a payment request to the digital payment service functionality DPSF over WAN. The payment request includes the payment details 422 (QR data) as well as an identifier PID 2 associated with the payer communication device PD2 (or payer user P2).

In response, the digital payment service functionality DPSF processes the payment request at 472, and encourages in step 480 the payer communication device PD2 to obtain an authentication (approval) of the digital payment by the payer user P2, for instance in the form of a passcode or biometric authentication. Once the payer user P2 has authenticated the digital payment in step 482, the payer communication device PD2 sends a payment commit in step 490 to the digital payment service functionality DPSF. The digital payment service functionality DPSF executes the payment in step 492.

Finally, if everything has gone well and the digital transaction was successfully performed, the digital payment service functionality DPSF sends a payment confirmation for the transaction identifier ID to the payee communication device PD1 in step 494. Upon receipt thereof, the payee communication device PD1 or the payee user PI can release the product to be purchased, perform the ordered service, grant the desired access, etc., to the payer user P2.

As the skilled reader will notice, the functionality for performing real-time digital proximity payments in Figures 1 and 4 heavily relies on WAN communication between the payee communication device PD1 and the digital payment service functionality DPSF, as well as between the payer communication device PD2 and the digital payment service functionality DPSF, being fully operational. However, WAN communication for mobile communication devices is far from always reliable and may be subject to variations in accessibility due to cellular network capacity or coverage, radio signal interference and fading, etc. This may pose quite undesired limitations on the usability and credibility of the real-time digital proximity payments according to the prior art.

The present inventors have accordingly realized that there is room for improvements in this regard. Hence, the present inventors have identified both the need for and the benefits of a novel and inventive manner of performing real-time digital proximity payments of the general kind described above. SUMMARY

It is accordingly an object of the invention to solve, eliminate, alleviate, mitigate or reduce at least some of the problems and shortcomings referred to above.

A first aspect of the present invention is method for performing a digital payment transaction that involves a payee communication device, a payer communication device and cloud-based digital payment service functionality, wherein a first device among the payee communication device and payer communication device communicates with the digital payment service functionality directly by wide-area network communication whereas a second device among the payee communication device and payer communication device communicates with the digital payment service functionality via a secure logical connection with the digital payment service functionality, the secure logical connection being effectuated physically via short-range wireless data communication with the first device, the first device thus relaying communication between the second device and the digital payment service functionality via the secure logical connection without access to information contained in the communication.

Advantageously, therefore, when the payee communication device is acting as said first device, it makes payee-related communications of the digital payment transaction directly with the digital payment service functionality by wide-area network communication and relays payer-related communications of the digital payment transaction from the payer communication device to the digital payment service functionality by wide-area network communication. Conversely, when the payer communication device is acting as said first device, it makes payer-related communications of the digital payment transaction directly with the digital payment service functionality by wide-area network communication and relays payee-related communications of the digital payment transaction from the payee communication device to the digital payment service functionality by wide-area network communication.

This is beneficial since it allows a digital payment transaction to be performed even in situations where one of a payee communication device and a payer communi cation device lacks momentary (or even permanent) ability for wide-area network, WAN, communication with a cloud-based digital payment service functionality. Pursuant to the invention, the other one of the payee communication device and payer communication device, that actually has ability for wide-area network communication with the cloud-based digital payment service functionality, will act as a proxy for the one device that momentarily (or even permanently) lacks such ability. Hence, the performance of digital payment transactions of the type discussed in the Background section will no longer be limited to an ideal situation where both the payee com munication device and the payer communication device can communicate with the cloud-based digital payment service functionality by wide-area network communi cation.

The payee communication device, payer communication device and digital payment service functionality may be configured for performing any of the functionalities recited in any of the dependent method claims as filed herewith.

A second aspect of the present invention is a communication system for real time digital proximity payments. The communication system comprises a payee communication device, a payer communication device, and digital payment service functionality which is accessible by wide-area network, WAN, communication.

The payee communication device is configured, when it has a current ability to communicate with the digital payment service functionality by wide-area network communication, to make payee-related communications directly with the digital payment service functionality by such wide-area network communication, and to act as a proxy for the payer communication device to relay payer-related communications over a secure logical connection between the payer communication device and the digital payment service functionality by short-range wireless data communication with the payer communication device and wide-area network communication with the digital payment service functionality.

Advantageously, the payer communication device is correspondingly configured, when it has a current ability to communicate with the digital payment service functionality by wide-area network, WAN, communication, to make payer- related communications directly with the digital payment service functionality by such wide-area network communication, and to act as a proxy for the payee communication device to relay payee-related communications over a secure logical connection between the payee communication device and the digital payment service functionality by short- range wireless data communication with the payee communication device and wide-area network communication with the digital payment service functionality.

Hence, the communication system is beneficially such that both of the payee communication device and payer communication device have the capability to act as a proxy for the other device in situations where the other device lacks ability to communicate with the digital payment service functionality by wide-area network communication. However, alternative embodiments are envisaged where only the payee communication device has such ability to act as a proxy for the payer communication device. In such cases, the payer communication device may be a mobile communication device of a less sophisticated design, such as a feature phone (i.e., a mobile phone which is not a smart phone), that even lacks an interface for wide-area network communication but can use short-range wireless data communication with the payee communication device and let the latter device act as a proxy for it in the payer-related communications with the cloud-based digital payment service functionality.

The payee communication device, payer communication device and digital payment service functionality may be configured for performing any of the functionalities referred to in this document for the first aspect of the invention.

A third aspect of the present invention is a communication device configured for performing the functionality of the payee communication device referred to in this document for the first aspect above.

A fourth aspect of the present invention is a communication device configured for performing the functionality of the payer communication device referred to in this document for the first aspect above.

A fifth aspect of the present invention is a computer program product comprising computer code for performing the functionality of the payee communication device in the method according to the first aspect when the computer program code is executed by a processing device.

A sixth aspect of the present invention is a computer program product comprising computer code for performing the functionality of the payer communication device in the method according to the first aspect when the computer program code is executed by a processing device.

A seventh aspect of the present invention is a computer program product comprising computer code for performing the functionality of the digital payment service functionality in the method according to the first aspect when the computer program code is executed by a processing device.

An eight aspect of the present invention is a computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the payee communication device in the method according to the first aspect when the computer program code is executed by a processing device.

A ninth aspect of the present invention is a computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the payer communication device in the method according to the first aspect when the computer program code is executed by a processing device.

A tenth aspect of the present invention is a computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the digital payment service functionality in the method according to the first aspect when the computer program code is executed by a processing device.

As used in this document, the term “short-range wireless data communication” includes any form of proximity-based device-to-device communication. This includes radio-based short-range wireless data communication such as, for instance, Bluetooth, BLE (Bluetooth Low Energy), RFID, WLAN, WiFi, mesh communication or LTE Direct, without limitation. It also includes non-radio-based short-range wireless data communication such as, for instance, magnetic communication (such as NFC), (ultra)sound communication, or optical communication (such as IrDA).

As used in this document, the term “wide-area network communication” includes any form of data network communication with a party which may be remote (e.g. cloud-based), including cellular radio communication like W-CDMA, GSM, UTRAN, HSPA, LTE or LTE Advanced, possibly communicated as TCP/IP traffic, or via a WLAN (WiFi) access point, without limitation. As used in this document, the term “communication device” includes a mobile communication device, a mobile phone, a smart phone, a tablet computer, a personal digital assistant, a portable computer, smart glasses, a smart watch, a smart bracelet, a service terminal, a point-of-sales terminal, a checkout counter, a delivery pickup point, a vending machine, a ticket machine, a dispensing machine and an access control system, without limitation.

One additional aspect of the present invention is a method for providing a service by a service providing machine to a user subject to payment by said user for said service, the user being provided with a mobile communication device. In the method, the mobile communication device communicates with cloud-based digital payment service functionality by wide-area network communication to perform a digital payment for the service provided by the service providing machine. The service providing machine communicates with the digital payment service functionality via a secure logical connection to obtain a payment confirmation of successful performance of the digital payment. The secure logical connection is effectuated physically via short-range wireless data communication with the mobile communication device, the mobile communication device thus relaying communication between the service providing machine and the digital payment service functionality via the secure logical connection without access to information contained in the communication. The service providing machine then provides the service to the user upon obtained payment confirmation.

