Payment system for authorizing a transaction between a user device and a terminal

US 11,416,855 B2
Filed: 10/04/2013
Issued: 08/16/2022
Est. Priority Date: 04/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method for communicating in accordance with EMV transaction protocols between a user device and a point-of-sale terminal in a transaction, the method comprising:

receiving, at the point-of-sale terminal from the user device comprising a payment application, an EMV application expiry date parameter associated with the payment application and including an expiration day, an expiration month, and an expiration year, an issuer action code, and a certificate having data stored within one or more data fields and a hash in one of the one or more data fields, the EMV application expiry date parameter not being in any data field in the certificate and the EMV application expiry date parameter repurposed to represent an expiration date of the certificate, and wherein the hash is generated by concatenating the EMV application expiry date parameter and at least some of the data stored within the one or more data fields of the certificate;

in response to the receiving the EMV application expiry date parameter and the certificate, concatenating data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificate;

verifying, by the point-of-sale terminal, the hash, by performing a one-way mathematical operation including a SHA-1 hash algorithm on the concatenated data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificate to form another hash, and comparing the hash and the another hash;

determining, by the point-of-sale terminal, that the EMV application expiry date parameter is not expired by comparing the EMV application expiry date parameter to a current date; and

in response to determining and verifying, authorizing, by the point-of-sale terminal, the transaction using the issuer action code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus and computer software are provided for authorizing an EMV transaction between a user device and a point of sale terminal, particularly, but not exclusively, in situations where a secure element is not made available for the deployment of a payment application on the user device. The payment application is instead deployed to a processing environment that is outside of any secure element on the user device. The payment application is associated with a certificate and a corresponding hash. The hash is adapted to be generated on the basis of an application expiration date parameter, which is adapted to comprise data indicative of an expiration date of day level granularity associated with the certificate. During processing of the EMV transaction, the point-of-sale terminal verifies the hash, thereby establishing the authenticity of the application expiration date, and hence the validity of the certificate.

13 Citations

View as Search Results

21 Claims

1. A method for communicating in accordance with EMV transaction protocols between a user device and a point-of-sale terminal in a transaction, the method comprising:
- receiving, at the point-of-sale terminal from the user device comprising a payment application, an EMV application expiry date parameter associated with the payment application and including an expiration day, an expiration month, and an expiration year, an issuer action code, and a certificate having data stored within one or more data fields and a hash in one of the one or more data fields, the EMV application expiry date parameter not being in any data field in the certificate and the EMV application expiry date parameter repurposed to represent an expiration date of the certificate, and wherein the hash is generated by concatenating the EMV application expiry date parameter and at least some of the data stored within the one or more data fields of the certificate;
  
  in response to the receiving the EMV application expiry date parameter and the certificate, concatenating data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificate;
  
  verifying, by the point-of-sale terminal, the hash, by performing a one-way mathematical operation including a SHA-1 hash algorithm on the concatenated data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificate to form another hash, and comparing the hash and the another hash;
  
  determining, by the point-of-sale terminal, that the EMV application expiry date parameter is not expired by comparing the EMV application expiry date parameter to a current date; and
  
