Secure payment card transactions

US 7,891,563 B2
Filed: 05/17/2007
Issued: 02/22/2011
Est. Priority Date: 05/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of adding security to a point-of-sale (POS) terminal which communicates over a network with a POS server, the POS terminal including a POS terminal application installed thereon and a payment card reader, the POS terminal application configured to communicate with the POS server over a non-secure channel to process payment card transactions, the method comprising:

installing a POS security layer on the POS terminal, the POS security layer configured to at least;

(a) intercept payment data received from the payment card reader when a user initiates a payment card transaction, the payment data comprising actual card data;

(b) pass false card data to the POS terminal application for use in place of the actual card data, such that the false card data is transmitted over the non-secure channel to the POS server in place of the actual card data; and

(c) transmit the actual card data to the POS server over a secure channel;

such that the actual card data is inhibited from being transmitted over a non-secure channel.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Payment card transactions at a point of sale (POS) are secured in certain embodiments by intercepting, with a POS security layer installed on a POS terminal, payment data from the POS terminal, transmitting the payment data from the POS security layer to a server security application installed on a POS server, and providing false payment data from the POS security layer to a POS terminal application installed on the POS terminal. The false payment data in various embodiments is processed as if it were the payment data, such that the POS terminal transmits an authorization request to the POS server using the false payment data. In addition, the authorization request may be transmitted from the POS server to a payment gateway.

Citations

40 Claims

1. A method of adding security to a point-of-sale (POS) terminal which communicates over a network with a POS server, the POS terminal including a POS terminal application installed thereon and a payment card reader, the POS terminal application configured to communicate with the POS server over a non-secure channel to process payment card transactions, the method comprising:
- installing a POS security layer on the POS terminal, the POS security layer configured to at least;
  
  (a) intercept payment data received from the payment card reader when a user initiates a payment card transaction, the payment data comprising actual card data;
  
  (b) pass false card data to the POS terminal application for use in place of the actual card data, such that the false card data is transmitted over the non-secure channel to the POS server in place of the actual card data; and
  
  (c) transmit the actual card data to the POS server over a secure channel;
  
  such that the actual card data is inhibited from being transmitted over a non-secure channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the false card data comprises a false payment card number.
  - 3. The method of claim 1, wherein the false card data is configured to be used as if it were the actual card data but does not correspond to a valid payment card account.
  - 4. The method of claim 1, wherein the POS security layer is configured to generate at least a portion of the false card data.
  - 5. The method of claim 4, wherein at least a portion of the false card data is re-used as a token for an additional payment card transaction.
  - 6. The method of claim 4, wherein the POS security layer is further configured to display a substitute payment screen configured to enable a cardholder to provide at least a portion of the payment data to the POS security layer.
  - 7. The method of claim 1, wherein the actual card data is obtained from a card swipe.
  - 8. The method of claim 1, wherein the actual card data is manually entered.

9. A computer-readable medium having stored thereon a point-of-sale (POS) security layer that is configured to be installed on a POS terminal that runs a POS terminal application and that communicates with a POS server over a network, the POS security layer comprising executable instructions that cause the POS terminal to at least:
- intercept actual payment data received from a card entry device when a user initiates a payment card transaction, such that the actual payment data is not made available to the POS terminal application;
  
  pass false payment data to the POS terminal application for use in place of the actual payment data, such that the POS terminal application transmits the false payment data to the POS server in place of the actual payment data; and
  
  transmit the actual payment data to the POS server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 10. The computer-readable medium of claim 9, wherein the POS security layer is configured to obtain at least a portion of the false payment data from a security application that runs on the POS server.
  - 11. The computer-readable medium of claim 9, wherein the false payment data is generated using an algorithm that substantially guarantees that the false payment data does not represent valid card data.
  - 12. The computer-readable medium of claim 9, wherein the POS security layer intercepts the actual payment data by acting as a keylogger.
  - 13. The computer-readable medium of claim 9, wherein the POS security layer intercepts the actual payment data by accessing an input buffer on the POS terminal.
  - 14. The computer-readable medium of claim 9, wherein the false payment data comprises a portion of the actual payment data.
  - 15. The computer-readable medium of claim 9, wherein the POS security layer is further configured to encrypt the actual payment data at the POS terminal.
  - 16. The computer-readable medium of claim 9, wherein the POS security layer is configured to provide security to a preexisting non-secure POS terminal.
  - 17. The computer-readable medium of claim 9, wherein the POS security layer is capable of being invoked directly by a user action.
  - 18. The computer-readable medium of claim 17, wherein the user action comprises a hotkey press or manual key card input.
  - 19. The computer-readable medium of claim 9, wherein the POS security layer is capable of being invoked indirectly by entry of the payment data into the POS terminal.
  - 20. The computer-readable medium of claim 9, wherein the POS security layer is capable of being invoked programmatically.
  - 21. The computer-readable medium of claim 9, wherein the actual payment data is transmitted to the POS server over a secure channel.

