Enabling use of smart cards by consumer devices for internet commerce

US 7,103,575 B1
Filed: 08/31/2000
Issued: 09/05/2006
Est. Priority Date: 08/31/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for enabling use of a smart card by a consumer using a consumer device for trusted transactions in a networking environment in which the consumer'"'"'s device is untrusted and is communicably coupled over a public network to a merchant computer of a merchant and to an issuer computer of an issuer of the smart card and in which the merchant computer communicates with an acquirer computer of an acquirer that is distinct from the issuer and that processes payments for the merchant, the computer program product embodied on one or more computer readable media readable by one or more computing systems in the networking environment and comprising:

computer-readable program code means for initiating a transaction with the merchant computer from the consumer device; and

computer-readable program code means for providing, directly from the consumer device to the merchant computer, a payment authorization for the transaction, further comprising;

computer-readable program code means for sending, via the consumer device, an authorization request message directly from the smart card to the issuer computer;

computer-readable program code means for obtaining, at the consumer device, an authorization token from an authorization response when the issuer computer is authorizing payment for the transaction, wherein the authorization response is sent directly from the issuer computer to the consumer device, responsive to receiving and processing the authorization request message at the issuer computer; and

computer-readable program code means for including the authorization token thereby signifying the payment authorization, in a payment message which corresponds to the transaction and which is sent directly from the consumer device to the merchant computer; and

computer-readable program code means for verifying, by the merchant computer upon receiving the payment message, that the issuer computer has authorized the payment by authenticating an issuer digital signature on the authorization token, wherein the issuer digital signature was created by the issuer computer using a digital certificate of the issuer, such that the merchant computer does not need to communicate with the issuer computer or the acquirer computer to determine whether the payment is authorized.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and computer readable code for enabling use of smart cards by consumer devices for Internet commerce. This is achieved by integrating an existing “Integrated Circuit Card Specification for Application Payment Systems” standard (commonly known as the “EMV” standard) with an augmented version of the Four-Party Credit/Debit Payment Protocol which was disclosed in U.S. Pat. No. 6,327,578. The result of the integration allows a consumer to use a smart card from a personal computer system for credit or debit transactions, while preserving the level of security and other features required by the credit card associations and banks. No modifications are required to the existing EMV standard or existing EMV smart cards.

338 Citations

32 Claims

1. A computer program product for enabling use of a smart card by a consumer using a consumer device for trusted transactions in a networking environment in which the consumer'"'"'s device is untrusted and is communicably coupled over a public network to a merchant computer of a merchant and to an issuer computer of an issuer of the smart card and in which the merchant computer communicates with an acquirer computer of an acquirer that is distinct from the issuer and that processes payments for the merchant, the computer program product embodied on one or more computer readable media readable by one or more computing systems in the networking environment and comprising:
- computer-readable program code means for initiating a transaction with the merchant computer from the consumer device; and
  
  computer-readable program code means for providing, directly from the consumer device to the merchant computer, a payment authorization for the transaction, further comprising;
  
  computer-readable program code means for sending, via the consumer device, an authorization request message directly from the smart card to the issuer computer;
  
  computer-readable program code means for obtaining, at the consumer device, an authorization token from an authorization response when the issuer computer is authorizing payment for the transaction, wherein the authorization response is sent directly from the issuer computer to the consumer device, responsive to receiving and processing the authorization request message at the issuer computer; and
  
  computer-readable program code means for including the authorization token thereby signifying the payment authorization, in a payment message which corresponds to the transaction and which is sent directly from the consumer device to the merchant computer; and
  
  computer-readable program code means for verifying, by the merchant computer upon receiving the payment message, that the issuer computer has authorized the payment by authenticating an issuer digital signature on the authorization token, wherein the issuer digital signature was created by the issuer computer using a digital certificate of the issuer, such that the merchant computer does not need to communicate with the issuer computer or the acquirer computer to determine whether the payment is authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer program product according to claim 1, wherein the computer-readable program code means for initiating the transaction further comprises:
    - computer-readable program code means or sending a transaction request from the consumer device to the merchant computer;
      
      computer-readable program code means for receiving the transaction request at the merchant computer; and
      
