System and method for secure credit and debit card transactions

US 20030191945A1
Filed: 04/25/2002
Published: 10/09/2003
Est. Priority Date: 04/03/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method of authorising secure transactions between a customer and a merchant, the method comprising the steps of:

i) storing customer information including a customer account number and an associated personal identification number (PIN) on a host computer;

ii) generating a pseudorandom security string in the host computer;

iii) transmitting the pseudorandom security string from the host computer to at least one remote electronic device operated by the customer;

iv) inputting the PIN and a transaction amount into the electronic device upon the customer conducting a transaction with the merchant;

v) generating a response code in the electronic device by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;

vi) transmitting the response code, the transaction amount and the customer account number to the host computer;

vii) in the host computer, using the customer account number to retrieve the PIN and the pseudorandom security string, and then applying the predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount so as to generate a check code;

viii) in the host computer, comparing the check code and the response code and, if they match, authorising the transaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is disclosed a method and system for conducting secure credit and debit card transactions between a customer and a merchant. The customer is issued with a pseudorandom security string by a host computer, the security string being sent to the customer'"'"'s mobile telephone. A cryptographic algorithm running in a SIM card of the mobile telephone performs a hash on the security string or the One Time Code extracted from the security string, a customer PIN and a transaction amount, these last two items being entered by way of a keypad of the mobile telephone. A three-digit response code is generated by the algorithm and then passed to the merchant. The merchant then transmits the response code, transaction amount and a customer account number (card number) to the host computer, where the pseudorandom security string and PIN are retrieved from memory. The host computer then applies the same algorithm to the security string, PIN and transaction amount so as to generate a check code, and if the check code matches the response code transmitted by the merchant, the transaction is authorised.

Embodiments of the present invention make use of existing CVV2 security infrastructure, but provide a significantly greater degree of security. Embodiments of the present invention may be used with ordinary face-to-face or telephone transactions, and also in e-commerce (web-based) and m-commerce (mobile telephone-based) transactions.

Citations

27 Claims

1. A method of authorising secure transactions between a customer and a merchant, the method comprising the steps of:
- i) storing customer information including a customer account number and an associated personal identification number (PIN) on a host computer;
  
  ii) generating a pseudorandom security string in the host computer;
  
  iii) transmitting the pseudorandom security string from the host computer to at least one remote electronic device operated by the customer;
  
  iv) inputting the PIN and a transaction amount into the electronic device upon the customer conducting a transaction with the merchant;
  
  v) generating a response code in the electronic device by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;
  
  vi) transmitting the response code, the transaction amount and the customer account number to the host computer;
  
  vii) in the host computer, using the customer account number to retrieve the PIN and the pseudorandom security string, and then applying the predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount so as to generate a check code;
  
