WO2002027624A1 - System and method for processing a secure consumer transaction through a network - Google Patents


Info

Publication number
WO2002027624A1
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
consumer
server
consumer computer
network
Application number
PCT/US2001/030758
Other languages
French (fr)
Inventor
Greg Chapman
Rogel Patawaran
Original Assignee
R G Tecq Inc
Application filed by R G Tecq Inc filed Critical R G Tecq Inc
Priority to AU2001294952A priority Critical patent/AU2001294952A1/en
Publication of WO2002027624A1 publication Critical patent/WO2002027624A1/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/06Buying, selling or leasing transactions

Definitions

  • the present invention relates to a method and system for processing a secure consumer transaction through a computer network.
  • Computer networks have been established to interconnect a large number of computers.
  • networks including local area networks (LANs), metropolitan area networks (MANs) and wide area networks (WANs).
  • LANs local area networks
  • MANs metropolitan area networks
  • WANs wide area networks
  • PDNs public data networks
  • TCP/IP internet protocol
  • the Internet includes a number of routers that route information transmitted between computers and computer systems.
  • the routers contain memory, logic circuitry, etc. that receives information, determines a destination for the information, and then transmits the information.
  • server computer systems have been connected to the Internet.
  • the server may contain a web site written in a Hypertext Markup Language (HTML) that can be readily transmitted to another computer for viewing by an end user of the system.
  • the web site may have a graphical user interface (GUI) that allows the end user to interact with the site.
  • GUI graphical user interface
  • the confidential information may be a credit card number, or a personal identification number (PIN) associated with an automatic teller machine (ATM) card.
  • PIN personal identification number
  • ATM automatic teller machine
  • the debit/credit information is transmitted into the network by the consumer's computer.
  • the information is routed by routers, and then stored and processed by both the merchant and financial information servers/systems.
  • the confidential credit/debit information may be illegally accessed during the transmission or retention processes.
  • a secure socket layer (SSL) protocol has been widely used to encrypt data transmitted through the Internet.
  • SSL protocol allows client computers to exchange certified public keys, set up a session key, encrypt data, authenticate digital signatures and decrypt data.
  • U.S. Patent Nos. 5,461,217; 5,367,572; 5,524,073; 5,524,072; 5,493,613; 5,517,569 and 5,809,143 all disclose systems for entering credit/debit information through a pin pad and/or magnetic reader and then encoding/encrypting the information for transmission through a network.
  • the '143 patent discloses a secure keyboard that encrypts confidential information, and then transmits the encrypted information to a secure host computer. The host computer can then send a request to a bank server and a merchant server to complete a commercial transaction. In this system the merchant server receives the confidential information. The merchant server thus provides another point of entry for illegal access to the information.
  • Systems and security methods of the prior art are still susceptible to illegal access of the consumer's confidential information. It would be desirable to provide a system and method that enhanced the security of a consumer transaction through a network.
  • One embodiment of the present invention includes a consumer computer that is coupled to a merchant server through a network.
  • the network also couples the merchant server and the consumer computer to a transaction server.
  • the transaction server can be coupled to a processing network that can authorize a consumer transaction between the consumer computer and the merchant server.
  • the transaction server can transmit a transaction process to the consumer computer.
  • the transaction process may include a proprietary encryption algorithm that encrypts confidential information that is transmitted to the transaction server in a request to authorize the transaction between the consumer computer and the merchant server.
  • the confidential information may be located within two or three layers of encryption.
  • the transaction server obtains authorization from the processing network. The authorization is provided to the merchant server and consumer computer so that the consumer transaction can be completed. The confidential information is then purged from the transaction server.
  • Figure 1 is an illustration of an embodiment of a network system of the present invention
  • Figure 2 is a schematic showing a consumer computer of the network
  • Figures 3a-d are flowcharts showing a method for processing a consumer transaction through the network.
  • the present invention includes a method and system for processing secure consumer transactions through a network.
  • the system includes a consumer computer that is coupled to a merchant server through a network.
  • a consumer can "shop" on a web site provided by the merchant server. After selecting the goods and/or services to be purchased the consumer can then enter a request to "checkout" and complete the sale.
  • the merchant server instructs the consumer computer to upload a transaction process from a transaction server.
  • the transaction process may include a proprietary encryption algorithm.
  • the consumer may enter confidential credit/debit information by either swiping a credit card or automated teller machine (ATM) card through a magnetic reader coupled to the computer.
  • a personal identification number (PIN) is also entered through a pin pad when an ATM card is used by the consumer.
  • the confidential information is encrypted by the proprietary encryption algorithm and then encrypted again when transmitted to the transaction server with a secure socket layer (SSL) protocol. If an ATM card is used the PIN may be initially encrypted within the pin pad before being encrypted by the proprietary encryption algorithm.
  • the confidential information may therefore have three layers of encryption, pin pad encryption, proprietary algorithm encryption and SSL encryption.
  • the consumer computer transmits the encrypted confidential information in an authorization request provided to the transaction server.
  • the transaction server decrypts the data and transmits an authorization request to a processing network.
  • the processing network may include a bank server that transmits an authorization grant to the transaction server.
  • the transaction server then transmits an authorization id message to the merchant server and the consumer computer so that the transaction can be completed.
  • the merchant server does not receive the confidential information from either the consumer computer or the merchant server.
  • the confidential information is purged from the transaction server.
  • the three layers of encryption decrease the likelihood of a successful illegal access of the confidential information. Additionally, security is enhanced because the confidential information is not provided to the merchant server and not retained by the transaction server. Uploading the transaction process and the proprietary encryption algorithm further reduces the likelihood of a third party illegally accessing the confidential information.
  • the proprietary algorithm is only resident on the transaction server. A network firewall may be placed between the transaction server and the network to prevent illegal access to the server.
  • Figure 1 shows an embodiment of a system 10 of the present invention.
  • the system 10 may include a consumer computer 12 that is coupled to a network 14.
  • the network 14 may include various routers, computers, etc. interconnected and operated in accordance with TCP/IP protocols and commonly referred to as the Internet.
  • an Internet network is described, it is to be understood that other networks can be employed in the present invention.
  • the system 10 may further have a merchant server 16 coupled to the network 14.
  • the merchant server 16 may have a resident web site that allows a consumer to purchase goods and/or services.
  • the merchant server 16 may also have resident at least a portion of a program that allows a secure consumer transaction to occur through the network 14. This program will hereinafter be referred to as the Autotecq program.
  • the consumer computer 12 may also have a portion of the Autotecq program resident within the computer 12.
  • Both the consumer computer 12 and the merchant server 16 can be coupled to the network by an Internet Service Provider (ISP) connection 18.
  • ISP Internet Service Provider
  • the system 10 may further have a transaction server 20 that is coupled to the network 14 by a router 22 through an ISP connection 18.
  • the transaction server 20 may operate with the LINUX operating system.
  • the transaction server 20 may operate with other operating systems.
  • the transaction server 20 has resident at least a portion of the Autotecq program.
  • the system 10 may further have a firewall 24 to prevent illegal access to the transaction server 20.
  • the transaction server 20 may be coupled to a processing network 26.
  • the processing network 26 may include a bank server (not shown) that can process an authorization request to complete a consumer transaction.
  • the processing network 26 may be coupled to the transaction server 20 by a dedicated leased transmission line 28 to minimize the illegal access to information transmitted over the line 28.
  • the Autotecq program resident in the transaction server 20 can be written to operate with various operating systems and software languages used in the processing network 26.
  • FIG. 2 shows an embodiment of a consumer computer 12.
  • the computer 12 may include a microprocessor 30, memory 32 and an input/output (I/O) interface 34.
  • Memory 32 may include both volatile and non-volatile memory.
  • memory 32 may include a dynamic random access memory (DRAM) device(s), a read only memory (ROM) device(s) and a hard disk drive.
  • DRAM dynamic random access memory
  • ROM read only memory
  • the I/O interface 34 both transmits and receives information through network line 18.
  • the processor 30 performs software routines in accordance with instructions and data that are stored in memory 32.
  • the software routines may include a search engine commonly referred to as a browser for searching web sites connected to the Internet.
  • the processor 30 and memory 32 can be coupled to a keyboard, monitor, mouse, etc., as is known in the art.
  • a pin pad 36 may be coupled to the computer 12 through I/O ports 38 and 40.
  • the pin pad 36 may include a magnetic reader 42 that can read confidential information stored on the magnetic strip of a card (not shown).
  • the card may be a credit card that contains confidential credit card information, or the card may be an ATM card that provides confidential PIN and banking information.
  • the pin pad 36 may further have a keypad 44 that allows a consumer to enter a PIN or other information.
  • the pin pad 36 may have memory and logic circuits 46 that can encrypt a PIN entered through the keypad 44.
  • the memory/logic circuits 46 may encrypt the PIN with a master key that is stored in memory and a key encrypt key (KEK) provided through the network to create an encrypted PIN block.
  • the PIN block can be sent to the computer 12 through the I/O ports 38 and 40.
  • the encryption may be performed with standard DES ATM encryption known in the art.
  • the memory/logic circuit 46 may become disabled if a third party attempts to illegally access the memory of the pin pad 36.
  • FIGS. 3a-d are flowcharts showing a method for processing a secure consumer transaction through a network.
  • a method for processing a secure consumer transaction will be described with reference to Figs. 1, 2 and 3a-d.
  • the process is performed in accordance with the Autotecq program. Initially, at least some portion of the Autotecq program is resident within the merchant server 14, consumer computer 12 and transaction server 20. The consumer computer 12 is connected to a web site resident on the merchant server 14. The consumer can select to purchase goods and/or services listed on the web site.
  • the web site may have a graphical user interface (GUI) that allows the consumer to readily make the selections, as is known in the art. As shown in process block 100, the consumer may select a checkout button to complete the consumer transaction.
  • the selection of goods and/or services and other information is transferred to the Autotecq program resident in the merchant server 16 in process block 102.
  • the merchant server 16 transmits transaction information and an instruction to upload a transaction process from the transaction server 20 to the consumer computer 12.
  • the transaction information may include the identity of the consumer computer 12 and the cost of the items selected.
  • the transaction server 20 transmits a transaction plug-in process to the consumer computer 12.
  • the transaction process may append to the browser program within the computer 12.
  • the transaction process may include a proprietary encryption algorithm.
  • the encryption algorithm may be an algorithm specifically written by the proprietor of the Autotecq program and/or the transaction server 20.
  • the proprietary encryption algorithm may be a program provided by R.G. Tecq, the assignee of the present application, under the trademark DOGCRYPTION.
  • the transaction process prompts the consumer to choose a payment method.
  • the GUI of the program displayed by the computer 12 may have separate selectable icons to select either a credit card or an ATM card.
  • the consumer may select a credit card in block 110 as shown in Fig. 3c.
  • the program then prompts the consumer to either swipe the credit card through the magnetic reader 42, or type in the relevant information into the keypad 44 in block 112.
  • the user then swipes or enters the data in block 114 as shown in Fig. 3d.
  • the transaction process encrypts the confidential information from the consumer computer 12 and the merchant server 16 with the proprietary encryption algorithm.
  • the transaction process opens a SSL connection with the transaction server 20 in accordance with SSL protocol in block 118.
  • An authorization request is transmitted from the consumer computer 12 to the transaction server 20.
  • the request includes confidential information that is double encrypted with both the proprietary encryption algorithm and the SSL encryption algorithm.
  • the Autotecq program resident in the transaction server 20 decrypts the confidential information and verifies that the transmission is a valid authorization request.
  • the transaction server 20 then transmits an authorization request to the processing network 26.
  • the processing network 26 determines whether the authorization request should be granted or denied.
  • the processing network 26 transmits an authorization grant or authorization denied message back to the transaction server 20.
  • the transaction server 20 verifies the message from the processing network 26 and sends a message to the merchant server 16.
  • the message is sent in accordance with the SSL protocol and may be encrypted with both the proprietary algorithm and the SSL algorithm.
  • the message may be a simple id number which instructs the merchant server 16 that the transaction request has been granted or denied.
  • the confidential information of the consumer is never sent to the merchant server 16 as part of the process. The confidential information is therefore never resident in the memory of the merchant server 16.
  • the transaction server 20 also transmits a double encrypted id message to the consumer computer 12 in accordance with the SSL protocol.
  • the transaction server may provide status information during the authorization request process in block 126. This information may be displayed by the consumer computer 12 through the GUI of the transaction plug-in process so that the consumer can monitor the authorization process. If authorization was granted then the process continues through block 128 to block 130 wherein the transaction process in the consumer computer links to a success web page in the merchant server so that the consumer transaction can be completed.
  • the transaction server 20 archives the transaction in a transaction log and then actively purges the confidential information from the server 20. With this process the confidential information is not retained by either the merchant server 16 or the transaction server 20. Additionally, the transaction process is not stored within non-volatile memory of the personal computer 12, so that the plug-in and associated proprietary algorithm is not resident in the computer 12.
  • the consumer may abort the transaction in block 136.
  • the consumer computer 12 is linked to a failed web page of the merchant web site. The process continues to block 132.
  • the consumer may attempt to complete the transaction in process block 140. The process will then continue to block 108.
  • the consumer may select payment with an ATM card in block 142. Although the selection of ATM payment has been described as being subsequent to the denial of a credit card payment, it is to be understood that the consumer could have initially selected payment with an ATM card.
  • the transaction plug-in process opens a SSL connection with the transaction server 20 and requests a key encrypt key.
  • the transaction server 20 transmits the KEK to the consumer computer 12 in block 146.
  • the transaction process transmits the KEK to the pin pad 36 in block 148.
  • the consumer swipes or enters the ATM information in block 150.
  • the transaction process prompts the consumer to enter the PIN for the ATM.
  • the consumer enters the PIN through the keypad 44.
  • the encrypted PIN block is created within the pin pad 36 using the PIN, the

Abstract

A method and system (10) for processing secure consumer transactions through a computer network (10). The system (10) includes a consumer computer (12) that is coupled to a merchant server through a network (14). The network (14) also couples the merchant server (16) and the consumer computer to a transaction server (20). The transaction server (20) can be coupled to a processing network (26) that can authorize a consumer transaction between the consumer computer (120) and the merchant server (16). The transaction server (20) can transmit a transaction process to the consumer computer (12). The transaction process may include a proprietary encryption algorithm that encrypts confidential information that is transmitted to the transaction server (20) in a request to authorize the transaction between the consumer computer (12) and the merchant server (16). The confidential information may be located within two or three layers of encryption. The transaction server (20) obtains authorization from the processing network (926). The authorization is provided to the merchant server (16) and consumer computer (120) so that the consumer transaction can be completed. The confidential information is then purged from the transaction computer.

Description

SYSTEM AND METHOD FOR PROCESSING A SECURE CONSUMER TRANSACTION THROUGH A NETWORK
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a method and system for processing a secure consumer transaction through a computer network.
2. Background Information
Computer networks have been established to interconnect a large number of computers. There are many types of networks including local area networks (LANs), metropolitan area networks (MANs) and wide area networks (WANs). There are various types of WANs that are operated by public entities. These networks are commonly referred to as public data networks (PDNs). One popular PDN operates in accordance with a transmission control protocol and an internet protocol (TCP/IP) that is commonly referred to as the Internet.
The Internet includes a number of routers that route information transmitted between computers and computer systems. The routers contain memory, logic circuitry, etc. that receives information, determines a destination for the information, and then transmits the information. Additionally, server computer systems have been connected to the Internet. The server may contain a web site written in a Hypertext Markup Language (HTML) that can be readily transmitted to another computer for viewing by an end user of the system. The web site may have a graphical user interface (GUI) that allows the end user to interact with the site.
There has been developed a number of merchant web sites that allow consumers to purchase goods and services through the Internet. To complete a transaction to purchase goods and/or services the consumer must typically provide confidential debit or credit information that allows the merchant to receive payment from a financial institution such as a bank, or credit card institution. The confidential information may be a credit card number, or a personal identification number (PIN) associated with an automatic teller machine (ATM) card. This information can be entered into the consumer's computer by entering information through a pin pad, and/or swiping a card through a magnetic card reader.
The debit/credit information is transmitted into the network by the consumer's computer. The information is routed by routers, and then stored and processed by both the merchant and financial information servers/systems. The confidential credit/debit information may be illegally accessed during the transmission or retention processes. To prevent such illegal access there has been developed a number of security systems and protocols to encrypt data that is transmitted through the Internet. For example, a secure socket layer (SSL) protocol has been widely used to encrypt data transmitted through the Internet. The SSL protocol allows client computers to exchange certified public keys, set up a session key, encrypt data, authenticate digital signatures and decrypt data.
U.S. Patent Nos. 5,461,217; 5,367,572; 5,524,073; 5,524,072; 5,493,613; 5,517,569 and 5,809,143 all disclose systems for entering credit/debit information through a pin pad and/or magnetic reader and then encoding/encrypting the information for transmission through a network. For example, the '143 patent discloses a secure keyboard that encrypts confidential information, and then transmits the encrypted information to a secure host computer. The host computer can then send a request to a bank server and a merchant server to complete a commercial transaction. In this system the merchant server receives the confidential information. The merchant server thus provides another point of entry for illegal access to the information. Systems and security methods of the prior art are still susceptible to illegal access of the consumer's confidential information. It would be desirable to provide a system and method that enhanced the security of a consumer transaction through a network.
BRIEF SUMMARY OF THE INVENTION
One embodiment of the present invention includes a consumer computer that is coupled to a merchant server through a network. The network also couples the merchant server and the consumer computer to a transaction server. The transaction server can be coupled to a processing network that can authorize a consumer transaction between the consumer computer and the merchant server. The transaction server can transmit a transaction process to the consumer computer. The transaction process may include a proprietary encryption algorithm that encrypts confidential information that is transmitted to the transaction server in a request to authorize the transaction between the consumer computer and the merchant server. The confidential information may be located within two or three layers of encryption. The transaction server obtains authorization from the processing network. The authorization is provided to the merchant server and consumer computer so that the consumer transaction can be completed. The confidential information is then purged from the transaction server.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is an illustration of an embodiment of a network system of the present invention;
Figure 2 is a schematic showing a consumer computer of the network;
Figures 3a-d are flowcharts showing a method for processing a consumer transaction through the network.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
In general the present invention includes a method and system for processing secure consumer transactions through a network. The system includes a consumer computer that is coupled to a merchant server through a network. A consumer can "shop" on a web site provided by the merchant server. After selecting the goods and/or services to be purchased the consumer can then enter a request to "checkout" and complete the sale. The merchant server instructs the consumer computer to upload a transaction process from a transaction server. The transaction process may include a proprietary encryption algorithm.
The consumer may enter confidential credit/debit information by either swiping a credit card or automated teller machine (ATM) card through a magnetic reader coupled to the computer. A personal identification number (PIN) is also entered through a pin pad when an ATM card is used by the consumer. The confidential information is encrypted by the proprietary encryption algorithm and then encrypted again when transmitted to the transaction server with a secure socket layer (SSL) protocol. If an ATM card is used the PIN may be initially encrypted within the pin pad before being encrypted by the proprietary encryption algorithm. The confidential information may therefore have three layers of encryption, pin pad encryption, proprietary algorithm encryption and SSL encryption.
The consumer computer transmits the encrypted confidential information in an authorization request provided to the transaction server. The transaction server decrypts the data and transmits an authorization request to a processing network. The processing network may include a bank server that transmits an authorization grant to the transaction server. The transaction server then transmits an authorization id message to the merchant server and the consumer computer so that the transaction can be completed. The merchant server does not receive the confidential information from either the consumer computer or the merchant server. The confidential information is purged from the transaction server.
The three layers of encryption decrease the likelihood of a successful illegal access of the confidential information. Additionally, security is enhanced because the confidential information is not provided to the merchant server and not retained by the transaction server. Uploading the transaction process and the proprietary encryption algorithm further reduces the likelihood of a third party illegally accessing the confidential information. The proprietary algorithm is only resident on the transaction server. A network firewall may be placed between the transaction server and the network to prevent illegal access to the server.
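Added example (not code from the patent or from the Autotecq program): a Python sketch of the transaction-server step described above, in which only an id message reaches the merchant and the transaction log, and the card data buffer is wiped afterwards. The class and function names, the order_ref field, the stand-in processing network and the sample card string are assumptions constructed for illustration; the Luhn-based scan is an added check, and the decryption layers are out of scope.

```python
"""Transaction-server handling: id message out, card data never logged or forwarded."""
import itertools
import json
import re

# Contiguous digit runs of card-number length (separators are not handled here).
PAN_CANDIDATE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Card-number-like values in text: right length and valid Luhn checksum."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


class CardDataLeak(ValueError):
    """Raised when an outbound record would carry a card-number-like value."""


def guard(record: dict) -> dict:
    """Refuse to emit a record (merchant message or log entry) that holds card data."""
    hits = find_pans(json.dumps(record))
    if hits:
        raise CardDataLeak(f"{len(hits)} card-number-like value(s) in outbound record")
    return record


class TransactionServer:
    def __init__(self, processing_network):
        # processing_network: callable(card_data, amount_cents) -> bool (assumed interface)
        self.processing_network = processing_network
        self.transaction_log = []
        self._ids = itertools.count(100001)   # simple sequential id numbers

    def authorize(self, order_ref: str, amount_cents: int, card_data: bytearray) -> dict:
        """Handle one authorization request whose card data is already decrypted.

        Returns the id message sent to both merchant server and consumer computer.
        """
        try:
            granted = self.processing_network(card_data, amount_cents)
            id_message = guard({
                "order_ref": order_ref,
                "auth_id": next(self._ids),
                "status": "granted" if granted else "denied",
            })
            # Archive the transaction without any confidential fields.
            self.transaction_log.append(guard(dict(id_message, amount_cents=amount_cents)))
            return id_message
        finally:
            # Purge on every path, including errors. Overwriting a mutable buffer
            # in place is best effort: Python cannot guarantee that no other
            # copy of the bytes exists elsewhere in the process.
            card_data[:] = bytes(len(card_data))


def demo_processing_network(card_data: bytearray, amount_cents: int) -> bool:
    """Constructed stand-in for the bank side: grants amounts up to 100.00."""
    return len(card_data) > 0 and amount_cents <= 10_000


if __name__ == "__main__":
    server = TransactionServer(demo_processing_network)
    card = bytearray(b"4111111111111111|12/30")   # constructed sample, test card number
    print(server.authorize("ORD-1001", 4999, card))
    print("buffer wiped:", not any(card))
    print("log:", server.transaction_log)
```

The guard fails closed: a record that would carry a card-number-like value is neither sent nor logged, and the buffer is still wiped.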
Referring to the drawings more particularly by reference numbers, Figure 1 shows an embodiment of a system 10 of the present invention. The system 10 may include a consumer computer 12 that is coupled to a network 14. The network 14 may include various routers, computers, etc. interconnected and operated in accordance with TCP/IP protocols and commonly referred to as the Internet. Although an Internet network is described, it is to be understood that other networks can be employed in the present invention.
The system 10 may further have a merchant server 16 coupled to the network 14. The merchant server 16 may have a resident web site that allows a consumer to purchase goods and/or services. The merchant server 16 may also have resident at least a portion of a program that allows a secure consumer transaction to occur through the network 14. This program will hereinafter be referred to as the Autotecq program. The consumer computer 12 may also have a portion of the Autotecq program resident within the computer 12. Both the consumer computer 12 and the merchant server 16 can be coupled to the network by an Internet Service Provider (ISP) connection 18. The system 10 may further have a transaction server 20 that is coupled to the network 14 by a router 22 through an ISP connection 18. The transaction server 20 may operate with the LINUX operating system. Although a LINUX based server 20 is described, it is to be understood that the transaction server 20 may operate with other operating systems. The transaction server 20 has resident at least a portion of the Autotecq program. The system 10 may further have a firewall 24 to prevent illegal access to the transaction server 20.
The transaction server 20 may be coupled to a processing network 26. The processing network 26 may include a bank server (not shown) that can process an authorization request to complete a consumer transaction. The processing network 26 may be coupled to the transaction server 20 by a dedicated leased transmission line 28 to minimize the illegal access to information transmitted over the line 28. The Autotecq program resident in the transaction server 20 can be written to operate with various operating systems and software languages used in the processing network 26.
Figure 2 shows an embodiment of a consumer computer 12. The computer 12 may include a microprocessor 30, memory 32 and an input/output (I/O) interface 34. Memory 32 may include both volatile and non-volatile memory. For example, memory 32 may include a dynamic random access memory (DRAM) device(s), a read only memory (ROM) device(s) and a hard disk drive. The I/O interface 34 both transmits and receives information through network line 18.
The processor 30 performs software routines in accordance with instructions and data that are stored in memory 32. The software routines may include a search engine commonly referred to as a browser for searching web sites connected to the Internet. The processor 30 and memory 32 can be coupled to a keyboard, monitor, mouse, etc., as is known in the art. A pin pad 36 may be coupled to the computer 12 through I/O ports 38 and 40. The pin pad 36 may include a magnetic reader 42 that can read confidential information stored on the magnetic strip of a card (not shown). By way of example, the card may be a credit card that contains confidential credit card information, or the card may be an ATM card that provides confidential PIN and banking information. The pin pad 36 may further have a keypad 44 that allows a consumer to enter a PIN or other information.
The pin pad 36 may have memory and logic circuits 46 that can encrypt a PIN entered through the keypad 44. By way of example, the memory/logic circuits 46 may encrypt the PIN with a master key that is stored in memory and a key encrypt key (KEK) provided through the network to create an encrypted PIN block. The PIN block can be sent to the computer 12 through the I/O ports 38 and 40. The encryption may be performed with standard DES ATM encryption known in the art. The memory/logic circuit 46 may become disabled if a third party attempts to illegally access the memory of the pin pad 36.
Figures 3a-d are flowcharts showing a method for processing a secure consumer transaction through a network. A method for processing a secure consumer transaction will be described with reference to Figs. 1, 2 and 3a-d. The process is performed in accordance with the Autotecq program. Initially, at least some portion of the Autotecq program is resident within the merchant server 14, consumer computer 12 and transaction server 20. The consumer computer 12 is connected to a web site resident on the merchant server 14. The consumer can select to purchase goods and/or services listed on the web site. The web site may have a graphical user interface (GUI) that allows the consumer to readily make the selections, as is known in the art. As shown in process block 100, the consumer may select a checkout button to complete the consumer transaction. The selection of goods and/or services and other information is transferred to the Autotecq program resident in the merchant server 16 in process block 102. In process block 104, the merchant server 16 transmits transaction information and an instruction to upload a transaction process from the transaction server 20 to the consumer computer 12. The transaction information may include the identity of the consumer computer 12 and the cost of the items selected.
In process block 106, the transaction server 20 transmits a transaction plug-in process to the consumer computer 12. The transaction process may append to the browser program within the computer 12. The transaction process may include a proprietary encryption algorithm. The encryption algorithm may be an algorithm specifically written by the proprietor of the Autotecq program and/or the transaction server 20. For example, the proprietary encryption algorithm may be a program provided by R.G. Tecq, the assignee of the present application, under the trademark DOGCRYPTION.
In decision block 108, the transaction process prompts the consumer to choose a payment method. The GUI of the program displayed by the computer 12 may have separate selectable icons to select either a credit card or an ATM card. The consumer may select a credit card in block 110 as shown in Fig. 3c. The program then prompts the consumer to either swipe the credit card through the magnetic reader 42, or type in the relevant information into the keypad 44 in block 112. The user then swipes or enters the data in block 114 as shown in Fig. 3d.
In process block 116, the transaction process encrypts the confidential information from the consumer computer 12 and the merchant server 16 with the proprietary encryption algorithm. The transaction process opens a SSL connection with the transaction server 20 in accordance with SSL protocol in block 118. An authorization request is transmitted from the consumer computer 12 to the transaction server 20. The request includes confidential information that is double encrypted with both the proprietary encryption algorithm and the SSL encryption algorithm.
In block 120, the Autotecq program resident in the transaction server 20 decrypts the confidential information and verifies that the transmission is a valid authorization request. The transaction server 20 then transmits an authorization request to the processing network 26. The processing network 26 determines whether the authorization request should be granted or denied. The processing network 26 transmits an authorization grant or authorization denied message back to the transaction server 20.
In process block 122, the transaction server 20 verifies the message from the processing network 26 and sends a message to the merchant server 16. The message is sent in accordance with the SSL protocol and may be encrypted with both the proprietary algorithm and the SSL algorithm. The message may be a simple id number which instructs the merchant server 16 that the transaction request has been granted or denied. The confidential information of the consumer is never sent to the merchant server 16 as part of the process. The confidential information is therefore never resident in the memory of the merchant server 16.
In process block 124, the transaction server 20 also transmits a double encrypted id message to the consumer computer 12 in accordance with the SSL protocol. The transaction server may provide status information during the authorization request process in block 126. This information may be displayed by the consumer computer 12 through the GUI of the transaction plug-in process so that the consumer can monitor the authorization process. If authorization was granted then the process continues through block 128 to block 130 wherein the transaction process in the consumer computer links to a success web page in the merchant server so that the consumer transaction can be completed. In process block 132, the transaction server 20 archives the transaction in a transaction log and then actively purges the confidential information from the server 20. With this process the confidential information is not retained by either the merchant server 16 or the transaction server 20. Additionally, the transaction process is not stored within non-volatile memory of the personal computer 12, so that the plug-in and associated proprietary algorithm is not resident in the computer 12.
If authorization was denied the process continues to block 134. The consumer may abort the transaction in block 136. In block 138, the consumer computer 12 is linked to a failed web page of the merchant web site. The process continues to block 132.
The consumer may attempt to complete the transaction in process block 140. The process will then continue to block 108. The consumer may select payment with an ATM card in block 142. Although the selection of ATM payment has been described as being subsequent to the denial of a credit card payment, it is to be understood that the consumer could have initially selected payment with an ATM card.
In block 144, the transaction plug-in process opens a SSL connection with the transaction server 20 and requests a key encrypt key. The transaction server 20 transmits the KEK to the consumer computer 12 in block 146. The transaction process transmits the KEK to the pin pad 36 in block 148. The consumer swipes or enters the ATM information in block 150. In block 152, the transaction process prompts the consumer to enter the PIN for the ATM. The consumer enters the PIN through the keypad 44. The encrypted PIN block is created within the pin pad 36 using the PIN, the KEK and a master key pre-stored in the memory of the pin pad 36. The process then continues to block 116.
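The server-side handling described in blocks 120 to 132 (authorize, send only an id message to the merchant and consumer, archive, then purge), as an added Python sketch that is not the Autotecq program or code from the patent. The class and field names, the log fields and the stand-in processing network are assumptions, and the card number and PIN block are constructed sample values.

```python
import json
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AuthorizationRequest:
    """Authorization request after decryption on the transaction server (block 120)."""
    consumer_id: str
    merchant_id: str
    amount_cents: int
    # bytearray, not str/bytes: immutable objects cannot be overwritten in place.
    card_number: bytearray
    pin_block: bytearray


def wipe(buf: bytearray) -> None:
    """Overwrite a confidential buffer in place (best effort in Python)."""
    for i in range(len(buf)):
        buf[i] = 0


@dataclass
class TransactionServer:
    # Stand-in for the processing network 26 (assumption): returns True for a grant.
    processing_network: Callable[[bytearray, bytearray, int], bool]
    transaction_log: List[str] = field(default_factory=list)

    def authorize(self, req: AuthorizationRequest) -> Dict[str, Dict[str, str]]:
        txn_id = uuid.uuid4().hex
        status = "DENIED"  # fail closed if the processing network errors out
        try:
            # Buffers are passed as-is so no unwipeable copy is created here.
            if self.processing_network(req.card_number, req.pin_block, req.amount_cents):
                status = "GRANTED"
        except Exception:
            status = "DENIED"
        finally:
            # Block 132: archive the transaction, then purge, on every path.
            # The log entry carries no card number and no PIN block.
            self.transaction_log.append(json.dumps({
                "txn_id": txn_id,
                "consumer_id": req.consumer_id,
                "merchant_id": req.merchant_id,
                "amount_cents": req.amount_cents,
                "status": status,
            }))
            wipe(req.card_number)
            wipe(req.pin_block)
        # Blocks 122 and 124: merchant and consumer get only an id and a status.
        id_message = {"txn_id": txn_id, "status": status}
        return {"merchant": dict(id_message), "consumer": dict(id_message)}


def demo_processing_network(card_number, pin_block, amount_cents):
    """Constructed stand-in for the bank server: grants amounts up to 500.00."""
    return amount_cents <= 50_000


def run_demo():
    server = TransactionServer(demo_processing_network)
    req = AuthorizationRequest(
        consumer_id="consumer-12",
        merchant_id="merchant-16",
        amount_cents=1999,
        card_number=bytearray(b"4111111111111111"),       # constructed test number
        pin_block=bytearray.fromhex("0123456789abcdef"),  # constructed placeholder
    )
    messages = server.authorize(req)
    return server, req, messages


if __name__ == "__main__":
    server, req, messages = run_demo()
    print("to merchant:", messages["merchant"])
    print("log entry:  ", server.transaction_log[0])
    print("card buffer after purge:", bytes(req.card_number))
```

Overwriting a `bytearray` clears only that buffer; any copy made while decrypting or parsing the request needs the same treatment, which is why the sketch never converts the buffers to `bytes` or `str`.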
While certain exemplary embodiments have been described and shown in the accompanying drawings, it is to be understood that such embodiments are merely illustrative of and not restrictive on the broad invention, and that this invention not be limited to the specific constructions and arrangements shown and described, since various other modifications may occur to those ordinarily skilled in the art.

Claims

What is claimed is:
1. A system for processing a consumer transaction, comprising: a network; a merchant server coupled to said network; a consumer computer coupled to said merchant server through said network, said consumer computer provides an authorization request to complete a consumer transaction with said merchant server, the authorization request contains confidential consumer information; a transaction server that is coupled to said network and receives the authorization request from said consumer computer, the confidential consumer information being purged from said transaction server when the consumer transaction is completed, said transaction server provides an authorization message to said merchant server and said consumer computer for said consumer computer to complete the consumer transaction in response to an authorization grant; and, a processing network coupled to said transaction server, said processing network receives an authorization request from said transaction server and provides the authorization grant to the transaction server.
2. The system of claim 1, wherein said transaction server provides a transaction process to said consumer computer.
3. The system of claim 2, wherein said transaction process includes a confidential encryption algorithm.
4. The system of claim 3, wherein said transaction server also provides a key encrypt key.
5. The system of claim 4, wherein the confidential consumer information is encrypted with the confidential encryption algorithm, and twice encrypted with the key encrypt key in accordance with a secure socket layer protocol.
6. The system of claim 5, wherein the confidential consumer information is thrice encrypted with a master key, the key encrypt key, and a personal identification number entered by an end user.
7. The system of claim 6, further comprising a pin pad that is coupled to said consumer computer and can receive the personal identification number.
8. The system of claim 2, further comprising a card reader that is coupled to said consumer computer and can receive credit card information that is encrypted with the proprietary encryption algorithm and in accordance with the secure socket layer protocol.
9. The system of claim 2, wherein the transaction process is attached to a search engine resident in said consumer computer.
10. The system of claim 2, wherein the transaction process is not stored within non-volatile memory of said consumer computer.
11. The system of claim 7, wherein said pin pad includes memory that is disabled in response to an unauthorized access to said memory.
12. The system of claim 1, wherein said transaction server operates in accordance with a Linux operating system.
13. A system for processing a consumer transaction, comprising: a network; a merchant server coupled to said network; a consumer computer coupled to merchant server through said network, said consumer computer provides an authorization request to complete a consumer transaction with said merchant server, the authorization request contains confidential consumer information; a transaction server that is coupled to said network and provides a transaction process to said consumer computer, said transaction server provides an authorization message to said merchant server and said consumer computer for said consumer computer to complete the consumer transaction in response to an authorization grant; and, a processing network coupled to said transaction server, said processing network receives an authorization request from said transaction server and provides the authorization grant to the transaction server.
14. The system of claim 13, wherein said transaction process includes a confidential encryption algorithm.
15. The system of claim 14, wherein said transaction server also provides a key encrypt key.
16. The system of claim 15, wherein the confidential consumer information is encrypted with the confidential encryption algorithm, and twice encrypted with the key encrypt key in accordance with a secure socket layer protocol.
17. The system of claim 16, wherein the confidential consumer information is thrice encrypted with a master key, the key encrypt key and a personal identification number entered by an end user.
18. The system of claim 17, further comprising a pin pad that is coupled to said consumer computer and can receive the personal identification number.
19. The system of claim 13, further comprising a card reader that is coupled to said consumer computer and can receive credit card information that is encrypted with the proprietary algorithm in accordance with the secure socket layer protocol.
20. The system of claim 13, wherein the transaction process is attached to a search engine resident in said consumer computer.
21. The system of claim 13, wherein the transaction process is not stored within non-volatile memory of said consumer computer.
22. The system of claim 18, wherein said pin pad includes memory that is disabled in response to an unauthorized access to said memory.
23. The system of claim 13, wherein said transaction server operates in accordance with a Linux operating system.
24. A system for processing a consumer transaction, comprising: a network; a merchant server coupled to said network; a consumer computer coupled to said merchant server through said network, said consumer computer provides an authorization request to complete a consumer transaction with said merchant server, the authorization request contains confidential consumer information, said consumer computer having a key encrypt key and a confidential encryption algorithm, said consumer computer can encrypt a personal identification number block with the confidential encryption algorithm and transmit the encrypted personal identification number block through said network using a secure socket layer protocol; a pin pad that is coupled to said consumer computer and can receive a personal identification number, said pin pad can create the personal identification number block with the personal identification number, key encrypt key and a master key resident within said pin pad, the personal identification number block being provided to said consumer computer; a transaction server that is coupled to said network and provides the key encrypt key to said consumer computer, said transaction server provides an authorization message to said merchant server and said consumer computer for said consumer computer to complete the consumer transaction in response to an authorization grant; and, a processing network coupled to said transaction server, said processing network receives an authorization request from said transaction server and provides the authorization grant to the transaction server.
25. The system of claim 24, further comprising a card reader that is coupled to said consumer computer and can receive credit card information that is encrypted with the proprietary encryption algorithm in accordance with the secure socket layer protocol.
26. The system of claim 24, wherein said transaction server provides a transaction process to said consumer computer, the transaction process being attached to a search engine resident in said consumer computer.
27. The system of claim 26, wherein the transaction process is not stored within non-volatile memory of said consumer computer.
28. The system of claim 27, wherein said pin pad includes memory that is disabled in response to an unauthorized access to said memory.
29. The system of claim 24, wherein said transaction server operates in accordance with a Linux operating system.
30. A method for processing a consumer transaction through a network, comprising: accessing a web site resident on a merchant server from a consumer computer; requesting a consumer transaction through the consumer computer; transmitting an authorization request from the consumer computer to a transaction server, wherein the authorization request includes confidential consumer information; transmitting an authorization request from the transaction server to a processing network; transmitting an authorization grant from the processing network to the transaction server; transmitting an authorization message from the transaction server to the merchant server and the consumer computer; completing the consumer transaction; and, purging the confidential consumer information from the transaction server.
31. The method of claim 30, further comprising transmitting a transaction process from the transaction server to the consumer computer.
32. The method of claim 30, wherein a key encrypt key is transmitted to the consumer computer from the transaction server.
33. The method of claim 32, further comprising encrypting confidential consumer information within the consumer computer with a proprietary encryption algorithm transmitted from the transaction server.
34. The method of claim 33, further comprising creating a personal identification number block that is an encryption of the key encrypt key, a master key and a personal identification number entered by an end user, and encrypting the personal identification number block with the proprietary encryption algorithm.
35. The method of claim 34, wherein the encrypted personal identification number block is transmitted to the transaction server in accordance with a secure socket layer protocol.
36. The method of claim 34, wherein the personal identification number block is encrypted within a pin pad.
37. A method for processing a consumer transaction through a network, comprising: accessing a web site resident on a merchant server from a consumer computer; requesting a consumer transaction through the consumer computer; transmitting a transaction process from the transaction server to the consumer computer; transmitting an authorization request from the consumer computer to a transaction server, wherein the authorization request includes confidential consumer information; transmitting an authorization request from the transaction server to a processing network; transmitting an authorization grant from the processing network to the transaction server; transmitting an authorization message from the transaction server to the merchant server and the consumer computer; and completing the consumer transaction.
38. The method of claim 37, wherein a key encrypt key is transmitted to the consumer computer from the transaction server.
39. The method of claim 38, further comprising encrypting confidential consumer information within the consumer computer with a proprietary encryption algorithm transmitted from the transaction server.
40. The method of claim 39, further comprising creating a personal identification number block that is an encryption of the key encrypt key, a master key and a personal identification number entered by an end user, and encrypting the personal identification number block with the proprietary encryption algorithm.
41. The method of claim 40, wherein the encrypted personal identification number block is transmitted to the transaction server in accordance with a secure socket layer protocol.
42. The method of claim 40, wherein the personal identification number block is encrypted within a pin pad.
43. A transaction process for encrypting confidential consumer information that is to be transmitted into a network to perform a consumer transaction, comprising: encrypting a key encrypt key, a master key and a personal identification number into a personal identification number block; encrypting the personal identification number block with a proprietary encryption algorithm; encrypting the encrypted personal identification number block with the key encrypt key in accordance with a secure socket layer protocol; and, transmitting the thrice encrypted personal identification number block through a network.
44. The method of claim 43, wherein the personal identification number is entered through a pin pad.
45. The method of claim 44, wherein the personal identification number block is encrypted within the pin pad.
46. The method of claim 45, wherein the master key is resident in the pin pad.
47. The method of claim 44, further comprising storing the master key within memory of the pin pad and disabling the memory in response to an unauthorized access to the memory.
PCT/US2001/030758 2000-09-29 2001-10-01 System and method for processing a secure consumer transaction through a network WO2002027624A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001294952A AU2001294952A1 (en) 2000-09-29 2001-10-01 System and method for processing a secure consumer transaction through a network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US67634300A 2000-09-29 2000-09-29
US09/676,343 2000-09-29

Publications (1)

Publication Number Publication Date
WO2002027624A1 (en) 2002-04-04

Family

ID=24714144

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/030758 WO2002027624A1 (en) 2000-09-29 2001-10-01 System and method for processing a secure consumer transaction through a network

Country Status (2)

Country Link
AU (1) AU2001294952A1 (en)
WO (1) WO2002027624A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5870473A (en) * 1995-12-14 1999-02-09 Cybercash, Inc. Electronic transfer system and method
US6029150A (en) * 1996-10-04 2000-02-22 Certco, Llc Payment and transactions in electronic commerce system
US6070149A (en) * 1998-07-02 2000-05-30 Activepoint Ltd. Virtual sales personnel
US6070176A (en) * 1997-01-30 2000-05-30 Intel Corporation Method and apparatus for graphically representing portions of the world wide web

Also Published As

Publication number Publication date
AU2001294952A1 (en) 2002-04-08

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: COMMUNICATION UNDER RULE 69(1)EPC (EPO FORM 1205A OF 26.09.2003)

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP