WO2010114799A1 - Method and system for securing a payment transaction with trusted code base - Google Patents
Method and system for securing a payment transaction with trusted code base Download PDFInfo
- Publication number
- WO2010114799A1 WO2010114799A1 PCT/US2010/029075 US2010029075W WO2010114799A1 WO 2010114799 A1 WO2010114799 A1 WO 2010114799A1 US 2010029075 W US2010029075 W US 2010029075W WO 2010114799 A1 WO2010114799 A1 WO 2010114799A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- password
- code base
- trusted code
- mobile device
- transaction
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/325—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
- G06Q20/027—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP] involving a payment switch or gateway
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3227—Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3229—Use of the SIM of a M-device as secure element
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/356—Aspects of software for card payments
- G06Q20/3567—Software being in the reader
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1025—Identification of user by a PIN code
- G07F7/1091—Use of an encrypted form of the PIN
Definitions
- the present invention relates to data security and, more particularly, the securing of data in payment transactions.
- a modern point of sale system typically includes a terminal which accepts payment cards such as credit and debit cards.
- the merchant enters product and price information into the point of sale system.
- the customer may then initiate payment by swiping a payment card through a card reader or providing the card for the merchant to do so.
- the system then communicates via network with a transaction host that authorizes and processes the transaction on behalf of a financial institution that holds the account with which the payment card is associated.
- PIN personal identification number
- PED PIN Entry Device
- PIN before it is transmitted from the point of sale system to the transaction host, into a format essentially undecipherable by anyone without a corresponding decryption key.
- Conventional point of sale systems have typically employed symmetric (shared) key algorithms to encrypt the PIN. That is, the PIN is encrypted by the system using a secret key and then transmitted to the transaction host where it is decrypted using a secret key that is identical to the one used to encrypt it.
- symmetric key encryption is required by the transaction host.
- EBT Electronic Benefit Transfer
- the secret key used to encrypt the PIN is required to reside only within the PED into which the PIN is entered, and stringent physical requirements and regulations are applied to prevent physical or electronic tampering with the PED. Such measures may be prohibitively burdensome to merchants and, even when employed, may not entirely overcome the vulnerability of the shared secret key approach.
- FIG. 1 is a block diagram illustrating a system in which a secure payment transaction is performed in accordance with an embodiment of the present invention.
- FIG. 2 is a flow diagram illustrating a process performed by a mobile payment device to obtain a secure payment transaction in accordance with an embodiment of the present invention.
- FIG. 3 is a flow diagram illustrating a process performed by a cryptographic conversion host to secure a payment transaction in accordance with and embodiment of the present invention.
- FIG. 4 is a flow diagram illustrating a process performed by a transaction host to perform a secure payment transaction in accordance with an embodiment of the present invention.
- a method for obtaining a secure payment transaction on a mobile device A password is obtained from a customer and encrypted with a public key. The encrypted password is provided over a network and decrypted with a corresponding private key. The decrypted password is then applied to process the payment transaction.
- the public key encrypted password is transmitted to a cryptographic conversion host that decrypts the public key encrypted password with the corresponding private key, re-encrypts the password with a secret key, and then provides the secret key encrypted password to a transaction host that decrypts it with an identical secret key and applies the decrypted password to process the payment transaction.
- a trusted code base is provided for obtaining and encrypting the password.
- the trusted code base may be provided directly on the mobile device or, alternatively, on a removable system module such as a subscriber identity module residing on the mobile payment device. Access to the trusted code base by unauthorized processes is prevented to protect the password while unencrypted.
- the trusted code base can be digitally signed, and may include a digital certificate of the cryptographic conversion host.
- asymmetric key encryption is further provided to point of sale systems utilizing transaction hosts designed to accept symmetric key encrypted payment data.
- One advantage of enabling asymmetric key encryption in the point of sale system is that it allows for mobility of the payment device since it can utilize a public key to encrypt the payment data and is, therefore, no longer burdened with the restrictions associated with maintaining a secret key. This allows for password-based payment transactions to be performed by mobile devices such as PDAs and mobile phones, providing mobile payment capability with other practical functions in a single mobile communications device.
