Method and system for secure credit card transactions
What It Does (in plain English):
This invention incorporates the process described in US Patent # 6,831,982 and uses it to create cryptographically-secure credit card transactions. In this process, a seller is able to create a purchase transaction that the buyer is able to review and accept. Once accepted, the buyer signs the transaction using keys created as part of 6,831,982 to encrypt an acceptance transaction. This encrypted acceptance can be passed to the seller or directly to a credit card clearing house. The decryption (and verification) process requires the decryption key described by 6,831,982 to validate a submitted purchase transaction. Once verified, the seller is notified of the completed transaction. Since this processes passes no usable credit card number, it delivers significantly greater security between parties who may be mutually-distrusting.
A customer making a credit card transaction inserts their smart card into a card reader attached to the merchant’s system. The card reader activates the customer’s card and passes certain merchant information. The merchant’s system then requests a “billing digest” from the customer’s card. The billing digest is returned to the merchant’s card reader that forwards it (and the transaction information which includes customer information and merchant information) to the corresponding credit card issuer, which maintains the customer’s credit card account. In one embodiment, the customer information and the merchant information are encrypted. Upon receiving the billing digest, transaction information is decrypted if necessary and the credit card issuer looks up the customer’s master key using the customer’s account number. The credit card issuer then uses the transaction information to re-compute the billing digest (an authentication billing digest) and compares this new value with the billing digest submitted by the merchant. If authentic, the billing digest and authentication billing digest values are equivalent, then funds are transferred and an acceptance notification is returned to the merchant. If not authentic, a denial notification is returned to the merchant. Security is further enhanced by utilizing a unique reference for each transaction in the unique customer information used for creating the billing digest.
1. Technical Field
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for managing data within a data processing system. More particularly, The present invention relates to the field of encryption technology. Still more particularly, the present invention relates to encryption key management for securing credit and debit card transactions.
2. Description of Related Art
For years now, credit and debit cards have proven to be an efficient and convenient transaction medium for consumer to business transactions. Consumers have grown to rely heavily on these cards as a transaction medium in lieu of currency especially when carrying large sums of currency is either impractical or unsafe. Travelers have long understood the benefits for using credit and debit cards as currency for their convenience and security over physical currency.
Some consumer transactions do not lend themselves well to physical currency, bank checks or bank drafts. It is difficult or impossible to conduct real time consumer transactions for tele-commerce businesses, e-commerce businesses and certain vending business applications using currency or checks. Merchants necessarily require a means for instantaneously debiting a valid consumer account prior to completing the transaction. On the other hand, consumers require real time responses from merchants and do not want to be troubled by carrying large sums of currency. Both the consumers and merchants suffer when currency, checks or other drafts are lost during transportation from the consumer to the merchant. Thus, many consumer/merchant transactions rely on credit and debit cards for completing the transaction.
However, in many instances losses resulting from theft and fraud of credit and debit cards or their account information, are not recovered but rather shifted from the consumer and/or merchant to a financial institution that issued the card. Thus, while the consumer/merchant transactions seem more secure and less prone to fraud and theft, many times the losses are only transparent to the consumer and merchant utilizing credit and debit card technologies. In fact, the entire traditional and e-commerce markets are plagued with fraud and security holes that cannot be overcome by current tools and applications designed to tighten security around credit and debit cards. Examples of fraud range from stealing physical cards, card numbers, or forging signatures to intercepting critical data related to the card.
A typical example of credit card fraud involves a cashier ‘swiping’ a customer’s card in a valid card reader and then re-swiping the card in a clandestine card reader. By the time that issuing financial institutes realize that the card numbers are being used for illegal transactions, several thousand card numbers may have been stolen. Tracking the source of such an operation is difficult, moreover identifying which cards used at the location that have been compromised is virtually impossible because of the extreme volume of financial institutions issuing credit cards.
Another example of fraud involves e-commerce transactions. e-commerce facilities are not always secure from hackers. A hacker may attack the merchant’s server, proxy or website to gain credit card information. Once a facility is compromised, credit card numbers can be used by the hacker or others for fraudulent transactions. In one recent case, a website was compromised and numerous credit card numbers were posted on a public website. This required the financial institutions that issued the credit cards to invalidate those card numbers, stop/verify pending transactions, and issue new card numbers to their account holders.
Although not fraud per se, another credit card related concern is the potential for privacy violations. One type of such violation is the practice of “customer profiling”. Customer profiling is a means for identifying potential new customers based upon predicting individual’s future buying habits. These habits are developed into a “customer profile” by collecting and analyzing records of the customer’s past credit card transactions. Customer profilers create such customer profiles and make the information available to merchants. The targeted customers may be subject to bombardment with junk mail circulars, telephone solicitation, unsolicited e-mail or the like.
The current customer-merchant-bank methodology lends itself to theft or misuse of credit card information. Therefore, it would be advantageous to reduce the ease at which credit and debit cards and their information is misappropriated or misused.
The present invention provides a method and apparatus for securing credit and debit card transactions. The present invention employs a smart card as a credit card and contains memory and a microprocessor. A customer making a credit card transaction inserts their credit card into a card reader attached to the merchant’s system e.g. cash register billing computer or the like. The card reader activates the customer’s card and passes certain merchant information. After inputting the information, the merchant’s system asks the customer’s card for a “billing digest”. The billing digest is the result of a hashing function within the card operating upon the merchant information and the customer information (in combination the merchant information and customer information is referred to as transaction information). The merchant information, including merchant identification number, merchant name, transaction type, amount, time/date, etc. while the customer information may include the customer’s account number, name, etc. (the customer’s master key is not transmitted to the merchant or the credit card issuer). The billing digest is returned to the merchant’s card reader that forwards it (and the transaction information) to the corresponding credit card agency or issuer, which maintains the customer’s credit card account. In one embodiment, the transaction information is encrypted. The credit card issuer decrypts the information, if necessary, and looks up the customer’s master key using the customer’s account number from the customer information. The credit card issuer then uses the information, including the customer’s master key from the customer information, to verify the customer, merchant and transaction information by re-computing the billing digest and comparing this new value with the billing digest submitted by the merchant. This re-computed billing digest is termed an “authentication billing digest”. If the billing digest and authentication billing digest values are equivalent, then the customer’s account is billed/credited the transaction amount, the merchant’s account is billed/credited with the transaction amount, and an acceptance notification is returned to the merchant. If the billing digest values do not match, then no funds are transferred and a denial notification is returned to the merchant. Security is further enhanced by utilizing a unique reference for each transaction in the unique customer information used for creating the billing digest.
The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
With reference to
Credit card issuer’s system 140 accesses customer and merchant databases 150 for customer and merchant information. Customer information comprises information about individual customers including account number, name, etc. while the merchant information comprises information about individual merchants including identification number, name, etc. in addition to transaction type, amount, time/date, etc. The combination of customer and merchant information will be referred to as transaction information and will be discussed in greater detail below.
The credit card issuer evaluates such criteria as customer account limits, current customer account balance, transaction type, customer account type and merchant account validity prior to approving the transaction between the merchant and the customer. If the transaction would not violate any credit card issuer parameters, based on the current customer account criteria, then the transaction is approved. Once approved, the customer’s account is debited/credited by the transaction amount. Simultaneously, the merchant’s account is credited/debited by an amount equal to the transaction amount. A transaction confirmation is then sent from the credit card issuer’s system 140 to merchant’s system 130, along with the new account balances for both the merchant’s account and the customer’s account. Upon receiving confirmation from the credit card issuer, the merchant usually prints out hard copies for itself and the customer, and then transmits the customer account balance information to card terminal 120. From there, the account balance information stored on customer’s smart card 100 is updated to reflect the transaction.
Hughes and McCown disclose an encryption key management technique in U.S. patent application Ser. No. 09/443,963, entitled “ENCRYPTION KEY MANAGEMENT SYSTEM USING MULTIPLE SMART CARDS”, filed on Nov. 19, 1999. That application is incorporated by reference in it entirety.
With reference to
A digest is the binary result of a hashing function, such as the HMAC-SHA-1 algorithm. A digest is computed by inputting a piece of data into a hashing function. Only hashes of equal inputs generate equal digests. Digests may be used to determine the authenticity of data from one instance to another. The billing digest returned in response to a new billing digest request is merely a digest generated from specific transaction information such as: transaction type, amount, time/date, merchant name, merchant identification number, customer account number, customer name. This value is generated on the customer’s smart card. With each request for a billing digest, a new 160-bit billing digest and a corresponding variable N are returned to the merchant (this process will be discussed in detail below with respect to the flowcharts). While the term “billing digest” is used herein, as a practical matter a billing digest will be requested for any customer transaction such as credit card charged purchases, account debited purchases, refunds and other customer transactions.
