|Publication number||US20100057561 A1|
|Application number||US 12/616,440|
|Publication date||Mar 4, 2010|
|Filing date||Nov 11, 2009|
|Priority date||Dec 16, 1993|
|Also published as||DE69431306D1, DE69431306T2, EP0734556A1, EP0734556A4, EP0734556B1, EP1235177A2, EP1235177A3, US5724424, US6049785, US6195649, US6199051, US6205437, WO1995016971A1|
|Publication number||12616440, 616440, US 2010/0057561 A1, US 2010/057561 A1, US 20100057561 A1, US 20100057561A1, US 2010057561 A1, US 2010057561A1, US-A1-20100057561, US-A1-2010057561, US2010/0057561A1, US2010/057561A1, US20100057561 A1, US20100057561A1, US2010057561 A1, US2010057561A1|
|Inventors||David K. Gifford|
|Original Assignee||Soverain Software Llc|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (7), Non-Patent Citations (1), Referenced by (2), Classifications (45)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This application is a continuation of U.S. patent application Ser. No. 09/711,511, filed on Nov. 14, 2000, and entitled “Digital Active Advertising,” which is a continuation of U.S. patent application Ser. No. 09/033,143, filed on Mar. 2, 1998, now U.S. Pat. No. 6,195,649, entitled “Digital Active Advertising,” which is a continuation of U.S. patent application Ser. No. 08/563,745, filed on Nov. 29, 1995, now U.S. Pat. No. 5,724,424, entitled “Digital Active Advertising,” which is a continuation of U.S. patent application Ser. No. 08/168,519, filed on Dec. 16, 1993, entitled “Digital Active Advertising,” the entirety of each of which is herein incorporated by reference.
The recent rapid growth of information applications on international public packet-switched computer networks such as the Internet suggests that public computer networks have the potential to establish a new kind of open marketplace for goods and services. Such a marketplace could be created with a network sales system that comprises a plurality of buyer and merchant computers, means for the users of the buyer computers to display digital advertisements from the merchant computers, and means for the users to purchase products described by the advertisements.
A network based sales system will need to allow users to preview products at little or no cost, and will need to make a large number of product advertisements available in a convenient manner. In addition, the shopping system will need to include easy-to-use facilities for a user to purchase desired products using a merchant independent payment method. In addition the network sales will need to allow new buyers and merchants to enter the market.
A central requirement for a marketplace is a payment mechanism, but at present no merchant independent payment mechanism is available for computer networks that permits users to utilize conventional financial instruments such as credit cards, debit cards, and demand deposit account balances. We expect that both retail payment and wholesale payment mechanisms will be required for networks, with consumers using the retail mechanism for modest size purchases, and institutions using the wholesale mechanism for performing settlement between trading partners. For wide acceptance the retail mechanism will need to be a logical evolution of existing credit-card, debit-card, and Automated Clearing House facilities, while for acceptance the wholesale mechanism will need to be an evolved version of corporate electronic funds transfer.
These problems of have been approached in the past by network based sales systems wherein, for example, each merchant maintains an account for each user. A user must establish an account with each merchant in advance in order to be able to utilize the merchant. The prior art network based sales systems are not designed to allow users to use their existing credit card and demand deposit accounts for payment, nor are they designed to allow for programs to be included in digital advertisements.
According, therefore, it is a primary objective of this invention to provide a user interactive network sales system in which the user can freely use any merchant of choice and utilize existing financial instruments for payment. Other objects include a network sales system which provides a high-quality user interface, which provides users with a wide variety and large volume of advertisements, which is easily extensible to new services, and which is easily expanded to new applications within the existing infrastructure of the system.
Still other objects of the invention are to provide a network payment system that will authorize payment orders and remove part of the risk of fraud from merchants.
An unavoidable property of public computer networks is that they are comprised of switching, transmission, and host computer components controlled by many individuals and organizations. Thus it is impossible for a network payment system to depend upon a specified minimum required degree of software, hardware, and physical security for all of the components in a public network. For example, secret keys stored in a given user's personal computer can be compromised, switches can be tampered with to redirect traffic, and transmission facilities can be intercepted and manipulated.