- Such transactions may include, for example, PIN-based electronic benefit transfer (EBT) transactions, where the EBT host is configured to receive and decrypt a symmetric key encrypted PIN.
- EBT electronic benefit transfer
- An aspect of the invention thus provides the capability of mobile payment for EBT transactions by utilizing asymmetric key encryption to encrypt the PIN in the mobile payment device and then converting the asymmetric key encrypted PIN to a symmetric key encrypted PIN as expected by the EBT host.
- FIG. 1 is a block diagram illustrating a system in which a secure payment transaction is performed in accordance with an embodiment of the present invention.
- the system 100 shown in FIG. 1 provides for a secure payment transaction to be made for the sale of goods or services to a customer 110 by a merchant 120 who maintains a mobile payment device 130.
- the mobile payment device 130 may be, for example, a Personal Digital Assistant (PDA) or mobile phone configured to perform the payment functions described herein.
- PDA Personal Digital Assistant
- the mobile payment device 130 has a processor, volatile and nonvolatile memory, and other hardware and firmware elements operating in accordance with system and application software appropriate to the functions it provides.
- the mobile payment device 130 also includes a user interface with input means such as a keypad or touchpad through which information can be entered and display means such as a small display screen providing information to the user.
- the mobile payment device 130 includes a mobile payment device operating system (MPD OS) 132 which runs applications and performs other operating system functions appropriate for mobile devices such as mobile phones and PDAs.
- MPD OS mobile payment device operating system
- the mobile payment device 130 also includes a subscriber identity module (SIM) 135.
- SIM subscriber identity module
- the subscriber identity module 135 is a smart card that is inserted in the mobile payment device 130.
- the subscriber identity module 135 contains data unique to the subscriber and can also be configured to control functions of the mobile payment device 130.
- the subscriber identity module 135 contains its own processor and memory and includes a subscriber identity module operating system (SLM OS) 137 that is capable of running independently of the mobile payment device operating system 132.
- SLM OS subscriber identity module operating system
- the mobile payment device 130 further includes a card reader through which a payment card such as a credit or debit card can be swiped.
- the card reader may be a magnetic stripe card reader, smart card reader, or any apparatus appropriate for reading data from a payment card.
- the card reader is an internal card reader included within the mobile payment device 130.
- the mobile payment device 130 can obtain the customer data from an external card reader (not shown) to which it is communicatively connected.
- the system 100 includes a network 140 over which transaction data necessary to process the payment transaction is transmitted.
- the network 140 is any suitable telecommunications network having a wireless network component through which the mobile payment device 130 communicates, allowing the mobile payment device 130 to have mobile capability.
- the system 100 is provided with a host, referred to herein as a cryptographic conversion host 150, which converts public key encrypted data into secret key encrypted data.
- the cryptographic conversion host 150 interfaces with the network 140 and includes a hardware security module 155 which generates and securely stores a private key it uses to decrypt the public key encrypted data and a secret key it uses to re-encrypt the decrypted data.
- a hardware security module 155 which generates and securely stores a private key it uses to decrypt the public key encrypted data and a secret key it uses to re-encrypt the decrypted data.
- the cryptographic conversion host 150 may be implemented in a number of different ways and may be, for example, part of a host system that performs other tasks such as data security functions.
- the system 100 further includes a transaction host 160 which obtains transaction data via the network 140 and processes the payment transaction on behalf of a financial institution 170 that holds the account of the customer 110 for the payment card that has been used.
- FIG. 2 is a flow diagram illustrating a process performed by the mobile payment device 130 to obtain a secure payment transaction in accordance with an embodiment of the present invention
- the mobile payment device 130 obtains from the merchant 120 purchase information such as the price of goods or services provided to the customer 110.
- the mobile payment device 130 obtains payment information from the customer 110, such as an authorization to charge the purchase to his or her payment card. For example, customer 110 swipes an Electronic Benefit Transfer (EBT) card through the card reader of the mobile payment device 130.
- EBT Electronic Benefit Transfer
- the mobile payment device 130 obtains a password from the customer
- PIN Personal Identification Number
- the mobile payment device 130 in step 230 obtains a PIN from the customer 110 via the input means provided by the mobile payment device 130, such as by the customer 110 entering the PIN on a keypad or touchpad of the mobile payment device 130.