      computer-readable program code means for sending a payment initiation message for the transaction, responsive to the computer-readable program code means for receiving the transaction request, from the merchant computer to the consumer device, wherein the payment initiation message comprises a transaction amount, a timestamp, a random nonce, and data required by the smart card, wherein operation of the computer-readable program code means for providing the payment authorization is triggered by receiving the sent payment initiation message at the consumer device.
  - 3. The computer program product according to claim 2, wherein the payment initiation message is a wallet initiation message, and further comprising:
    - computer-readable program code means for invoking a wallet program upon receipt of the sent payment initiation message at the consumer device, wherein the wallet program prompts the consumer to insert the smart card into a smart card reader operably attached to the consumer device.
  - 4. The computer program product according to claim 2, wherein the payment initiation message is digitally signed by the merchant computer using a digital certificate of the merchant, and further comprising:
    - computer-readable program code means for verifying the digitally signed payment initiation message, by the issuer computer, using the digital certificate of the merchant, thereby ensuring that the payment initiation message was created by the merchant computer.
  - 5. The computer program product according to claim 1, wherein the computer-readable program code means for sending the authorization request message further comprises:
    - computer-readable program code means for sending a message from the consumer device to the smart card, causing the smart card to use an on-line authorization process whereby the issuer computer must be contacted for authorizing payment for the transaction;
      
      computer-readable program code means for receiving, at the consumer device, an authorization request (AR) sent from the smart card responsive to receiving the message from the consumer device, wherein the AR comprises a card account number of the smart card, an amount of the transaction, a date of the transaction, and a serial number of the smart card; and
      
      computer-readable program code means for creating the authorization request message by including the AR with information received by the consumer device in a payment initiation message sent to the consumer device from the merchant computer.
  - 6. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for passing the authorization token from the consumer device to the smart card; and
      
      computer-readable program code means for evaluating the authorization token by the smart card to determine whether to accept the transaction, and if so, creating a transaction certificate (TC) as proof that the transaction was accepted, wherein the computer-readable program code means for including the authorization token in the payment message only operates if the consumer device receives the TC from the smart card, and wherein the TC is also included in the payment message.
  - 7. The computer program product according to claim 6, further comprising:
    - computer-readable program code means for digitally signing the TC by the smart card using a smart card digital certificate; and
      
      computer-readable program code means for verifying the digitally signed TC, by the merchant computer, using the smart card digital certificate, thereby ensuring that the TC was created by the smart card.
  - 8. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for requesting, at the consumer device, an issuer public key from the issuer computer;
      
      computer-readable program code means for using the issuer public key to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in the authorization request message; and
      
      computer-readable program code means for using an issuer private key corresponding to the issuer public key to decrypt the PIN by the issuer computer while processing the authorization request message, thereby ensuring that the PIN was transmitted from the consumer device.
  - 9. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for using an issuer public key which has been statically and permanently provided in the consumer device to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in the authorization request message; and
      
      computer-readable program code means for using an issuer private key corresponding to the issuer public key to decrypt the PIN by the issuer computer while processing the authorization request message, thereby ensuing that the PIN was transmitted from the consumer device.
  - 10. The computer program product according to claim 1, wherein the processing of the authorization request message at the issuer computer further comprises:
    - computer-readable program code means for verifying a card account number specified in the authorization request message;
      
      computer-readable program code means for verifying an ability of an account corresponding to the card account number to cover an amount specified in the authorization request message;
      
      computer-readable program code means for creating the authorization token to authorize transaction if the computer-readable program code means for verifying the card account number and the ability to cover the amount have a positive result; and
      
      computer-readable program code means for sending the authorization token from the issuer computer to the consumer device in the authorization response; and
      
      computer-readable program code means for receiving the sent authorization token, in the authorization response, at the consumer device.
  - 11. The computer program product according to claim 1, further comprising:
    - computer-readable program code means for sending a capture request from the merchant computer to the acquirer computer, responsive to a successful outcome of the computer-readable program code means for verifying, wherein the capture request asks the acquirer computer to obtain payment for the transaction from the issuer;
      
      computer-readable program code means for receiving the capture request at the acquirer computer;
      
      computer-readable program code means for forwarding the received capture request from the acquirer computer to the issuer computer; and
      
      computer-readable program code means for charging, responsive to receiving the forwarded capture request at the issuer computer, an account corresponding to the smart card for the transaction.