The risk of performing retail payment in a public network is compounded by statutes that make a payment system operator in part liable for the security lapses of its users. Existing Federal statutes in the United States, including the Electronic Funds Transfer Act and the Consumer Credit Protection Act, require the operator of a payment mechanism to limit consumer liability in many cases. Payment system operators may have other fiduciary responsibilities for wholesale transactions. Similar responsibilities exist in other countries for retail and wholesale transactions.
In existing credit card payment systems, a credit card's issuing bank takes on the fraud risk associated with misuse of the card when a merchant follows established card acceptance protocols. Acceptance protocols can include verifying a card holder's signature on the back of their card and obtaining authorization for payments over a certain value. However, in network based commerce a merchant can not physically examine a purchasers credit card, and thus the fraud risk may revert to the merchant in so called “card not present” transactions. Many merchants can not qualify to take this risk because of their limited financial resources. Thus the invention is important to allow many merchants to participate in network based commerce.
Other objects of the invention include utilizing existing financial instruments such as credit cards, debit cards, and demand deposit accounts for merchant payments.
Existing network payment systems do not connect to the financial system for authorization and are not compatible with conventional financial instruments. Existing network payment systems include the Simple Network Payment Protocol [Dukach, S., SNPP: A Simple Network Payment Protocol, MIT Laboratory for Computer Science, Cambridge, Mass., 1993.], Sirbu's Internet Billing Server [Sirbu, M. A., Internet Billing Service Design and Prototype Implementation, Information Networking Program, Carnegie-Mellon University, 1993], and NetCash [Medvinsy, G., and Newman, B. C., NetCash: A Design for Practical Electronic Currency on the Internet, Proc. 1st ACM Conf. on Comp. and Comm. Security, November, 1993].
A further object of the invention is to allow users in an untrusted network environment to use conventional financial instruments without requiring modification to existing financial system networks.
The following definitions apply to the present invention. A principal is a person, company, institution, or other entity that is authorized to transact business as part of a network payment system. A payment order describes the identity of a sender, a payment amount, a beneficiary, and a sender unique once. A sender is a principal making a payment. A beneficiary is a principal to be paid by the payment system. A sender unique nonce is an identifier that is used only once by a given sender. An example of sender unique nonces are unique timestamps. An external account is an account that can be used to settle a payment order for either a sender or a beneficiary in the external financial system. Examples of external accounts include demand deposit accounts and credit card accounts. An external device is a physical object that is kept in the possession of a user for the purpose of identifying the user.
A network payment system is a service that authorizes and executes digital payment orders that are backed by external accounts. A payment system authenticates a payment order, checks for sufficient funds or credit, and then originates funds transfer transactions to carry out the payment order. A payment system acknowledges acceptance or rejection of a payment order. More than one payment system may exist on a given network, and a given payment system may operate on more than one host to increase its reliability, availability, and performance. An authenticator is a digital value that is appended to a payment order and becomes part of the payment order that authenticates the payment order as genuine.
The invention relates to a network sales system for enabling users to purchase products using a plurality of buyer computers that communicate over a network with a plurality of merchant computers. Each merchant computer has a database of digital advertisements. Each digital advertisement includes a price and a product abstract. Buyer computers request, display, and respond to digital advertisements from merchant computers. Users can purchase products with their buyer computers after they have specified an account to pay for the purchase. A network payment service is used to authorize the purchase before merchant fulfillment is performed.
In a particular aspect of the invention, the merchant computer can request account information when it is not provided by the buyer computer. In another aspect of the invention, the buyer computer can present to a merchant a pre-authorized payment order that is obtained from a network payment system.
In another aspect of the invention, an electronic sales system contains digital advertisements that include programs. The programs are executed on behalf of a user by a buyer computer, and can lead to a purchase request directed to a merchant computer that performs product fulfillment.
In another aspect of the invention a network payment system executes payment orders. A payment order includes a sender, a beneficiary, a payment amount, and a nonce identifier. A payment order is signed by a client computer with an authenticator that is checked by the payment system. Payment orders are backed by accounts in the banking system, and are authorized by the network payment system by sending messages into a financial authorization network that knows the status of these accounts. The payment system accomplishes settlement by sending messages into an existing financial system network.
In another aspect, payment orders are authenticated based on the delivery address they specify. In another aspect, the payment system will specify in its authorization legal delivery addresses. In another aspect, authenticators for payment orders are based on one-time transaction identifiers that are known only to the user and the payment system. In another aspect, payment orders for a given sender are only accepted from certain client computer network addresses. In another aspect, the network payment system sends messages into a financial authorization system in real-time before the network payment system will authorize a payment order.
Other objects, features, and advantages of the invention will appear from the following description taken together with the drawings in which:
A network sales system 200 as shown in
A digital advertisement includes a product description and a price. In digital advertisement database 65 prices and descriptions may be stored separately, and one price may apply to many product descriptions.
In an alternate embodiment, the network sales system further includes external devices that are kept in the possession of users so that the users can authenticate themselves when they use a buyer computer.
The software architecture underlying the particular preferred embodiment is based upon the hypertext conventions of the World Wide Web. Appendix A describes the Hypertext Markup Language (HTML) document format used to represent digital advertisements, Appendix B describes the HTML forms fill out support in Mosaic 2.0, Appendix C is a description of the Hypertext Transfer Protocol (HTTP) between buyer and merchant computers, and Appendix D describes how documents are named with Uniform Resource Locators (URLs) in the network of computers. A document is defined to be any type of digital data broadly construed, such as multimedia documents that include text, audio, and video, and documents that contain programs.
In an alternate embodiment, document 22 is executed at 23 as a program. A program is defined as a set of instructions that can exhibit conditional behavior based upon user actions or the environment of the buyer computer. As is known to those skilled in the art, there are many techniques for representing programs as data. The program can be interpreted or it can be directly executed by the buyer computer. The program when executed will cause the buyer computer to interact with the user leading to the user purchase request 24, and the purchase message 25.
The merchant computer then attempts to construct a payment order at 26 using the information it has gathered about the user. The buyer computer may have previously supplied certain credentials using fill out forms or other account identification means such as providing the network address of the buyer computer in the normal course of communication. If the buyer computer is able to construct a complete payment order at 26 the payment order is sent to a payment computer for authorization at 27. If a payment order can be constructed, processing continues at 28.
Alternatively, the buyer computer may construct the payment order at 24 and send it to the merchant computer at 25. In this case, the payment order assembly steps at 26, at the merchant computer, may only need to forward the payment order from the buyer computer.
A payment order includes user account information, merchant account information, an amount, and a nonce identifier that has not been previously used for the same user account. Variations of payment orders can be constructed, including payment orders that specify user or merchant identifiers in place of account information, payment orders that specify a valid time period, payment orders that specify foreign currencies, and payment orders that include comment strings. Part of the process of constructing a payment order is creating a corresponding authenticator using one of the authenticator methods described below.
In the illustrated embodiment of
In either case, the flowchart continues in
In an alternate embodiment, step 30 can encrypt the document using a key that is known to the buyer computer. As is known to those skilled in the art, the key can be communicated to the merchant computer using convention key distribution protocols. In this manner the document will be protected from disclosure to other users.
The fulfillment step at 30 can alternatively schedule a physical product to be shipped via ordinary mail or other means. This can be accomplished by updating a fulfillment request database or by sending a message to a shipping system. In this case the response at 31 is a confirmation that the product has been scheduled to ship. In this way the network sales system can implement an electronic mail order system.
When purchase button 48 is activated, a document 51 is sent by the merchant computer and displayed by the buyer computer as shown in
The buyer computer then proceeds at 57 to send a pre-authorized purchase request to the merchant computer. The unforgable certificate 56 is included in a purchase message at 57 that is sent at 58 to the merchant computer. Based upon the pre-authorized payment order the merchant computer performs fulfillment at 59 and returns the product at 60. In a variation, the merchant computer at 59 checks to ensure the payment order has not been previously used. This can be accomplished by checking with a payment computer or maintaining a merchant computer database of previously accepted payment orders. The unforgable certificate created at step 56 does not need to include the user account information. This variation is useful if the user wishes to make purchases and remain anonymous to the merchant.
A Network Payment System
A network payment system 300 as shown in
In an alternate embodiment, the network payment system further includes external devices that are kept in the possession of users so that the users can authenticate themselves when they use a buyer computer.