Another additional aspect of the present invention is a service providing machine that comprises a service module for providing a service to a user subject to payment by said user for said service. The service providing machine further comprises a controller and a short-range wireless data communication module. The controller is configured for causing the short-range wireless data communication module to communicate with a cloud-based digital payment service functionality via a secure logical connection to obtain a payment confirmation of a successful performance of a digital payment performed by said user operating a mobile communication device. The secure logical connection is effectuated physically via short-range wireless data communication with the mobile communication device. The mobile communication device is thus being used as a relay of communication between the service providing machine and the digital payment service functionality via the secure logical connection without having access to information contained in the communication. The controller is configured for causing the service module to provide the service to the user upon obtained payment confirmation.

The service providing machine may typically be a vending machine, a ticket machine, a dispensing machine, an access control system or device, a service terminal, a point-of-sales terminal, a checkout counter, or a delivery pickup point.

Other aspects, objectives, features and advantages of the disclosed embodi ments will appear from the following detailed disclosure, from the attached dependent claims as well as from the drawings. Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein.

All references to "a/an/the [element, device, component, means, step, etc.]" are to be interpreted openly as referring to at least one instance of the element, device, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a schematic diagram of a communication system for real-time digital proximity payments according to the prior art.

Figure 2 is a schematic diagram of a communication system for real-time digital proximity payments in which a payee communication device acts as a proxy of a payer communication device for its payer-related communications with cloud-based digital payment service functionality pursuant to the present invention.

Figure 3 is a schematic diagram of a communication system for real-time digital proximity payments in which a payer communication device acts as a proxy of a payee communication device for its payee-related communications with cloud-based digital payment service functionality pursuant to the present invention.

Figure 4 is a flowchart diagram of one implementation of the prior art functionality shown in Figure 1. Figure 5 is a flowchart diagram of an embodiment of the proxy-assisted real time digital proximity payments functionality shown in Figure 2.

Figure 6 is a flowchart diagram of an embodiment of the proxy-assisted real time digital proximity payments functionality shown in Figure 3.

Figure 7 is a schematic block diagram of a communication device in embodiments of the present invention.

Figure 8 is a schematic illustration of a computer-readable medium in one exemplary embodiment, capable of storing a computer program product.

Figure 9 is a schematic illustration of a service providing machine according to the prior art for providing a service to a user, subject to cash payment by the user for the service.

Figure 10 is a schematic illustration of a service providing machine according to aspects of the present invention for providing a service to a user, subject to cloud- based digital payment by the user for the service.

Figure 11 is a schematic diagram of a communication system according to aspects of the present invention that enables a service providing machine to provide a service to a user, subject to digital payment by the user by means of a mobile communication device that at the same time acts as a proxy of the service providing machine to obtain a payment confirmation from a cloud-based digital payment service functionality.

DETAILED DESCRIPTION

The disclosed embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like drawings references refer to like elements throughout, particularly such that an element being referred to as “ynn” in a second drawing is to be understood as the same as or the equivalent of an element being referred to as “xnn” in a first drawing, where x and y are single-digit numbers and nn is a double-digit number. When the same drawings reference is used for an element that appears in multiple drawings, such element is to be understood as being the same or at least equivalent throughout such multiple drawings. Elements illustrated as hatched boxes are generally to be seen as optional in the particular drawing in which they appear.

With reference first to Figure 2, it is recalled that one aspect of the present invention is a method for performing a digital payment transaction that involves a payee communication device PD1, a payer communication device PD2 and cloud-based digital payment service functionality DPSF. In the method, a first device 31 among the payee communication device PD1 and payer communication device PD2 communicates with the digital payment service functionality DPSF directly by wide-area network, WAN, communication. This can be seen at 10 and 12 in Figure 2, with the first device 31 being the payee communication device PD1. In the method, a second device 32 among the payee communication device PD1 and payer communication device PD2 communicates with the digital payment service functionality DPSF via a secure logical connection SLC with the digital payment service functionality DPSF. The secure logical connection SLC is effectuated physically via short-range wireless data communication SRWDC with the first device 31. This can be seen at 22a in Figure 2 with the second device 32 being the payer communication device PD2. The first device 31 (i.e. the payee communication device PD1) thus relays communication between the second device 32 (i.e. the payer communication device PD2) and the digital payment service functionality DPSF via the secure logical connection SLC without access to information contained in the communication.

Hence, what is seen in Figure 2 is a communication system G for real-time digital proximity payments, that comprises the payee communication device PD1, the payer communication device PD2, and the digital payment service functionality DPSF which is accessible by wide-area network, WAN, communication. Similar to what was described for the prior art system 1 in Figure 1, a payer user P2 wishes to make a digital payment to a payee user PI, for instance in order to buy a product, enjoy a service, settle a debt, or gain access to something protected by the payee user PI. Accordingly, the payer user P2 brings the payer communication device PD2 in proximity 2 of the payee communication device PD1 (or alternatively the other way around). The payee communication device PD1 and the payer communication device PD2 can, for instance, be of any of the exemplary types mentioned above.

As was mentioned already for Figure 1, the role of the digital payment service functionality DPSF is to assist the payee communication device PD1 and payer communication device PD2 to perform a digital payment transaction which transfers an economic value from an account associated with the payer user P2 (or with another entity represented by the payer user P2) to an account associated with the payee user PI (or with another entity represented by the payee user PI, such as a merchant, shop owner, service provider, etc.). The accounts can be managed by the digital payment service functionality DPSF itself or alternatively by other entities, such as banks or other financial institutes. Unlike Figure 1, however, the payee communication device PD1 and payer communication device PD2 do not both have to participate by making payee-related communications and payer-related communications directly with the digital payment service functionality DPSF by wide-area network, WAN, communication.

Instead, in Figure 2, the payee communication device PD1 is configured to act as a proxy for the payer communication device PD2 in this regard. While it performs its payee-related communications 12 directly with the digital payment service functionality DPSF by WAN communication 10 just like in Figure 1, it moreover acts to convey payer-related communications 22a-b between the payer communication device PD2 and the digital payment service functionality DPSF via the secure logical connection SLC. The payer-related communications thus occur in part via short-range wireless data communication SRWDC between the payer communication device PD2 and the payee communication device PD1, as is seen at 22a, and in part via WAN communication between the payee communication device PD1 and the digital payment service functionality DPSF, as is seen at 22b. The payer communication device PD2 itself lacks at least a current ability to communicate with the digital payment service functionality DPSF by WAN communication; this is indicated at 20 in Figure 2.

Hence, in the communication system V of Figure 2, the payee communication device PD1 is configured for, when it has a current ability to communicate with the digital payment service functionality DPSF by wide-area network, WAN, communi cation:

• making payee-related communications 12 of the digital payment transaction directly with the digital payment service functionality DPSF by WAN communication 10; and

• acting as a proxy for the payer communication device PD2 to relay payer- related communications of the digital payment transaction over the secure logical connection SLC between the payer communication device PD2 and the digital payment service functionality DPSF by short-range wireless data communication SRWDC 22a with the payer communication device PD2 and by WAN communication 22b with the digital payment service functionality DPSF.

The situation is the opposite in Figure 3. Here, the payee communication device PD1 lacks at least a current ability to communicate with the digital payment service functionality DPSF by WAN communication. This is indicated at 10 in Figure 3. The payer communication device PD2 in Figure 3 is configured to act as a proxy for the payee communication device PD1. While the payer communication device PD2 performs its payer-related communications 22 directly with the digital payment service functionality DPSF by WAN communication 20 just like in Figure 1, it moreover acts to convey payee-related communications 12a-b between the payee communication device PD1 and the digital payment service functionality DPSF via the secure logical connection SLC. The payee-related communications thus occur in part via short-range wireless data communication SRWDC between the payee communication device PD1 and the payer communication device PD2, as is seen at 12a, and in part via WAN communication between the payer communication device PD2 and the digital payment service functionality DPSF, as is seen at 12b.

