DATA PROTECTION WITH TRANSLATION

US 20130212026A1
Filed: 01/07/2013
Published: 08/15/2013
Est. Priority Date: 01/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an access device, a personal identification number (PIN) and sensitive data;

encrypting, by the access device, the PIN, wherein PIN encryption uses a first encryption key variant based on an initial key;

encrypting, by the access device, the sensitive data, wherein sensitive data encryption uses a second encryption key variant based on the initial key; and

transmitting, to a host server, an authorization request message including the encrypted PIN and encrypted sensitive data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed in which data associated with a transaction are protected with encryption. At an access device, a PIN associated with a payment account may be encrypted with a first key derived from an initial key of the access device and sensitive data associated with the payment account may be encrypted with a second key derived from the initial key. At a secure module associated with a host server encrypted sensitive data of an authorization request message may be decrypted. The secure module associated with the host server can re-encrypt the sensitive data using a zone encryption key associated with a payment processing network. A translated authorization request message including the re-encrypted sensitive data can be transmitted by the merchant server to the payment processing network.

Citations

34 Claims

1. A method comprising:
- receiving, by an access device, a personal identification number (PIN) and sensitive data;
  
  encrypting, by the access device, the PIN, wherein PIN encryption uses a first encryption key variant based on an initial key;
  
  encrypting, by the access device, the sensitive data, wherein sensitive data encryption uses a second encryption key variant based on the initial key; and
  
  transmitting, to a host server, an authorization request message including the encrypted PIN and encrypted sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the initial key is generated by a derived unique key per transaction (DUKPT) key management scheme.
  - 3. The method of claim 1, wherein at least one of the PIN and the sensitive data are encrypted using Triple DES Encryption Algorithm (TDEA).
  - 4. The method of claim 1, wherein the sensitive data includes at least one of a primary account number (PAN), a cardholder name, a cardholder address, and discretionary data.
  - 5. The method of claim 1, wherein a subset of discretionary data remains unencrypted when discretionary data is included in encrypted sensitive data.
  - 6. The method of claim 1, wherein an encrypted PAN is written to the PAN field of the authorization request message, wherein the encrypted PAN has the same format as the unencrypted PAN.
  - 7. The method of claim 6, wherein a subset of digits of the unencrypted PAN remain unencrypted in the encrypted PAN.
  - 8. The method of claim 6, wherein an expiration date field of the authorization request message is overwritten with an altered expiration date to indicate that the PAN field of the authorization request message contains an encrypted PAN.
  - 9. The method of claim 1, wherein the access device is a point of sale terminal.
  - 10. The method of claim 1, wherein the access device receives information associated with an e-commerce transaction.

11. A method comprising:
- receiving, by a host server, an authorization request message, wherein the authorization request message includes encrypted sensitive data;
  
  decrypting, by a secure module communicatively connected to the merchant server, the encrypted sensitive data;
  
  re-encrypting, by the secure module, the decrypted sensitive data, wherein the sensitive data re-encryption uses a first sensitive data zone encryption key associated with the first payment processing network; and
  
  transmitting, by the host server, a first translated authorization request message to the first payment processing network, wherein the translated authorization request message includes the re-encrypted sensitive data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the authorization request message further includes an encrypted PIN, the method further comprising:
    - decrypting, by the secure module, the encrypted PIN; and
      
      re-encrypting, by the secure module, the decrypted PIN, wherein the PIN re-encryption uses a first PIN zone encryption key associated with a first payment processing network; and
      
      wherein the first translated authorization request message includes the re-encrypted PIN.
  - 13. The method of claim 12, wherein the secure module is configured to transmit a second translated authorization request message to a second payment processing network, wherein a second PIN zone encryption key is used for re-encryption a PIN for the second translated authorization request message and a second sensitive data zone encryption key is used for re-encryption of sensitive data for the second authorization request message.
  - 14. The method of claim 11, wherein the encrypted PIN is encrypted using a first encryption key variant based on an initial key and the encrypted sensitive data is encrypted using a second encryption key variant based on the initial key.
  - 15. The method of claim 14, wherein the initial key is generated by a derived unique key per transaction (DUKPT) key management scheme.
  - 16. The method of claim 11, wherein the secure device is a tamper resistant security module.
  - 17. The method of claim 11, wherein the secure device is a hardware security module.
  - 18. The method of claim 11, wherein the sensitive data includes at least one of a primary account number (PAN), a cardholder name, a cardholder address, and discretionary data.