Account database 73 maintains temporal spending amounts, such as the amount spent in the current day, and also maintains temporal spending limits. The account database may also maintain a translation between principal identifiers and external account identifiers. Settlement database 74 records committed payment orders along with any authorization information for the orders that was obtained from interface 78. Address database 75 maintains for each sender a list of authorized buyer computer and delivery addresses. Credential database 76 maintains a list of credentials for principals and information that can be used to authenticate principals.
If the payment order is authentic and address restrictions are desired, at 83, either or both of the client computer address or the specified delivery address can be checked against address database 75. If address restrictions are desired and if the addresses in the payment order are not in the database, the payment computer sends a rejection message to the client computer. Address database 75 specifies, for each principal, acceptable client computer addresses and delivery addresses. A delivery address can be a network address, or a street address for packaged goods. As is known in the art, database 75 can include wild-card specifications and similar techniques to reduce its size. For example, database 75 could contain an entry for principal identifier “*@acme.com” restricting legal delivery addresses to “computer: *.com”, “computer: cmu.edu”, and “surface: *, 34 Main Street, Anytown, U.S.A.”, indicating that any user at the company Acme can order products to be delivered to the network address at Acme or the university CMU, or to anyone at 34 Main Street, Anytown, U.S.A.
If payment order address restrictions are not desired or have been checked, processing continues at 84 where the payment order is checked for replay and temporal spending limits. Replay is checked for by making sure that the sender did not previously present a payment order with the same nonce by checking an index of committed payment orders by nonce in settlement database 74. If nonces are based on time, then a payment order that is older than an administratively determined value can be rejected out of hand. Time based nonces or sequential nonces permit old nonces to be removed from the settlement database 74. If a payment order has been previously processed or its nonce is too old, the payment order computer sends a rejection message to the client.
After the payment order passes the replay check, temporal spending limits are checked in account database 73. These spending limits can be applied on a per sender, per group of senders, and per payment system basis to limit fraud risk. The limits can be applied to any duration of time, for example a maximum spending amount per hour or per day. If the payment order would violate a spending limit, the payment computer sends a rejection message to the client.
Once the payment order passes the temporal spending check at 84, a message is constructed at 85 to check that the external account that backs the sender's payment system account has adequate funds or credit. If the sender identifier in the payment order is not already an account number in the external financial system, it is translated into a corresponding account number in the external financial system using account database 73. A real-time authorization request message is sent at 86 to the external financial system over interface 78. If the external financial system approves authorization request 86, an authorization message is returned at 87. If request 86 is not approved, the payment computer sends a rejection message to the client at 87.
In a variation of the above described approach, processing continues at 95 after 84. At 95 real-time authorization is only obtained when the total of a sender's payments since the last real-time authorization reaches a preset value, or the payment order is over a preset amount. These preset values can be optionally recorded on a per principal basis in database 73 or can be administratively determined for all principals. In this manner, the number of messages to the external financial system can be reduced. In addition, the payment system can avoid making real-time authorization requests for small payments when the risk is acceptable to the payment system operator. If real-time authorization is necessary, processing continues at 85 after 95. If real-time authorization is not necessary for a request, at 100 the payment order amount is added to the sender's total of payments since the last real-time authorization in database 73, and processing continues at 88.
In another variation after 100 a check is made at 101 in database 73 to see if a background authorization process should be scheduled. A background authorization process permits the payment computer to continue its normal processing while it checks with the financial authorization network on the sender's account. This mechanism can be used to limit payment system risk. If the background authorization fails, the account is suspended by so updating database 73. If the sender's total of payments since last authorization is over a preset value stored in 73 then a background authorization process is scheduled at 102. Otherwise processing continues at 88.
In another variation, at 95 and 101 authorizations are obtained based on the amount spent since last authorization and time since last authorization.
At 88 the payment order is committed to execution and is recorded in settlement database 74. Recorded with the payment order in database 74 are portions of authentication message 87 that show that the payment computer contacted the remote financial system. The amount of the payment order is added to running temporal spending records in database 73, and an authorization message is sent to the client computer at 90. The authorization message includes the payment order. In an alternate embodiment, at 90 the authorization message contains a truncated payment order that includes at least the payment order's sender and the payment order's unique nonce.
