System and method for secure credit and debit card transactions
First Claim
1. A method of authorising secure transactions between a customer and a merchant, the method comprising the steps of:
- i) storing customer information including a customer account number and an associated personal identification number (PIN) on a host computer;
ii) generating a pseudorandom security string in the host computer;
iii) transmitting the pseudorandom security string from the host computer to at least one remote electronic device operated by the customer;
iv) inputting the PIN and a transaction amount into the electronic device upon the customer conducting a transaction with the merchant;
v) generating a response code in the electronic device by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;
vi) transmitting the response code, the transaction amount and the customer account number to the host computer;
vii) in the host computer, using the customer account number to retrieve the PIN and the pseudorandom security string, and then applying the predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount so as to generate a check code;
viii) in the host computer, comparing the check code and the response code and, if they match, authorising the transaction.
2 Assignments
0 Petitions
Accused Products
Abstract
There is disclosed a method and system for conducting secure credit and debit card transactions between a customer and a merchant. The customer is issued with a pseudorandom security string by a host computer, the security string being sent to the customer'"'"'s mobile telephone. A cryptographic algorithm running in a SIM card of the mobile telephone performs a hash on the security string or the One Time Code extracted from the security string, a customer PIN and a transaction amount, these last two items being entered by way of a keypad of the mobile telephone. A three-digit response code is generated by the algorithm and then passed to the merchant. The merchant then transmits the response code, transaction amount and a customer account number (card number) to the host computer, where the pseudorandom security string and PIN are retrieved from memory. The host computer then applies the same algorithm to the security string, PIN and transaction amount so as to generate a check code, and if the check code matches the response code transmitted by the merchant, the transaction is authorised.
Embodiments of the present invention make use of existing CVV2 security infrastructure, but provide a significantly greater degree of security. Embodiments of the present invention may be used with ordinary face-to-face or telephone transactions, and also in e-commerce (web-based) and m-commerce (mobile telephone-based) transactions.
-
Citations
27 Claims
-
1. A method of authorising secure transactions between a customer and a merchant, the method comprising the steps of:
-
i) storing customer information including a customer account number and an associated personal identification number (PIN) on a host computer;
ii) generating a pseudorandom security string in the host computer;
iii) transmitting the pseudorandom security string from the host computer to at least one remote electronic device operated by the customer;
iv) inputting the PIN and a transaction amount into the electronic device upon the customer conducting a transaction with the merchant;
v) generating a response code in the electronic device by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;
vi) transmitting the response code, the transaction amount and the customer account number to the host computer;
vii) in the host computer, using the customer account number to retrieve the PIN and the pseudorandom security string, and then applying the predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount so as to generate a check code;
viii) in the host computer, comparing the check code and the response code and, if they match, authorising the transaction. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 23, 25)
-
-
14. A secure transaction system for authorising transactions made between a customer and a merchant, the system comprising a host computer and at least one customer-operated electronic device, wherein:
-
i) customer information including a customer account number and an associated personal identification number (PIN) is stored on the host computer;
ii) the host computer generates a pseudorandom security string and transmits the pseudorandom security string to the at least one customer-operated electronic device;
iii) the electronic device receives an input from the customer comprising the PIN and a transaction amount when the customer conducts a transaction with the merchant;
iv) the electronic device generates a response code by applying a predetermined cryptographic algorithm to the pseudorandom security string, the PIN and the transaction amount;
v) the response code, the transaction amount and the customer account number are transmitted to the host computer;
vi) the host computer uses the customer account number to retrieve the PIN and the pseudorandom string, and then applies the predetermined cryptographic algorithm to the pseudorandom string, the PIN and the transaction amount so as to generate a check code;
viii) the host computer compares the check code and the response code and, if they match, authorises the transaction. - View Dependent Claims (15, 16, 17, 18, 24)
-
-
26. A method of authorising secure transactions between a customer and a merchant, substantially as hereinbefore described with reference to the accompanying drawing.
-
27. A secure transaction system for authorising transactions made between a customer and a merchant, substantially as hereinbefore described with reference to the accompanying drawing.
Specification