WO2012070923A1 - A method and a system to ensure a secured online transaction for a debit card - Google Patents

Info

Publication number
WO2012070923A1
Authority
WO
WIPO (PCT)
Prior art keywords
merchant
entity
user
debit card
package
Application number
PCT/MY2011/000070
Other languages
French (fr)
Inventor
Fui Bee Tan
Chong Seak See
Kang Siong Ng
Rashidah Binti Haron Galoh
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad
Publication of WO2012070923A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/12 Payment architectures specially adapted for electronic shopping systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to an online transaction protocol for a debit card. More particularly, the present invention relates to a method and a system to ensure a secured, online transaction for a debit card by incorporating the debit card with a Public Key Infrastructure (PKI).
  • PKI Public Key Infrastructure
  • Credit card and debit card may be used as a smart card for paperless transactions and purchases but may also be used for online shopping, achieved by keying in the number on the credit card and debit card on merchants' website. While the credit card may cause the user to incur debt, the debit card would directly deduct a spending from the available balance in a user's bank account. Debit card has gained popularity among online shoppers, specially catering to users who cannot afford or do not own a credit card.
  • One method of debit transaction is known as online debit, otherwise PIN debit.
  • the online debit cards require electronic authorization of every transaction and debits are reflected in the user's account immediately.
  • the transaction be secured by PIN authentication wherein users have to key in their PIN at the point of sale. However, if the PIN of the user is stolen, the debit card may be misused. Therefore the current invention incorporates the debit card with encrypted value for automated secure payment protocol using the PKI technology.
  • PKI technology provides another layer of security to the debit card in addition to the usage of a PIN. By sending an encrypted package from one side to another, the user's information, purchase information or the merchant information may not be easily hacked or stolen. Further, this method allows for the identification of the user and the merchant to the financial institution for immediate debiting and crediting of accounts by using the package digitally signed by the user and the merchant.
  • US patent 5715298 disclosed a bill payment system using debit cards.
  • the prior art, which is a telepay system, avoids the usage of a PIN for real-time bill payment transactions by using the keypad of a telephone.
  • the prior art requires the usage of a telephone and does not apply for online purchasing. This thus requires an interactive voice response unit which could be troublesome to the user as the payer is required to enter an access code, account number, debit card number and payment amount to inform the status of the transaction. Therefore, the transaction is substantially slow.
  • US patent 6834271 on the other hand disclosed an apparatus and a method of a secure ATM debit card and credit card payment transaction via the Internet. While the system uses layers of encryption to place the card information in a public key/private key encrypted financial payment transaction data block, the parties involve which are the buyer, the merchant and the bank uses different private/public key for the encryption of the user's and the merchant's information. Therefore, only dedicated encrypted package can be decrypted by the recipient party. Information such as users information can only be seen by the merchant but not the financial institution.
  • a method and a system comprising three entities and a debit card incorporated with PKI infrastructure.
  • the system to carry out a method of ensuring a secured online transaction comprises a first entity, a second entity and a third entity.
  • the entities represent a user of the debit card, a merchant and a financial institution.
  • the user makes an online transaction (online purchase) from a merchant using the debit card provided by the financial institution.
  • the user's account will be deducted with the purchase amount while the merchant's account is credited.
  • a confirmation is sent to the merchant who directs it to the user to inform the user on the status of the transaction.
  • the user of the debit card logs into the merchant's website with their PIN and digital certificate.
  • the user's information stored in the debit card as an encrypted value is extracted and combined with the purchase information to be signed, encrypted and sent to the merchant as a first package.
  • the merchant decrypts the first package, adds the merchant information and further signs and encrypts the first package and the merchant information to form a second package.
  • the second package is sent to the financial institution for coordination of the payment upon verification of the user's and merchant's information.
  • the financial institution deducts the purchase amount from the user's account and credits the merchant's account.
  • Fig. 1 is a diagram showing the entities of the system
  • Fig. 2 is a flow chart depicting steps of processing a debit card for a secured payment protocol
  • Fig. 3 is a payment protocol of the system
  • Fig. 4 is a flow chart illustrating the process flow of the first and the second package as it goes through the online payment transaction.
  • an online transaction using a debit card involves a first entity (110), a second entity (120) and a third entity (130) as shown in Fig. 1.
  • the entities (110, 120, 130) are identified herein, but it should be noted that the entities are named for the convenience of description and are interchangeable as appropriate.
  • the first entity (110) is a user of the debit card while the second entity (120) is a respondent of the user, which may be a merchant having an online business.
  • the first entity (110) initiates an online transaction with the second entity (120).
  • the first entity (110) is linked to the second entity (120) through a buyer-seller relationship.
  • the first entity (110) purchases item(s) from the second entity (120) via the debit card while the second entity (120) receives the order(s) from the first entity (110).
  • the third entity (130) of the present invention is the issuer of the debit card, preferably a financial institution that comprises a payment server to coordinate the online transaction between the first entity (110) and the second entity (120).
  • a first step (151) is when the third entity (130), otherwise the financial institution, issues a debit card to be used by the first entity (110), otherwise the user.
  • the first entity (110) is responsible for activating the debit card as represented by a second step (152).
  • Activation of the debit card is achieved by having the user keying in a preferred and confidential PIN which may be done at an Automatic Teller Machine (ATM).
  • ATM Automatic Teller Machine
  • the financial institution further extracts the user's personal information as provided by the user to the financial institution in an earlier step (not shown) and incorporates the information with the user's confidential PIN to generate an encrypted value which is stored in the debit card.
  • the debit card is usable for online transaction such as online purchase of item(s) from the merchant as shown in step three (153).
  • a payment protocol of the present invention as can be referred to in Fig. 3 begins with a first step (205) of making an online transaction.
  • the online transaction is made by purchasing item(s) off the Internet.
  • the purchase is made by the first entity (110), the user, from the second entity (120), the merchant, using the debit card incorporated with a Public Key Infrastructure (PKI) feature.
  • the PKI feature of the debit card allows information to be encrypted and decrypted using a combination of private and public keys used by the user, the merchant and the financial institution.
  • the user proceeds to access a merchant's server using a client certificate in the debit card.
  • the client certificate is authenticated preferably by an SSL authentication to ensure the security and privacy of the transaction as shown by a second step (210).
  • a third step (215) requires the user to log into a merchant's website using the user's digital certificate in order to proceed with an online transaction which is selecting and purchasing of items from the merchant.
  • Upon selection of the item(s) for purchase from the website, the user confirms the purchase amount and keys in the debit card PIN to read the pre-loaded encrypted value of the debit card as created by the financial institution.
  • the encrypted value of the debit card together with the transaction information is digitally signed using a private key from the user's debit card and encrypted using the merchant's public key as represented by a fourth step (220).
  • the signing and encryption of the information formed a first package, X as represented by the formula:
  • the purchase information may be the purchase amount and the name of the purchases.
  • the encryption by the merchant's public key may be achieved by an algorithm coded in a client plug-in module.
  • Upon confirmation of the selected purchase items, the user submits the first package to the merchant's server as shown in step (225).
  • a next step (230) is initiated when the merchant receives the first package and decrypts the first package using a private key provided to the merchant. The merchant further verifies the user's digital signature.
  • Upon verification, the merchant will form a second package by digitally signing the encrypted value, transaction information and merchant information with the private key provided to the merchant and encrypting it using a public key from the financial institution's payment server.
  • the second package, Y is represented by the formula:
  • the financial institutions' payment server with a code module receives the second package submitted by the merchant and decrypts the second package using a private key provided to the payment server and verifies the merchant's digital signature.
  • the user's information, the merchant's information together with the purchase information gathered from the second package will be used to deduct the purchase amount from the user's account at the financial institution.
  • the payment server further gathers the user's information which may be the account information and the identity of the user to perform a credit transaction(s) in which the purchase amount in the user's account is credited into the merchant's account.
  • the information of the merchant's account is obtained from the second package.
  • a confirmation code with the status of the transaction or the purchase may be sent to the merchant by the payment server as represented by the eighth step (240).
  • the merchant sends a message confirming the success of the transaction together with a receipt of confirmation to the user of the debit card.
  • the amount in the user's debit card is further updated.
  • Fig. 4, there is shown a flow chart that depicts the process flow of the first and the second package as it goes through the online payment transaction.
  • a first step (305) requires the user to key in the debit card PIN to extract the pre-loaded encrypted value which contains the user's information.
  • a second step (310) is to digitally sign the first package which comprises the encrypted value and the purchase information using the client's plug-in module which contains an algorithm. This is followed by a third step (315) wherein the client's plug-in module encrypts the signed first package using an algorithm also contained in the plug-in module.
  • the fourth step (320) requires the merchant's server to decrypt and verify the first package followed by a fifth step (325) of digitally signing the first package together with the merchant's information using an algorithm contained in a module within the merchant's server.
  • the sixth step (330) involves the merchant's server module encrypting the first package and the merchant's information to form the second package.
  • the second package is sent and received by the payment server which decrypts and verifies the second package as shown by seventh step (335).
  • the payment server checks for account validity as shown in the eighth step (340).
  • If the user's account is valid, the user's checking or savings account is debited while the merchant's account is credited as shown by step (345a). Therefore, payment is achieved by transacting the money upon purchase, from the user's bank account to the merchant's bank account. If the user's account is invalid, no transaction is performed (345b). By validating the account of the user, wrongful usage of the user's debit card upon theft is avoided.
  • Steps (345a) and (345b) are followed by having the payment server send a confirmation and status of transaction notification to the merchant as shown in step (350). In the last step (355), the merchant sends the confirmation on the status of the transaction which may be successful or not successful.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Cash Registers Or Receiving Machines (AREA)

Abstract

A method and a system comprising three entities (110,120,130) and a debit card incorporated with PKI infrastructure are disclosed. The system to carry out the method of ensuring a secured online transaction comprises a first entity (110), a second entity (120) and a third entity (130). Preferably, the entities (110,120,130) represent a user of the debit card, a merchant and a financial institution. The user makes an online transaction (online purchase) from a merchant using the debit card provided by the financial institution. Based on the information of the user and the information of the merchant received by the financial institution, the user's account will be deducted with the purchase amount while the merchant's account is credited. The information exchanged between the entities (110,120,130) is digitally signed and encrypted to ensure confidentiality. A confirmation is sent to the merchant who directs it to the user to inform the user on the status of the transaction.

Description

A METHOD AND A SYSTEM TO ENSURE A SECURED ONLINE TRANSACTION FOR A DEBIT CARD
FIELD OF INVENTION
The present invention relates to an online transaction protocol for a debit card. More particularly, the present invention relates to a method and a system to ensure a secured, online transaction for a debit card by incorporating the debit card with a Public Key Infrastructure (PKI).
BACKGROUND OF THE INVENTION
With the continuous development of the Internet, online transactions such as online shopping, online money transfer and the like have gained popularity due to the ease of use. The security level of such online transactions has been a major concern with the fear of users having their identity, password or Personal Identification Number (PIN) stolen and their online banking account hacked and used for wrongful transactions. However, the level of security for online transactions has improved with the implementation of online transaction security means such as the Public Key Infrastructure (PKI).
Financial institutions typically provide credit card and debit card services to their clients. Credit card and debit card may be used as a smart card for paperless transactions and purchases but may also be used for online shopping, achieved by keying in the number on the credit card and debit card on merchants' website. While the credit card may cause the user to incur debt, the debit card would directly deduct a spending from the available balance in a user's bank account. Debit card has gained popularity among online shoppers, specially catering to users who cannot afford or do not own a credit card. One method of debit transaction is known as online debit, otherwise PIN debit. The online debit cards require electronic authorization of every transaction and debits are reflected in the user's account immediately. The transaction be secured by PIN authentication wherein users have to key in their PIN at the point of sale. However, if the PIN of the user is stolen, the debit card may be misused. Therefore the current invention incorporates the debit card with encrypted value for automated secure payment protocol using the PKI technology.
PKI technology provides another layer of security to the debit card in addition to the usage of a PIN. By sending an encrypted package from one side to another, the user's information, purchase information or the merchant information may not be easily hacked or stolen. Further, this method allows for the identification of the user and the merchant to the financial institution for immediate debiting and crediting of accounts by using the package digitally signed by the user and the merchant.
Numerous prior arts disclose the usage of debit cards for online transaction. US patent 5715298 disclosed a bill payment system using debit cards. The prior art, which is a telepay system, avoids the usage of a PIN for real-time bill payment transactions by using the keypad of a telephone. However, the prior art requires the usage of a telephone and does not apply for online purchasing. This thus requires an interactive voice response unit which could be troublesome to the user as the payer is required to enter an access code, account number, debit card number and payment amount to inform the status of the transaction. Therefore, the transaction is substantially slow.
US patent 6834271 on the other hand disclosed an apparatus and a method of a secure ATM debit card and credit card payment transaction via the Internet. While the system uses layers of encryption to place the card information in a public key/private key encrypted financial payment transaction data block, the parties involved, which are the buyer, the merchant and the bank, use different private/public keys for the encryption of the user's and the merchant's information. Therefore, only a dedicated encrypted package can be decrypted by the recipient party. Information such as the user's information can only be seen by the merchant but not the financial institution.
Therefore, there is a need for a method and a system for ensuring a secured online transaction for a debit card using a Public Key Infrastructure (PKI) that is convenient and user-friendly but with added security that overcomes the disadvantages of the conventional method and the prior art.
SUMMARY OF INVENTION
Accordingly, it is a primary object of the present invention to provide a method and a system to ensure a secured online transaction for a debit card. It is another object of the present invention to provide a method and a system to ensure a secured online transaction for a debit card by incorporating the debit card with a Public Key Infrastructure (PKI).
It is another object of the present invention to provide a method and a system for online purchase(s) with a debit card that is convenient to use, simple and secured. It is another object of the present invention to provide a method and a system for online purchase(s) that deducts the amount of purchase after confirmation, from the user's account and crediting that amount of purchase into the merchant's account.
It is yet another object of the present invention to provide a method and a system to ensure a secured online transaction by sending signed and encrypted information packages from the user of the debit card to the merchant and from the merchant to the financial institution.
To fulfill the aforementioned objectives, a method and a system comprising three entities and a debit card incorporated with PKI infrastructure is provided. The system to carry out a method of ensuring a secured online transaction comprises a first entity, a second entity and a third entity. Preferably, the entities represent a user of the debit card, a merchant and a financial institution. The user makes an online transaction (online purchase) from a merchant using the debit card provided by the financial institution. Based on the information of the user and the merchant, received by the financial institution, the user's account will be deducted with the purchase amount while the merchant's account is credited. A confirmation is sent to the merchant who directs it to the user to inform the user on the status of the transaction. The user of the debit card logs into the merchant's website with their PIN and digital certificate. Upon logging into the website and confirming their purchases, the user's information stored in the debit card as an encrypted value is extracted and combined with the purchase information to be signed, encrypted and sent to the merchant as a first package. The merchant decrypts the first package, adds the merchant information and further signs and encrypts the first package and the merchant information to form a second package. The second package is sent to the financial institution for coordination of the payment upon verification of the user's and merchant's information. The financial institution deducts the purchase amount from the user's account and credits the merchant's account.
The present preferred embodiments of the invention consist of novel features and a combination of parts hereinafter fully described and illustrated in the accompanying drawings and particularly pointed out in the appended claims; it being understood that various changes in the details may be effected by those skilled in the arts but without departing from the scope of the invention or sacrificing any of the advantages of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed descriptions, appended claims and accompanying drawings wherein:
Fig. 1 is a diagram showing the entities of the system;
Fig. 2 is a flow chart depicting steps of processing a debit card for a secured payment protocol;
Fig. 3 is a payment protocol of the system; and
Fig. 4 is a flow chart illustrating the process flow of the first and the second package as it goes through the online payment transaction.
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, a method and a system of the present invention shall be described according to the preferred embodiments of the present invention and by referring to the accompanying description and drawings. However, it is to be understood that limiting the description to the preferred embodiments of the invention and to the drawings is merely to facilitate discussion of the present invention and it is envisioned that those skilled in the art may devise various modifications without departing from the scope of the appended claim.
A method for ensuring a secured online transaction for a debit card is described. According to one embodiment of the invention, an online transaction using a debit card involves a first entity (110), a second entity (120) and a third entity (130) as shown in Fig. 1. The entities (110, 120, 130) are identified herein, but it should be noted that the entities are named for the convenience of description and are interchangeable as appropriate. The first entity (110) is a user of the debit card while the second entity (120) is a respondent of the user, which may be a merchant having an online business. The first entity (110) initiates an online transaction with the second entity (120). In the instance where the second entity (120) is a merchant, the first entity (110) is linked to the second entity (120) through a buyer-seller relationship. The first entity (110) purchases item(s) from the second entity (120) via the debit card while the second entity (120) receives the order(s) from the first entity (110). The third entity (130) of the present invention is the issuer of the debit card, preferably a financial institution that comprises a payment server to coordinate the online transaction between the first entity (110) and the second entity (120).
Referring now to Fig. 2, there is shown a flow chart depicting steps of processing a debit card for a secured payment protocol of the present invention. A first step (151) is when the third entity (130), otherwise the financial institution, issues a debit card to be used by the first entity (110), otherwise the user. The first entity (110) is responsible for activating the debit card as represented by a second step (152). Activation of the debit card is achieved by having the user keying in a preferred and confidential PIN which may be done at an Automatic Teller Machine (ATM). The financial institution further extracts the user's personal information as provided by the user to the financial institution in an earlier step (not shown) and incorporates the information with the user's confidential PIN to generate an encrypted value which is stored in the debit card. Upon completion, the debit card is usable for online transaction such as online purchase of item(s) from the merchant as shown in step three (153).
A payment protocol of the present invention as can be referred to in Fig. 3 begins with a first step (205) of making an online transaction. Preferably, the online transaction is made by purchasing item(s) off the Internet. The purchase is made by the first entity (110), the user, from the second entity (120), the merchant, using the debit card incorporated with a Public Key Infrastructure (PKI) feature. The PKI feature of the debit card allows information to be encrypted and decrypted using a combination of private and public keys used by the user, the merchant and the financial institution. The user proceeds to access a merchant's server using a client certificate in the debit card. The client certificate is authenticated preferably by an SSL authentication to ensure the security and privacy of the transaction as shown by a second step (210). A third step (215) requires the user to log into a merchant's website using the user's digital certificate in order to proceed with an online transaction which is selecting and purchasing of items from the merchant.
Upon selection of the item(s) for purchase from the website, the user confirms the purchase amount and keys in the debit card PIN to read the pre-loaded encrypted value of the debit card as created by the financial institution. The encrypted value of the debit card together with the transaction information is digitally signed using a private key from the user's debit card and encrypted using the merchant's public key as represented by a fourth step (220). The signing and encryption of the information formed a first package, X as represented by the formula:
$$X = \mathrm{Encrypt}_{\text{merchant's public key}}\big(\mathrm{Sign}_{\text{user's private key}}(\text{Encrypted value},\ \text{purchase info.})\big) \qquad \text{(Eq. 1)}$$

In a preferred embodiment, the purchase information may be the purchase amount and the name of the purchases. The encryption by the merchant's public key may be achieved by an algorithm coded in a client plug-in module.
Upon confirmation of the selected purchase items, the user submits the first package to the merchant's server as shown in step (225). A next step (230) is initiated when the merchant receives the first package and decrypts the first package using a private key provided to the merchant. The merchant further verifies the user's digital signature. Upon verification, the merchant will form a second package by digitally signing the encrypted value, transaction information and merchant information with the private key provided to the merchant and encrypting it using a public key from the financial institution's payment server. The second package, Y is represented by the formula:
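$$Y = \mathrm{Encrypt}_{\text{payment server's public key}}\big(\mathrm{Sign}_{\text{merchant's private key}}(\text{Encrypted value},\ \text{purchase info.},\ \text{merchant info.})\big) \qquad \text{(Eq. 2)}$$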
In a seventh step (235), the financial institution's payment server with a code module receives the second package submitted by the merchant, decrypts the second package using a private key provided to the payment server and verifies the merchant's digital signature. The user's information, the merchant's information together with the purchase information gathered from the second package will be used to deduct the purchase amount from the user's account at the financial institution. The payment server further gathers the user's information which may be the account information and the identity of the user to perform credit transaction(s) in which the purchase amount in the user's account is credited into the merchant's account. The information of the merchant's account is obtained from the second package.
Additionally, upon completion of a successful transaction, a confirmation code with the status of the transaction or the purchase may be sent to the merchant by the payment server as represented by the eighth step (240). In the ninth step (245), the merchant sends a message confirming the success of the transaction together with a receipt of confirmation to the user of the debit card. The amount in the user's debit card is further updated.
Referring now to Fig. 4, there is shown a flow chart that depicts the process flow of the first and the second package as it goes through the online payment transaction. A first step (305) requires the user to key in the debit card PIN to extract the pre-loaded encrypted value which contains the user's information. A second step (310) is to digitally sign the first package which comprises the encrypted value and the purchase information using the client's plug-in module which contains an algorithm. This is followed by a third step (315) wherein the client's plug-in module encrypts the signed first package using an algorithm also contained in the plug-in module.
The fourth step (320) requires the merchant's server to decrypt and verify the first package followed by a fifth step (325) of digitally signing the first package together with the merchant's information using an algorithm contained in a module within the merchant's server. Upon the assignment of the digital signature, the sixth step (330) involves the merchant's server module encrypting the first package and the merchant's information to form the second package. The second package is sent and received by the payment server which decrypts and verifies the second package as shown by the seventh step (335). The payment server checks for account validity as shown in the eighth step (340).
If the user's account is valid, the user's checking or savings account is debited while the merchant's account is credited as shown by step (345a). Therefore, payment is achieved by transacting the money upon purchase, from the user's bank account to the merchant's bank account. If the user's account is invalid, no transaction is performed (345b). By validating the account of the user, wrongful usage of the user's debit card upon theft is avoided. Steps (345a) and (345b) are followed by having the payment server send a confirmation and status of transaction notification to the merchant as shown in step (350). In the last step (355), the merchant sends the confirmation on the status of the transaction which may be successful or not successful.
Although this disclosure has described and illustrated certain preferred embodiments of the invention, it is to be understood that the invention is not restricted to those particular embodiments. Rather, the invention includes all embodiments which are functional or mechanical equivalents of the specific embodiments and features that have been described and illustrated.
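The first and second packages (X and Y) described above, shown as an added Node.js sketch that is not part of the patent text. The patent names no algorithms, so the RSA-2048 keys, the RSA-OAEP-wrapped AES-256-GCM session key that carries the signed body, the JSON field names and the function names are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed RSA-2048 key pairs standing in for the card, merchant and payment-server keys.
const newKey = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const user = newKey(), merchant = newKey(), bank = newKey();

// Sign the fields with the sender's private key, then encrypt signature+body for the recipient.
// The signed body is larger than one RSA block, so RSA-OAEP wraps a fresh AES-256-GCM key.
function seal(fields, signerPriv, recipientPub) {
  const body = Buffer.from(JSON.stringify(fields));
  const sig = crypto.sign('sha256', body, signerPriv);            // 256 bytes for RSA-2048
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(Buffer.concat([sig, body])), c.final()]);
  const wrapped = crypto.publicEncrypt({ key: recipientPub, oaepHash: 'sha256' }, key);
  return Buffer.concat([wrapped, iv, c.getAuthTag(), ct]);        // 256 | 12 | 16 | ciphertext
}

// Decrypt with the recipient's private key, then verify the sender's signature before use.
function unseal(pkg, recipientPriv, signerPub) {
  const wrapped = pkg.subarray(0, 256);
  const key = crypto.privateDecrypt({ key: recipientPriv, oaepHash: 'sha256' }, wrapped);
  const d = crypto.createDecipheriv('aes-256-gcm', key, pkg.subarray(256, 268));
  d.setAuthTag(pkg.subarray(268, 284));
  const plain = Buffer.concat([d.update(pkg.subarray(284)), d.final()]);
  const sig = plain.subarray(0, 256), body = plain.subarray(256);
  if (!crypto.verify('sha256', body, signerPub, sig)) throw new Error('bad signature');
  return JSON.parse(body.toString());
}

// Steps (220)/(225): the user signs and encrypts the first package X for the merchant.
function userBuildX(encryptedValue, purchase) {
  return seal({ encryptedValue, purchase }, user.privateKey, merchant.publicKey);
}

// Step (230): the merchant decrypts X, verifies the user's signature, then forms Y.
function merchantBuildY(x, merchantInfo) {
  const { encryptedValue, purchase } = unseal(x, merchant.privateKey, user.publicKey);
  return seal({ encryptedValue, purchase, merchantInfo }, merchant.privateKey, bank.publicKey);
}

// Step (235): the payment server decrypts Y and verifies the merchant's signature.
function bankOpenY(y) {
  return unseal(y, bank.privateKey, merchant.publicKey);
}
```

`unseal` throws when the ciphertext has been altered or when the signature does not verify under the expected sender's public key, so neither the merchant nor the payment server acts on unauthenticated fields.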

Claims

1. A system to ensure a secured online transaction for a debit card incorporated with a Public Key Infrastructure (PKI) comprising:
a first entity (110);
a second entity (120) for receiving an initiation of an online transaction by the first entity (110);
a third entity (130) for coordinating the online transaction;
characterized in that
a signed and encrypted first package comprising information of the first entity (110) and information of the online transaction is sent from the first entity (110) to the second entity (120);
a signed and encrypted second package comprising information of the first entity (110), information of the online transaction and information of the second entity (120) is sent from the second entity (120) to the third entity (130) whereby upon receiving the second package, the third entity (130) utilises the information provided to complete the online transaction between the first and the second entity (110,120).
2. A system according to claim 1 wherein the first entity (110) is a user of the debit card, the second entity (120) is a merchant having an online business and the third entity (130) is a financial institution having a payment server.
3. A system according to claim 1 wherein the online transaction is a purchase of item(s) by the first entity (110) from the second entity (120) via the debit card.
4. A method to ensure a secured online transaction for a debit card incorporated with a Public Key Infrastructure (PKI) comprises the steps of:
initiating an online transaction by the user of the debit card with the merchant;
logging into a merchant's website using the user's digital certificate;
keying in the debit card PIN to read an encrypted value that is stored in the debit card;
submitting a signed and encrypted first package from the user to the merchant;
decrypting the first package using a private key provided to the merchant;
submitting a signed and encrypted second package from the merchant to the financial institution;
gathering the user's and merchant's information from the second package by a financial institution's payment server which decrypts the second package using a private key provided to the payment server;
deducting the transaction amount from the user's account while simultaneously crediting the transaction amount to the merchant's account.
5. A method according to claim 4 further comprising the steps of:
sending a confirmation code with the status of the transaction to the merchant by the payment server; and
sending a message confirming the success of the transaction with a receipt of confirmation from the merchant to the user.
6. A method according to claim 4 wherein the encrypted value comprises the user's personal information and a confidential PIN which is keyed in by the user of the debit card at an Automatic Teller Machine (ATM).
7. A method according to claim 4 wherein the first package comprises the online transaction's information and the encrypted value.
8. A method according to claim 4 wherein the first package is digitally signed using a private key from the user's debit card and encrypted using a merchant's public key achieved by an algorithm coded in a plug-in module.
9. A method according to claim 4 wherein the second package comprises the encrypted value, the online transaction's information and merchant's information.
10. A method according to claim 4 wherein the second package is digitally signed using the merchant's private key and encrypted using an algorithm in a module in the merchant's server with a public key from the financial institution's payment server.
PCT/MY2011/000070 2010-11-26 2011-06-03 A method and a system to ensure a secured online transaction for a debit card WO2012070923A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2010005590 2010-11-26
MYPI2010005590A MY165285A (en) 2010-11-26 2010-11-26 A method and a system to ensure a secured online transaction for a debit card

Publications (1)

Publication Number Publication Date
WO2012070923A1 true WO2012070923A1 (en) 2012-05-31

Family

ID=46146081

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2011/000070 WO2012070923A1 (en) 2010-11-26 2011-06-03 A method and a system to ensure a secured online transaction for a debit card

Country Status (2)

Country Link
MY (1) MY165285A (en)
WO (1) WO2012070923A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017013672A1 (en) 2015-07-23 2017-01-26 Natco Pharma Ltd Process for the preparation of pharmaceutical grade dimethyl fumarate
US9760738B1 (en) 2014-06-10 2017-09-12 Lockheed Martin Corporation Storing and transmitting sensitive data
US10430789B1 (en) * 2014-06-10 2019-10-01 Lockheed Martin Corporation System, method and computer program product for secure retail transactions (SRT)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020095388A1 (en) * 2000-12-01 2002-07-18 Yu Hong Heather Transparent secure electronic credit card transaction protocol with content-based authentication
WO2006128215A1 (en) * 2005-05-31 2006-12-07 Salt Group Pty Ltd Method and system for secure authorisation of transactions

Also Published As

Publication number Publication date
MY165285A (en) 2018-03-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11842565

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11842565

Country of ref document: EP

Kind code of ref document: A1