In accordance with a preferred embodiment of the present invention, smart card 200 utilizes encryption variables for credit card account 222 in the HMAC-SHA-1 process. Encryption variables for credit card account 222 are but one of a plurality of sets of encryption variables for separate credit card accounts 223 and 224. Encryption variable for each credit card account 222, include a master key (KM), smart card number (G), credit card number (C) and a reference number (n), which is incremented at each transaction. KM, C and n are instantiated from the issuer of the credit card account. Additionally, other encryption variables for a credit card account may include the credit card account issuers public key (KP). Smart card 200 four encryption variables 222 comprise:
The length of the values presented herein are representative of a preferred embodiment of the present invention, but in practice may consist of any bit length. The master key is generated by an off-board application for the sole purpose of creating these cards and then destroyed. A one-time key is used for generating KM and destroyed. The KM is written to encryption smart card 200 when the smart card is initiated. KM must remain a secret because the key generation processes relies on three primary components: the range number (N), which may be found, unencrypted, in the transmitted information; the public domain hashing algorithms; and KM. Of the three, KM is the only secret component which will not be transmitted.
With respect to encryption variables 222, smart card number (G) is issued to the card or cards with the same KM. G can be any length, but a 4-byte value has been implemented. Credit card number (C) is a unique credit card account designation, which is assigned to each credit card customer, or group of customers sharing the same account. C can be any length, but it is currently implemented as a 16-byte value. Each encryption smart card 200 implements a key range variable (N), which is a concatenation of the card group (G), the individual card number (C), and the reference number (n) (of the form 0xGGGGCCCCCCCCCCCCCCCCnnnnn). For example, key card #1 would have the range 0x0000123456789012345600000–0x00001234567890123456FFFFF and key card #2 would have the range 0x0001123456789012345600000–0x000141234567890123456FFFFF.
Once initialized, C, G, and KM cannot be changed. After the customer’s smart card generates each billing key (described in detail below), n is incremented by one. When n reaches the boundary of the reference values (e.g., 0XFFFFF), encryption smart card 200 can no longer be used for key generation. Up to 4096 key generation cards may be created for a given KM and each card generates a unique set of keys.
In reference to
The customer’s smart card receives the unique merchant information (M) and the request for a billing digest, and compares the list of credit card issuers supported by the merchant with a list of credit card accounts resident on the smart card. The customer’s smart card selects a credit card issuer to transact with either by matching the merchant’s list with the customer’s accounts or utilizing a preset credit card account selection variable or manual input by the customer to the card terminal interface (step 308). Once a credit card issuer has been selected, the customer’s smart card discards all data concerning other credit card issuers passed by the merchant. Once a credit card account has been selected, the smart card retrieves unique customer card values from the smart card memory (step 310). The unique customer values include such variables as the customer credit card number (C) for the selected credit card account, smart card number (G), a recurrent reference number (n) and a master key (KM) for the selected credit card account. The customer credit card number (C) and the master key (KM) are provided to the customer’s smart card by the credit card issuer at the time the card was issued or renewed. Additionally, the credit card issuer provides a range of reference numbers from which reference number (n) is iterated at each transaction.
Once the customer’s smart card has received the unique merchant information and retrieved the unique customer values, the customer’s smart card concatenates the unique customer’s values of customer credit card number (C), smart card number (G) and the current referenced number (n) into a unique customer number (N) (step 312).
The billing digest, the unique merchant information (M) and the unique customer information (N) are then passed to the merchant (step 318). The merchant in turn transmits the billing digest, the unique merchant information (M) and the unique customer information (N) (the billing digest and transaction information) to the credit card issuer (step 320).
Returning to step 408, if the credit card issuer determines that the current reference number (n) has not been previously used, the credit card issuer looks up the master key (KM) using the customer’s credit card number (C) (step 412). With the master key (KM) and the unique customer values, the credit card issuer then invokes GetNextDigest( ). The GetNextKey( ) digest function is a hashing algorithm of which are well known in the art. With the GetNextDigest( ) function, the credit card issuer prepares an authentication billing digest using unique merchant information (M), the master key (KM) and unique customer information (step 414). The authentication billing digest is exactly the same as the billing digest, with the exception that it is generated by the credit card issuer and not in the customer’s smart card. The credit card issuer then compares the authentication billing digest with the billing digest transmitted from the merchant (step 416). If the authentication billing digest does not match the billing digest transmitted from the merchant, either an error has occurred during the transmission from the merchant or a fraud is being perpetrated. The credit card issuer then denies the transaction, alerts its internal security of the possibility of a fraud being perpetrated and returns a declination response and/or transmission error to the merchant (step 418). The transaction between the merchant and the credit card issuer then ends.