  in response to determining and verifying, authorizing, by the point-of-sale terminal, the transaction using the issuer action code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the data stored within the one or more data fields of the certificate comprises a primary account number associated with the user device, a certificate serial number associated with the certificate, and a hash algorithm indicator that identifies the one-way mathematical operation.
  - 3. The method of claim 1, wherein the EMV application expiry date parameter is not signed by an issuer of the user device.
  - 4. The method of claim 1, wherein the method further comprises provisioning, by an issuer computer, a plurality of certificates and hashes to the user device, each certificate and hash being provisioned based at least in part on an expiration date parameter associated therewith.
  - 5. The method of claim 4, wherein, responsive to the satisfaction of a predetermined criterion, provisioning the user device with a given certificate and a given hash.
  - 6. The method of claim 5, wherein the predetermined criterion comprises a current day, a current month, and a current year matching a given application expiration date, wherein the current date, the current month, and the current year are being maintained by a certificate provisioning entity.
  - 7. The method of claim 5, wherein the predetermined criterion comprises receiving a request of a predetermined type, the request identifying at least the user device.
  - 8. The method of claim 4, wherein the provisioning of the plurality of certificates and the hashes occur via a communications network.
  - 9. The method of claim 1, wherein the certificate expires a predetermined number of days after provisioning of the certificate to the user device based on the EMV application expiry date parameter, the predetermined number of days being less than a predicted brute force decryption time to decrypt encrypted payment keys in the user device.
  - 10. The method of claim 1, wherein the issuer action code requires authorization of the transaction by an issuing bank associated with the payment application in the event that the EMV application expiry date parameter is prior to the current date.
  - 11. The method of claim 1, wherein the user device includes a first processing portion and a second processing portion, the first processing portion comprising a first application environment within a secure element and the second processing portion comprising a second application environment external to the secure element, and wherein the second processing portion comprises the payment application.
  - 12. The method of claim 11, wherein the user device includes a mobile communications device and the secure element comprises a Subscriber Identity Module.
  - 13. The method of claim 11, wherein the second application environment comprises a Trusted Execution Environment, and wherein the Trusted Execution Environment is configured to store or execute at least part of the payment application.
  - 14. The method of claim 1, wherein the point-of-sale terminal communicates with the user device using a radio frequency communications protocol.
  - 15. The method of claim 1, wherein the certificate is an ICC (Integrated Circuit Card) public key certificate and the user device is a mobile phone.
  - 16. The method of claim 1, wherein the at least some of the data stored within the one or more data fields of the certificate comprises a primary account number associated with the user device and a certificate serial number associated with the certificate.
  - 17. The method of claim 1, wherein the at least some of the data stored within the one or more data fields of the certificate includes a certificate format, a primary account number, a certificate serial number, a hash algorithm indicator, an ICC public key indicator, an ICC public key length, and an ICC public key.

18. A point of sale terminal comprising:
- a processor; and
  
  a computer readable medium, the computer readable medium comprising code, executable by the processor for performing a method for communicating in accordance with EMV transaction protocols in a transaction, the method comprising;
  
  receiving, from a user device comprising a payment application, an EMV application expiry date parameter associated with the payment application and including an expiration day, an expiration month, and an expiration year, an issuer action code, and a certificate having data stored within one or more data fields and a hash in one of the one or more data fields, the EMV application expiry date parameter not being in any data field in the certificate, and the EMV application expiry date parameter repurposed to represent an expiration date of the certificate, and wherein the hash is generated by concatenating the EMV application expiry date parameter and at least some of the data stored within the one or more data fields of the certificate;
  
  in response to the receiving the EMV application expiry date parameter and the certificate, concatenating data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificateverifying, the hash, by performing a one-way mathematical operation including a SHA-1 hash algorithm on the concatenated data including the EMV application expiry date parameter and the at least some of the data stored within the one or more data fields of the certificate;
  
  determining that the EMV application expiry date parameter is not expired by comparing the EMV application expiry date parameter to a current date; and
  
  in response to determining, authorizing the transaction using the issuer action code, wherein the data stored within the one or more data fields of the certificate comprises a primary account number associated with the user device, a certificate serial number associated with the certificate, and a hash algorithm indicator that identifies the one-way mathematical operation.
- View Dependent Claims (19, 20, 21)
- - 19. The point of sale terminal of claim 18, wherein the certificate is an ICC (Integrated Circuit Card) public key certificate and the user device is a mobile phone.
  - 20. The point of sale terminal of claim 18, wherein the at least some of the data stored within the one or more data fields of the certificate comprises a primary account number associated with the user device and a certificate serial number associated with the certificate.
  - 21. The point of sale terminal of claim 18, wherein the at least some of the data stored within the one or more data fields of the certificate includes a certificate format, a primary account number, a certificate serial number, a hash algorithm indicator, an ICC public key indicator, an ICC public key length, and an ICC public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa Europe Limited (Visa, Inc.)
Original Assignee
Visa Europe Limited (Visa, Inc.)
Inventors
Fiske, Stuart
Primary Examiner(s)
McAtee, Patrick
Assistant Examiner(s)
Leffall-Allen, Nakia

Application Number

US14/046,840
Publication Number

US 20140040146A1
Time in Patent Office

3,238 Days
Field of Search

235380, 380277, 705 26, 705 38, 705 66, 713176
US Class Current
CPC Class Codes

G06Q 20/3229   Use of the SIM of a M-devic...

G06Q 20/326   Payment applications instal...

G06Q 20/327   Short range or proximity pa...

G06Q 20/3821   Electronic credentials

G06Q 20/3825   Use of electronic signatures

G06Q 20/3827   Use of message hashing

Payment system for authorizing a transaction between a user device and a terminal

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Payment system for authorizing a transaction between a user device and a terminal

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links