12. A system for enabling use of a smart card by a consumer using a consumer device for trusted transactions in a networking environment in which the consumer'"'"'s consumer device is untrusted and is communicably coupled over a public network to a merchant computer of a merchant and to an issuer computer of an issuer of the smart card and in which the merchant computer communicates with an acquirer computer of an acquirer that is distinct from the issuer and that processes payments for the merchant, comprising:
- means for initiating a transaction with the merchant from the consumer device;
  
  means for obtaining, at the consumer device, a payment authorization for the transaction directly from the issuer computer, further comprising;
  
  means for sending a message from the consumer device to the smart card, causing the smart card to use an on-line authorization process whereby the issuer computer must be contacted for authorizing payment for the transaction;
  
  means for receiving, at the consumer device, an authorization request (AR) sent from the smart card responsive to receiving the message from the consumer device, wherein the AR comprises a card account number of the smart card, an amount of the transaction, a date of the transaction, and a serial number of the smart card;
  
  means for creating an augmented authorization request message by augmenting a payment initiation message, received for the transaction by the consumer device from the merchant computer, with the AR;
  
  means for sending the augmented authorization request message directly from the consumer device to the issuer computer;
  
  means for receiving the sent augmented authorization request message at the issuer computer;
  
  means operable at the issuer computer, responsive to the means for receiving the sent augmented authorization request message, for creating an authorization token for the transaction when the issuer computer is authorizing payment for the transaction;
  
  means for sending the authorization token from the issuer computer directly to the consumer device as the payment authorization; and
  
  means for receiving the sent authorization token at the consumer device;
  
  means for including the authorization token as the payment authorization in a payment message which corresponds to the transaction and which is sent directly from the consumer device to the merchant computer; and
  
  means for authenticating, by the merchant computer, an issuer digital signature in the payment message, wherein the issuer digital signature was created by the issuer computer over the payment authorization using a digital certificate of the issuer, such that the merchant computer does not to communicate with the issuer computer or the acquirer computer to determine whether the payment is authorized.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system according to claim 12, wherein the means for initiating the transaction further comprises:
    - means for sending a transaction request from the consumer device to the merchant computer;
      
      means for receiving the transaction request at the merchant computer; and
      
      means for sending a payment initiation message for the transaction, responsive to the means for receiving the transaction request, from the merchant computer to the consumer device, wherein the payment initiation message comprises a transaction amount, a timestamp, a random nonce, and data required by the smart card, wherein operation of the means for obtaining the payment authorization is triggered by receiving the sent payment initiation message at the consumer device.
  - 14. The system according to claim 13, wherein the payment initiation message is a wallet initiation message, and further comprising:
    - means for invoking a wallet program upon receipt of the sent payment initiation message at the consumer device, wherein the wallet program prompts the consumer to insert the smart card into a smart card reader operably attached to the consumer device.
  - 15. The system according to claim 13, wherein the payment initiation message is digitally signed by the merchant computer using a digital certificate of the merchant and further comprising:
    - means for verifying the digitally signed payment initiation message, by the issuer computer, using the digital certificate of the merchant, thereby ensuring that the payment initiation message was created by the merchant computer.
  - 16. The system according to claim 12, wherein:
    - the means for creating the authorization token for the transaction further comprises;
      
      means for verifying the card account number specified in the augmented authorization request message;
      
      means for verifying an ability of an account corresponding to the card account number to cover the amount specified in the augmented authorization request message; and
      
      means for creating the authorization token if the means for verifying the card account number and the ability to cover the amount have a positive result.
  - 17. The system according to claim 12, further comprising:
    - means for passing the authentication token from the consumer device to the smart card; and
      
      means for evaluating the authorization token by the smart card to determine whether to accept the transaction, and if so, creating transaction certificate (TC) as proof that the transaction was accepted, wherein the means for including the authorization token in the payment message only operates if the consumer device receives the TC from the smart card, and wherein the TC is also included in the payment message.
  - 18. The system according to claim 17, further comprising:
    - means for digitally signing the TC by the smart card using a smart card digital certificate; and
      
      means for verifying the digitally signed TC, by the merchant computer, using the smart card digital certificate, thereby ensuring that the TC was created by the smart card.
  - 19. The system according to claim 12, further comprising:
    - means for requesting, at the consumer device, an issuer public key from the issuer computer;
      
      means for using the issuer public key to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in the augmented authorization request message; and
      
      means for using an issuer private key corresponding to the issuer public key to decrypt the PIN by the issuer computer while determining whether to authorize the payment, thereby ensuring that the PIN was transmitted from the consumer device.
  - 20. The system according to claim 12, further comprising:
    - means for using an issuer public key which has been statically and permanently provided in the consumer device to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in the augmented authorization request massage; and
      
      means for using an issuer private key corresponding to the issuer public key to decrypt the PIN by the issuer computer while determining whether to authorize the payment, thereby ensuring that the PIN was transmitted from the consumer device.