- the keypad or touchpad is designed to emit a tone when pressed, and especially where different tones or tonal combinations are associated with different numeric or alpha-numeric selections such as with dual-tone multi-frequency (DTMF) tones, the PIN can be further protected from discovery by disabling tone emissions in the mobile payment device 130 during PIN entry.
- DTMF dual-tone multi-frequency
- the mobile payment device 130 stores the PIN obtained from the customer 110 in volatile memory within the mobile payment device 130.
- the PIN is stored in a buffer within the volatile memory that is locked to prevent any transference into a nonvolatile medium. This prevents the unencrypted PIN from being accessed by any other processes or recorded in any way that can be discovered thereafter.
- step 250 the mobile payment device 130 encrypts the PIN using an asymmetric
- the mobile payment device 130 applies an RSA algorithm utilizing Public Key Cryptography Standard (PKCS) #1 as defined by RSA Laboratories. Specifically, the mobile payment device 130 maintains an RSA public key previously generated by the hardware security module 155 of the cryptographic conversion host 150 which also generated and continues to maintain the corresponding RSA private key. The mobile payment device 130 places the PIN into the message portion of a PKCS #1 Type 2 encryption block and applies the RSA public key to encrypt the block. Immediately thereafter, in step 260, the mobile payment device 130 erases the buffer in nonvolatile memory in which the unencrypted PIN was stored.
- PKCS Public Key Cryptography Standard
- the functionality e.g., software and associated memory
- obtains and encrypts the PIN e.g. performs steps 230 to 260
- the trusted code base (which may also be referred to as a trusted computing base) is isolated from unauthorized processes (e.g., all other active processes) running on the mobile payment device 130 so as to prevent access to the PIN.
- unauthorized processes e.g., all other active processes
- a mobile payment device 130 running the Windows Mobile® operating system by Microsoft Corporation can employ the memory management unit (MMU) that is provided in the underlying computer system.
- MMU memory management unit
- an MMU is a hardware component capable of handling access to the memory by the processor and can be utilized to prevent access to unauthorized processes.
- the trusted code base can be digitally signed.
- the digital signature can then be verified by the operating system before allowing execution of the trusted code base. This will ensure that the software that performs steps 230 to 260 has not been tampered with while stored on the mobile payment device 130.
- An additional advantage of digitally signing the trusted code base can be realized by compiling a digital certificate of the cryptographic conversion host 150 into the trusted code base before it is digitally signed. Verification of the trusted code base thus ensures that the digital certificate has not been modified, preventing, for example, substitution of a foreign certificate that could perpetuate a "man in the middle" attack.
- the trusted code base is provided directly on the mobile payment device 130.
- the trusted code base is provided on a removable system module such as a subscriber identity module (SIM) 135 that is inserted in the mobile payment device 130.
- SIM subscriber identity module
- the subscriber identity module 135 is a removable smart card which includes its own memory, processor and subscriber identity module operating system 137 (e.g., Java Card) and can therefore prevent unintended access to the PIN by isolating the functionality that obtains and encrypts the PIN from other active processes running on the mobile payment device 130.
- the subscriber identity module 135 can be used to control primary functions of the mobile payment device 130, initial entry of the PIN can be adequately controlled by the SEVI-based trusted code base so as to protect the PEST from discovery or compromise.
- the SEvI operating system 137 functions independently of the mobile payment device operating system 132, and processes controlled by the SIM operating system 137 cannot be directly accessed by the operating system on the mobile payment device 130 or processes it controls.
- further protection of the PIN within the subscriber identity module 135 can be provided by limiting processes performed by the subscriber identity module 135 and/or by utilizing the security features native to the subscriber identity module operating system 137 to accomplish additional protection functions such as, where relevant, one or more of the trusted code base features described above.
- Providing the trusted code base on the subscriber identity module 135 also protects the PIN from discovery by physical means by automatically erasing stored data if the SIM card is tampered with.