In an alternate embodiment, the authorization message sent to the client at 90 includes at least one legal delivery addresses for the sender as determined from database 75.
Authorization message 90 must be transmitted in such a way that the client computer can be sure that it came from the payment computer. At 89 a payment system specific authenticator is added payment order. At 91 this authenticator is checked by the client computer. The steps at 89 are a dual of step 80, and the steps at 91 are a dual of step 82. The authentication means for steps 89 and 91 are described below.
Finally, settlement is performed at 92 in the external financial system 77 between external accounts that correspond to the sender and the beneficiary. If settlement is accomplished as part of real-time authorization at steps 86 and 87, as may occur in a real-time debit network, then no other steps need to be taken. If settlement is not accomplished as part of the authorization process, then financial system messages are sent to interface 77 to effect settlement. Depending on the external accounts involved, these messages may include electronic funds transfer messages or automated clearinghouse messages.
In an alternate embodiment, at 92 settlement messages are sent to reconcile net transfer balances between principles on a temporal basis, for example once a day. In this embodiment the number of settlement messages can be less than the number of payment orders.
Authenticators may be created and checked using one of the following methods. The payment computer can use any of the first four methods, and the client computer can use any of the methods described.
In a first method for authenticators, at steps 80 or 89, a digest of the payment order is signed by the sending computer using a public-key cryptographic system such as RSA. This signature is used as the authenticator. As is well known in the art, the signing can be accomplished using a private key created from a public-key pair, where the signing key is only known by the signer, and the other public key is known to the receiving computer. At the payment computer the public key corresponding to each sender is kept in credential database 76. The private key for the payment service is also kept in database 76. At steps 82 or 91, the signature of the received message is checked using the public key known to the receiving computer.
In a second method for authenticators, at steps 80 or 89, a digest of the payment order is signed by the sending computer with a private key cryptosystem such as DES. This signature is used as the authenticator. At the payment computer, the private key corresponding to each sender is kept in credential database 76. At step 80, a digest of the payment order is signed by the client computer, and at step 89 a digest of the payment order with an added approval code is signed by the payment computer using the same private key. At steps 82 or 91, the signature of the received message is checked using the shared private key.
In a third method for authenticators, at step 80 the authenticator is computed by a protected device external to the system such as a Smart-Card. A protected device is specifically designed to be extremely difficult both to replicate and to compromise. In this method, the payment order is communicated at 80 to a Smart-Card. The Smart-Card computes and signs a digest of the payment order, and then communicates the signature back at 80 to be used as an authenticator. A Smart-Card produced authenticator uniquely associates a payment order with its creating Smart-Card. This is accomplished by having the Smart-Card contain a secret key “K” that is used to create a digital signature of the payment order. “K” is never released outside of the Smart-card. The Smart-Card is designed to make it computationally infeasible to compute “K” even with possession of the device. In this method, at step 82, a signature checking key from database 76 is used to check the authenticator. In an alternate embodiment, a user must manually signal their acceptance of each payment order on an input device that is part of the external device before the authenticator is created by the external device.
In a fourth method for authenticators, at steps 80 or 89, a network address is used as an authenticator. At steps 82 or 91, a digest of the payment order is sent back to the specified network address along with a random password. The computer at the specified network address must then return the payment order digest along with the password. If the network guarantees to deliver messages to the proper network address, this method will guarantee that the user or computer at the specified network address approves of the payment order. Assuming that network delivery is trusted, this method can be used to authenticate a sender computer's network address in a payment order. Alternatively, electronic mail can be used to send such confirmation messages between a user and the payment system.
In a fifth method for authenticators, at step 80, the authenticator is produced by an external device that produces a sequence of non-predicable transaction identifiers that are device specific. The authenticator is entered by the user into the client computer by reading its display. One such device is described in U.S. Pat. No. 4,856,062. According to this method, at step 91, the authenticator can be checked using the sender specific fixed code of the device which is kept in database 76. This sequence of steps is also shown in
In a sixth method for authenticators, at step 80, the authenticator is obtained by querying the user for a transaction identifier that is the next string from a physical list of one-time authorization strings. Such as list could be produced on a card, and the user can cross off authorization strings as they are used. According to this method, at step 91, the authenticator is checked against the next expected string from the sender using database 76. Database 76 can hold for each sender a list of random authorization strings, or can hold a sender specific secret key that was used to generate the list of authentication strings along with how many strings have been used so far. This sequence of steps is also shown in
In a seventh method for authenticators, at step 80 the authenticator is a previously obtained personal identification number (PIN) for the user. In this method in 91 the authenticator is checked against the expected PIN for the sender using database 76.