21. A method for enabling use of a smart card by a consumer using a consumer device for trusted transactions in a networking environment in which the consumer'"'"'s consumer device is untrusted and is communicably coupled over a public network to a merchant computer of a merchant and to an issuer computer of an issuer of the smart card and in which the merchant computer communicates with an acquirer computer of an acquirer that is distinct from the issuer and that processes payments for the merchant, comprising the steps of:
- initiating a transaction with the merchant computer from the consumer device;
  
  obtaining, at the consumer device, an authorization token from an authorization response when the issuer computer is authorizing payment for the transaction, wherein the authorization response is sent directly from the issuer computer to the consumer device;
  
  including the authorization token, thereby signifying that payment for the transaction is authorized, in a payment message which corresponds to the transaction and which is sent directly from the consumer device to the merchant computer; and
  
  verifying, by the merchant computer upon receiving the payment message, that the issuer computer has authorized the payment by authenticating an issuer digital signature on the authorization token, wherein the issuer digital signature was created by the issuer computer using a digital certificate of the issuer, such that the merchant computer does not need to communicate with the issuer computer the acquirer computer to determine whether the payment is authorized.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method according to claim 21, wherein the step of initiating the transaction further comprises the steps of:
    - sending a transaction request from the consumer device to the merchant computer;
      
      receiving the transaction request at the merchant computer; and
      
      sending a payment initiation message for the transaction, responsive to the step of receiving the transaction request, from the merchant computer to the consumer device, wherein the payment initiation message comprises a transaction amount, a timestamp, a random nonce, and data required by the smart card, wherein operation of the step of obtaining the authorization token is triggered by receiving the sent payment initiation message at the consumer device.
  - 23. The method according to claim 22, wherein the payment initiation message is a wallet initiation message, and further comprising the steps of:
    - invoking a wallet program upon receipt of the sent payment initiation message at the consumer device, wherein the wallet program prompts the consumer to insert the smart card into a smart card reader operably attach the consumer device.
  - 24. The method according to claim 22, wherein the payment initiation message is digitally signed by the merchant computer using a digital certificate of the merchant, and further comprising the steps of:
    - verifying the digitally signed payment initiation message, by the issuer computer, using the digital certificate of the merchant, thereby ensuring that the payment initiation message was created by the merchant computer.
  - 25. The method according to claim 21, wherein the step of obtaining the authorization token further comprises the steps of:
    - sending a message from the consumer device to the smart card, causing the smart card to use an on-line authorization process whereby the issuer computer must be contacted for authorizing payment for the transaction;
      
      receiving, at the consumer device, an authorization request (AR) sent from the smart card responsive to receiving the message from the consumer device, wherein the AR comprises a card account number of the smart card, an amount of the transaction, a date of the transaction, and a serial number of the smart card;
      
      creating an authorization request message by including the AR with information received by the consumer device in a payment initiation message sent to the consumer device from the merchant computer;
      
      sending the authorization request message directly from the consumer device to the issuer computer;
      
      receiving the sent authorization request message at the issuer computer;
      
      creating, at the issuer computer, responsive to the step of receiving the sent authorization request message, the authorization token for the transaction, further comprising the steps of;
      
      verifying the card account number specified in the authorization request message;
      
      verifying an ability of an account corresponding to the card account number to cover the amount specified in the authorization request message; and
      
      authorizing the transaction if the steps of verifying the card account number and the ability to cover the amount have a positive result;
      
      sending the authorization token, in the authorization response, from the issuer computer to the consumer device; and
      
      receiving the sent authorization token, in the authorization response, at the consumer device.
  - 26. The method according to claim 21, further comprising the steps of:
    - passing the authorization token from the consumer device to the smart card; and
      
      evaluating the authorization token by the smart card to determine whether to accept the transaction, and if so, creating a transaction certificate (TC) as proof that the transaction was accepted, wherein the step of including the authorization token in the payment message only operates if the consumer device receives the TC from the smart card, and wherein the TC is also included in the payment message.
  - 27. The method according to claim 26, further comprising the steps of:
    - digitally signing the TC by the smart card using a smart card digital certificate; and
      