- the mobile payment device 130 transmits the public key encrypted PIN via the network 140 to the cryptographic conversion host 150. Specifically, the mobile payment device 130 places the RSA public key encrypted PIN block into a transaction message and then transmits the transaction message to the cryptographic conversion host 150.
- the transaction message could be implemented in a variety of ways.
- the transaction message can be, for example, an ISO 8583 message which contains the PIN block along with other data related to the transaction.
- the mobile payment device 130 and cryptographic conversion host 150 secure the transmission using a cryptographic protocol such SSL 3.0 (Secure Sockets Layer version 3.0) which provides various security features including encryption, authentication and data integrity.
- SSL 3.0 Secure Sockets Layer version 3.0
- One of ordinary skill will recognize that available protocols may change and improve over time, and will apply a means of securing the transmission that is appropriate for the application and circumstances at hand.
- step 280 the mobile payment device 130 awaits an acknowledgement of successful processing of the payment transaction and displays a confirmation to the user that the transaction has been completed.
- the mobile payment device 130 contains only the public key and not the corresponding private key.
- the mobile payment device 130 is not vulnerable to compromise of a key used to decrypt the PIN, as has been the case for conventional PIN entry devices which use a symmetric (shared secret key) cryptography algorithm.
- FIG. 3 is a flow diagram illustrating a process performed by the cryptographic conversion host 150 to secure a payment transaction in accordance with a specific embodiment of the present invention.
- the cryptographic conversion host 150 obtains the public key encrypted PIN from the mobile payment device 130 via the network 140. Specifically, the cryptographic conversion host 150 obtains the transaction message described above from the mobile payment device 130 and extracts the RSA public key encrypted PIN block. The cryptographic conversion host 150 then passes the public key encrypted PIN block to the hardware security module 155.
- step 320 the cryptographic conversion host 150 decrypts the public key encrypted PIN.
- the hardware security module 155 securely maintains an RSA private key which corresponds to the RSA public key that was used by the mobile payment device 130 to encrypt the PIN.
- the hardware security module 155 applies the RSA private key to decrypt the RSA public key encrypted PIN block and extracts the PIN from the resulting decrypted PKCS #1 Type 2 encryption block.
- the cryptographic conversion host 150 re-encrypts the PIN using an asymmetric (secret key) cryptography algorithm.
- the cryptographic conversion host 150 applies a Triple Data Encryption Standard (3DES) algorithm to encrypt the PIN.
- the hardware security module 155 securely maintains a 3DES secret key which is identical to a secret key maintained by the transaction host 160.
- the identical secret keys are generated, for example, by a Derived Unique Key Per Transaction (DUKPT) process.
- the hardware security module 155 applies the 3DES secret key to encrypt the PIN, placing it into an encrypted PIN block and then passing the encrypted PIN block back to the cryptographic conversion host 150.
- DUKPT Derived Unique Key Per Transaction
- FIG. 4 is a flow diagram illustrating a process performed by a transaction host to perform a secure payment transaction in accordance with the present invention
- the transaction host 160 obtains the secret key encrypted PIN from the cryptographic conversion host 150.
- the transaction host 160 obtains the transaction message described above via, for example, the network 140 and extracts the secret key encrypted PIN block from the transaction message.
- step 420 the transaction host 160 decrypts the secret key encrypted PIN block.
- the transaction host 160 stores a 3DES secret key that is identical to the 3DES secret key applied by the cryptographic conversion host 150 to encrypt the PIN block.
- the transaction host 160 applies the 3DES secret key to decrypt the 3DES secret key encrypted
- PIN block and extracts the PIN from the decrypted PIN block.
- step 430 the transaction host 160 determines whether the PIN is valid by comparing it to data associated with the account of the customer 110 the particular transaction. If the PIN is valid, the transaction host 160 performs the transaction in step 450, debiting the account of the customer 110 by the purchase amount, and confirms the transaction in step 460, sending an appropriate confirmation message back to the mobile payment device 130 via the network 140. If the PIN is not valid, the transaction host 160 sends a rejection message back to the mobile payment device 130 via the network 140.
- a hash function may be applied to the PIN when it is entered into the mobile payment device 130.
- the resulting hash of the PIN rather than the PIN itself, would thereafter be encrypted and transmitted by the mobile payment device 130.
