Method and system for facilitating data access and management on a secure token

US 9,430,666 B2
Filed: 08/26/2013
Issued: 08/30/2016
Est. Priority Date: 10/07/2002
Status: Active Grant

First Claim

Patent Images

1. A method of using a server computer operated by a value added service provider, the method comprising:

receiving a directory identifier by the server computer from an issuer bank server computer corresponding to a first directory instance of multiple directory instances in a file system on a secure token device, wherein the file system includes an open storage architecture having a common data storage space shared by multiple value added service providers, and wherein the first directory instance is associated with a first value added service provider for use with the secure token device,providing, over a network via a network interface, access parameters from the server computer to a first value-added application associated with the first value added service provider stored on a client device, wherein the client device is configured to store multiple value-added applications associated respectively with the multiple value added service providers for access to the common data storage space of the secure token device, andwherein data stored in the common data storage space associated with the first value added service provider is shared among the first value-added application and a second value-added application associated with a second value added service provider when a customer is participating in a joint promotional program of the first value added service provider and the second value added service provider, andwherein the data associated with the first value added service provider is only accessible by the first value-added application when the customer is not participating in the joint promotional program of the first value added service provider and the second value added service provider.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for facilitating data access and management on a smart card is provided. According to one exemplary aspect of the system, a storage architecture is provided in the smart card which allows data stored thereon to be shared by multiple parties. Access to data stored on the smart card is controlled by various access methods depending on the actions to be taken with respect to the data to be accessed.

Citations

20 Claims

1. A method of using a server computer operated by a value added service provider, the method comprising:
- receiving a directory identifier by the server computer from an issuer bank server computer corresponding to a first directory instance of multiple directory instances in a file system on a secure token device, wherein the file system includes an open storage architecture having a common data storage space shared by multiple value added service providers, and wherein the first directory instance is associated with a first value added service provider for use with the secure token device,providing, over a network via a network interface, access parameters from the server computer to a first value-added application associated with the first value added service provider stored on a client device, wherein the client device is configured to store multiple value-added applications associated respectively with the multiple value added service providers for access to the common data storage space of the secure token device, andwherein data stored in the common data storage space associated with the first value added service provider is shared among the first value-added application and a second value-added application associated with a second value added service provider when a customer is participating in a joint promotional program of the first value added service provider and the second value added service provider, andwherein the data associated with the first value added service provider is only accessible by the first value-added application when the customer is not participating in the joint promotional program of the first value added service provider and the second value added service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the client device communicates with the secure token device and the server computer operated by the value added service provider in cooperation with the first value-added application, andwherein the access parameters provide the first value-added application with access and management of the first directory instance and its associated subdirectories and storage cells on the secure token device, and wherein the first value-added application accesses the first directory instance and its associated subdirectories and storage cells based on the access parameters.
  - 3. The method of claim 1 wherein each directory instance of the multiple directory instances is configured to access the common data storage space and is associated with one or more subdirectory instances, and wherein each subdirectory instance is associated with one or more storage cells,wherein the access parameters are configured for setting access at different levels for the multiple value-added applications including a directory level, a subdirectory level, and a storage cell level.
  - 4. The method of claim 1 further comprising associating one or more directory attributes with the first directory instance, wherein each directory attribute determines a level of access to the first directory instance, andwherein the one or more directory attributes are configured to permit access to the first directory instance by the first value-added application and the second value-added application of the second value added service provider, and to deny access to the first directory instance by a third value-added application of a third value added service provider.
  - 5. The method of claim 4 further comprising associating one or more subdirectory attributes with a first subdirectory of the first directory instance, wherein each subdirectory attribute determines a level of access to the first subdirectory, andwherein the one or more subdirectory attributes are configured to permit access to the first subdirectory by the first value-added application of the first value added service provider and the second value-added application of the second value added service provider, and to deny access to the first subdirectory by the third value-added application of the third value added service provider.
  - 6. The method of claim 4 further comprising associating one or more storage cell attributes with a first storage cell of a first subdirectory of the first directory instance, wherein each storage cell attribute determines a level of access to the first storage cell, andwherein the one or more storage cell attributes are configured to permit access to the first storage cell by the first value-added application of the first value added service provider and the second value-added application of the second value added service provider, and to deny access to the first storage cell by the third value-added application of the third value added service provider.
  - 7. The method of claim 6 wherein the one or more storage cell attributes associated with a first storage cell of the first subdirectory further control operations on contents of the first storage cell by the multiple value-added applications in a manner wherein the one or more storage cell attributes permit a first set of operations on the contents of the first storage cell by the first value-added application and permit a second set of operations on the contents of the first storage cell by the second value-added application, wherein the first set of operations is different from the second set of operations.
  - 8. The method of claim 1, wherein the file system includes a table of contents associated with each directory instance that is configured to translate between logical addresses provided by the value-added applications and physical addresses associated with storage cells in the common storage space of the secure token device in a manner wherein data on the secure token device can be accessed by the client device in cooperation with a value-added application without requiring the client device to know the underlying details of the physical address of the storage cell containing the data.
  - 9. The method of claim 1 wherein a file in the file system of the secure token device is protected by different keys that relate to different commands including read commands and update commands.
  - 10. The method of claim 1 wherein multiple files in the file system of the secure token device are protected by a same key for all commands including read commands and update commands.
  - 11. The method of claim 1 wherein the first value added service provider provides control parameters to both the issuer bank server computer and the client device for setting directory attributes, subdirectory attributes, and storage cell attributes.
  - 12. The method of claim 7 wherein the first set of operations includes read only access and the second set of operations includes read access and update access for the first directory instance.

