Secure smart card transactions

US 10,475,024 B1
Filed: 10/15/2012
Issued: 11/12/2019
Est. Priority Date: 10/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating a transaction between a customer and a merchant using a smart card reader, the method comprising:

storing, by the smart card reader, a reader cryptographic key and a message type tag list that identifies a plurality of tag values, each tag value corresponding to at least one type of non-sensitive message;

reading, by the smart card reader, a first message from a smart card, wherein the first message includes a first tag value;

identifying, by the smart card reader, that the first message is non-sensitive by comparing the first tag value in the first message to the plurality of tag values in the message type tag list and determining that the first tag value in the first message matches a tag value of the plurality of tag values in the message type tag list, wherein the first message identifies one or more supported application types that are supported by the smart card;

in response to identifying that the first message is non-sensitive, transmitting, by the smart card reader, the first message to a mobile device communicatively coupled to the smart card reader;

receiving, by the smart card reader from the mobile device, a response message that is responsive to the first message, the response message identifying a selected application type of the one or more supported application types identified in the first message;

transmitting, by the smart card reader to the smart card, the selected application type;

receiving, by the smart card reader and from the smart card, a second message including a second tag value;

identifying, by the smart card reader, that the second message includes a sensitive portion that includes transaction information associated with the selected application type by comparing the second tag value in the second message to the plurality of tag values in the message type tag list and determining that the second tag value in the second message does not match a tag value of the plurality of tag values in the message type tag list;

formatting, by the smart card reader, the second message to conform to level 1 requirements of a transaction protocol at least by encapsulating at least the sensitive portion of the second message with a non-sensitive header identifying the transaction;

encrypting, by the smart card reader, the sensitive portion of the second message using the reader cryptographic key;

sending, by the smart card reader, the second message through the mobile device to a payment transaction server in response to encrypting the sensitive portion of the second message and formatting the second message to conform to the level 1 requirements of the transaction protocol; and

receiving, by the smart card reader and from the payment transaction server through the mobile device, and in response to sending the second message to the payment transaction server, an indication that the payment transaction server has approved the transaction of the selected application type.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of securely conducting a financial transaction includes receiving, at a card reader, a first plurality of messages from a smart card; identifying, using the reader, one or more sensitive messages in the first plurality of messages, where the first plurality of messages conforms to a protocol of the financial transaction; encrypting, using the reader, the one or more sensitive messages using a cryptographic key of the reader to generate encrypted messages; formatting, using the reader, a second plurality of messages according to the protocol to send to a mobile device, where the second plurality of messages includes the encrypted messages and messages in the first plurality of messages that are not sensitive; determining, using a mobile device, action steps according to the protocol, where the action steps are determined from the second plurality of messages; and executing the action steps.

195 Citations

21 Claims

1. A method of facilitating a transaction between a customer and a merchant using a smart card reader, the method comprising:
- storing, by the smart card reader, a reader cryptographic key and a message type tag list that identifies a plurality of tag values, each tag value corresponding to at least one type of non-sensitive message;
  
  reading, by the smart card reader, a first message from a smart card, wherein the first message includes a first tag value;
  
  identifying, by the smart card reader, that the first message is non-sensitive by comparing the first tag value in the first message to the plurality of tag values in the message type tag list and determining that the first tag value in the first message matches a tag value of the plurality of tag values in the message type tag list, wherein the first message identifies one or more supported application types that are supported by the smart card;
  
  in response to identifying that the first message is non-sensitive, transmitting, by the smart card reader, the first message to a mobile device communicatively coupled to the smart card reader;
  
  receiving, by the smart card reader from the mobile device, a response message that is responsive to the first message, the response message identifying a selected application type of the one or more supported application types identified in the first message;
  
  transmitting, by the smart card reader to the smart card, the selected application type;
  
  receiving, by the smart card reader and from the smart card, a second message including a second tag value;
  
  identifying, by the smart card reader, that the second message includes a sensitive portion that includes transaction information associated with the selected application type by comparing the second tag value in the second message to the plurality of tag values in the message type tag list and determining that the second tag value in the second message does not match a tag value of the plurality of tag values in the message type tag list;
  
