METHOD FOR PAYMENT AUTHORIZATION ON OFFLINE MOBILE DEVICES WITH IRREVERSIBILITY ASSURANCE

20180096348 · 2018-04-05

    Abstract

    A method for payment authorization (10) on mobile devices (DM) such as smartphones, tablets or any others available, which may be offline; the method for payment authorization (10) comprises the compilation of sequential steps of method (M1) of the payer (20) with method (M2) of the operational system (50) or application that constitutes a logical structure for alignment with the method (M3) of the payee (30), resulting in authenticated payment (PG) of financial transactions (TF) with assurance of non-repudiation through generation of a private key (51) and public key (52), as well as association of positive identification (21a) and personal identification (21b) of the payer (PG) with the mobile device (DM); said methods (M1), (M2) and (M3) are executed on mobile devices (DM) with enough processing capacity for execution of encryption algorithms and which may be used for issuing payment orders (PG), on-site or otherwise, carried out with financial resources (RF) or credit limits (LC) such as bonuses, points, products, tickets, etc. of the payer (20) of the device (DM).

    Claims

    1) A method for payment authorization on offline mobile devices with irreversibility assurance, more precisely related to a method for payment authorization (10) on mobile devices (DM) such as smartphones, tablets or other devices available which may be offline, wherein said methods for offline payment authorization (10) comprise: (A) the compilation of sequential steps of the method (M1) of the payer (20) with the method (M2) of the operational system (50) or application that constitutes a logical structure for alignment with the method (M3) of the payee (30), resulting in authenticated offline payment (PG) of financial transactions (TF) with assurance of non-repudiation through generation of a private key (51) and public key (52); (B) the association of positive identification (21a) and personal identification (21b) of the payer (PG) with the mobile device (DM); (C) that the methods (M1), (M2) and (M3) are executed on mobile devices (DM) capable of processing encryption algorithms which can be used for authorizing payments (PG), in person or otherwise, performed with financial resources (RF) or credit limits (LC) such as bonuses, points, products, vouchers, etc. of the payer (20) of the device (DM).

    2) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1 and in a preferred operational version, wherein the method (M1) of the payer (20) starts with the steps for authorization request (21) for performance of the financial transaction (TF) through identification means (21a) and (21b) and association of the mobile device (DM) with the holder/payer for execution of the financial transaction (TF).

    3) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the steps (P1) for identification (21a) and (21b) are: a) positive identification (21a) and preview of the holder/payer (20) of the device(s) (DM) used to perform payments (PG); said positive identification may be carried out in many ways, such as digital certificate, on-site validation, notary office, credit bureaus, etc.; b) personal identification (21b) of the payer (20) through the respective e-mail, tax identifier as the personal identification number, device (DM) identification, but in case the device (DM) is a smartphone, identification is through the phone number by installing the application (50) and other devices may have other forms of identification, as well as identification of other complementary information such as payer address; c) request of the association (21c) of the mobile device (DM) to its identity (21a) and (21b); the payer (20) may, optionally, prove that he is in possession of the device (DM), but if the device (DM) is a smartphone, such proof may be provided, for example, by sending a random number code through a text message to the device (DM) and requesting that the payer (20) inputs the received code to the application (50); other devices may have some kind of unique serial number, which the payer (20) shall provide during such action; d) request the payer (20) to provide some sort of payment authorization key (PG), which may be represented by a security code (23) PIN, a biometric feature such as fingerprint, iris recognition, face, voice, etc. or any other means.

    4) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the method (M2) of the operational system (50) proceeds with the logical steps for association of the mobile device (DM) with the holder/payer (20).

    5) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the method (M2) features the following steps (P2): a1) generation of a pair of keys (51) and (52) through the application (50), one being a private key (51) and the other a public key (52) by means of an RSA algorithm, or another similar type of asymmetric encryption, with n bits, in which n may be any proper number, such as 1024 or 2048, in order to ensure the security level of the keys (51)/(52), which may vary due to the typical amounts of financial transactions, for example; b1) the private key (51) is stored in the device (DM) while encrypted through some symmetric encryption mechanism which only allows recovery with the key defined on step (d); c1) the public key (52) with identifications (21a) and (21b) of the payer (PG) and device (DM) is sent to a payment authorization server (53) which, in turn, records the association between this device (DM) and the public key (52) of the holder (20) of the mobile device (DM); d1) the holder (20) confirms the public key (52), confirming the device (DM) through the respective identifications (51) and (52) or through any other entity that may truthfully attest the person who can authorize the payments (PG), in the device (DM); optionally, the holder/payer (20) of the mobile device (DM) can establish use restrictions, such as location, product type and services to be paid, specific times for use, etc.; e1) after confirmation of the association of the holder/payer (20) and mobile device (DM), it is now registered and authorized to generate payment orders, transfer of financial resources or other similar activities; f1) for disqualification of the mobile device (DM) as means of payment, the holder/payer (20) can, for example, contact the customer service of the company that authorizes payments and request deactivation of the mobile device (DM); the simple removal of the corresponding public key (52) prevents that payment (PG) orders (O1) signed by the device (DM) are accepted thereafter.

    6) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the holder/payer (20) authorized to use the device (DM) for payments (PG) of varied financial transactions (TF) proceeds with the following steps (P3): i. communication of the amount (V1) of the transaction (TF); ii. optionally, any additional information such as identification of the entity that will validate the payment (PG) order (O1), currency of the payable amount (V1), identification of the financial source in case the payer (20) has more than one current account, credit card, etc.; iii. identification of the purchase such as order number, invoice, description, etc.; iv. identification of the recipient(s)/payee (30) that are authorized to receive such payment (PG); v. information of any other use restriction of the payment (PG) order (O1) such as determination of geographic region, specific purpose or any other restriction; vi. validity of the payment (PG) order (O1); vii. code(s) of the goods being traded; viii. necessary information for access to the private key (51), in other words, PIN, biometry, etc.

    7) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the method (M2) of the operational system (50) proceeds with the second sequence of logical steps after obtaining information of the steps (P3): a2) grouping (P4), necessarily, with the identifications (21a)/(21b) of the payer (20) which issues the authorization, in other words, account number, fiscal identifier or any other identification form of the payer (20) to the system (50); b2) grouping (P5) with information provided by the payer (20) and some information that ensures uniqueness of this payment (PG) order (O1), for example: i) identification of the authorizer's account; ii) universal identifier UUID of the payment; iii) mobile device identifier (DM); iv) timestamp such as date/time at the moment of generation of the authorization; c2) from the information of the step (P3) and grouping (P4) and (P5), the device (DM) generates a payment (PG) authorization (P6), such as a byte sequence that provides the payment data (PG), additionally with a digital signature using the private key (51) of the holder/payer (20) of the mobile device (DM), through any common algorithm for this purpose such as SHA+RSA, MD5+RSA, etc.; d2) all data mentioned in steps (P3), (P4) and (P5), with the digital signature generated in step (P6) constitute the authorization (AT) of the payment (PG) order (O1); e2) the authorization (AT) generated in the previous step (d2) is then transferred to the payee (30) of the payment (PG) through a bar code, visual signals, electromagnetic waves, sound waves, etc.

    8) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the method (M3) of the payee's device (30), after receiving the payment (PG) order (O1), proceeds with the steps (P3): a3) sending of the payment (PG) order (O1) to the entity (ET) that authorizes and settles the payment (PG), with said entity (ET) typically being a bank, payment institution, credit company or similar; b3) said entity (ET) checks if such authorization is valid, analyzing all pertaining restrictions, such as location, spending limits, balance available, existing account, etc.; for such, the payee (30) needs an online mechanism for validation of the transaction (TF), allowing communication between the payee's device (30) and the entity (ET) that authorizes it, or any kind of trust bond between the payer (20) and the payee (30), so that the recipient may act on behalf of the entity (ET), even when offline; in this last case, the payee (30) takes the risk that the payment order may not be authorized afterwards by the (ET); c3) after the information of the financial transaction (TF) is validated, the authorizing entity (ET) checks the authenticity of the digital signature, comparing the payment (PG) information with the public key (52) previously registered for the device during step (e1) of the method (M2) of the operational system (50); the validation of the signature ensures that such order (O1) is truly generated by the authorized device (DM) and signed with the private key (51) of the holder/payer (20); d3) after validation of the steps (b3) and (c3), the payment (PG) order (O1) is processed, transferring funds from the payer's (20) account to the payee(s) (30) or generating any effect needed for such payment order (PG) to be processed, which may not necessarily involve money, but also credit from reward programs, shopping vouchers, etc.; e3) afterwards the payee (30) is notified about the transaction taking place, which is concluded and recorded.

    9) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein methods (M1), (M2) and (M3) comprise the ability of the authorizing server to authorize a payment (PG) order (O1) generated by the offline mobile device (DM) of the payer (20), with no connection between the payer (20) and the authorization server, providing only a screen to show a bar code, a speaker to produce sounds, an NFC or any other means to send a small data amount to the mobile device (DM) of the vendor (30).

    10) The method for payment authorization on offline mobile devices with irreversibility assurance, according to claim 1, wherein the methods (10) comprise the combination of various encryption techniques and digital signature for generation of a digital representation capable of ensuring authenticity of the payer's data (20), amount and other additional information.

    Description

    DESCRIPTION OF THE DRAWINGS

    [0030] FIG. 1 shows a diagram of the method assembly of the payer, system and payee that constitutes offline payment.

    [0031] FIG. 1A shows a general flowchart of the method.

    [0032] FIG. 1B shows the optimized flowchart of the authorization phase of the payment order.

    [0033] FIG. 1C shows the payment order generation flowchart.

    [0034] FIG. 2 represents a block diagram of the logical sequence of the payer method.

    [0035] FIGS. 3 and 4 show block diagrams of the logical sequence of the authorization method prepared by the operational system.

    [0036] FIG. 4A shows a flowchart for generation of the pair of keys (public and private) associated to the payer and its mobile device.

    [0037] FIG. 5 illustrates a block diagram of the logical sequence of the offline payment authorization method of the payee.

    [0038] FIG. 5A shows the payment order generation flowchart.

    [0039] FIG. 5B shows a flowchart of an example of payment authorization.

    DESCRIPTION OF THE INVENTION

    [0040] According to the figures, this invention relates to a METHOD FOR PAYMENT AUTHORIZATION ON OFFLINE MOBILE DEVICES WITH IRREVERSIBILITY ASSURANCE, more precisely relating to a method for payment authorization (10) on mobile payment devices (DM) such as smartphones, tablets or other devices available which may be offline.

    [0041] According to this invention, said method for payment authorization (10) is executed, especially, on mobile devices (DM) with enough processing capacity for executing encryption algorithms and which may be used for generating payment orders (PG), on-site or otherwise, using financial resources (RF) or credit limits (LC) such as bonuses, points, products, tickets, etc. of the payer (20) of the device (DM).

    [0042] Said method for payment authorization (10) comprises the compilation of sequential steps of the method (M1) of the payer (20) with the method (M2) of the operational system (50) or application that form a logical structure for alignment with the method (M3) of the payee (30), resulting in authenticated offline payment (PG) of financial transactions (TF) with non-repudiation assurance through generation of a private key (51) and a public key (52), as well as association of positive identification (21a) and personal identification (21b) of the payer (PG) with the mobile device (DM).

    [0043] In a preferred operational version, the method (M1) of the payer (20) starts with the steps for authorization request (21) for performance of the financial transaction (TF) through identification means (21a) and (21b) and association of the mobile device (DM) with the holder/payer (20) for execution of the financial transaction (TF). The steps (P1) for identification (21a) and (21b) are:

    [0044] a) Positive identification (21a) and preview of the holder/payer (20) of the device(s) (DM) used to perform the payments (PG). Said positive identification may be executed in many ways, such as digital certificate, on-site validation, notary office, credit bureaus, etc.;

    [0045] b) Personal identification (21b) of the payer (20) through the respective e-mail, tax identifier as the personal identification number, device (DM) identification, but in case the device is a smartphone, identification is made from the phone number through installation of the application (50) and other devices may have other forms of identification, as well as identification of other complementary information such as payer address;

    [0046] c) Request for association (21c) of the mobile device (DM) to its identity (21a) and (21b). The payer (20) may prove, optionally, that he holds the device (DM), but in case the device is a smartphone, said proof may be provided, for example, by sending a text message with a random number code to the device (DM) and requesting that the payer (20) inputs the code received to the application (50). Other devices may have unique serial numbers and the payer (20) must provide it during this action;

    [0047] d) Request the payer (20) to provide some sort of payment authorization key (PG), which may be represented by a security code (23) PIN, a biometric feature such as fingerprint, iris recognition, face, voice, etc. or any other means.

    [0048] After identification of the payer (20) the method (M2) of the operational system (50) follows with logical steps for association of the mobile device (DM) with the holder/payer (20) through the following steps (P2):

    [0049] a1) Generation of a pair of keys (51) and (52) through the application (50), one being a private key (51) and the other a public key (52), by means of, for example, an RSA algorithm or another with n bits, in which n may be any proper number, such as 1024 or 2048, in order to ensure the security level of the keys (51)/(52), which may vary due to the typical amounts of financial transactions, for example;

    [0050] b1) The private key (51) is stored in the device (DM) while encrypted through some symmetric encryption mechanism (with the PIN as the key) which only allows recovery with the key defined on step (d);

    [0051] c1) The public key (52) with identifications (21a) and (21b) of the payer (PG) and device (DM) is sent to a payment authorization server (53) which, in turn, records the association between this device (DM) and the public key (52) of the holder (20) of the mobile device (DM). To perform this step, the payer's device (DM) must be online;

    [0052] d1) The holder (20) confirms the public key (52), confirming the device (DM) through respective identifications (51) and (52) or any other entity that may truthfully attest the person who can authorize the payments (PG), in the device (DM). Optionally the holder/payer (20) of the mobile device (DM) can establish use restrictions, such as location, product type and services to be paid, specific times for use, etc.;

    [0053] e1) After confirmation of the association of the holder/payer (20) and mobile device (DM), it is now registered and authorized to generate payment orders, transfer of financial resources or other similar activities;

    [0054] f1) For disqualification of the mobile device (DM) as means of payment, the holder/payer (20) can, for example, contact the customer service of the company that authorizes payments and request deactivation of the mobile device (DM). The simple removal of the corresponding public key (52) prevents that payment (PG) orders (O1) signed by the device (DM) are accepted thereafter.
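    An added worked example of steps a1) to c1) and f1) above (the same steps as in claim 5); it is not part of the patent and not the applicant's code. It assumes RSA-2048 keys in PKCS#1 encoding, AES-256-GCM under a PBKDF2-HMAC-SHA256 key derived from the PIN of step d) as the "symmetric encryption mechanism" of step b1), and an in-memory map as a stand-in for the payment authorization server (53). Device identifiers and PINs are constructed values; the iteration count is a chosen parameter, not one the patent specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Registry stands in for the authorization server (53): device id -> public key (52).
type Registry map[string]*rsa.PublicKey

// Revoke implements step f1: with the public key gone, orders signed by the device fail lookup.
func (r Registry) Revoke(deviceID string) { delete(r, deviceID) }

// SealedKey is the private key (51) as it rests on the device (step b1):
// PKCS#1 DER encrypted with AES-256-GCM under a key derived from the PIN.
type SealedKey struct{ Salt, Nonce, Ciphertext []byte }

// kdfIterations is a constructed value; a numeric PIN has little entropy, so the
// derivation is deliberately slow to make guessing against a copied blob costly.
const kdfIterations = 100_000

// pinKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// written out here so the example needs only the standard library.
func pinKey(pin string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(pin))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func pinCipher(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pinKey(pin, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPrivateKey encrypts the private key so it is recoverable only with the PIN chosen in step d.
func SealPrivateKey(priv *rsa.PrivateKey, pin string) (*SealedKey, error) {
	buf := make([]byte, 28) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	aead, err := pinCipher(pin, salt)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(priv)
	return &SealedKey{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, der, nil)}, nil
}

// OpenPrivateKey recovers the key at payment time. A wrong PIN fails the GCM tag
// check, so the device never signs with a garbage key.
func OpenPrivateKey(s *SealedKey, pin string) (*rsa.PrivateKey, error) {
	aead, err := pinCipher(pin, s.Salt)
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong PIN or corrupted key store")
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// Enroll runs steps a1..c1 for one device: generate the pair, seal the private
// half on the device, register the public half with the server.
func Enroll(reg Registry, deviceID, pin string, bits int) (*SealedKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	sealed, err := SealPrivateKey(priv, pin)
	if err != nil {
		return nil, err
	}
	reg[deviceID] = &priv.PublicKey
	return sealed, nil
}
```

    Two points the code makes concrete: an authenticated cipher turns a wrong PIN into a clean failure instead of a silently wrong key, and revocation needs no message to the device, since the settling entity simply stops finding the public key (52). Because the sealed blob can be copied off a lost device, a practitioner would keep the private key in hardware-backed storage where the platform offers it and treat the PIN-derived wrapping as a second layer rather than the only one.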

    [0055] After the identification steps (21a) and (21b) and association of the possession of the mobile device (DM), the authorized holder/payer (20) to use the device (DM) for payments (PG) of various financial transactions (TF) proceeds with the following steps (P3):

    [0056] i. Communication of the amount (V1) of the transaction (TF);

    [0057] ii. Optionally, any additional information such as identification of the entity that will validate the payment (PG) order (O1), currency of the payable amount (V1), identification of the financial source in case the payer (20) has more than one current account, credit card, etc.;

    [0058] iii. Identification of the purchase such as order number, invoice, description, etc.;

    [0059] iv. Identification of the recipient/payee(s) (30) that are authorized to receive such payment (PG);

    [0060] v. Information of any other use restriction of the payment (PG) order (O1) such as determination of geographic region, specific purpose or any other restriction;

    [0061] vi. Validity of the payment (PG) order (O1);

    [0062] vii. Code(s) of the goods being traded;

    [0063] viii. Necessary information for access to the private key (51), in other words, PIN, biometry, etc.

    [0064] After obtaining information of the steps (P3) the method (M2) of the operational system (50) proceeds with the second sequence of logic steps, which are:

    [0065] a2) Grouping (P4), necessarily, with the identifications (21a)/(21b) of the payer (20) which issues the authorization, in other words, account number, fiscal identifier or any other identification form of the payer (20) to the system (50);

    [0066] b2) Grouping (P5) with information provided by the payer (20) and some information that ensures uniqueness of this payment (PG) order (O1), for example: i) identification of the payee's account; ii) universal identifier UUID of the payment; iii) mobile device identifier (DM); iv) timestamp such as date/time at the moment of generation of the authorization; [0067] v) a combination of this information; vi) other that may be applicable;

    [0068] c2) From the information of the step (P3) and grouping (P4) and (P5), the device (DM) generates a payment (PG) authorization (P6), such as a byte sequence that provides the payment data (PG), additionally with a digital signature using the private key (51) of the holder/payer (20) of the mobile device (DM), through any common algorithm for this purpose such as SHA+RSA, MD5+RSA, etc.;

    [0069] d2) All data mentioned in steps (P3), (P4) and (P5), with the digital signature generated in step (P6) constitute the authorization (AT) of the payment (PG) order (O1);

    [0070] e2) The authorization (AT) generated in the previous step (d2) is then transferred to the payee (30) of the payment (PG) through a bar code, visual signals, electromagnetic waves, sound waves, etc.

    [0071] The Method (M3) of the payee (30), after receiving the payment (PG) order (O1), proceeds with the following steps:

    [0072] a3) Sending of the payment (PG) order (O1) to the entity (ET) that authorizes and settles the payment (PG), with said entity (ET) typically being a bank, payment institution, credit company or similar;

    [0073] b3) Said entity (ET) verifies if the authorization is valid, analyzing all pertaining restrictions, such as location, spending limits, balance available, existing account, etc. For such, the payee's device (30) needs an online mechanism for communication between the payee's device (30) and the entity (ET) that authorizes it, or any kind of trust bond between the payer (20) and the payee (30), so that the recipient may act on behalf of the entity (ET), even when offline. In this last case, the payee takes the risk that the payment order may not be authorized afterwards by the (ET);

    [0074] c3) After the information of the financial transaction (TF) is validated, the authorizing entity (ET) checks the authenticity of the digital signature, comparing the payment (PG) information with the public key (52) previously registered for the device during step (e) of the method (M2) of the operational system (50). The validation of the signature ensures that such order (O1) is indeed generated by the authorized device (DM) and signed with the private key (51) of the holder/payer (20) and, therefore, free of tampering prior to reaching the ET;

    [0075] d3) After validation of the steps (b) and (c), the payment (PG) order (O1) is processed, transferring funds from the payer's (20) account to the payee's (30) account or generating any effect needed for such payment order (PG) to be processed, which may not necessarily involve money, but also credit from reward programs, shopping vouchers, etc.;

    [0076] e3) Afterwards the payee's device (30) is notified about the transaction taking place, which is then concluded and recorded.
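    An added worked example covering the order generation steps a2) to e2) and the verification steps a3) to d3) above (the same steps as in claims 7 and 8); it is not part of the patent and not the applicant's code. It assumes RSA-PSS over SHA-256 as the "SHA+RSA" signature of step c2), JSON as the canonical byte sequence of the grouped data (P3)/(P4)/(P5), URL-safe base64 as the bar-code or NFC payload of step e2), and an in-memory map of registered public keys (52) plus a set of settled UUIDs as a stand-in for the entity (ET). Field names, account and device identifiers, and the five-minute validity window are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// PaymentOrder holds the P3 fields the payer supplies and the P4/P5 fields the application
// adds. Struct field order is fixed, so json.Marshal gives one canonical byte sequence to sign.
type PaymentOrder struct {
	PayerAccount string `json:"payer_account"` // P4: who issues the authorization
	DeviceID     string `json:"device_id"`     // P5 iii: selects the registered public key
	OrderUUID    string `json:"order_uuid"`    // P5 ii: replay-detection key
	IssuedAt     int64  `json:"issued_at"`     // P5 iv: unix seconds
	ValidUntil   int64  `json:"valid_until"`   // P3 vi: expiry, unix seconds
	AmountCents  int64  `json:"amount_cents"`  // P3 i: minor units, never floats
	Currency     string `json:"currency"`      // P3 ii
	Payee        string `json:"payee"`         // P3 iv
	Purchase     string `json:"purchase"`      // P3 iii
}

// Authorization is AT (step d2): the order plus the RSA-PSS signature over its canonical bytes.
type Authorization struct {
	Order     PaymentOrder `json:"order"`
	Signature []byte       `json:"sig"`
}

// NewDeviceKey is the key pair of step a1, generated here for the example's own use.
func NewDeviceKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// digest hashes the canonical encoding; marshalling a struct of strings and ints cannot fail.
func digest(o PaymentOrder) []byte {
	msg, _ := json.Marshal(o)
	d := sha256.Sum256(msg)
	return d[:]
}

// Sign (steps c2/d2) runs on the offline device with the unsealed private key (51).
func Sign(priv *rsa.PrivateKey, o PaymentOrder) (*Authorization, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(o), nil)
	if err != nil {
		return nil, err
	}
	return &Authorization{Order: o, Signature: sig}, nil
}

// Encode (step e2) yields the compact string the device shows as a bar code or sends over NFC.
func Encode(a *Authorization) string {
	b, _ := json.Marshal(a)
	return base64.RawURLEncoding.EncodeToString(b)
}

// Decode is the payee's side of step e2.
func Decode(wire string) (*Authorization, error) {
	b, err := base64.RawURLEncoding.DecodeString(wire)
	if err != nil {
		return nil, err
	}
	a := new(Authorization)
	return a, json.Unmarshal(b, a)
}

var (
	ErrUnknownDevice = errors.New("device not registered or revoked")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrExpired       = errors.New("order validity window has passed")
	ErrReplay        = errors.New("order UUID already settled")
)

// Settler is the entity ET: registered public keys (52) plus the UUIDs already settled.
type Settler struct {
	Keys map[string]*rsa.PublicKey
	Seen map[string]bool
	Now  func() time.Time // injectable clock, so expiry can be tested deterministically
}

// Verify is steps b3/c3. The signature is checked before Seen is consulted or written,
// so a tampered or forged order can neither settle nor burn a legitimate UUID.
func (s *Settler) Verify(a *Authorization) error {
	pub, ok := s.Keys[a.Order.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if rsa.VerifyPSS(pub, crypto.SHA256, digest(a.Order), a.Signature, nil) != nil {
		return ErrBadSignature
	}
	if s.Now().Unix() > a.Order.ValidUntil {
		return ErrExpired
	}
	if s.Seen[a.Order.OrderUUID] {
		return ErrReplay
	}
	s.Seen[a.Order.OrderUUID] = true
	return nil
}
```

    The order of checks in Verify is what gives the scheme its offline safety: the signature binds amount, payee and UUID together, so changing any field after the bar code is shown fails step c3; the validity field bounds how long a captured code stays usable; and the settled-UUID set is what stops the same code from being presented twice, which is the one check only the online entity (ET) can make. Of the two hash choices the text mentions, the example uses SHA-256, since MD5 collisions are practical and a collision-resistant hash is what makes the signature cover the exact order presented.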

    [0077] It should be noted, then, that the technical evolution of this invention lies in the methods (M1), (M2) and (M3) herein featuring the ability of the authorization server in authorizing a payment (PG) order (O1) generated by the mobile device (DM) of the payer (20) without any connection between the payee (30) and the authorization server, enabling the payer (20) to be completely offline, with only a screen to show a bar code, a speaker for producing sounds, an NFC or any other means for sending a small amount of data to the sales device (DM) of the vendor (30) in an unidirectional manner.

    [0078] Another relevant aspect of this invention is the combination of various encryption techniques and digital signature for generating a digital representation capable of ensuring authenticity of its information (payer, amount and other additional information).

    [0079] Another relevant aspect refers to the optimization of the implementation of encryption algorithms, digital signature and generation of the digital code so that the processing requisites are compatible with the capacity of most current mobile devices (CPU, memory, screen resolution).

    [0080] Aside from the optimization related to the implementation of the aforementioned algorithms, optimization of the digital representation may also be mentioned, regarding the amount of bits needed to store all information of the payment order.

    [0081] It is certain that when this invention is put into practice, modifications may be introduced concerning certain construction and shaping details, without departing from the base principles that are clearly substantiated in the set of claims, therefore considering that the terminology used is not limiting in any sense.