19. A system comprising:
- a processor; and
  
  a computer readable medium coupled to the processor, wherein the computer readable medium comprises code executable by the processor for implementing a method of routing transactions, the method comprising;
  
  encrypting, by an access device, a personal identification number (PIN), wherein the PIN encryption uses a first encryption key variant based on an initial key;
  
  encrypting, by the access device, sensitive data, wherein the sensitive data encryption uses a second encryption key variant based on the initial key; and
  
  transmitting, to a host server, an authorization request message including the encrypted PIN and encrypted sensitive data.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19, wherein the processor is a secure cryptoprocessor.
  - 21. The system of claim 19, wherein the system includes a tamper resistant security module.
  - 22. The system of claim 19, wherein the system includes a tamper resistant security module.

23. A system comprising:
- a processor; and
  
  a computer readable medium coupled to the processor, wherein the computer readable medium comprises code executable by the processor for implementing a method comprising;
  
  receiving, by a host server, an authorization request message, wherein the authorization request message includes encrypted sensitive data;
  
  decrypting, by a secure module communicatively connected to the merchant server, the encrypted sensitive data;
  
  re-encrypting, by the secure module, the decrypted sensitive data, wherein the sensitive data re-encryption uses a first sensitive data zone encryption key associated with the first payment processing network; and
  
  transmitting, by the merchant server, a first translated authorization request message to the first payment processing network, wherein the translated authorization request message includes re-encrypted sensitive data.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The method of claim 23, wherein the authorization request message further includes an encrypted PIN, the method further comprising:
    - decrypting, by the secure module, the encrypted PIN; and
      
      re-encrypting, by the secure module, the decrypted PIN, wherein the PIN re-encryption uses a first PIN zone encryption key associated with a first payment processing network; and
      
      wherein the first translated authorization request message includes the re-encrypted PIN.
  - 25. The system of claim 23, wherein the secure module is configured to transmit a second translated authorization request message to a second payment processing network, wherein a second PIN zone encryption key is used for re-encryption of a PIN for the second translated authorization request message and a second sensitive data zone encryption key is used for re-encryption of sensitive data for the second authorization request message.
  - 26. The system of claim 23, wherein the processor is a secure cryptoprocessor.
  - 27. The system of claim 23, wherein the system includes a tamper resistant security module.
  - 28. The system of claim 23, wherein the system includes a hardware security module.

29. A method, comprising:
- receiving data associated with a personal account identifier (PAI)encrypting, by the access device, the PAI, wherein the encrypted PAI has the same format as the PAI;
  
  writing the encrypted PAI to a field of an authorization request message, wherein the field is designated to receive a PAI;
  
  using an authorization request message data element as a signal to identify the presence of the encrypted PAI in the authorization request message; and
  
  transmitting the authorization request message.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The method of claim 29, wherein the PAI is a primary account number (PAN), wherein a subset of digits of the encrypted PAN in the authorization request message are unencrypted digits of the PAN.
  - 31. The method of claim 30, wherein the first six digits of the encrypted PAN are the same as the first six digits of the unencrypted PAN and wherein the last four digits of the encrypted PAN are the same as the last six digits of the unencrypted PAN.
  - 32. The method of claim 30, further comprising calculating a value for a designated digit of the encrypted PAN such that the last digit of the unencrypted PAN is the same as the last digit of the encrypted PAN and wherein the last digit of the encrypted PAN is a valid check digit for the encrypted PAN.
  - 33. The method of claim 32, wherein the designated digit is the twelfth digit of the encrypted PAN.
  - 34. The method of claim 29, wherein the authorization request message includes an expiration date, and wherein the expiration date field of the authorization request message is overwritten with an altered expiration date when the PAI field of the authorization request message contains an encrypted PAI.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Powell, Glenn, Sheets, John, Wagner, Kim, Koganti, Krishna, Tait, Paul, Perl, Marc, Rodriguez, Hector, Zloth, Susan

Granted Patent

US 10,147,089 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/71
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/4012   Verifying personal identifi...

G07F 7/1091   Use of an encrypted form of...

H04L 2209/56   Financial cryptography, e.g...

H04L 2463/061   applying further key deriva...

H04L 2463/102   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 9/0866   involving user or device id...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

DATA PROTECTION WITH TRANSLATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

DATA PROTECTION WITH TRANSLATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links