  formatting, by the smart card reader, the second message to conform to level 1 requirements of a transaction protocol at least by encapsulating at least the sensitive portion of the second message with a non-sensitive header identifying the transaction;
  
  encrypting, by the smart card reader, the sensitive portion of the second message using the reader cryptographic key;
  
  sending, by the smart card reader, the second message through the mobile device to a payment transaction server in response to encrypting the sensitive portion of the second message and formatting the second message to conform to the level 1 requirements of the transaction protocol; and
  
  receiving, by the smart card reader and from the payment transaction server through the mobile device, and in response to sending the second message to the payment transaction server, an indication that the payment transaction server has approved the transaction of the selected application type.
- View Dependent Claims (2, 3, 4, 5, 12)
- - 2. The method of claim 1, further comprising:
    - transmitting a third message from the smart card reader to the mobile device; and
      
      ,determining, by the mobile device, a next step that conforms to level 2 requirements of the transaction protocol based on a timing between transmission of the first message to the mobile device and transmission of the third message to the mobile device.
  - 3. The method of claim 1, wherein the selected application type is one of a credit application type or a debit application type, and wherein the transaction is one of a credit transaction or a debit transaction.
  - 4. The method of claim 1, further comprising:
    - receiving, by the smart card reader, a prompt from the smart card requesting a PIN entry;
      
      sending a PIN prompt message from the smart card reader to the mobile device; and
      
      receiving, at the smart card reader from a card issuer via the mobile device, one of an indication of successful PIN entry or an indication of failed PIN entry.
  - 5. The method of claim 1, further comprising:
    - generating a nonce value at the smart card reader;
      
      receiving, at the smart card reader from the mobile device, a transaction amount associated with the transaction; and
      
      sending, from the smart card reader to the payment transaction server via the mobile device, a cryptographic message authentication code (MAC) generated using at least the nonce value and the transaction amount, wherein the indication that the payment transaction server has approved the transaction of the selected application type is received after the MAC is sent.
  - 12. The method of claim 1, wherein the transaction protocol is a Europay Mastercard Visa (EMV) transaction protocol.

6. A system for facilitating a transaction between a customer and a merchant, the system comprising:
- a smart card reader comprising;
  
  a reader interface;
  
  a communication interface communicatively coupled to a mobile device;
  
  a memory that stores instructions, a reader cryptographic key, and a message type tag list that identifies a plurality of tag values, each tag value corresponding to at least one type of non-sensitive message;
  
  a controller coupled to the communication interface and the memory, wherein the instructions when executed by the controller cause the controller to perform operations including;
  
  reading, using the reader interface, a first message from a smart card, wherein the first message includes a first tag value;
  
  identifying that the first message is non-sensitive by comparing the first tag value in the first message to the plurality of tag values in the message type tag list and determining that the first tag value in the first message matches a tag value of the plurality of tag values in the message type tag list, wherein the first message identifies one or more supported application types that are supported by the smart card;
  
  in response to identifying that the first message is non-sensitive, transmitting, using the communication interface, the first message to the mobile device;
  
  receiving, using the communication interface, a response message that is responsive to the first message, the response message identifying a selected application type of the one or more supported application types identified in the first message;
  
  transmitting, using the reader interface, the selected application type to the smart card;
  
  receiving, from the smart card using the reader interface, a second message including a second tag value;
  
  identifying that the second message includes a sensitive portion that includes transaction information associated with the selected application type by comparing the second tag value in the second message to the plurality of tag values in the message type tag list and determining that the second tag value in the second message does not match a tag value of the plurality of tag values in the message type tag list;
  
  formatting the second message to conform to level 1 requirements of a transaction protocol at least by encapsulating at least the sensitive portion of the second message with a non-sensitive header identifying the transaction;
  
  encrypting the sensitive portion of the second message using the reader cryptographic key;
  
  sending, using the communication interface, the second message through the mobile device to a payment transaction server in response to encrypting the sensitive portion of the second message and formatting the second message to conform to the level 1 requirements of the transaction protocol; and
  