      verifying the digitally signed TC, by the merchant computer, using the smart card digital certificate, thereby ensuring that the TC was created by the smart card.
  - 28. The method according to claim 21, further comprising the steps of:
    - requesting, at the consumer device, an issuer public key from the issuer computer;
      
      using the issuer public key to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in an authorization request message that request the issuer computer to authorize payment for the transaction; and
      
      using an issuer private a private issuer key corresponding to the issuer public key to decrypt the PIN by the issuer computer while processing the authorization request message, thereby ensuring that the PIN was transmitted from the consumer device.
  - 29. The method according to claim 21, further comprising the steps of:
    - using an issuer public key which has been statically and permanently provided in the consumer device to encrypt a personal identification number (PIN) to be transmitted to the issuer computer from the consumer device in an authorization request message that requests the issuer computer to authorize payment for the transaction; and
      
      using an issuer private key corresponding to the issuer public key to decrypt the PIN by the issuer computer while processing the authorization request message, thereby ensuring that the PIN was transmitted from the consumer device.
  - 30. The method according to claim 21, further comprising the step of selecting a brand of payment to use for the transaction, further comprising the steps of:
    - sending, by the merchant computer to the consumer device, one or more tuples of information representing brands which me accepted by the merchant;
      
      receiving, at the consumer device, the one or more tuples of information;
      
      comparing at the consumer device, the tuples against one or more brands supported by the consumer device to find one or more matching brands, wherein the selected brand is selected from the one or more matching brands.

31. A method for using smart cards to perform trusted transactions with untrusted computing devices in a public networking environment, comprising the steps of:
- providing a smart card reader function for an untrusted computing device;
  
  initiating, by a user of the computing device, a transaction with a merchant;
  
  reading a selected smart card with the smart card reader function, wherein the selected smart card is to be used for a debit or credit of the transaction;
  
  receiving merchant information from a computer of the merchant, responsive to the initiating step, wherein the merchant information comprising an identification of the merchant and a merchant digital signature;
  
  causing the computing device to send the merchant information along with authorization information pertaining to the smart card and the transaction directly to an issuer computer of an issuer of the smart card, wherein the authorization information comprises an amount of the transaction, an account number to use for the debit or credit or a reference to the account number, a date of the transaction, and a serial number of the smart card, verifying, by the issuer computer, the merchant digital signature;
  
  determining, by the issuer computer, whether to authorize the transaction using the authorization initiation;
  
  returning an authorization token from the issuer computer to the computing device if the determining has a positive result, wherein the authorization token comprises the authorization information and the merchant information and wherein the authorization token is digitally signed by the issuer computer;
  
  forwarding the authorization token from the computing device to the smart card;
  
  creating, by the smart card, a transaction completion indication if the authorization token is acceptable to the smart card;
  
  forwarding the transaction completion indication and authorization token through the computing device to the merchant computer, thereby signifying that a payment for the transaction is authorized;
  
  receiving, by the merchant computer, the transaction completion indication and authorization token; and
  
  accepting the transaction, by the merchant, if the issuer'"'"'s digital signature of the authorization token is successfully verified, thereby avoiding a need for the merchant, or an acquirer that process payments for the merchant, to contact the issuer to determine whether payment for the transaction is authorized.
- View Dependent Claims (32)
- - 32. The method according to claim 31, wherein the accepting step further comprises the steps of:
    - sending, by the merchant computer, a capture request to an acquirer computer of the acquirer, thereby signaling the acquirer computer to acquire the payment funds authorized for the transaction, wherein the capture request comprises one or both of (1) the authorization token and (2) the transaction completion indication;
      
      notifying the issuer computer, by the acquirer computer, to transfer the payment to an account of the merchant, responsive to receiving the capture request at the acquirer computer; and
      
      transferring the payment to the merchant'"'"'s account, by the acquirer computer, the transfer having been pre-authorized by the authorization token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Linehan, Mark Holmes
Primary Examiner(s)
Trammell, James P.
Assistant Examiner(s)
Reagan, James A.

Application Number

US09/653,078
Time in Patent Office

2,196 Days
Field of Search

705/64, 705/44, 705/26, 235/379, 235/380
US Class Current

705/64
CPC Class Codes

G06Q 20/12   specially adapted for elect...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 30/0601   Electronic shopping [e-shop...

Enabling use of smart cards by consumer devices for internet commerce

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

338 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Enabling use of smart cards by consumer devices for internet commerce

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

338 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others