Secure payment card transactions

US 7,770,789 B2
Filed: 05/17/2007
Issued: 08/10/2010
Est. Priority Date: 05/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of adding security to a point-of-sale (POS) server which communicates over a network with one or more POS terminals, each POS terminal including a payment card reader, the POS server including a POS server application installed thereon configured to communicate with the one or more POS terminals over a non-secure channel to process payment card transactions, the method comprising:

installing a server security application on the POS server, the server security application configured to cause the POS server to at least;

receive payment data from the one or more POS terminals over a secure channel, the payment data comprising actual card data obtained from the payment card reader;

access false card data comprising a sequence of digits that are chosen to fail a Luhn test, such that the false card data comprises an invalid payment card number;

provide the false card data to the POS terminal, the false card data configured to be processed as if it were the actual card data;

receive a first authorization request from the POS terminal over the non-secure channel, the first authorization request comprising the false card data instead of the actual card data; and

transmit a second authorization request to a remote server, the second authorization request comprising at least the actual card data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Payment card transactions at a point of sale (POS) are secured in certain embodiments by intercepting, with a POS security layer installed on a POS terminal, payment data from the POS terminal, transmitting the payment data from the POS security layer to a server security application installed on a POS server, and providing false payment data from the POS security layer to a POS terminal application installed on the POS terminal. The false payment data in various embodiments is processed as if it were the payment data, such that the POS terminal transmits an authorization request to the POS server using the false payment data. In addition, the authorization request may be transmitted from the POS server to a payment gateway.

Citations

50 Claims

1. A method of adding security to a point-of-sale (POS) server which communicates over a network with one or more POS terminals, each POS terminal including a payment card reader, the POS server including a POS server application installed thereon configured to communicate with the one or more POS terminals over a non-secure channel to process payment card transactions, the method comprising:
- installing a server security application on the POS server, the server security application configured to cause the POS server to at least;
  
  receive payment data from the one or more POS terminals over a secure channel, the payment data comprising actual card data obtained from the payment card reader;
  
  access false card data comprising a sequence of digits that are chosen to fail a Luhn test, such that the false card data comprises an invalid payment card number;
  
  provide the false card data to the POS terminal, the false card data configured to be processed as if it were the actual card data;
  
  receive a first authorization request from the POS terminal over the non-secure channel, the first authorization request comprising the false card data instead of the actual card data; and
  
  transmit a second authorization request to a remote server, the second authorization request comprising at least the actual card data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the false card data is configured to be used as if it were the actual card data but does not correspond to a valid payment card account.
  - 3. The method of claim 1, wherein the server security application is configured to generate at least a portion of the false card data.
  - 4. The method of claim 3, wherein at least a portion of the false card data is re-used as a token for an additional payment card transaction.
  - 5. The method of claim 1, wherein the remote server is a gateway.
  - 6. The method of claim 1, wherein the actual card data is obtained from a card swipe.
  - 7. The method of claim 1, wherein the actual card data is manually entered.
  - 8. The method of claim 1, wherein the server security application is further configured to generate the false card data by generating a card number that fails the Luhn test.
  - 9. The method of claim 8, further comprising a POS security layer installed on the POS terminal, the POS security layer configured to disable use of the Luhn test in order to enable the POS terminal to accept the false card data.

10. A computer-readable medium having stored thereon a server security application that is configured to be installed on a point-of-sale (POS) server that runs a POS server application and that communicates with a POS terminal over a network, the server security application comprising executable instructions that cause the POS server to at least:
- receive payment data from the POS terminal, the payment data comprising actual card data from a payment card;
  
  provide false card data to the POS terminal, the false card data comprising an invalid payment card number;
  
  receive a first authorization request from the POS terminal, the first authorization request comprising the false card data instead of the actual card data, the false card data configured to be processed as if it were the actual card data; and
  
  transmit a second authorization request, the second authorization request comprising at least the actual card data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The computer-readable medium of claim 10, wherein the server security application is configured to generate at least a portion of the false card data.
  - 12. The computer-readable medium of claim 10, wherein the server security application is configured to generate the false card data on the POS server using an algorithm that substantially guarantees that the false card data does not represent valid payment data.
  - 13. The computer-readable medium of claim 10, wherein the false card data comprises a portion of the actual card data.
  - 14. The computer-readable medium of claim 10, wherein the server security application receives the actual card data from the POS terminal over a secure channel.
  - 15. The computer-readable medium of claim 14, wherein the actual card data is encrypted at the POS terminal.
  - 16. The computer-readable medium of claim 10, wherein the second authorization request further comprises the false card data.
  - 17. The computer-readable medium of claim 10, wherein the server security application is configured to provide security to a preexisting non-secure POS server.
  - 18. The POS server of claim 10, wherein the server security application is further configured to generate the false card data by generating a sequence of digits that fail a Luhn test.
  - 19. The POS server of claim 10, wherein the server security application is further configured to generate the false card data by selecting a sequence of digits selected from a range of invalid card numbers designated by a card association.
  - 20. The method of claim 19, further comprising disabling use of the Luhn test on the POS terminal in order to cause the POS terminal to accept the false card data.