As will be obvious to one skilled in the art, any of the methods for creating authenticators can be used together to increase system security. For example, authenticator method six can be used to create an authenticator based on a transaction identifier, and then a payment order including a transaction identifier can be given a further authenticator using authenticator method one. In this example the resulting authenticators would be checked with their respective methods.
A digest of a payment order can be created with an algorithm such as MD5 [R. Rivest, The MD5 Message-Digest Algorithm, MIT Laboratory for Computer Science, Network Working Group Request for Comments 1321]. Alternatively, a digest can be the entire payment order or other functions of the payment order's component parts.
In addition in both the sales and payment systems alternate authenticator techniques can be used such as those described by Voydock and Kent in “Security Mechanisms in High-level Network Protocols”, Computing Surveys Vol. 15, No. 2, June 1983. As will be appreciated by those skilled in the art, two-way authenticated byte-stream or remote procedure call interface connections that protect against replay can replace our message based authenticators.
Additions, subtractions, deletions, and other modifications of the described embodiment will be apparent to those practiced in the art and are within the scope of the following claims.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US4386266 *||Feb 11, 1980||May 31, 1983||International Business Machines Corporation||Method for operating a transaction execution system having improved verification of personal identification|
|US4992940 *||Mar 13, 1989||Feb 12, 1991||H-Renee, Incorporated||System and method for automated selection of equipment for purchase through input of user desired specifications|
|US5319542 *||Sep 27, 1990||Jun 7, 1994||International Business Machines Corporation||System for ordering items using an electronic catalogue|
|US5383113 *||Jul 25, 1991||Jan 17, 1995||Checkfree Corporation||System and method for electronically providing customer services including payment of bills, financial analysis and loans|
|US5475585 *||Feb 2, 1994||Dec 12, 1995||Bush; Thomas A.||Transactional processing system|
|US5694551 *||Apr 24, 1995||Dec 2, 1997||Moore Business Forms, Inc.||Computer integration network for channeling customer orders through a centralized computer to various suppliers|
|WO1991016691A1 *||Apr 10, 1991||Oct 31, 1991||Jonhig Ltd||Value transfer system|
|1||*||"ALANTEC: ALANTEC Delivers Another Industry First; IP Multicast Routing Support for Desktop Video Conferencing and Broadcast Video." Business Editors and Computer Writers, San Jose, Calif, August 16, 1993.|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7908150 *||May 3, 2002||Mar 15, 2011||Jean-Luc Rochet||System and a method for performing personalised interactive automated electronic marketing of the marketing service provider|
|US20040204952 *||May 3, 2002||Oct 14, 2004||Jean-Luc Rochet||System and a method for performing personalised interactive automated electronic marketing of the marketing service provider|
|U.S. Classification||705/14.49, 705/14.73|
|International Classification||G06Q10/00, G06Q30/00, G06Q20/00, B65G61/00, G06F13/00, G06F17/30, G07F7/00|
|Cooperative Classification||G06Q30/02, G06Q20/10, G06Q20/385, G06Q30/0609, G06Q20/023, G07F7/00, G06Q20/401, G06Q30/0253, G06Q30/0601, G06Q20/085, G06Q30/06, G06Q20/12, G06Q10/087, G06Q30/0277, G06Q20/027, G06Q30/0251, G06Q20/02, G06Q20/04|
|European Classification||G06Q20/04, G06Q30/02, G06Q20/12, G06Q20/02, G06Q30/06, G06Q10/087, G06Q20/10, G06Q20/027, G06Q20/085, G06Q30/0277, G06Q20/385, G06Q30/0253, G06Q30/0609, G06Q20/401, G06Q20/023, G06Q30/0601, G06Q30/0251, G07F7/00|