Hence, in the communication system G of Figure 3, the payer communication device PD2 is configured for, when it has a current ability to communicate with the digital payment service functionality DPSF by wide-area network, WAN, communi cation: • making payer-related communications 22 of the digital payment transaction directly with the digital payment service functionality DPSF by WAN communication 20; and

• acting as a proxy for the payee communication device PD1 to relay payee- related communications of the digital payment transaction over the secure logical connection SLC between the payee communication device PD1 and the digital payment service functionality DPSF by short-range wireless data communication SRWDC 12a with the payee communication device PD1 and by WAN communication 12b with the digital payment service functionality DPSF.

As can be understood, in the method for performing a digital payment transaction as referred to above, the payer communication device PD2 in Figure 3 is the aforementioned first device 31, whereas the payee communication device PD1 in Figure 3 is the aforementioned second device 32.

Figure 5 is a flowchart diagram of one implementation of the inventive functionality for performing real-time digital proximity payments as described for Figure 2. Hence, the payee communication device PD1 in Figure 5 is the aforementioned first device 31 (the one device that is online, i.e. has the ability to communicate directly with the digital payment service functionality DPSF by wide-area network communication), whereas the payer communication device PD2 is the aforementioned second device 32 (the other device that is offline).

Like in Figure 1, the digital payment service functionality DPSF comprises two parts: a payment service part (Payment Service Cloud) which is a front-end towards the payee communication device PD1 and payer communication device PD2, and a payment settlement part (RTP Cloud) which is a back-end that is operative to settle the digital payment transaction, if needed by communication with external entities (such as banks).

As can be seen in Figure 5, the payee communication device PD1 executes a proceed-to-payment step 502 and a real-time payment initiation step 504. The payee communication device PD1 makes a transaction identifier request 510 to the payment service part of the digital payment service functionality DPSF, and in response receives a transaction identifier ID in step 512.

The payee communication device PD1 then proceeds to a functional block seen as “Step 1” in Figure 5 to make transaction support data TSD available to the payer communication device PD2. This can be seen also at 3’ and 4’ in Figure 2. The transaction support data TSD includes payment details 522 which, as such, may be the same as described above for Figure 1 and Figure 4. Hence, the payment details 522 will typically comprise an amount to be paid, the transaction identifier ID and/or an identifier PID 1 associated with the payee communication device PD1 (or payee user PI).

In addition to this, the transaction support data TSD in Figure 5 includes control data that is novel in the sense that is was not conceived in a prior art system 1 like in Figure 1 and Figure 4.

Hence, as seen at 523, the transaction support data TSD in Figure 5 includes the transaction identifier ID, or an indication whether it is available or not (see further below for Figure 6).

The transaction support data TSD in Figure 5 further includes an indication 524 of a current ability (or disability) of the payee communication device PD1 to communicate directly with the digital payment service functionality DPSF by wide-area network WAN communication. The indication 524 may serve to inform the payer communication device PD2 that the payee communication device PD1 has WAN access 10

The transaction support data TSD in Figure 5 further includes an indication 525 of an ability (or disability) of the payee communication device PD1 to act as aforesaid first device 31 in the aforementioned method (thereby being capable of supporting the payer communication device PD2 to act as the aforesaid second device 32), and/or to act as aforesaid second device 32 (thereby asking for support by the payer communication device PD2 acting as the aforesaid first device 31). In Figure 5, the indication 525 is set to indicate the former case.

Finally, the transaction support data TSD in Figure 5 further includes a resource locator 526 that can be invoked by the payer communication device PD2 for communication with the digital payment service functionality DPSF when acting as the aforesaid first device 31 or the aforesaid second device 32.

The payee communication device PD1 generates a QR code 4’ to represent the transaction support data TSD in step 520 and presents the QR code on a display, so that the QR code 4’ can be scanned at 530 by the payer communication device PD2. In other words, the payee communication device PD1 makes the transaction support data TSD available 3’ to the payer communication device PD1 by generating 520 an optical code 4’ which is readable 530 by the payer communication device PD1. In other implementations, the payee communication device PD1 makes the transaction support data TSD available 3’ to the payer communication device PD1 by communicating it to the payer communication device PD1 by Bluetooth communication or any other short- range wireless data communication as referred to in this document.

The payer communication device PD2 extracts the transaction support data TSD (*QR data) from the QR code 4’ and begins to participate in the digital payment transaction at 540. In the present case, the payer communication device PD2 interprets the extracted transaction support data TSD and learns from the indication 524 that the payee communication device PD1 has WAN access 10. It also learns from the indication 525 that the payee communication device PD1 has the ability to act as the aforesaid first device 31, i.e. as a proxy to assist the payer communication device PD2 with the payer-related communications 22a-b with the digital payment service functionality DPSF. Since the payer communication device PD2 itself lacks WLAN access 20 (i.e., it is offline), this is very helpful.

Acting on the information above, the payer communication device PD2 proceeds to a functional block “Step 2” in Figure 5 to establish short-range wireless data communication SRWDC with the payee communication device PD1. This is seen at 550 in Figure 5. This may involve setting up a Bluetooth connection, or using any other short-range wireless data communication as referred to in this document.

Next, it is time to establish the secure logical link SLC. This involves the following activity which is illustrated as a functional block “Step 3” in Figure 5. The payer communication device PD2 sends a first end-to-end link request 560 by short- range wireless data communication SRWDC to the payee communication device PD1. The first end-to-end link request 560 comprises a public cryptographic key (public key 2) associated with the payer communication device PD2.

The payee communication device PD1 receives, by short-range wireless data communication SRWDC, the first end-to-end link request 560 from the payer communication device PD2. In response, the payee communication device PD1 sends (i.e. forwards), by wide-area network communication, a second end-to-end link request 562 to the digital payment service functionality DPSF. The second end-to-end link request 562 thus comprises the public cryptographic key (public key 2) as received from the payer communication device PD2.

The digital payment service functionality DPSF establishes the secure logical connection SLC with the payer communication device PD2 by making use of the public cryptographic key (public key 2) associated with the payer communication device PD2 and received in the second end-to-end link request 562. Hence, the digital payment service functionality DPSF uses the public cryptographic key (public key 2) for encrypting upcoming wide-area network communication being sent on the secure logical connection SLC to the payee communication device PD1 acting as said first device 31 but being directed at the payer communication device PD2 acting as said second device 32.

In one implementation, the establishing of the secure logical connection SLC between the digital payment service functionality DPSF and the payer communication device PD2 involves the following activity:

The digital payment service functionality DPSF generates a session key, encrypts the session key with the public cryptographic key (public key 2) associated with the payer communication device PD2 and received in the second end-to-end link request 562, and transmits 564 the encrypted session key by wide-area network communication to the payee communication device PD1. The payee communication device PD1 forwards 566 the encrypted session key to the payer communication device PD2 by short-range wireless data communication SRWDC. The payer communication device PD2 decrypts the encrypted session key using a private cryptographic key associated with the payer communication device PD2. The payer communication device PD2 and the digital payment service functionality DPSF then uses the session key as a shared secret in a cryptographic scheme, such as ECIES, for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

In an alternative implementation, the establishing of the secure logical connection SLC between the digital payment service functionality DPSF and the payer communication device PD2 involves the following activity:

The digital payment service functionality DPSF invokes a known key derivate function, KDF, to generate a session key from the public cryptographic key (public key 2) associated with the payer communication device PD2 and received in the second end- to-end link request 562, as well as from a private cryptographic key associated with the digital payment service functionality DPSF. The digital payment service functionality DPSF then transmits a public cryptographic key PS associated with the digital payment service functionality DPSF by wide-area network communication to the payee communication device PD1. The payee communication device PD1 forwards the received public cryptographic key PS associated with the digital payment service functionality DPSF to the payer communication device PD2 by short-range wireless data communication SRWDC. The payer communication device PD2 invokes the known key derivate function, KDF, to generate a session key from the received public cryptographic key PS associated with the digital payment service functionality DPSF, as well as from a private cryptographic key associated with the payer communication device PD2.

The payer communication device PD2 and the digital payment service functionality DPSF then uses the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

The payer communication device PD2 and the payee communication device PD1 can now perform the actual payment transaction with respect to the digital payment service functionality DPSF in a functional block seen as “Step 4” in Figure 5. This involves the following: The payer communication device PD2 sends a payment request 570a over the secure logical connection SLC by short-range wireless data communication SRWDC to the payee communication device PD1. The payment request includes the data *QR data obtained in step 530, or at least the payment details 522 thereof, and an identifier PID 2 associated with the payer communication device PD2 (or payer user P2). The payee communication device PD1 forwards the payment request over the secure logical connection SLC at 570b to the digital payment service functionality DPSF.

In response, the digital payment service functionality DPSF processes the payment request at 572, and encourages in steps 580a-b the payer communication device PD2 over the secure logical connection SLC to obtain an authentication (approval) of the digital payment by the payer user P2, for instance in the form of a passcode or biometric authentication. This is done by sending an authentication request 580a by wide-area network communication over the secure logical connection SLC to the payee communication device PD1. The payee communication device PD1 will forward the authentication request at 580b to the payer communication device PD2 over the secure logical connection SLC by short-range wireless data communication SRWDC.

Once the payer user P2 has authenticated the digital payment in step 582, the payer communication device PD2 sends a payment commit in step 590a over the secure logical connection SLC by short-range wireless data communication SRWDC to the payee communication device PD1. The payee communication device PD1 forwards the payment commit by wide-area network communication over the secure logical connection SLC at 590b to the digital payment service functionality DPSF.

The digital payment service functionality DPSF executes the payment in step 592. If the digital transaction was successfully performed, the digital payment service functionality DPSF sends a payment confirmation for the transaction identifier ID to the payee communication device PD1 in step 594. Upon receipt thereof, the payee communication device PD1 or the payee user PI can release the product to be purchased, perform the ordered service, grant the desired access, etc., to the payer user P2. Figure 6 is a flowchart diagram of one implementation of the inventive functionality for performing real-time digital proximity payments as described for Figure 3. The primary difference with respect to the flowchart in Figure 5 is that in Figure 6, the payer communication device PD2 is the aforementioned first device 31 (the one device that is online, i.e. has the ability to communicate directly with the digital payment service functionality DPSF by wide-area network communication), whereas the payee communication device PD1 is the aforementioned second device 32 (the other device that is offline).

Like in Figure 1 and Figure 5, the digital payment service functionality DPSF comprises two parts: a payment service part (Payment Service Cloud) which is a front- end towards the payee communication device PD1 and payer communication device PD2, and a payment settlement part (RTP Cloud) which is a back-end that is operative to settle the digital payment transaction, if needed by communication with external entities (such as banks).

As can be seen in Figure 6, the payee communication device PD1 executes a proceed-to-payment step 602 and a real-time payment initiation step 604.

The payee communication device PD1 then proceeds to a functional block seen as “Step 1” in Figure 6 to make transaction support data TSD available to the payer communication device PD2. This can be seen also at 3’ and 4’ in Figure 3. The transaction support data TSD includes payment details 622 which may be similar to Figure 1, Figure 4 and Figure 5. Hence, the payment details 622 will typically comprise an amount to be paid and possibly an identifier PID 1 associated with the payee communication device PD1 (or payee user PI). Please note, however, that no transaction identifier ID for the digital payment transaction is yet available, since the payee communication device PD1 is offline and cannot communicate directly with the digital payment service functionality DPSF to retrieve such an ID, like it was done in steps 510 and 512 in Figure 5.

The transaction support data TSD in Figure 6 includes the following additional control data.

As seen at 623, the transaction support data TSD in Figure 6 includes an indication that a transaction identifier ID is not available. The transaction support data TSD in Figure 6 further includes an indication 624 of a current ability (or disability) of the payee communication device PD1 to communicate directly with the digital payment service functionality DPSF by wide-area network WAN communication. In Figure 6, the indication 624 may serve to inform the payer communication device PD2 that the payee communication device PD1 has no WAN access 10.

The transaction support data TSD in Figure 6 further includes an indication 625 of an ability (or disability) of the payee communication device PD1 to act as aforesaid first device 31 in the aforementioned method (thereby being capable of supporting the payer communication device PD2 to act as aforesaid second device 32), and/or to act as aforesaid second device 32 (thereby asking for support by the payer communication device PD2 acting as aforesaid first device 31). In Figure 6, the indication 625 is set to indicate the latter case.

Finally, the transaction support data TSD in Figure 6 further includes a resource locator 626 that can be invoked by the payer communication device PD2 for communication with the digital payment service functionality DPSF when acting as the aforesaid first device 31 or the aforesaid second device 32.

The payee communication device PD1 generates a QR code 4’ to represent the transaction support data TSD in step 620 and presents the QR code on a display, so that the QR code 4’ can be scanned at 630 by the payer communication device PD2. Hence, the payee communication device PD1 makes the transaction support data TSD available 3’ to the payer communication device PD1 by generating 620 an optical code 4’ which is readable 630 by the payer communication device PD1. In other implementations, the payee communication device PD1 makes the transaction support data TSD available 3’ to the payer communication device PD1 by communicating it to the payer communi cation device PD1 by Bluetooth communication or any other short-range wireless data communication as referred to in this document.

The payer communication device PD2 extracts the transaction support data TSD (*QR data) from the QR code 4’ and begins to participate in the digital payment transaction at 640. In the case of Figure 6, the payer communication device PD2 interprets the extracted transaction support data TSD and learns from the indication 624 that the payee communication device PD1 has no WAN access 10. It also learns from the indication 625 that the payee communication device PD1 wishes to act as the aforesaid second device 32, i.e. that it wants the payer communication device PD2 to act as its proxy to assist the payee communication device PD1 with the payee-related communications 12a-b with the digital payment service functionality DPSF.

Acting on the information above, the payer communication device PD2 proceeds to a functional block “Step 2” in Figure 6 to establish short-range wireless data communication SRWDC with the payee communication device PD1. This is seen at 650 in Figure 6. This may involve setting up a Bluetooth connection, or using any other short-range wireless data communication as referred to in this document.

The establishment of the secure logical link SLC shall then be done. This involves the following activity which is illustrated as a functional block “Step 3” in Figure 6. The payee communication device PD1 sends a first end-to-end link request 660 by short-range wireless data communication SRWDC to the payer communication device PD2. The first end-to-end link request 660 comprises a public cryptographic key (public key 1) associated with the payee communication device PD1.

The payer communication device PD2 receives, by short-range wireless data communication SRWDC, the first end-to-end link request 660 from the payee communication device PDF In response, the payer communication device PD2 sends (i.e. forwards), by wide-area network communication, a second end-to-end link request 662 to the digital payment service functionality DPSF. The second end-to-end link request 662 thus comprises the public cryptographic key (public key 1) as received from the payee communication device PDF

The digital payment service functionality DPSF establishes the secure logical connection SLC with the payee communication device PD1 by making use of the public cryptographic key (public key 1) associated with the payee communication device PD1 and received in the second end-to-end link request 662. Hence, the digital payment service functionality DPSF uses the public cryptographic key (public key 1) for encrypting upcoming wide-area network communication being sent on the secure logical connection SLC to the payer communication device PD2 acting as said first device 31 but being directed at the payee communication device PD1 acting as said second device 32.

In one implementation, the establishing of the secure logical connection SLC between the digital payment service functionality DPSF and the payee communication device PD1 involves the following activity:

The digital payment service functionality DPSF generates a session key, encrypts the session key with the public cryptographic key (public key 1) associated with the payee communication device PD1 and received in the second end-to-end link request 662, and transmits 664 the encrypted session key by wide-area network communication to the payer communication device PD2. The payer communication device PD2 forwards 666 the encrypted session key to the payee communication device PD1 by short-range wireless data communication SRWDC. The payee communication device PD1 decrypts the encrypted session key using a private cryptographic key associated with the payee communication device PD1.

