Method and system for secure authentication
Abstract
A system and method configured to provide secure Personal Identification Number (PIN) based authentication is disclosed. A passcode or PIN associated with a customer value card can be securely authenticated by an issuer prior to authorizing payment. An Access Control Server (ACS) can receive the PIN or passcode from a customer via a secure connection over a public network. The ACS can generate an encrypted PIN and can communicate the encrypted PIN to a remote issuer for authentication. The ACS can use one or more hardware security modules to generate the encrypted PIN. The hardware security modules can be emulated in software or implemented in hardware. The system can be configured such that the PIN is not exposed in an unencrypted form in a communication link or in hardware other than the originating customer terminal.
34 Claims
1. A secure passcode authentication system, the system comprising:
- an Access Control Server (ACS) configured to receive a request for passcode authentication of a Primary Account Number (PAN) from a merchant server, and configured to request a passcode corresponding to the PAN from a cardholder device, wherein the ACS is associated with an issuer of the PAN;
- a front end Hardware Security Module (HSM) coupled to the ACS, and configured to receive the passcode in an encrypted format and generate an encrypted passcode using a local encryption key; and
- a back end HSM configured to receive the encrypted passcode from the front end HSM and further configured to recover a clear form of the passcode, generate a back end encrypted passcode, and communicate the back end encrypted passcode to an authentication network, wherein the system authenticates the passcode, wherein the ACS is further configured to receive an authentication message from the authentication network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 29, 33, 34
14. A secure passcode authentication system, the system comprising:
- an Access Control Server (ACS) configured to receive a request for Personal Identification Number (PIN) authentication of a Primary Account Number (PAN), and configured to generate a request for a PIN corresponding to the PAN, the request for the PIN including hidden fields comprising a unique transaction identifier and a hash value;
- a front end Hardware Security Module (HSM) coupled to the ACS, and configured to generate the hash value based in part on the unique transaction identifier, and further configured to receive an encrypted PIN, decrypt the PIN to recover a clear form of the PIN, and generate a local encrypted PIN using a local encryption key; and
- a back end HSM configured to receive the local encrypted PIN from the front end HSM and further configured to recover a clear form of the PIN from the local encrypted PIN, generate an Acquirer Working Key (AWK) encrypted PIN, and communicate the AWK encrypted PIN to an authentication network.
Dependent claims: 15
16. A secure passcode authentication system, the system comprising:
- an Access Control Server (ACS) configured to receive a request for Personal Identification Number (PIN) authentication of a Primary Account Number (PAN), and configured to generate a request for a PIN corresponding to the PAN, the request for the PIN including an instruction to provide the PIN to a destination address; and
- a front end Hardware Security Module (HSM) having said destination address and coupled to the ACS, and configured to receive an encrypted PIN, decrypt the PIN to recover a clear form of the PIN, and generate an Acquirer Working Key (AWK) encrypted PIN using an AWK encryption key, and configured to communicate the AWK encrypted PIN to an authentication network.
Dependent claims: 30
17. A method for providing secure passcode authentication, the method comprising:
- requesting a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN) wherein requesting the PIN includes generating a unique transaction identifier, generating a hash value with a front end Hardware Security Module (HSM) based in part on the unique transaction identifier, generating a query having the unique transaction identifier and hash value as fields in the query, and communicating the query;
- receiving an encrypted PIN in the front end Hardware Security Module (HSM) in response to the request;
- generating a PINBLOCK based in part on the encrypted PIN;
- encrypting the PINBLOCK using a local key in a front end Hardware Security Module (HSM) to generate a local key encrypted PINBLOCK;
- decrypting the local key encrypted PINBLOCK with a back end HSM;
- generating a back end encrypted PIN with the back end HSM;
- communicating the back end encrypted PIN to an authentication network; and
- receiving an authentication response from the authentication network.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
25. A method for providing secure passcode authentication, the method comprising:
- receiving an encrypted Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN) in a front end Hardware Security Module (HSM) over a Secured Sockets Layer (SSL) internet connection between a cardholder device and the front end HSM, wherein the PIN is exclusively SSL encrypted;
- decrypting the encrypted PIN in the front end Hardware Security Module (HSM) to generate a clear form of the PIN;
- generating a PINBLOCK based in part on the clear form of the PIN;
- generating in a back end HSM a back end encrypted PIN based in part on the PINBLOCK;
- communicating the back end encrypted PIN to an authentication network; and
- receiving an authentication response from the authentication network.
Dependent claims: 26, 27
28. A method for providing secure passcode authentication, the method comprising:
- generating encryption data;
- querying a cardholder for a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN);
- receiving in a front end Hardware Security Module (HSM) an encrypted PIN and at least a portion of the encryption data from the cardholder in response to the query;
- generating a clear form of the PIN based in part on the encrypted PIN;
- generating a PINBLOCK based in part on the clear form of the PIN;
- encrypting the PINBLOCK in a front end Hardware Security Module (HSM) using triple DES encryption to generate an encrypted PIN (EPIN);
- decrypting the EPIN in a back end HSM to recover the clear form of the PIN;
- encrypting the clear form of the PIN in the back end HSM using an Acquirer Working Key (AWK) to generate an AWK encrypted PIN;
- communicating the AWK encrypted PIN to an authentication network; and
- receiving an authentication response.
Dependent claims: 31
32. A method for providing secure passcode authentication, the method comprising:
- generating encryption data, wherein the encryption data comprises a transaction ID, a base redirection url, and an http redirect type, wherein the encryption data further comprises a hashed message authentication code based on the transaction ID, the base redirection URL, and the http redirect type;
- querying a cardholder for a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN);
- receiving in a front end Hardware Security Module (HSM) an encrypted PIN and at least a portion of the encryption data from the cardholder in response to the query;
- generating a clear form of the PIN based in part on the encrypted PIN;
- generating a PINBLOCK based in part on the clear form of the PIN;
- encrypting the PINBLOCK in a front end Hardware Security Module (HSM) using triple DES encryption to generate an encrypted PIN (EPIN);
- decrypting the EPIN in a back end HSM to recover the clear form of the PIN;
- encrypting the clear form of the PIN in the back end HSM using an Acquirer Working Key (AWK) to generate an AWK encrypted PIN;
- communicating the AWK encrypted PIN to an authentication network; and
- receiving an authentication response.
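
The encryption data of claim 32 (transaction ID, base redirection URL, HTTP redirect type, and an HMAC over the three) can be issued with the PIN query and checked when the cardholder's response returns, as in the following added example, which is not code from the patent. HMAC-SHA256, the length-prefixed field encoding, the field and function names, and the in-memory key standing in for the front end HSM are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: stand-in for a key held inside the front end HSM. It is generated
# in memory only so the example runs; a real key would never leave the HSM.
HSM_KEY = secrets.token_bytes(32)


def canonical(transaction_id, base_redirect_url, redirect_type):
    """Length-prefix each field so field boundaries are part of the MAC input."""
    out = b""
    for field in (transaction_id, base_redirect_url, redirect_type):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def issue_encryption_data(base_redirect_url, redirect_type, key=HSM_KEY):
    """Build the hidden fields that accompany the PIN query."""
    transaction_id = secrets.token_hex(16)  # unique per transaction
    msg = canonical(transaction_id, base_redirect_url, redirect_type)
    return {
        "transaction_id": transaction_id,
        "base_redirect_url": base_redirect_url,
        "redirect_type": redirect_type,
        "hmac": hmac.new(key, msg, hashlib.sha256).hexdigest(),
    }


def verify_encryption_data(fields, key=HSM_KEY):
    """Return True only if every field is present and the HMAC matches."""
    try:
        msg = canonical(fields["transaction_id"],
                        fields["base_redirect_url"],
                        fields["redirect_type"])
        supplied = bytes.fromhex(fields["hmac"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return False  # missing field, wrong type, or non-hex tag
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, supplied)  # constant-time compare
```

Without the length prefix, moving a character from the start of the URL to the end of the transaction ID would leave the concatenated MAC input unchanged; with it, the shifted fields fail verification.
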
Specification