  in response to sending the second message to the payment transaction server, receiving using the communication interface, from the payment transaction server through the mobile device, an indication that the payment transaction server has approved the transaction of the selected application type.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the instructions, when executed by the controller, further cause the controller to perform operations including:
    - receiving, from the mobile device using the communication interface, transaction details;
      
      transmitting, using the reader interface, transaction details to the smart cart;
      
      receiving, from the smart card using the reader interface, an authorization request cryptogram (ARQC) based on the transaction details; and
      
      transmitting, using the communication interface, the ARQC based on the transaction details to the payment transaction server prior to receiving the indication that the payment transaction server has approved the transaction of the selected application type.
  - 8. The system of claim 6, wherein the smart card reader is embedded within the mobile device.
  - 9. The system of claim 6, wherein the smart card reader is in electronic communication with the mobile device via an audio jack of the mobile device.
  - 10. The system of claim 6, wherein the communication interface of the smart card reader includes at least one of a wireless local area network interface or a Bluetooth®
    - interface.

11. A method of facilitating a transaction between a customer and a merchant using a smart card reader, the method comprising:
- storing by the smart card reader, a reader cryptographic key and a message type tag list that identifies a plurality of tag values, each tag value corresponding to at least one type of sensitive message;
  
  reading, by the smart card reader, a first message from a smart card, wherein the first message includes a first tag value;
  
  identifying, by the smart card reader, that the first message is non-sensitive by comparing the first tag value in the first message to the plurality of tag values in the message type tag list and determining that the first tag value in the first message does not match a tag value of the plurality of tag values in the message type tag list, wherein the first message identifies one or more supported application types;
  
  in response to identifying that the first message is non-sensitive, transmitting, by the smart card reader, the first message to a mobile device communicatively coupled to the smart card reader;
  
  receiving, by the smart card reader from the mobile device, a response message that is responsive to the first message, the response message identifying a selected application type of the one or more supported application types identified in the first message;
  
  transmitting, by the smart card reader to the smart card, the selected application type;
  
  receiving, by the smart card reader and from the smart card, a second message including a second tag value;
  
  identifying, by the smart card reader, that the second message includes a sensitive portion that includes transaction information associated with the selected application type by comparing the second tag value in the second message to the plurality of tag values in the message type tag list and determining that the second tag value in the second message matches a tag value of the plurality of tag values in the message type tag list;
  
  formatting, by the smart card reader, the second message to conform to level 1 requirements of a transaction protocol at least by encapsulating at least the sensitive portion of the second message with a non-sensitive header identifying a transaction;
  
  encrypting, by the smart card reader, the sensitive portion of the second message using the reader cryptographic key;
  
  sending, by the smart card reader, the second message through the mobile device to a payment transaction server in response to encrypting the sensitive portion of the second message and formatting the second message to conform to the level 1 requirements of the transaction protocol; and
  
  receiving, by the smart card reader and from the payment transaction server through the mobile device, and in response to sending the second message to the payment transaction server, an indication that the payment transaction server has approved the transaction of the selected application type.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 11, further comprising:
    - receiving by the smart card reader, a prompt from the smart card requesting a PIN entry;
      
      sending a PIN prompt message from the smart card reader to the mobile device, the PIN prompt message requesting the PIN entry; and
      
      receiving, at the smart card reader from a card issuer via the mobile device, one of an indication of successful PIN entry or an indication of failed PIN entry.
  - 14. The method of claim 11, further comprising:
    - transmitting a third message from the smart card reader to the mobile device; and
      
      determining, by the mobile device, a next step that conforms to level 2 requirements of the transaction protocol based on a timing between transmission of the first message to the mobile device and transmission of the third message to the mobile device, wherein the transaction protocol is a Europay Mastercard Visa (EMV) transaction protocol.
  - 15. The method of claim 11, wherein the selected application type is one of a credit application type or a debit application type, and wherein the transaction is one of a credit transaction or a debit transaction.
  - 16. The method of claim 11, further comprising:
    - generating a nonce value at the smart card reader;
      
      receiving, at the smart card reader from the mobile device, a transaction amount associated with the transaction; and
      
      sending, from the smart card reader to the payment transaction server via the mobile device, a cryptographic message authentication code (MAC) generated using at least the nonce value and the transaction amount, wherein the indication that the payment transaction server has approved the transaction of the selected application type is received after the MAC is sent.