- the transaction host 160 upon decrypting the hash of the entered PIN it receives, the transaction host 160 would compare it to a hash of the expected PPN in order to confirm validity of the PIN and perform the transaction.
Abstract
Description
Claims
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2010232817A AU2010232817A1 (en) | 2009-03-30 | 2010-03-29 | Method and system for securing a payment transaction with trusted code base |
CA2794560A CA2794560A1 (en) | 2009-03-30 | 2010-03-29 | Method and system for securing a payment transaction with trusted code base |
EP10759266.9A EP2415003A4 (en) | 2009-03-30 | 2010-03-29 | Method and system for securing a payment transaction with trusted code base |
MX2011010306A MX2011010306A (en) | 2009-03-30 | 2010-03-29 | Method and system for securing a payment transaction with trusted code base. |
BRPI1015475A BRPI1015475A2 (en) | 2009-03-30 | 2010-03-29 | method and mobile device for secure payment transaction |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/414,446 US20100250441A1 (en) | 2009-03-30 | 2009-03-30 | Method and system for securing a payment transaction with trusted code base on a removable system module |
US12/414,446 | 2009-03-30 | ||
US12/414,423 | 2009-03-30 | ||
US12/414,423 US20100250442A1 (en) | 2009-03-30 | 2009-03-30 | Method and system for securing a payment transaction with a trusted code base |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010114799A1 true WO2010114799A1 (en) | 2010-10-07 |
Family
ID=42828648
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2010/029075 WO2010114799A1 (en) | 2009-03-30 | 2010-03-29 | Method and system for securing a payment transaction with trusted code base |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP2415003A4 (en) |
AU (1) | AU2010232817A1 (en) |
BR (1) | BRPI1015475A2 (en) |
CA (1) | CA2794560A1 (en) |
MX (1) | MX2011010306A (en) |
WO (1) | WO2010114799A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103337021A (en) * | 2013-05-08 | 2013-10-02 | 上海方付通商务服务有限公司 | Film card and secure transaction method based on same |
CN106603237A (en) * | 2015-10-16 | 2017-04-26 | 中兴通讯股份有限公司 | Security payment method and apparatus |
US20220092598A1 (en) * | 2020-09-24 | 2022-03-24 | Ncr Corporation | System and method for touchless pin entry |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030200184A1 (en) * | 2002-04-17 | 2003-10-23 | Visa International Service Association | Mobile account authentication service |
US20050049978A1 (en) * | 2003-08-06 | 2005-03-03 | Martin Kleen | Method for secure transaction of payments via a data network |
US20050160277A1 (en) * | 2000-07-06 | 2005-07-21 | Lasercard Corporation | Secure transactions with passive storage media |
US20060020811A1 (en) * | 2004-07-23 | 2006-01-26 | Data Security Systems Solutions Pte Ltd | System and method for implementing digital signature using one time private keys |
US20080189214A1 (en) * | 2006-10-17 | 2008-08-07 | Clay Von Mueller | Pin block replacement |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7516331B2 (en) * | 2003-11-26 | 2009-04-07 | International Business Machines Corporation | Tamper-resistant trusted java virtual machine and method of using the same |
WO2005109360A1 (en) * | 2004-05-10 | 2005-11-17 | Hani Girgis | Secure pin entry using personal computer |
US7844255B2 (en) * | 2004-12-08 | 2010-11-30 | Verifone, Inc. | Secure PIN entry device for mobile phones |
CA2922293C (en) * | 2005-01-28 | 2018-10-30 | Cardinal Commerce Corporation | System and method for conversion between internet and non-internet based transactions |
KR100834582B1 (en) * | 2006-07-26 | 2008-06-02 | 한국정보통신주식회사 | System for Payment |
CN101324942A (en) * | 2007-06-13 | 2008-12-17 | 阿里巴巴集团控股有限公司 | Payment system and method performing trade by identification card including IC card |
-
2010
- 2010-03-29 MX MX2011010306A patent/MX2011010306A/en not_active Application Discontinuation
- 2010-03-29 AU AU2010232817A patent/AU2010232817A1/en not_active Abandoned
- 2010-03-29 WO PCT/US2010/029075 patent/WO2010114799A1/en active Application Filing
- 2010-03-29 BR BRPI1015475A patent/BRPI1015475A2/en not_active IP Right Cessation
