SYSTEM AND METHOD VERIFYING CARD HOLDER WITH ONE TIME PASSWORD IN SOFTWARE BASED POS'S

20220309506 · 2022-09-29

    Abstract

    A system and a method providing an OTP (one time password) to verify a cardholder in transactions over the CVM (Cardholder Verification Method) limit, for commercially available off-the-shelf devices that accept EMV contactless payment through a software based SoftPOS mobile application.

    Claims

    1. A system providing use of a one time password to verify a card holder in transactions with excess limit by payment receiving mobile devices by use of SoftPOS software, characterized by comprising: a payment instrument having contactless transaction feature, a SoftPOS application running on a mobile device, providing taking payment by approaching said payment unit to mobile device, comprising an OTP interface allowing entrance of cardholder's one time password and/or displaying message requesting submission of authorization for verification of cardholder, a SoftPOS server recognizing said SoftPOS application and mobile device whereon SoftPOS application runs and executing security controls, an identity verification server conducting issuer bank distinction on basis of the payment instrument details for submission of the one time password, a user device belonging to the user and to which the one time password is sent, an SMS network gateway owned by the issuer bank and sending the one time password to the user's device for getting user authorization for cardholder verification, an application server owned by the issuer bank and providing sending of a PUSH notification for verification authorization for cardholder verification.

    2. The system according to claim 1, wherein the SoftPOS application comprises an L3 work layer managing user interface experience and workflows.

    3. The system according to claim 1, comprising an L2 kernel where core applications based on payment schemes are executed.

    4. The system according to claim 1, comprising a mobile banking application running on the user device and where to the PUSH notification providing getting user's authorization is sent.

    5. The system according to claim 1, wherein the SoftPOS server comprises an HSM unit providing hardware functioning of security key and cryptographic algorithms.

    6. The system according to claim 1, wherein said payment instrument is a card or a mobile phone with contactless transaction feature.

    7. A method providing use of a one time password to verify a card holder in transactions with excess limit by payment receiving mobile devices by use of SoftPOS software, characterized by comprising process steps of: entrance of payment amount by running a SoftPOS application providing receipt of payment (1001), tapping of a payment instrument providing payment by the SoftPOS application (1002), execution of EMV transaction flow by the SoftPOS application (1003), transmission of a cardholder verification request to SoftPOS server executing security controls (1004), SoftPOS server's sending cardholder verification request to an identity verification server (1005), determining issuer bank and transmission of cardholder verification request to the issuer bank by identity verification server (1006), forwarding of cardholder verification request to the user device by an SMS network gateway sending one time password and/or an application server capable to send PUSH notice, and receiving required authorization (1007), identifying values of OTP and BTN values coding authorization request message displayed in ISO fields under acquiring key and writing code symbolizing SoftPOS application processes into “POS Entry Mode” and transmitting to acquirer bank by SoftPOS server (1015), transmission of request message delivered to the acquirer bank to the issuer bank (1016), parsing ISO fields and controlling OTP and BTN values by issuer bank (1017), in case authorization request fails, displaying of information indicating that transaction is declined in SoftPOS application (1018a), in case authorization request is correct, displaying of information indicating that transaction is approved in SoftPOS application (1018b).

    8. The method according to claim 7, wherein if said user device has a mobile banking application, the method comprises process steps of: sending a PUSH notification to the mobile banking application by the application server (1007b), sending information showing that notice is sent to the identity verification server by the issuer bank (1008b), sending notice status information to the SoftPOS server by the identity verification server (1009b), transmission of notice status information to the SoftPOS application by the SoftPOS server (1010b), displaying of approval request message in the SoftPOS application (1011b), giving approval by the mobile banking application running on the mobile device by cardholder (1012b), transmission of authorization request message to the SoftPOS server by the SoftPOS application (1013b).

    9. The method according to claim 8, comprising the process step of displaying of a message approval request able to direct cardholder to the mobile banking application in the SoftPOS application.

    10. The method according to claim 7, wherein if said user device does not have a mobile banking application, the method comprises process steps of: transmission of cardholder identification request to an SMS network gateway which will send one time password by the issuer bank (1007a), sending one time password to cardholder's mobile device by the SMS network gateway (1008a), sending information of one time password sending status to the identity verification server together with BTN number by Payment unit holder bank (1009a), sending one time password status information to the SoftPOS server by identity verification server (1010a), sending one time password status information to the SoftPOS application by SoftPOS server (1011a), if one time password status information is correct, opening of an OTP entry interface in the SoftPOS application (1012a), entrance of one time password over the SoftPOS application by the cardholder (1013a), sending authorization request message together with one time password to the SoftPOS server by the SoftPOS application (1014a).

    11. The method according to claim 7, comprising the process step of submission of payment instrument verification request to the SoftPOS server together with coded PAN information.

    12. The method according to claim 7, comprising the process step of management of user interface experience and workflows of SoftPOS application by an L3 work layer.

    13. The method according to claim 7, comprising the process step of running core applications of payment schemes by an L2 kernel.

    14. The method according to claim 7, wherein if authorization request is correct, the method comprises process steps of: issuer bank's sending an approval message to the acquirer bank, acquirer bank's sending message to the SoftPOS server, SoftPOS server's sending message of “operation approved” to the SoftPOS application (2), display of approval of transaction on the SoftPOS application.

    15. The method according to claim 7, wherein if authorization request is not correct, the method comprises process steps of: issuer bank's sending a denial message to the acquirer bank, acquirer bank's sending message to the SoftPOS server, SoftPOS server's sending message of “operation denied” to the SoftPOS application, display of denial of transaction on the SoftPOS application.

    16. The method according to claim 7, comprising the process step of hardware operation of the SoftPOS server by means of a security key and cryptographic algorithms of HSM unit.

    17. The method according to claim 7, comprising the process step of preparation of authorization data by the SoftPOS server according to ISO 8583 message structure.

    Description

    BRIEF DESCRIPTION OF FIGURES

    [0029] FIG. 1 is a schematic view of the system disclosed under the invention.

    [0030] FIG. 2 is flow chart diagram of the method disclosed under the invention.

    REFERENCE NUMBERS

    [0031] 1. Payment instrument
    [0032] 2. SoftPOS application
    [0033] 2.1. L3 work layer
    [0034] 2.2. L2 Kernel
    [0035] 2.3. OTP interface
    [0036] 3. SoftPOS server
    [0037] 3.1. HSM unit
    [0038] 4. Identity verification server
    [0039] 5. Acquirer Bank
    [0040] 6. Issuer Bank
    [0041] 6.1. SMS network gateway
    [0042] 6.2. Application server
    [0043] 7. User device
    [0044] 7.1. Mobile Banking application
    [0045] 1001. Entrance of payment amount by running SoftPOS application providing receipt of payment
    [0046] 1002. Tapping of payment instrument to SoftPOS application
    [0047] 1003. Execution of EMV transaction flow by SoftPOS application
    [0048] 1004. Transmission of cardholder verification request to SoftPOS executing security controls
    [0049] 1005. Sending cardholder verification request to identity verification server by SoftPOS server
    [0050] 1006. Determining of issuer bank and sending cardholder verification request to issuer bank by identity verification server
    [0051] 1007. Forwarding of cardholder verification request to user device by an SMS network gateway sending one time password and/or capable to send PUSH notification, and receiving required authorization
    [0052] 1007a. Transmission of cardholder verification request by issuer bank to SMS network gateway which will send one time password
    [0053] 1007b. Sending PUSH notification to mobile banking application by application server
    [0054] 1008a. Sending one time password to cardholder's mobile device by SMS network gateway
    [0055] 1008b. Sending information showing that notice is sent to identity verification server by issuer bank
    [0056] 1009a. Sending information of one time password sending status to identity verification server together with BTN number by issuer bank
    [0057] 1009b. Sending notice status information to SoftPOS server by identity verification server
    [0058] 1010a. Sending one time password status information to SoftPOS server by Identity verification server
    [0059] 1010b. Transmitting notice status information to SoftPOS application by SoftPOS server
    [0060] 1011a. Sending one time password status information to SoftPOS application by SoftPOS server
    [0061] 1011b. Displaying of approval request message in SoftPOS application
    [0062] 1012a. If one time password status information is correct, opening of OTP entry interface in SoftPOS application
    [0063] 1012b. Giving approval over mobile banking application running on mobile device by cardholder
    [0064] 1013a. Entrance of one time password over SoftPOS application by cardholder
    [0065] 1013b. Transmitting authorization request message to POS server by SoftPOS application
    [0066] 1014a. Sending authorization request message together with one time password to SoftPOS server by SoftPOS application
    [0067] 1015. Identifying values of OTP and BTN values coding authorization request message displayed in ISO fields under acquiring key and writing code symbolizing SoftPOS application processes into “POS Entry Mode” and transmitting to acquirer bank by SoftPOS server
    [0068] 1016. Transmission of request message delivered to acquirer bank to issuer bank
    [0069] 1017. Parsing ISO fields and controlling OTP and BTN values by issuer bank
    [0070] 1018a. In case authorization request fails, displaying of information indicating that transaction is declined in SoftPOS application
    [0071] 1018b. In case authorization request is correct, displaying of information indicating that transaction is approved in SoftPOS application

    DETAILED DESCRIPTION OF THE INVENTION

    [0072] In this detailed description, the novelty that is the subject of this invention is disclosed solely for better understanding of the subject, with examples described in a non-restrictive manner. Our invention is a system for use of a one time password to verify the cardholder in transactions with excess limit on payment accepting mobile devices by means of SoftPOS software. A schematic view of the system disclosed under the invention is given in FIG. 1. Accordingly, the system comprises: a payment instrument (1) having a contactless transaction feature; a SoftPOS application (2) running on a mobile device, which receives payment when said payment instrument (1) is brought close to the mobile device and comprises an OTP interface (2.3) for entry of the one time password by the cardholder and/or display of a message requesting authorization for verification of the cardholder; a SoftPOS server (3) recognizing said SoftPOS application (2) and the mobile device on which the SoftPOS application runs, and performing security controls; an identity verification server (4) distinguishing the issuer bank (6) based on payment instrument (1) information for sending the one time password; a user device (7) belonging to the user, to which the one time password is sent; an SMS network gateway (6.1) owned by the issuer bank (6), sending the one time password to the user device (7) to get user approval for cardholder verification; and an application server (6.2) owned by the issuer bank (6), sending a PUSH notification to get user approval for cardholder verification.

    [0073] In a preferred application of the system, said SoftPOS application (2) comprises an L3 work layer (2.1) managing user interface experience and workflows, and an L2 kernel (2.2) where core applications of payment schemes are run.

    [0074] Our invention also comprises mobile banking application (7.1) installed on user device (7) and where PUSH notification providing getting authorization from cardholder is sent.

    [0075] Said SoftPOS server (3) comprises HSM unit (3.1) providing hardware functioning of security key and cryptographic algorithms.

    [0076] A flow diagram of the method disclosed under the invention is given in FIG. 2. Working principle of our invention is as follows:

    [0077] Payment amount is entered by running SoftPOS application (2) providing receipt of payment. Card holder taps payment instrument (1) by SoftPOS application (2) after shopping. Communication between SoftPOS application (2) and payment instrument (1) is preferably provided by NFC. Said payment instrument (1) is characterized in being a card of contactless transaction feature or a mobile phone. SoftPOS application (2) is a mobile application developed as alternate of physical POS devices and running on preferably Android devices.

    [0078] After payment instrument (1) is read by SoftPOS application (2) running on a mobile device, EMV payment flow is executed and cardholder verification request is sent to SoftPOS server (3) together with PAN information. SoftPOS server (3) transmits incoming request to identity verification server (4). Identity verification server (4) identifies issuer bank (6) and cardholder verification request is transmitted to issuer bank (6).

    [0079] If user device (7) does not have mobile banking application (7.1):

    [0080] Cardholder identification request is transmitted by issuer bank (6) to SMS network gateway (6.1), which will send the one time password (OTP). SMS network gateway (6.1) sends the one time password to cardholder's mobile device (7). Issuer bank (6) also submits OTP transmission information together with BTN (Bank Transaction Number) details to identity verification server (4). Identity verification server (4) sends OTP transmission details to SoftPOS server (3), and SoftPOS server (3) transmits them to SoftPOS application (2). After receipt of this information, SoftPOS application (2) opens OTP interface (2.3) to enable the cardholder to enter the OTP. The cardholder enters the OTP. SoftPOS application (2) sends OTP information together with authorization data to SoftPOS server (3).

    [0081] If user device (7) has mobile banking application:

    [0082] Application server (6.2) sends a PUSH notification to mobile banking application (7.1). Issuer bank (6) sends information showing that the notice is sent to identity verification server (4). Identity verification server (4) sends notice status information to SoftPOS server (3). SoftPOS server (3) transmits notice status information to SoftPOS application (2). SoftPOS application (2) displays a message directing the user to the bank application. Cardholder gives approval in mobile banking application (7.1) running on mobile device (7). SoftPOS application (2) transmits authorization request message to SoftPOS server (3).

    [0083] SoftPOS server (3) prepares authorization data according to ISO 8583 message structure. OTP data and BTN data are added into ISO message fields to be assigned. A code symbolizing SoftPOS application (2) operations is written to the “POS Entry Mode” field to enable issuer bank (6) to distinguish SoftPOS operations. Authorization request message is transmitted to acquirer bank (5). Acquirer bank (5) sends the request to issuer bank (6) for authorization confirmation. Issuer bank (6) parses the ISO message. When POS Entry Mode is recognized as SoftPOS application (2), OTP and BTN values are checked and an authorization confirmation or decline message is given.
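An added sketch of the message preparation and issuer-side check described in [0083], not code from the patent: it encodes a simplified ISO 8583-style request and validates OTP and BTN when the entry mode marks a SoftPOS transaction. DE 22 is the standard POS Entry Mode field; carrying "BTN|OTP" in DE 48, the entry mode code 999, the three-attempt limit and binding the BTN to the PAN are assumptions of this example.

```python
import hmac

# Layout assumed for this sketch; the patent leaves the OTP/BTN fields "to be assigned".
# DE 2 PAN (LLVAR), DE 4 amount (n12), DE 22 POS Entry Mode (n3), DE 48 private data (LLLVAR).
SPEC = {2: ("LL", 19), 4: ("FIXED", 12), 22: ("FIXED", 3), 48: ("LLL", 999)}
SOFTPOS_ENTRY_MODE = "999"  # placeholder code, not a value defined by any scheme
MAX_TRIES = 3               # assumed attempt limit per BTN

def build(mti, fields):
    """Encode MTI + 64-bit primary bitmap (hex) + ASCII data elements."""
    bitmap, body = 0, ""
    for de in sorted(fields):
        (kind, size), value = SPEC[de], fields[de]
        if (kind == "FIXED" and len(value) != size) or len(value) > size:
            raise ValueError(f"bad length for DE {de}")
        bitmap |= 1 << (64 - de)  # DE 1 is the most significant bit
        prefix = "" if kind == "FIXED" else str(len(value)).zfill(len(kind))
        body += prefix + value
    return f"{mti}{bitmap:016X}{body}"

def parse(msg):
    """Decode a message produced by build(); reject unknown fields and trailing data."""
    mti, bitmap, pos, fields = msg[:4], int(msg[4:20], 16), 20, {}
    for de in range(1, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        if de not in SPEC:
            raise ValueError(f"unsupported DE {de}")
        kind, size = SPEC[de]
        if kind != "FIXED":
            size = int(msg[pos:pos + len(kind)])
            pos += len(kind)
        fields[de] = msg[pos:pos + size]
        pos += size
    if pos != len(msg):
        raise ValueError("length mismatch")
    return mti, fields

def issuer_check(msg, pending):
    """Step 1017. pending maps BTN -> {"otp", "pan", "tries"}, stored when the OTP was sent."""
    _, f = parse(msg)
    if f.get(22) != SOFTPOS_ENTRY_MODE:
        return "NOT_SOFTPOS"  # handled by the issuer's regular authorization path
    btn, _, otp = f.get(48, "").partition("|")  # "BTN|OTP" sub-format is assumed
    rec = pending.get(btn)
    if rec is None or rec["pan"] != f.get(2) or rec["tries"] >= MAX_TRIES:
        return "DECLINED"
    rec["tries"] += 1
    if not hmac.compare_digest(otp.encode(), rec["otp"].encode()):
        return "DECLINED"
    del pending[btn]  # single use: a replayed message finds no record
    return "APPROVED"

# Constructed sample: test PAN; the BTN and OTP are invented for this example.
SAMPLE = build("0100", {2: "4111111111111111", 4: "000000015000", 22: "999", 48: "BTN0001|123456"})
```

Deleting the pending record on success and counting attempts per BTN are what stop a captured authorization message or a guessed OTP from being reused.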

    [0084] If authorization request is successful,
    [0085] Issuer bank (6) sends authorization message to acquirer bank (5).
    [0086] Acquirer bank (5) sends message to SoftPOS server (3).
    [0087] SoftPOS server (3) sends message of operation approval to SoftPOS application (2).
    [0088] SoftPOS application (2) shows approval of transaction.

    [0089] If authorization is not approved without any reasons;
    [0090] Issuer bank (6) sends declined message to acquirer bank (5).
    [0091] Acquirer bank (5) sends message to SoftPOS server (3).
    [0092] SoftPOS server (3) sends message of operation denial to SoftPOS application (2).
    [0093] SoftPOS application (2) shows denial of transaction message.