The payee communication device PD1 and the digital payment service functionality DPSF then uses the session key as a shared secret in a cryptographic scheme, such as ECIES, for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

In an alternative implementation, the establishing of the secure logical connection SLC between the digital payment service functionality DPSF and the payee communication device PD1 involves the following activity:

The digital payment service functionality DPSF invokes a known key derivate function, KDF, to generate a session key from the public cryptographic key (public key 1) associated with the payee communication device PD1 and received in the second end-to-end link request 662, as well as from a private cryptographic key associated with the digital payment service functionality DPSF. The digital payment service functionality DPSF then transmits a public cryptographic key PS associated with the digital payment service functionality DPSF by wide-area network communication to the payer communication device PD2. The payer communication device PD2 forwards the received public cryptographic key PS associated with the digital payment service functionality DPSF to the payee communication device PD1 by short-range wireless data communication SRWDC. The payee communication device PD1 invokes the known key derivate function, KDF, to generate a session key from the received public cryptographic key PS associated with the digital payment service functionality DPSF, as well as from a private cryptographic key associated with the payee communication device PD1.

The payee communication device PD1 and the digital payment service functionality DPSF then uses the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

Now that there is an established secure logical connection SLC to the digital payment service functionality DPSF, the payee communication device PD1 makes a transaction identifier request 610a-b to the payment service part of the digital payment service functionality DPSF via short-range wireless data communication SRWDC with the payer communication device PD2. In response, the payee communication device PD1 receives a transaction identifier ID in step 612a-b from the payment service part of the digital payment service functionality DPSF, again via short-range wireless data communication SRWDC with the payer communication device PD2.

The payee communication device PD1 then informs the payer communication device PD2 of the transaction identifier ID by short-range wireless data communication SRWDC, as seen at 612c. The payer communication device PD2 completes the transaction support data TSD’ with the transaction identifier ID now obtained, as can be seen at 622b.

The payer communication device PD2 and the payee communication device PD1 can now perform the actual payment transaction with respect to the digital payment service functionality DPSF in a functional block seen as “Step 4” in Figure 6. This involves the following:

The payer communication device PD2 sends a payment request 670 by wide- area network communication to the digital payment service functionality DPSF. The payment request 670 includes the data *QR data obtained in step 630, or at least the payment details 622 thereof, and an identifier PID 2 associated with the payer communication device PD2 (or payer user P2). In response, the digital payment service functionality DPSF processes the payment request at 672, and encourages in step 680 the payer communication device PD2 to obtain an authentication (approval) of the digital payment by the payer user P2, for instance in the form of a passcode or biometric authentication. This is done by sending an authentication request 680 by wide-area network communication to the payer communication device PD2.

Once the payer user P2 has authenticated the digital payment in step 682, the payer communication device PD2 sends a payment commit in step 690 by wide-area network communication to the digital payment service functionality DPSF.

The digital payment service functionality DPSF executes the payment in step 692. If the digital transaction was successfully performed, the digital payment service functionality DPSF sends a payment confirmation for the transaction identifier ID to the payee communication device PD1 in steps 694a-b. This is done by sending the payment confirmation 694a by wide-area network communication over the secure logical connection SLC to the payer communication device PD2. The payer communication device PD2 will forward the payment confirmation as seen at 694b to the payee communication device PD1 over the secure logical connection SLC by short-range wireless data communication SRWDC.

Upon receipt of the payment confirmation, the payee communication device PD1 or the payee user PI can release the product to be purchased, perform the ordered service, grant the desired access, etc., to the payer user P2.

To sum up, one aspect of the invention is a method for performing a digital payment transaction that involves a payee communication device PD1, a payer communication device PD2 and cloud-based digital payment service functionality DPSF. A first device 31 among the payee communication device PD1 and payer communication device PD2 communicates with the digital payment service functionality DPSF directly by wide-area network, WAN, communication. A second device 32 among the payee communication device PD1 and payer communication device PD2 communicates with the digital payment service functionality DPSF via a secure logical connection SLC with the digital payment service functionality DPSF, the secure logical connection SLC being effectuated physically via short-range wireless data communication SRWDC with the first device 31. The first device 31 thus relays communication between the second device 32 and the digital payment service functionality DPSF via the secure logical connection SLC without access to information contained in the communication.

With this in mind, and considering the detailed description of Figures 2-3 and 5-6, the following should be clear:

When the payee communication device PD1 is acting as said first device 31, the requesting and receiving 510, 512 of the transaction identifier ID and the receiving 594 of the payment completion confirmation occur directly by wide-area network WAN communication with the digital payment service functionality DPSF.

When, on the other hand, the payee communication device PD1 is acting as said second device 32, the requesting and receiving 610a-b, 612a-b of the transaction identifier ID and the receiving 694a-b of the payment completion confirmation occur via the secure logical connection SLC and short-range wireless data communication SRWDC with the payer communication device PD2.

When the payer communication device PD2 is acting as said first device 31, the sending of the payment request 670 and the receiving of and responding to 680, 690 the payment commit request occur directly by wide-area network, WAN, communication with the digital payment service functionality DPSF.

When, on the other hand, the payer communication device PD2 is acting as said second device 32, the sending of the payment request 570a-b and the receiving of and responding to 580b, 590a the payment commit request occur via the secure logical connection SLC by short-range wireless data communication SRWDC with the payee communication device PD1.

Figure 7 is a schematic block diagram of a communication device 100 in embodiments of the present invention. The payee communication device PD1 may be implemented by such a communication device 100 in embodiments of the invention. Likewise, the payer communication device PD2 may be implemented by such a communication device 100 in embodiments of the invention. The communication device 100 comprises a processing device 110, a user interface 120, a short-range wireless communication transceiver 130, a WAN communication interface 140 and a memory 150.

The user interface 120 comprises an input device 122 and a presentation device 124, as is generally known. In some embodiments, the input device 122 and the presentation device 124 are constituted by one common physical device, such as for instance a touch screen (touch-sensitive display screen), implemented in for instance resistive touch technology, surface capacitive technology, projected capacitive technology, surface acoustic wave technology or infrared technology.

The short-range wireless communication transceiver 130 is configured for Bluetooth communication, or any other radio-based short-range wireless data communication such as, for instance, Bluetooth Low Energy, RFID, WLAN, WiFi, mesh communication or LTE Direct, without limitation, or any non-radio-based short- range wireless data communication such as, for instance, magnetic communication (such as NFC), (ultra)sound communication, or optical communication (such as IrDA) without limitation.

The WAN communication interface 140 is configured for wide area network communication compliant with, for instance, one or more of W-CDMA, GSM,

UTRAN, HSPA, LTE, LTE Advanced, and TCP/IP, and/or WLAN (WiFi), without limitation.

The processing device 110 may be implemented in any known controller technology, including but not limited to microcontroller, processor (e.g. PLC, CPU, DSP), FPGA, ASIC or any other suitable digital and/or analog circuitry capable of performing the intended functionality.

The memory 150 may be implemented in any known memory technology, including but not limited to ROM, RAM, SRAM, DRAM, CMOS, FLASH, DDR, SDRAM or some other memory technology. In some embodiments, the memory or parts thereof may be integrated with or internal to the processing device 110. The memory may store program instruction for execution by the processing device 110 (also see the description of Figure 8 below), as well as temporary and permanent data for use by the processing device 110. Figure 8 is a schematic illustration of a computer-readable medium 800 in one exemplary embodiment, capable of storing a computer program product 810. The computer-readable medium 800 in the disclosed embodiment is a memory stick, such as a Universal Serial Bus (USB) stick; the computer-readable medium 800 may however be embodied in various other ways instead, as is well-known per se to the skilled person. The USB stick 800 comprises a housing 830 having an interface, such as a connector 840, and a memory chip 820. In the disclosed embodiment, the memory chip 820 is a flash memory, i.e. a non-volatile data storage that can be electrically erased and re-programmed. The memory chip 820 stores the computer program product 810 which is programmed with computer program code (instructions) that when loaded into a processing device, such as a CPU, will perform a method for performing a digital payment transaction according to any or all of the embodiments disclosed above. The processing device may, for instance, be the aforementioned processing device 110. The USB stick 800 is arranged to be connected to and read by a reading device for loading the instructions into the processing device. It should be noted that a computer-readable medium can also be other mediums such as compact discs, digital video discs, hard drives or other memory technologies commonly used. The computer program code (instructions) can also be downloaded from the computer-readable medium via a wireless interface to be loaded into the processing device.