13. A server operated by a value added service provider comprising:
- a processor coupled with a network interface for communicating over a network, wherein the server is associated with a first value added service provider and is configured to;
  
  receive a directory identifier from an issuer bank server computer corresponding to a first directory instance of multiple directory instances in a file system on a secure token device, wherein the file system includes an open storage architecture having a common data storage space shared by multiple value added service providers, and wherein the first directory instance is associated with the first value added service provider for use with the secure token device,provide access parameters to a first value-added application associated with the first value added service provider stored on a client device, wherein the client device is configured to store multiple value-added applications associated respectively with the multiple value added service providers for access to the common data storage space of the secure token device, andwherein data stored in the common data storage space associated with the first value added service provider is shared among the first value-added application and a second value-added application associated with a second value added service provider when a customer is participating in a joint promotional program of the first value added service provider and the second value added service provider, andwherein the data associated with the first value added service provider is only accessible by the first value-added application when the customer is not participating in the joint promotional program of the first value added service provider and the second value added service provider.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The server of claim 13 wherein the client device communicates with the secure token device and the server operated by the value added service provider in cooperation with the first value-added application, andwherein the access parameters provide the first value-added application with access and management of the first directory instance and its associated subdirectories and storage cells on the secure token device, and wherein the first value-added application accesses the first directory instance and its associated subdirectories and storage cells based on the access parameters.
  - 15. The server of claim 13 further comprising one or more directory attributes associated with the first directory instance, wherein each directory attribute determines a level of access to the first directory instance, andwherein the one or more directory attributes are configured to permit access to the first directory instance by the first value-added application and the second value-added application of the second value added service provider, and to deny access to the first directory instance by a third value-added application of a third value added service provider.
  - 16. The server of claim 15 further comprising one or more subdirectory attributes associated with a first subdirectory of the first directory instance, wherein each subdirectory attribute determines a level of access to the first subdirectory, andwherein the one or more subdirectory attributes are configured to permit access to the first subdirectory by the first value-added application of the first value added service provider and the second value-added application of the second value added service provider, and to deny access to the first subdirectory by the third value-added application of the third value added service provider.
  - 17. The server of claim 15 further comprising one or more storage cell attributes associated with a first storage cell of a first subdirectory of the first directory instance, wherein each storage cell attribute determines a level of access to the first storage cell, andwherein the one or more storage cell attributes are configured to permit access to the first storage cell by the first value-added application of the first value added service provider and the second value-added application of the second value added service provider, and to deny access to the first storage cell by the third value-added application of the third value added service provider.
  - 18. The server of claim 17 wherein the one or more storage cell attributes associated with a first storage cell of the first subdirectory further control operations on contents of the first storage cell by the multiple value-added applications in a manner wherein the one or more storage cell attributes permit a first set of operations on the contents of the first storage cell by the first value-added application and permit a second set of operations on the contents of the first storage cell by the second value-added application, wherein the first set of operations is different from the second set of operations.
  - 19. The server of claim 13 wherein the first value added service provider provides control parameters to both the issuer bank server computer and the client device for setting directory attributes, subdirectory attributes, and storage cell attributes.
  - 20. The server of claim 18 wherein the first set of operations includes read only access and the second set of operations includes read access and update access for the first directory instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Reed, Sonia, Aabye, Christian
Primary Examiner(s)
DWIVEDI, MAHESH H

Application Number

US13/975,679
Publication Number

US 20140059706A1
Time in Patent Office

1,100 Days
Field of Search

705/65
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/77   in smart cards

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/35765   Access rights to memory zones

G07F 7/1008   Active credit-cards provide...

H04L 63/0853   using an additional device,...

Method and system for facilitating data access and management on a secure token

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for facilitating data access and management on a secure token

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links