METHOD AND APPARTUS FOR TRANSMITTING PAYMENT DATA USING A PUBLIC DATA NETWORK

Abstract

A method for transmitting transaction data using a public data network, comprising the steps of: transmitting primary transaction data from a provider data base via the public data network to a display device connected to the data network and, locally, visually and/or acoustically displaying the primary transaction data thereon, in particular visually on a displayed provider website as bar code or QR code, b1) recording the display and generating a primary transaction file in a user terminal of an access network, or b2) recording the display and generating a primary transaction file in a recording device and then transmitting the primary transaction file to a user terminal of an access network, via a wireless near field data transmitter of the recording device and user terminal, processing the primary transaction file on the user terminal for extracting at least a part of the transaction data, and generating an extract file, inputting an authorization data set of a debit or credit card configured as a smart card and equipped with a wireless near field data transmitter at the user terminal and associating the authorization data set with the extract file, e1) transmitting the extract file and the associated authorization data set from the user terminal to the smart card wirelessly connected thereto, or e2) internally transferring the extract file and the associated authorization data set to the smart card component in the user terminal, f) checking the extract file in conjunction with the authorization data set by a processor of the smart card or smart card component based on comparison data stored thereon and, if correct, outputting a correctness confirmation message to the user terminal or internally in the user terminal, g) generating a secondary transaction file comprising the primary transaction data and user data in the user terminal based on the confirmation message, h) transmitting the secondary transaction file from the user terminal via the access network to an access server in the data network, fetching or receiving a transaction confirmation message from the access server by or at a provider receiver, at least one of visually or acoustically displaying the message on the provider website.

Claims

1. A method for transmitting transaction data using a public data network, comprising the steps of: transmitting primary transaction data from a provider data base via said public data network to a display device connected to the data network and, locally, at least one of visually or acoustically displaying said primary transaction data thereon, in particular visually on a displayed provider website as bar code or QR code, b1) recording the display and generating a primary transaction file in a user terminal of an access network, or b2) recording the display and generating a primary transaction file in a recording device and then transmitting said primary transaction file to a user terminal of an access network, via a wireless near field data transmitter of said recording device and user terminal, processing said primary transaction file on said user terminal for extracting at least a part of the transaction data, and generating an extract file, inputting an authorization data set, in particular a PIN, of a debit or credit card configured as a smart card and equipped for wireless near field data transmission at said user terminal and associating said authorization data set with said extract file, e1) transmitting said extract file and the associated authorization data set from said user terminal to the smart card wirelessly connected thereto, or e2) internally transferring said extract file and the associated authorization data set to the smart card component in said user terminal, f) checking said extract file in conjunction with said authorization data set by a processor of the smart card or smart card component based on comparison data stored thereon and, if correct, outputting a correctness confirmation message to said user terminal or internally in said user terminal, g) generating a secondary transaction file comprising said primary transaction data and user data in said user terminal based on said confirmation message, h) transmitting said secondary transaction file from said user terminal via said access network to an access server in said data network, 1) fetching or receiving a transaction confirmation message from said access server by or at a provider receiver and at least one of visually or acoustically displaying said message on said provider website.

2. A method for transmitting transaction data using a public data network, comprising the steps of: b′) transmitting primary transaction data from a provider data base via said public data network to a user terminal of an access network connected to said data network and generating a primary transaction file in said user terminal, processing said primary transaction file on said user terminal for extracting at least a part of the transaction data, and generating an extract file, inputting an authorization data set of a debit or credit card configured as a smart card and equipped with a wireless near field data transmitter at said user terminal and associating said authorization data set with said extract file, e1) transmitting said extract file and the associated authorization data set from said user terminal to the smart card wirelessly connected thereto, or e2) internally transferring said extract file and the associated authorization data set to the smart card component in said user terminal, checking said extract file in conjunction with said authorization data set by a processor of the smart card or smart card component based on comparison data stored thereon and, if correct, outputting a correctness confirmation message to said user terminal or internally in said user terminal, generating a secondary transaction file comprising said primary transaction data and user data in said user terminal based on said confirmation message, transmitting said secondary transaction file from said user terminal via said access network to an access server in said data network, 1) fetching or receiving a transaction confirmation message from said access server by or at a provider receiver and, in particular, visually and/or acoustically displaying said message on said provider website.

3. The method according to claim 1, wherein the following steps are carried out between steps h) and l): forwarding said secondary transaction file from said access server to a transaction server or a server system on said data network, generating a transaction confirmation message after processing said secondary transaction file for execution of the transaction on said transaction server or server system, fetching said transaction confirmation message by provider software or actively sending said transaction confirmation message from said transaction server or server system to said provider receiver.

4. The method according to claim 1, further comprising the step of: transmitting said transaction confirmation message via said access server and said access network to said user terminal of said access network and displaying it thereon.

5. The method according to claim 1, wherein said access network is a mobile communication network or WLAN and said user terminal is a smartphone or tablet on which a mobile app for executing steps c)-e2) and g) is installed and said mobile app checks said authorization data set in comparison with a secure element on a SIM card of said user terminal.