Returning to step 416, if the authentication billing digest generated by the credit card issuer exactly matches the billing digest transmitted from the merchant, the transaction can be completed. In that case, credit card issuer debits/credits the customer’s account for the transaction amount, credits/debits the merchant’s account for the transaction amount and returns a transaction confirmation to the merchant (step 420). The process is then complete with respect to responding to a secure transaction.
Of course, at this point, the customer will perform the obligatory signing of the credit card receipt and the transaction information may be written onto the memory of the customer’s smart card. The transaction is complete with the customer retrieving the smart card.
With reference to
The above-described flowcharts disclose a secure credit card keying process in accordance with a preferred embodiment of the present invention. Creating a billing digest to accompany merchant and customer information secures the transaction process from unauthorized persons attempting to gain access to the customer’s credit card number. In fact, customer, merchant and credit card information is commonly transmitted unencrypted. Therefore, customer profilers may conspire with the merchant to track all transactions occurring in the merchant’s place of business. Even though the above-described processes greatly reduce the possibility of an unauthorized person conducting a transaction with a customer’s credit card number, the customer and transaction information is still available to a customer profiling agency via the merchant. In accordance with another preferred embodiment of the present invention, the above-described processes are modified by encrypting all pertinent information prior to passing information to the merchant. In so doing, the customer has complete anonymity from tracking or profiling. This functionality is added to the customer’s smart card.
In reference to
Next, the smart card encrypts the unique merchant information (M) and the unique customer values (N) using the credit card issuers public key (KP) (step 618). Once encrypted, all data passed to the merchants will be indecipherable. Smart card then passes the digest along with the encrypted unique merchant information (M) and the encrypted customer values (N) to the merchant (step 620). The merchant then transmits the billing digest, encrypted unique merchant information (M) and the encrypted customer information (N) to the credit card issuer (step 622). The process for creating a billing digest for conducting a secure credit card transaction is now complete.
With reference to
Returning to step 710, if the current reference number (n) had not been previously used, the credit card issuer uses customer’s credit card number (C) to look up the master key (KM) issued to the customer (step 714). Next, the GetNextDigest( ) is invoked, which prepares an authentication billing digest using the unique merchant information (M), the master key (KM) and the unique customer information (N) (step 716). Next, the credit card issuer checks the authentication billing digest against the billing digest transmitted from the merchant (step 718). If the authentication billing digest does not exactly match the billing digest transmitted from the merchant, the transmission is denied. The credit card issuer alerts its internal security of the possibility of a fraud and returns a declination response and/or transmission error to the merchant (step 720). Returning to step 718, if the authentication billing digest matches exactly the billing digest transmitted from the merchant, the customer’s account is debited/credited for the transaction amount and the merchant’s account is credited/debited for the transaction amount(step 722). The credit card issuer returns a transaction confirmation to the merchant, it is understood that the confirmation must not contain any of the sensitive information that was previously encrypted in the transmission from the merchant which may identify the customer either by name or by credit card. The process ends.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. For example, although the HMAC-SHA-1 hash process is illustrated, other hashing algorithms are common and may be used. Further, while the presently described mechanism of the present invention for encrypting the transmission between the merchant and the credit card issuer is a public/private encryption scheme, other encryption techniques are well known and wide spread in the industry. For example, the credit card issuer may utilize a private/private key encryption scheme. Still another modification of the present invention is for the merchant’s machine to utilize the present process for hashing the transaction information. Additionally, the mechanism of the present invention also may be applied to transactions other than commercial credit card transactions. The preferred processes are easily adapted to any transaction in which a smart card is used to transmit sensitive information. Still further the transaction information may include any combination of information types from the customer and merchant with the exception of some private information, the master key, know only to the customer and the credit card issuer. However, the transaction information must provide the credit card issuer with a customer identifier for looking up the customer’s account and master key, and, of course, a merchant identifier to look up the merchant’s account. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.