17. A system for facilitating a transaction between a customer and a merchant, the system comprising:
- a smart card reader comprising;
  
  a reader interface;
  
  a communication interface communicatively coupled to a mobile device;
  
  a memory that stores instructions, a reader cryptographic key, and a message type tag list that identifies a plurality of tag values, each tag value corresponding to at least one type of sensitive message;
  
  a controller coupled to the communication interface and the memory, wherein the instructions when executed by the controller cause the controller to perform operations including;
  
  reading, using the reader interface, a first message from a smart card, wherein the first message includes a first tag value;
  
  identifying that the first message is non-sensitive by comparing the first tag value in the first message to the plurality of tag values in the message type tag list and determining that the first tag value in the first message does not match a tag value of the plurality of tag values in the message type tag list, wherein the first message identifies one or more supported application types that are supported by the smart card;
  
  in response to identifying that the first message is non-sensitive, transmitting, using the communication interface, the first message to the mobile device;
  
  receiving, using the communication interface, a response message that is responsive to the first message, the response message identifying a selected application type of the one or more supported application types identified in the first message;
  
  transmitting, using the reader interface, the selected application type to the smart card;
  
  receiving, from the smart card using the reader interface, a second message including a second tag value;
  
  identifying that the second message includes a sensitive portion that includes transaction information associated with the selected application type by comparing the second tag value in the second message to the plurality of tag values in the message type tag list and determining that the second tag value in the second message matches a tag value of the plurality of tag values in the message type tag list;
  
  formatting the second message to conform to level 1 requirements of a transaction protocol at least by encapsulating at least the sensitive portion of the second message with a non-sensitive header identifying the transaction;
  
  encrypting the sensitive portion of the second message using the reader cryptographic key;
  
  sending, using the communication interface, the second message through the mobile device to a payment transaction server in response to encrypting the sensitive portion of the second message and formatting the second message to conform to the level 1 requirements of the transaction protocol; and
  
  in response to sending the second message to the payment transaction server, receiving using the communication interface, from the payment transaction server through the mobile device, an indication that the payment transaction server has approved the transaction of the selected application type.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the instructions, when executed by the controller, further cause the controller to perform operations including:
    - receiving, from the mobile device using the communication interface, transaction details;
      
      transmitting, using the reader interface, transaction details to the smart card;
      
      receiving, from the smart card using the reader interface, an authorization request cryptogram (ARQC) based on the transaction details; and
      
      transmitting, using the communication interface, the ARQC based on the transaction details to the payment transaction server prior to receiving the indication that the payment transaction server has approved the transaction of the selected application type.
  - 19. The system of claim 17, wherein the smart card reader is embedded within the mobile device.
  - 20. The system of claim 17, wherein the smart card reader is in electronic communication with the mobile device via an audio jack of the mobile device.
  - 21. The system of claim 17, wherein the communication interface of the smart card reader includes at least one of a wireless local area network interface or a Bluetooth®
    - interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Block, Inc. (f/k/a Square, Inc.)
Original Assignee
Block, Inc. (f/k/a Square, Inc.)
Inventors
Behren, Robert von, Quigley, Oliver S.
Primary Examiner(s)
Nilforoush, Mohammad A.

Application Number

US13/652,365
Time in Patent Office

2,584 Days
Field of Search

705 50-912
US Class Current
CPC Class Codes

G06Q 20/204   comprising interface for re...

G06Q 20/3223   Realising banking transacti...

G06Q 20/34   using cards, e.g. integrate...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/3415   Cards acting autonomously a...

G06Q 20/382   insuring higher security of...

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3829   involving key management

G06Q 20/4012   Verifying personal identifi...

G06Q 20/40975   using encryption therefor

G07F 7/0873   Details of the card reader

G07F 7/0893   the card reader reading the...

Secure smart card transactions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

195 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure smart card transactions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links