21. A method for securing payment card transactions at a point of sale (POS), the method comprising:
- receiving, at a POS server, payment data from a POS terminal, the payment data comprising actual payment data from a payment medium, the actual payment data being encrypted;
  
  returning false payment data to the POS terminal in response to receiving the actual payment data, the false payment data comprising an invalid payment card number; and
  
  receiving, at the POS server, a first authorization request from the POS terminal, the first authorization request comprising the false payment data instead of the actual payment data, the false payment data configured to be processed as if it were the actual payment data;
  
  wherein said receiving the payment data, said returning the false payment data, and said receiving the first authorization request are implemented by one or more processors of the POS server.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 22. The method of claim 21, further comprising transmitting a second authorization request from the POS server, the second authorization request comprising at least the payment data.
  - 23. The method of claim 21, wherein the false payment data has a card-swipe compatible format.
  - 24. The method of claim 23, further comprising generating the false payment data using an algorithm that substantially guarantees that the false payment data does not represent valid payment data.
  - 25. The method of claim 21, wherein the false payment data comprises a portion of the actual payment data.
  - 26. The method of claim 21, wherein receiving the payment data from the POS terminal further comprises receiving the payment data over a secure channel.
  - 27. The method of claim 26, wherein receiving the payment data from the POS terminal further comprises receiving an encrypted version of the payment data.
  - 28. The method of claim 21, further comprising receiving two encrypted versions of the payment data, wherein one version of encrypted data is not decryptable at the POS server and the other version of encrypted data is decryptable at the POS server.
  - 29. The method of claim 28, further comprising encrypting a personal identification number (PIN) using the payment data.
  - 30. The method of claim 28, further comprising destroying the version of encrypted data that is decryptable at the POS server.
  - 31. The method of claim 28, further comprising destroying the version of encrypted data that is decryptable at the POS server after a time-out period.
  - 32. The method of claim 21, wherein the second authorization request further comprises the false payment data.
  - 33. The method of claim 21, wherein the steps of receiving the payment data and providing the false payment data are performed by a server security application installed on the POS server.
  - 34. The method of claim 21, wherein the false payment data is configured to be stored in a transaction database.
  - 35. The method of claim 34, wherein the false payment data is configured to be stored in a database as log data.
  - 36. The method of claim 35, wherein no complete actual payment data is stored at the POS server.
  - 37. The method of claim 21, wherein the payment medium comprises a payment card.
  - 38. The method of claim 21, wherein the payment medium comprises a radio frequency identification (RFID) device.
  - 39. The method of claim 21, wherein the payment data further comprises at least one of a personal identification number (PIN), a signature, biometric data, an expiration date, a cardholder name, a card security code, or a dynamic security code.
  - 40. The method of claim 21, wherein at least a portion of the false payment data is derived from a range of card numbers regarded as invalid by one or more card associations.
  - 41. The method of claim 21, wherein said returning false payment data comprises returning false payment data that fails a Luhn test.

42. A method for securing payment card transactions at a payment gateway, the method comprising:
- by a payment gateway server comprising computer hardware;
  
  receiving, an authorization request from a point-of-sale (POS) server, the authorization request comprising combined payment data and false card data, the payment data comprising encrypted actual card data from a payment card, the false payment data comprising an invalid payment card number, the false payment data configured to be processed as if it were the payment data;
  
  extracting the payment data from the combined payment data and false payment data;
  
  transmitting an authorization request to an authorizing entity, the authorization request comprising the payment data;
  
  receiving a response to the authorization request from the authorizing entity; and
  
  transmitting the response and the false payment data to the POS server, wherein the false payment data uniquely identifies the payment card.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50)
- - 43. The method of claim 42, wherein the false payment data is processed as actual payment data by a POS terminal, wherein the POS terminal provided an original authorization request comprising the false payment data to the POS server.
  - 44. The method of claim 42, further comprising returning a token to the POS server for use in a recurring transaction.
  - 45. The method of claim 44, wherein at least a portion of the false payment data is used as the token.
  - 46. The method of claim 42, wherein the payment data is encrypted.
  - 47. The method of claim 46, extracting the actual payment data from the combined payment data and false payment data comprises decrypting the payment data.
  - 48. The method of claim 42, wherein transmitting the authorization request from the payment gateway to the authorizing entity comprises transmitting an encrypted version of the payment data.
  - 49. The method of claim 42, wherein the false payment data comprises a sequence of digits configured to fail a Luhn test.
  - 50. The method of claim 42, wherein the false payment data comprises a sequence of digits selected from a range of invalid card numbers designated by a card association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shift4 Corporation (Shift4 Payments, Inc.)
Original Assignee
Shift4 Corporation (Shift4 Payments, Inc.)
Inventors
Sommers, Steven Mark, Oder, John David II, Warner, Dennis William, Cronic, Kevin James, Oder, John David
Primary Examiner(s)
Lee; Michael G
Assistant Examiner(s)
GOODMAN, KEITH E

Application Number

US11/750,239
Publication Number

US 20080283592A1
Time in Patent Office

1,181 Days
Field of Search

726/20, 235/380, 705/16, 705/18, 705/64, 705/14.38
US Class Current

235/380
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 40/00   Finance; Insurance; Tax str...

G07F 7/088   the card reader being part ...

Secure payment card transactions

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Secure payment card transactions

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links