- 2010-03-29 EP EP10759266.9A patent/EP2415003A4/en not_active Withdrawn
- 2010-03-29 CA CA2794560A patent/CA2794560A1/en not_active Abandoned
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050160277A1 (en) * | 2000-07-06 | 2005-07-21 | Lasercard Corporation | Secure transactions with passive storage media |
US20030200184A1 (en) * | 2002-04-17 | 2003-10-23 | Visa International Service Association | Mobile account authentication service |
US20050049978A1 (en) * | 2003-08-06 | 2005-03-03 | Martin Kleen | Method for secure transaction of payments via a data network |
US20060020811A1 (en) * | 2004-07-23 | 2006-01-26 | Data Security Systems Solutions Pte Ltd | System and method for implementing digital signature using one time private keys |
US20080189214A1 (en) * | 2006-10-17 | 2008-08-07 | Clay Von Mueller | Pin block replacement |
Non-Patent Citations (1)
Title |
---|
See also references of EP2415003A4 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103337021A (en) * | 2013-05-08 | 2013-10-02 | 上海方付通商务服务有限公司 | Film card and secure transaction method based on same |
CN106603237A (en) * | 2015-10-16 | 2017-04-26 | 中兴通讯股份有限公司 | Security payment method and apparatus |
US20220092598A1 (en) * | 2020-09-24 | 2022-03-24 | Ncr Corporation | System and method for touchless pin entry |
US11887120B2 (en) * | 2020-09-24 | 2024-01-30 | Ncr Atleos Corporation | System and method for touchless pin entry |
Also Published As
Publication number | Publication date |
---|---|
CA2794560A1 (en) | 2010-10-07 |
EP2415003A4 (en) | 2013-05-01 |
BRPI1015475A2 (en) | 2016-04-26 |
AU2010232817A1 (en) | 2011-11-17 |
EP2415003A1 (en) | 2012-02-08 |
MX2011010306A (en) | 2012-01-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20100250442A1 (en) | Method and system for securing a payment transaction with a trusted code base | |
US20090281949A1 (en) | Method and system for securing a payment transaction | |
US10595201B2 (en) | Secure short message service (SMS) communications | |
US20190043299A1 (en) | System and method for selective encryption of input data during a retail transaction | |
KR100791432B1 (en) | Providing a user device with a set of access codes | |
US9852418B2 (en) | Trusted service manager (TSM) architectures and methods | |
US20140143150A1 (en) | Electronic payment method and device for securely exchanging payment information | |
US6990471B1 (en) | Method and apparatus for secure electronic commerce | |
EP2481230B1 (en) | Authentication method, payment authorisation method and corresponding electronic equipments | |
US20100250441A1 (en) | Method and system for securing a payment transaction with trusted code base on a removable system module | |
US20090222383A1 (en) | Secure Financial Reader Architecture | |
EP2098985A2 (en) | Secure financial reader architecture | |
US20120095919A1 (en) | Systems and methods for authenticating aspects of an online transaction using a secure peripheral device having a message display and/or user input | |
CN102667800A (en) | Method for securely interacting with a security element | |
CN113595714A (en) | Contactless card with multiple rotating security keys | |
WO2010114799A1 (en) | Method and system for securing a payment transaction with trusted code base | |
KR101394147B1 (en) | How to use Certificate safely at Mobile Terminal | |
JP2012186604A5 (en) | ||
JP2012186604A (en) | Portable terminal verification system capable of verifying that encryption function for encrypting pin is implemented in portable terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10759266 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: MX/A/2011/010306 Country of ref document: MX |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010759266 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2010232817 Country of ref document: AU Date of ref document: 20100329 Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2794560 Country of ref document: CA |
|
REG | Reference to national code |
Ref country code: BR Ref legal event code: B01A Ref document number: PI1015475 Country of ref document: BR |
|
ENP | Entry into the national phase |
Ref document number: PI1015475 Country of ref document: BR Kind code of ref document: A2 Effective date: 20110930 |