Advantageously, the embodiments/implementations in Figures 2 and 5 are combined with those in Figures 3 and 6. This gives a very powerful and flexible communication system U, where both payee communication devices PD1 and payer communication devices PD2 can act interchangeably as proxies for each other, to assist the other device that happens to lacks momentary ability for WAN communication in participating in a digital payment transaction.

Alternatively, and still beneficially, however, the invention may be used in scenarios where one of the devices, typically the payer communication device PD2, lacks ability for WAN communication on a more permanent basis - for instance because it is a less sophisticated mobile communication device, such as a feature phone, that may lack a WAN communication interface altogether. In fact, such mobile a communication device may even lack the ability for radio-based short-range wireless data communication (e.g., lack a Bluetooth transceiver), and still make use of the inventive functionality by acting as said second device 32 and use the payee communication device PD1 as a proxy by non-radio-based short-range wireless data communication, such as for instance magnetic communication (such as NFC), (ultra)sound communication, or optical communication (such as IrDA).

Embodiments of the invention are directed at facilitating for a user to enjoy a service provided by a service providing machine, subject to payment by the user for the service. The service providing machine may, for instance, be a vending machine at which the user can pay for and retrieve food, drinks, snacks, sweets, newspapers, articles of manufacture, etc. The service providing machine may alternatively be a ticket machine from which the user may buy a ticket for public transportation, a theatre show, a concert, a movie, a sports event, etc. As yet an alternative, the service providing machine may be a dispensing machine from which the user may buy a certain volume or amount of liquid or solid material, such as gasoline, diesel oil, washer fluid, fertilizer, soil, kernels, seeds, etc. Further alternatives involve the service providing machine being an access control system or device (such as, for instance, a locker), a service terminal, a point-of-sales terminal, a checkout counter or a delivery pickup point, without limitation.

For reference, please first see Figure 9 that schematically illustrates a service providing machine SPM according to the prior art. The service providing machine SPM provides a service to the user U, subject to payment by the user U for the service. To this end, the service providing machine SPM comprises a payment module 930, a controller 940 and a service module 950. As seen at 1010, the user U pays a certain cash amount (e.g. coins or bank notes) which is received and checked by the payment module 930. As seen at 1020, if sufficient and valid payment has been made, the controller 940 causes the service module 950 to provide the service that has been duly paid for to the user U, e.g. by releasing an article in a vending machine, printing a ticket, dispensing a fluid volume, etc.

Figure 10 is a schematic illustration of how a service providing machine SPM can support cloud-based digital payments by the user U, rather than having to resort to cash payments. To this end, the service providing machine SPM comprises a service module 1050 for providing a service to the user U subject to payment by the user for the service, and a controller 1040. The service providing machine SPM in Figure 10 further comprises a short-range wireless data communication module 1030 that contains, for instance, a Bluetooth transceiver chip, or is otherwise enabled for short-range wireless data communication in any of the manners previously described in this document.

As seen at 1010 in Figure 10, the user U operates a mobile communication device MCD to communicate with cloud-based digital payment service functionality DPSF by wide-area network WAN communication so as to perform a digital payment for the service provided by the service providing machine SPM.

The controller 1040 of the service providing machine SPM is configured for causing the short-range wireless data communication module 1030 to communicate with the digital payment service functionality DPSF via a secure logical connection SLC to obtain a payment confirmation of successful performance of the digital payment performed by the user U operating the mobile communication device MCD. This is seen at 1015 in Figure 10. As previously described in this document, the secure logical connection SLC is effectuated physically via short-range wireless data communication SRWDC with the mobile communication device MCD. The mobile communication device MCD is thus being used as a relay of communication between the service providing machine SPM and the digital payment service functionality DPSF via the secure logical connection (SLC) without having access to information contained in the communication.

As seen at 1020 in Figure 10, the controller 1040 of the service providing machine SPM is configured for causing the service module 1050 to provide the service to the user U upon obtained payment confirmation.

The service providing machine SPM, mobile communication device MCD and digital payment service functionality DPSF in Figure 10 thus constitute a communi cation system 1001 in which a method can be performed for providing a service by the service providing machine SPM to the user U, subject to payment by the user for the service. As can be understood from the foregoing description, this method involves the mobile communication device MCD communicating 1010 with the cloud-based digital payment service functionality DPSF by wide-area network WAN communication to perform a digital payment for the service provided by the service providing machine SPM.

The method further involves the service providing machine SPM communi cating 1015 with the digital payment service functionality DPSF via the secure logical connection SLC to obtain a payment confirmation of successful performance of the digital payment. As previously explained, the secure logical connection SLC is effectuated physically via short-range wireless data communication SRWDC with the mobile communication device MCD, such that the mobile communication device MCD will relay communication between the service providing machine SPM and the digital payment service functionality DPSF via the secure logical connection SLC without having access to information contained in the communication.

The method finally involves the service providing machine SPM providing 1020 the service to the user U upon obtained payment confirmation.

Conveniently, a particular service providing machine SPM, or type, model, brand or version thereof, as known from Figure 9 may be upgraded to be able to support cloud-based digital payments like in Figure 10 by retrofitting the short-range wireless data communication module 1030 to the or each service providing machine SPM. Retrofitting the short-range wireless data communication module 1030 may involve replacing the payment module 930, or installing the short-range wireless data communication module 1030 in parallel to the payment module 930. In the latter case, the service providing machine SPM may thus continue to support cash payments as an alternative to cloud-based digital payments.

When upgrading the service providing machine SPM in this manner, the service providing machine SPM may be provided with relevant cryptographic information (such as a public cryptographic key, as previously described in this document) and software functionality needed for the establishment of the secure logical connection SLC and communication in step 1015. Such cryptographic information and software functionality may be stored in a memory or secure element of the controller 1040, or in a local memory or secure element of the short-range wireless data communication module 1030. If the service providing machine SPM to be upgraded already has the hardware needed for short-range wireless data communication SRWDC (for instance a service terminal in the form of a tablet computer that has a factory-installed Bluetooth transceiver chip), it may suffice to make an upgrade by adding the relevant cryptographic information and software functionality needed.

Reference is now made to Figure 11 which is a schematic diagram of a communication system 1101 that enables a service providing machine SPM to provide a service to a user U, subject to digital payment by the user U by means of a mobile communication device MCD. The mobile communication device MCD at the same time acts as a proxy of the service providing machine SPM to obtain a payment confirmation from a cloud-based digital payment service functionality DPSF. The communication system 1101 can be implemented in much the same way as the communication system G previously described with reference to Figure 3, wherein the aforementioned payee communication device PD1 hence is the service providing machine SPM acting as the second device 1132 (cf. device 32 in the previous description), and the payer communication device PD2 hence is the mobile communication device MCD acting as the first device 1131 (cf. device 31 in the previous description). Each element or activity being labelled with a “9” followed by one or two digits in Figure 11 can thus be the same, or at least have essentially the same or corresponding function as an element or activity being labelled by the same one or two digits in Figure 3. As the reader will understand, the communication system 1101 in Figure 11 will therefore be capable of performing the method that was described above in conjunction with Figure 10.

The invention has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims.

Claims

1. A method for performing a digital payment transaction that involves a payee communication device (PD1), a payer communication device (PD2) and cloud-based digital payment service functionality (DPSF), wherein a first device (31) among the payee communication device (PD1) and payer communication device (PD2) communicates with the digital payment service functionality (DPSF) directly by wide- area network (WAN) communication whereas a second device (32) among the payee communication device (PD1) and payer communication device (PD2) communicates with the digital payment service functionality (DPSF) via a secure logical connection (SLC) with the digital payment service functionality (DPSF), the secure logical connection (SLC) being effectuated physically via short-range wireless data communication (SRWDC) with the first device (31), the first device (31) thus relaying communication between the second device (32) and the digital payment service functionality (DPSF) via the secure logical connection (SLC) without access to information contained in the communication.

2. The method as defined in claim 1, wherein: when the payee communication device (PD1) is acting as said first device (31), it makes payee-related communications (12) of the digital payment transaction directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication and relays payer-related communications (22a, 22b) of the digital payment transaction from the payer communication device (PD2) to the digital payment service functionality (DPSF) by wide-area network (WAN) communication; and when the payer communication device (PD2) is acting as said first device (31), it makes payer-related communications (22) of the digital payment transaction directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication and relays payee-related communications (12a, 12b) of the digital payment transaction from the payee communication device (PD1) to the digital payment service functionality (DPSF) by wide-area network (WAN) communication.

3. The method as defined in claim 1 or 2, wherein the payee communication device (PD1), at an initial stage of the digital payment transaction, makes transaction support data (TSD) available (3’) to the payer communication device (PD1), the transaction support data (TSD) comprising: an indication (524; 624) of a current ability of the payee communication device (PD1) to communicate directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication.

4. The method as defined in claim 3, the transaction support data (TSD) further comprising: an indication (525; 625) of an ability of the payee communication device (PD1) to act as said first device (31), thereby being capable of supporting the payer communication device (PD1) to act as said second device (32), and/or to act as said second device (32), thereby asking for support by the payer communication device (PD1) acting as said first device (31).

5. The method as defined in claim 3 or 4, the transaction support data (TSD) further comprising: a payment amount; and at least one of: a transaction identifier (ID); an identifier (PID 1) associated with the payee communication device

(PD1) or a payee user (PI).

6. The method as defined in any of claims 3-5, the transaction support data (TSD) further comprising: a resource locator (526; 626) that can be invoked by said payer communication device (PD2) for communication with the digital payment service functionality (DPSF) when acting as said first device (31) or said second device (32).

7. The method as defined in any of claims 3-6, wherein the payee communication device (PD1) makes the transaction support data (TSD) available (3’) to the payer communication device (PD1) by generating (520; 620) an optical code (4’) which is readable (530; 630) by the payer communication device (PD1).

8. The method as defined in any of claims 3-6, wherein the payee communication device (PD1) makes the transaction support data (TSD) available (3’) to the payer communication device (PD1) by communicating it to the payer communication device (PD1) by short-range wireless data communication.

9. The method as defined in any preceding claim, further comprising, when the payer communication device (PD2) has no current ability to communicate directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication: the payee communication device (PD1) receiving, by short-range wireless data communication (SRWDC), a first end-to-end link request (560) from the payer communication device (PD2), the first end-to-end link request (560) comprising a public cryptographic key (public key 2) associated with the payer communication device (PD2); the payee communication device (PD1) in response sending, by wide-area network (WAN) communication, a second end-to-end link request (562) to the digital payment service functionality (DPSF), the second end-to-end link request (562) comprising the public cryptographic key (public key 2) as received from the payer communication device (PD2); and the digital payment service functionality (DPSF) establishing the secure logical connection (SLC) with the payer communication device (PD2) by making use of the public cryptographic key (public key 2) associated with the payer communication device (PD2) and received in the second end-to-end link request (562) for encrypting upcoming wide-area network (WAN) communication being sent on the secure logical connection (SLC) to the payee communication device (PD1) acting as said first device (31) but being directed at the payer communication device (PD2) acting as said second device (32).

10. The method as defined in claim 9, wherein establishing the secure logical connection (SLC) between the digital payment service functionality (DPSF) and the payer communication device (PD2) involves: the digital payment service functionality (DPSF): generating a session key, encrypting the session key with the public cryptographic key (public key 2) associated with the payer communication device (PD2) and received in the second end-to-end link request (562), and transmitting (564) the encrypted session key by wide-area network (WAN) communication to the payee communication device (PD1); the payee communication device (PD1) forwarding (566) the encrypted session key to the payer communication device (PD2) by short-range wireless data communication (SRWDC); the payer communication device (PD2) decrypting the encrypted session key using a private cryptographic key associated with the payer communication device (PD2), and the payer communication device (PD2) and the digital payment service functionality (DPSF) using the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

11. The method as defined in claim 9, wherein establishing the secure logical connection (SLC) between the digital payment service functionality (DPSF) and the payer communication device (PD1) involves: the digital payment service functionality (DPSF): invoking a known key derivate function to generate a session key from the public cryptographic key (public key 2) associated with the payer communication device (PD2) and received in the second end-to-end link request (562) as well as from a private cryptographic key associated with the digital payment service functionality (DPSF), and transmitting a public cryptographic key (PS) associated with the digital payment service functionality (DPSF) by wide-area network (WAN) communication to the payee communication device (PD1); the payee communication device (PD1) forwarding the received public cryptographic key (PS) associated with the digital payment service functionality (DPSF) to the payer communication device (PD2) by short-range wireless data communication (SRWDC); the payer communication device (PD2) invoking the known key derivate function to generate a session key from the received public cryptographic key (PS) associated with the digital payment service functionality (DPSF) as well as from a private cryptographic key associated with the payer communication device (PD2), and the payer communication device (PD2) and the digital payment service functionality (DPSF) using the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

12. The method as defined in any of claims 1-8, further comprising, when the payee communication device (PD1) has no current ability to communicate directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication: the payer communication device (PD2) receiving, by short-range wireless data communication, a first end-to-end link request (660) from the payee communication device (PD1), the first end-to-end link request (660) comprising a public cryptographic key (public key 1) associated with the payee communication device (PD1); the payer communication device (PD2) in response sending, by wide-area network (WAN) communication, a second end-to-end link request (662) to the digital payment service functionality (DPSF), the second end-to-end link request (662) comprising the public cryptographic key (public key 1) as received from the payee communication device (PD1); and the digital payment service functionality (DPSF) establishing the secure logical connection (SLC) with the payee communication device (PD1) by making use of the public cryptographic key (public key 1) associated with the payee communication device (PD1) and received in the second end-to-end link request (662) for encrypting upcoming wide-area network (WAN) communication being sent on the secure logical connection (SLC) to the payer communication device (PD2) acting as said first device (31) but being directed at the payee communication device (PD1) acting as said second device (32).

13. The method as defined in claim 12, wherein establishing the secure logical connection (SLC) between the digital payment service functionality (DPSF) and the payee communication device (PD1) involves: the digital payment service functionality (DPSF): generating a session key, encrypting the session key with the public cryptographic key (public key 1) associated with the payee communication device (PD1) and received in the second end-to-end link request (662), and transmitting (664) the encrypted session key by wide-area network (WAN) communication to the payer communication device (PD2); the payer communication device (PD2) forwarding (666) the encrypted session key to the payee communication device (PD1) by short-range wireless data communication (SRWDC); the payee communication device (PD1) decrypting the encrypted session key using a private cryptographic key associated with the payee communication device (PD1), and the payee communication device (PD1) and the digital payment service functionality (DPSF) using the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

14. The method as defined in claim 12, wherein establishing the secure logical connection (SLC) between the digital payment service functionality (DPSF) and the payee communication device (PD2) involves: the digital payment service functionality (DPSF): invoking a known key derivate function to generate a session key from the public cryptographic key (public key 1) associated with the payee communication device (PD1) and received in the second end-to-end link request (662) as well as from a private cryptographic key associated with the digital payment service functionality (DPSF), and transmitting a public cryptographic key (PS) associated with the digital payment service functionality (DPSF) by wide-area network (WAN) communication to the payer communication device (PD2); the payer communication device (PD2) forwarding the received public cryptographic key (PS) associated with the digital payment service functionality (DPSF) to the payee communication device (PD1) by short-range wireless data communication (SRWDC); the payee communication device (PD1) invoking the known key derivate function to generate a session key from the received public cryptographic key (PS) associated with the digital payment service functionality (DPSF) as well as from a private cryptographic key associated with the payee communication device (PD1), and the payee communication device (PD1) and the digital payment service functionality (DPSF) using the session key as a shared secret in a cryptographic scheme for encrypting and decrypting information which is communicated between them when performing the digital payment transaction.

15. The method as defined in any preceding claim, wherein communication between the payee communication device (PD1) and the digital payment service functionality (DPSF) involves: the payee communication device (PD1) requesting and receiving (510, 512; 610a-b, 612a-b) a transaction identifier (ID); and, at a different stage of the digital payment transaction, the payee communication device (PD1) receiving (594; 694a-b) a payment completion confirmation.