22. A method of securing payment transactions at a point of sale (POS), the method comprising:
- intercepting payment data on a POS terminal, the payment data comprising actual payment data from a payment medium; and
  
  providing false payment data to the POS terminal, the false payment data configured to be processed as if it were the actual payment data, such that the POS terminal transmits an authorization request using the false payment data in place of the actual payment data;
  
  wherein the false payment data is configured to be stored in a transaction database as log data and wherein no complete actual payment data is stored at the POS terminal.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 23. The method of claim 22, further comprising transmitting the payment data from the POS terminal to a POS server.
  - 24. The method of claim 23, wherein transmitting the payment data from the POS terminal to the POS server further comprises transmitting the payment data over a secure channel.
  - 25. The method of claim 22, further comprising encrypting the payment data at the POS terminal.
  - 26. The method of claim 23, further comprising providing two encrypted versions of the payment data, wherein one version of encrypted data is not decryptable at the POS server and another version of encrypted data is decryptable at the POS server.
  - 27. The method of claim 22, further comprising encrypting a personal identification number (PIN) of the payment medium using the payment data.
  - 28. The method of claim 26, further comprising destroying the version of encrypted data that is decryptable at the POS server.
  - 29. The method of claim 26, further comprising destroying the version of encrypted data that is decryptable at the POS server after a time-out period.
  - 30. The method of claim 23, wherein the POS terminal transmits the authorization request using the false payment data over a non-secure channel.
  - 31. The method of claim 22, wherein the false payment data has a card-swipe compatible format.
  - 32. The method of claim 31, further comprising generating the false payment data using an algorithm that substantially guarantees that the false payment data does not represent valid payment data.
  - 33. The method of claim 22, wherein intercepting the payment data on a POS terminal comprises accessing an input buffer on the POS terminal.
  - 34. The method of claim 22, further comprising displaying a substitute payment screen configured to facilitate the intercepting of the payment data on the POS terminal.
  - 35. The method of claim 22, wherein the payment medium is a payment card.
  - 36. The method of claim 22, wherein the payment medium is a radio frequency identification (RFID) device.
  - 37. The method of claim 22, wherein the payment data further comprises at least one of a personal identification number (PIN), a signature, biometric data, an expiration date, a cardholder name, a card security code, or a dynamic security code.
  - 38. The method of claim 22, wherein at least a portion of the false payment data is derived from a range of card numbers regarded as invalid by one or more card associations.

39. A method of providing false payment data for use in place of actual payment data at a point of sale (POS) to inhibit the transmission of actual payment data over a non-secure channel, the method comprising:
- capturing payment data on a POS terminal, the payment data comprising actual card data from a payment card;
  
  generating false card data configured to be processed as if it were the actual card data, the false card data configured such that a Luhn modulus 10 test performed on the false card data determines that the false card data comprises an invalid payment card number; and
  
  providing the false card data to the POS terminal, such that the POS terminal transmits an authorization request to the POS server using the false card data in place of the actual card data.
- View Dependent Claims (40)
- - 40. The method of claim 39, further comprising providing the actual card data to the POS server over a secure channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shift4 Corporation (Shift4 Payments, Inc.)
Original Assignee
Shift4 Corporation (Shift4 Payments, Inc.)
Inventors
Sommers, Steven Mark, Oder, John David II, Warner, Dennis William, Cronic, Kevin James, Oder, John David
Primary Examiner(s)
Kim; Ahshik

Application Number

US11/750,181
Publication Number

US 20080283590A1
Time in Patent Office

1,377 Days
Field of Search

235/383, 235/380, 705/64, 705/70
US Class Current

235/383
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/202   Interconnection or interact...

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/34   using cards, e.g. integrate...

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/401   Transaction verification

G06Q 20/409   Device specific authenticat...

G06Q 2220/00   Business processing using c...

G06Q 40/00   Finance; Insurance; Tax str...

G07F 7/088   the card reader being part ...

Secure payment card transactions

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Secure payment card transactions

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links