  viii) in the host computer, comparing the check code and the response code and, if they match, authorising the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 23, 25)
- - 2. A method according to claim 1, wherein the remote electronic device is a mobile telephone, personal digital assistant or a pager.
  - 3. A method according to claim 1 or 2, wherein the response code is passed to the merchant by the customer, and the merchant then passes the response code, the transaction amount and the customer account number to the host computer in step v).
  - 4. A method according to claim 3, wherein the response code is passed to the merchant by the customer by way of a merchant website.
  - 5. A method according to claim 3, wherein the response code is passed to the merchant by the customer as a verbal or written message.
  - 6. A method according to claim 3, wherein the response code is passed to the merchant by the customer as an electronic transmission from the electronic device.
  - 7. A method according to any preceding claim, wherein the response code, transaction amount and customer account number are transmitted to the host computer in step v) by way of an intermediate server.
  - 8. A method according to any preceding claim, wherein the response code, transaction amount and customer account number are transmitted to the host computer in step v) by way of an Internet connection.
  - 9. A method according to any one of claims 1 to 7, wherein the response code, transaction amount and customer account number are transmitted to the host computer in step v) by way of an EPOS or EFTPOS machine operated by the merchant.
  - 10. A method according to any one of claims 1 to 7, wherein the response code, transaction amount and customer account number are transmitted to the host computer in step v) by way of a mobile telephone, personal digital assistant or the like operated by the merchant.
  - 11. A method according to any preceding claim, wherein a plurality of pseudorandom security strings is transmitted simultaneously from the host computer to the electronic device in step iii).
  - 12. A method according to any one of claims 2 to 11, wherein the algorithm runs as an applet in a SIM card installed in the electronic device.
  - 13. A method according to any preceding claim, wherein the response code and the check code are three digit decimal numbers.
  - 19. A system as claimed in any one of claims 13 to 18, further comprising an intermediate server by way of which the response code, transaction amount and customer account number are transmitted to the host computer in step v).
  - 20. A system as claimed in any one of claims 13 to 19, adapted to transmit the response code, transaction amount and customer account number to the host computer in step v) by way of an Internet connection.
  - 21. A system as claimed in any one of claims 13 to 19, further comprising an EPOS or EFTPOS machine adapted to transmit the response code, transaction amount and customer account number to the host computer in step v).
  - 22. A system as claimed in any one of claims 13 to 19, further comprising a mobile telephone, personal digital assistant or the like operated by the merchant, adapted to transmit the response code, transaction amount and customer account number to the host computer in step v).
  - 23. A system as claimed in any one of claims 13 to 22, wherein the host computer is adapted to transmit a plurality of pseudorandom security strings simultaneously to the electronic device in step iii).
  - 25. A system as claimed in any one of claims 13 to 24, wherein the response code and the check code are three digit decimal numbers.

14. A secure transaction system for authorising transactions made between a customer and a merchant, the system comprising a host computer and at least one customer-operated electronic device, wherein:
- i) customer information including a customer account number and an associated personal identification number (PIN) is stored on the host computer;
  
  ii) the host computer generates a pseudorandom security string and transmits the pseudorandom security string to the at least one customer-operated electronic device;
  
  iii) the electronic device receives an input from the customer comprising the PIN and a transaction amount when the customer conducts a transaction with the merchant;
  
  iv) the electronic device generates a response code by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;
  
  v) the response code, the transaction amount and the customer account number are transmitted to the host computer;
  
  vi) the host computer uses the customer account number to retrieve the PIN and the pseudorandom string, and then applies the predetermined cryptographic algorithm to the pseudorandom string, the PIN and the transaction amount so as to generate a check code;
  
  viii) the host computer compares the check code and the response code and, if they match, authorises the transaction.
- View Dependent Claims (15, 16, 17, 18, 24)
- - 15. A system as claimed in claim 14, wherein the remote electronic device is a mobile telephone, personal digital assistant or a pager.
  - 16. A system as claimed in claim 14 or 15, adapted such that the response code is transmissible to the merchant by the customer, and such that the merchant can transmit the response code, the transaction amount and the customer account number to the host computer in step v).
  - 17. A system as claimed in claim 16, further comprising a merchant website adapted to receive the response code from the customer.
  - 18. A system according to claim 16, wherein the electronic device is adapted to transmit the response code to the merchant by way of an electronic transmission.
  - 24. A system as claimed in any one of claims 14 to 23, wherein the algorithm runs as an applet in a SIM card installed in the electronic device.

26. A method of authorising secure transactions between a customer and a merchant, substantially as hereinbefore described with reference to the accompanying drawing.

27. A secure transaction system for authorising transactions made between a customer and a merchant, substantially as hereinbefore described with reference to the accompanying drawing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
swivel secure Ltd. (Marr Group Holdings Ltd.)
Original Assignee
Swivel Technologies Limited
Inventors
Keech, Winston Donald

Application Number

US10/131,489
Publication Number

US 20030191945A1
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/023   the neutral party being a c...

G06Q 20/04   Payment circuits

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/382   insuring higher security of...

G06Q 20/388   using mutual authentication...

G06Q 20/4014   Identity check for transact...

G06Q 20/40975   using encryption therefor

G07F 7/1008   Active credit-cards provide...

System and method for secure credit and debit card transactions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure credit and debit card transactions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links