16. The method as defined in claim 15, wherein: when the payee communication device (PD1) is acting as said first device (31), the requesting and receiving (510, 512) of the transaction identifier (ID) and the receiving (594) of the payment completion confirmation occur directly by wide-area network (WAN) communication with the digital payment service functionality (DPSF); and when the payee communication device (PD1) is acting as said second device (32), the requesting and receiving (610a-b, 612a-b) of the transaction identifier (ID) and the receiving (694a-b) of the payment completion confirmation occur via the secure logical connection (SLC) and short-range wireless data communication (SRWDC) with the payer communication device (PD2).

17. The method as defined in any preceding claim, wherein communication between the payer communication device (PD2) and the digital payment service functionality (DPSF) involves: the payer communication device (PD2) sending a payment request (570a-b; 670), the payment request comprising payment details; and the payer communication device (PD2) receiving and responding (580b, 590a; 680, 690) to a payment commit request.

18. The method as defined in claim 17, wherein: when the payer communication device (PD2) is acting as said first device (31), the sending of the payment request (670) and the receiving of and responding to (680, 690) the payment commit request occur directly by wide-area network (WAN) communication with the digital payment service functionality (DPSF); and when the payer communication device (PD2) is acting as said second device (32), the sending of the payment request (570a-b) and the receiving of and responding to (580b, 590a) the payment commit request occur via the secure logical connection (SLC) and short-range wireless data communication (SRWDC) with the payee communication device (PD1).

19. The method as defined in claim 17 or 18, wherein the payment details comprise: a payment amount; an identifier (PID 2) associated with the payer communication device (PD2) or a payer user (P2); and at least one of: a transaction identifier (ID); and an identifier (PID 1) associated with the payee communication device

(PD1) or a payee user (PI).

20. The method as defined in any of claims 1-19, wherein the payee communication device (PD1) is a service providing machine (SPM) acting as said second device (32; 1132) and the payer communication device (PD2) is a mobile communication device (MCD) acting as said first device (31; 1131), the method involving: the mobile communication device (MCD) communicating (1010) with cloud- based digital payment service functionality (DPSF) by wide-area network (WAN) communication to perform a digital payment for the service provided by the service providing machine (SPM); the service providing machine (SPM) communicating (1015) with the digital payment service functionality (DPSF) via a secure logical connection (SLC) to obtain a payment confirmation of successful performance of the digital payment, the secure logical connection (SLC) being effectuated physically via short-range wireless data communication (SRWDC) with the mobile communication device (MCD), the mobile communication device (MCD) thus relaying communication between the service providing machine (SPM) and the digital payment service functionality (DPSF) via the secure logical connection (SLC) without access to information contained in the communication; and the service providing machine (SPM) providing (1020) the service to the user (U) upon obtained payment confirmation.

21. A communication system ( ) for real-time digital proximity payments, comprising: a payee communication device (PD1); a payer communication device (PD2); and digital payment service functionality (DPSF) which is accessible by wide-area network (WAN) communication, wherein the payee communication device (PD1) is configured for, when it has a current ability to communicate with the digital payment service functionality (DPSF) by wide-area network (WAN) communication: making payee-related communications directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication; and acting as a proxy for the payer communication device (PD2) to relay payer-related communications over a secure logical connection (SLC) between the payer communication device (PD2) and the digital payment service functionality (DPSF) by short-range wireless data communication (SRWDC) with the payer communication device (PD2) and wide-area network (WAN) communication with the digital payment service functionality (DPSF).

22. The communication system (G) as defined in claim 21, wherein the payer communication device (PD2) is configured for, when it has a current ability to communicate with the digital payment service functionality (DPSF) by wide-area network (WAN) communication: making payer-related communications directly with the digital payment service functionality (DPSF) by wide-area network (WAN) communication; and acting as a proxy for the payee communication device (PD1) to relay payee-related communications over a secure logical connection (SLC) between the payee communication device (PD1) and the digital payment service functionality (DPSF) by short-range wireless data communication (SRWDC) with the payee communication device (PD1) and wide-area network (WAN) communication with the digital payment service functionality (DPSF).

23. The communication system (G) as defined in claim 21 or 22, wherein the payee communication device (PD1) is configured for performing the functionality of the payee communication device (PD1) in the method defined by any of claims 1-20.

24. The communication system (G) as defined in any of claims 21-23, wherein the payer communication device (PD2) is configured for performing the functionality of the payer communication device (PD2) in the method defined by any of claims 1-20.

25. The communication system (G) as defined in any of claims 21-24, wherein the digital payment service functionality (DPSF) is configured for performing the functionality of the digital payment service functionality (DPSF) in the method defined by any of claims 1-20.

26. A communication device (PD1, PD2) configured for performing the functionality of the payee communication device (PD1) in the method defined by any of claims 1-20.

27. A communication device (PD1, PD2) configured for performing the functionality of the payer communication device (PD2) in the method defined by any of claims 1-20.

28. The communication device (PD1, PD2) as defined in any of claims 26-27, wherein the communication device is one of the following: a mobile communication device; a mobile phone; a smart phone; a tablet computer; a personal digital assistant; a portable computer; smart glasses, a smart watch; a smart bracelet; a service terminal; a point-of-sales terminal; a checkout counter; a delivery pickup point; a vending machine; a ticket machine; a dispensing machine; and an access control system.

29. A computer program product comprising computer code for performing the functionality of the payee communication device (PD1) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

30. A computer program product comprising computer code for performing the functionality of the payer communication device (PD2) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

31. A computer program product comprising computer code for performing the functionality of the digital payment service functionality (DPSF) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

32. A computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the payee communication device (PD1) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

33. A computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the payer communication device (PD2) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

34. A computer readable medium having stored thereon a computer program comprising computer program code for performing the functionality of the digital payment service functionality (DPSF) in the method according to any of claims 1-20 when the computer program code is executed by a processing device.

35. A method for providing a service by a service providing machine (SPM) to a user (U) subject to payment by said user for said service, the user being provided with a mobile communication device (MCD), the method involving: the mobile communication device (MCD) communicating (1010) with cloud- based digital payment service functionality (DPSF) by wide-area network (WAN) communication to perform a digital payment for the service provided by the service providing machine (SPM); the service providing machine (SPM) communicating (1015) with the digital payment service functionality (DPSF) via a secure logical connection (SLC) to obtain a payment confirmation of successful performance of the digital payment, the secure logical connection (SLC) being effectuated physically via short-range wireless data communication (SRWDC) with the mobile communication device (MCD), the mobile communication device (MCD) thus relaying communication between the service providing machine (SPM) and the digital payment service functionality (DPSF) via the secure logical connection (SLC) without access to information contained in the communication; and the service providing machine (SPM) providing (1020) the service to the user (U) upon obtained payment confirmation.

36. The method as defined in claim 35, wherein the service providing machine (SPM) is one of the following: a vending machine; a ticket machine; a dispensing machine; an access control system or device; a service terminal; a point-of-sales terminal; a checkout counter; and a delivery pickup point.

37. A service providing machine (SPM) comprising: a service module (1050) for providing a service to a user (U) subject to payment by said user for said service; a controller (1040); and a short-range wireless data communication module (1030), wherein the controller (1040) is configured for causing the short-range wireless data communication module (1030) to communicate with a cloud-based digital payment service functionality (DPSF) via a secure logical connection (SLC) to obtain a payment confirmation of a successful performance of a digital payment performed by said user (U) operating a mobile communication device (MCD), the secure logical connection (SLC) being effectuated physically via short-range wireless data communication (SRWDC) with the mobile communication device (MCD), the mobile communication device (MCD) thus being used as a relay of communication between the service providing machine (SPM) and the digital payment service functionality (DPSF) via the secure logical connection (SLC) without access to information contained in the communication, and wherein the controller (1040) is configured for causing the service module (1050) to provide the service to the user (U) upon obtained payment confirmation.

38. The service providing machine (SPM) as defined in claim 37, wherein the service providing machine (SPM) is one of the following: a vending machine; a ticket machine; a dispensing machine; an access control system or device; a service terminal; a point-of-sales terminal; a checkout counter; and a delivery pickup point.