Logical validation of devices against fraud
Abstract
Disclosed herein is a method and system to determine whether a payment terminal has been tampered with based on a comparison of attestation data received from the payment terminal. If the determination yields that the request has been approved, the terminal generates an attestation ticket having one or more validity conditions, wherein the validity conditions include expiration time that indicates the time after which the attestation ticket becomes invalid. The attestation ticket can be used as long as it is valid or until another trigger causes the ticket to be invalidated or regenerated.
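The approve/deny decision and the ticket's expiration condition, sketched as an added example (not code from the patent or its assignee). The field names, the HMAC-SHA256 signature, the risk threshold, the 600-second lifetime and the idea that the server re-checks a ticket the terminal presents are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"   # assumption: server-held signing key
TICKET_TTL = 600                       # assumption: validity window in seconds
MAX_RISK = 0.5                         # assumption: risk-rating threshold

# Constructed "known behavior" the server compares attestation data against.
KNOWN_GOOD = {"firmware_hash": "aa11", "debugger_attached": False}


def _sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def decide(attestation: dict, now: float) -> dict:
    """Server side: approve or deny, and build the matching ticket."""
    reasons = [f"{k} deviates from known behavior"
               for k, v in KNOWN_GOOD.items() if attestation.get(k) != v]
    # A missing risk rating is treated as maximal, so the check fails closed.
    if attestation.get("risk_rating", 1.0) > MAX_RISK:
        reasons.append("risk rating above threshold")
    if reasons:
        body = {"terminal": attestation["terminal"], "secure": False,
                "denial_reason": "; ".join(reasons)}
    else:
        body = {"terminal": attestation["terminal"], "secure": True,
                "expires_at": now + TICKET_TTL}
    return {"body": body, "mac": _sign(body)}


def ticket_is_valid(ticket: dict, terminal: str, now: float) -> bool:
    """Check applied before a transaction is accepted under a ticket."""
    body = ticket.get("body", {})
    if not hmac.compare_digest(_sign(body), ticket.get("mac", "")):
        return False                        # altered or forged ticket
    if body.get("terminal") != terminal or body.get("secure") is not True:
        return False                        # wrong device or a denial ticket
    return now < body.get("expires_at", 0)  # expired tickets are rejected
```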
22 Claims
1. A computer-implemented method for detecting security threats on a payment terminal capable of communicating with a payment object reader, the method comprising:
generating, by a tamper monitoring component of the payment terminal, a request for attesting security of the payment terminal;
sending, by the tamper monitoring component of the payment terminal, the request for attesting security of the payment terminal to a payment processing server;
generating, by a tamper detection component of the payment processing server, at least one command to scan or test the payment terminal against pre-determined test criteria;
sending, by the tamper detection component of the payment processing server, the command to the payment terminal;
executing, by the tamper monitoring component of the payment terminal, the command to generate attestation data indicative of one or more security threats;
determining, by the tamper detection component of the payment processing server, the attestation data based on the command, wherein attestation data includes at least one of a current state of the payment terminal, a previous state of the payment terminal, a risk rating, and a merchant profile saved on the payment terminal;
sending the attestation data from the tamper detection component of the payment processing server to the tamper monitoring component of the payment terminal;
determining, by the tamper detection component of the payment processing server, whether to approve or deny the request for attesting security based on a comparison of one or more of attestation data with known behavior;
if the determination yields that the request has been approved, further generating an attestation ticket having one or more validity conditions, wherein the one or more validity conditions include expiration time that indicates the time after which the attestation ticket becomes invalid; and
sending the attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is secure; and
if the determination yields that the request has been denied, further generating another attestation ticket at least includes denial notification, wherein the denial notification indicates a reason for denial of the request; and
sending the other attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is not secure.
Dependent claims: 2, 3, 4

5. A method for processing payment transactions at a payment terminal, comprising:
generating, by a tamper monitoring component of the payment terminal, a request for attesting security of the payment terminal;
sending, by the tamper monitoring component of the payment terminal, the request for attesting security of the payment terminal to a payment processing server;
generating, by a tamper detection component of the payment processing server, at least one command to scan or test the payment terminal against pre-determined test criteria;
determining, by the tamper detection component of the payment processing server, attestation data based on execution of the command on the payment terminal, wherein attestation data includes a state of the payment terminal indicative of one or more signs of fraud or tampering of the payment terminal;
determining, by the tamper detection component of the payment processing server, whether to approve or deny the request for attesting security based on a comparison of one or more of attestation data with known behavior;
if the determination yields that the request has been approved, further generating an attestation ticket having one or more validity conditions, wherein the one or more validity conditions include expiration time that indicates the time after which the attestation ticket becomes invalid; and
sending the attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is secure; and
if the determination yields that the request has been denied, further generating another attestation ticket that at least includes a denial notification, wherein the denial notification indicates a reason for denial of the request; and
sending the other attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is not secure.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A payment server, comprising:
a communication interface, wherein the communication interface is configured to receive a request for attesting to security of a payment terminal, and wherein the request comprises a frame of data corresponding to the payment terminal;
a transaction database comprising records, for the payment terminal and a plurality of additional payment terminals, of previous response messages from previous requests and predetermined test criteria; and
a processing element configured to:
generate at least one command to scan or test the payment terminal against the records;
obtain, from the payment terminal submitting the request, attestation data in response to the command;
determine whether to approve or deny the request for attesting security based on a comparison of one or more of attestation data with known behavior;
if the determination yields that the request has been approved, generate an attestation ticket having one or more validity conditions, wherein the one or more validity conditions include expiration time that indicates the time after which the attestation ticket becomes invalid; and
send the attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is secure; and
if the determination yields that the request has been denied, generate another attestation ticket that at least includes a denial notification, wherein the denial notification indicates a reason for denial of the request; and
sending the other attestation ticket to the payment terminal, wherein the attestation ticket indicates that the payment terminal is not secure.
Dependent claims: 16, 17, 18, 19, 20, 21, 22

Specification