6. The method according to claim 1, wherein a proprietary input field is generated on a touch screen of said user terminal, and a position of said input field on said touch screen is specifically set for each input operation or for individual numeral inputs of an input operation.

7. The method according to claim 1, wherein the steps executed on said user terminal are executed within the scope of a secure execution environment, TEE, by a processor of said user terminal in a secure mode, wherein said mobile app authenticates itself to said processor of said user terminal, as a secure mobile app and wherein the switch to secure mode is effected by said mobile app.

8. The method according to claim 1, wherein said transaction data essentially comprises only one transaction number, and said user terminal, prior to generating said extract file in step c), obtains the remaining transaction data via the transaction server, assigned to said transaction number.

9. The method according to claim 5, wherein said mobile app demonstrates its authenticity to the user by the fact that the plug-in software module displays a warning message to said user that said transaction data has been acquired by an authentic mobile app if said plug-in software module has not received a confirmation message from said confirmation server in a certain time period after the presentation of said transaction data on said provider website.

10. The method according to claim 5, wherein said mobile app authenticates itself to said transaction server by at least one of a public key method or said mobile app and said transaction server communicate with one another in an encrypted manner.

11. The method according to claim 1, wherein step l), and optionally step k), are carried out at least partially via a confirmation functionality of said access server, irrespective of the current operating state of said user terminal.

12. The method according to claim 1, wherein the execution of steps f) and g) comprises the sub-steps of: first, checking the PIN on the smart card, and then generating a digital signature on the card based on said extract file by an asymmetric encryption method or generating a cryptogram by a symmetric encryption method and returning it as a correctness confirmation message to the smartphone, and then generating, by said smartphone, a secondary transaction file, which includes said correctness acknowledgment message and is forwarded to said access server for execution of the transaction.

13. The method according to claim 7, wherein an initial authenticity check of said trusted user interface is carried out, for which purpose a connection to an authentication web server is established and a mutual authentication of said mobile app and a web session implemented by said authentication web server is carried out.

14. An arrangement for transmitting transaction data using a public data network from a provider data base, in which primary transaction data is stored or generated, said arrangement comprising: a display device connected to said public data network for at least one of visually or acoustically displaying said primary transaction data locally, a user terminal connected to an access network of said public data network, comprising a data recorder that records said primary transaction data from said display device and a wireless near field data transmission, a debit or credit card configured as a smart card comprising a wireless near field data transmitter and a processor for checking received data, which comprise an authorization data set of said smart card, based on comparison data stored on said smart card and, if correct, outputting a correctness confirmation message, a mobile app installed on said user terminal for generating and processing a primary transaction file for extracting at least a part of said primary transaction data and generating an extract file as well as associating it with an authorization data set input at said user terminal; transmitting said extract file and the associated authorization data set from said user terminal to said smart card connected wirelessly thereto; generating a secondary transaction file comprising said primary transaction data and user data in said user terminal based on said correctness confirmation message, and transmitting said secondary transaction file from said user terminal via said access network to an access server in said data network, an access server connected to said access network and said data network for receiving said secondary transaction file and generating and transmitting an authorization confirmation message at a provider receiver.

15. The arrangement according to claim 14, wherein said the near field data transmitter is configured according to a near field communication, NFC, protocol and the EMV standard for chip-based payment cards.

16. An arrangement for transmitting transaction data using a public data network from a provider data base in which primary transaction data is stored or generated, said arrangement comprising: a display device connected to said public data network for at least one of visually or acoustically displaying said primary transaction data locally, a user terminal connected to an access network of said public data network, comprising data recorder that records said primary transaction data from said display device and a wireless near field data transmitter, a debit or credit card configured as a smart card component in said user terminal and comprising a processor for checking received data comprising an authorization data set of said debit or credit card based on comparison data stored in said smartcard component in said user terminal and, if correct, outputting a correctness confirmation message, a mobile app installed on said user terminal for generating and processing a primary transaction file for extracting at least a part of said primary transaction data and generating an extract file as well as associating it with an authorization data set input at said user terminal, transferring said extract file and the associated authorization data set in said user terminal to the internal smart card, generating a secondary transaction file comprising said primary transaction data and user data in said user terminal based on said correctness confirmation message, and transmitting said secondary transaction file from said user terminal via said access network to an access server in said data network, an access server connected to said access network and said data network for receiving said secondary transaction file and generating and transmitting an authorization confirmation message to a provider receiver.

17. An arrangement for transmitting transaction data using a public data network from a provider data base in which primary transaction data is stored or generated, said arrangement comprising: a user terminal connected to an access network of said public data network, comprising a receiver that receives said primary transaction data via said data network, a debit or credit card configured as a smart card component in said user terminal and comprising a processor for checking received data comprising an authorization data set of said debit or credit card based on comparison data stored in said smartcard component in said user terminal and, if correct, outputting a correctness confirmation message, a mobile app installed on said user terminal for generating and processing a primary transaction file for extracting at least a part of said primary transaction data and generating an extract file as well as associating it with an authorization data set input at said user terminal, transferring said extract file and the associated authorization data set in said user terminal to said internal smart card, generating a secondary transaction file comprising said primary transaction data and user data in said user terminal based on said correctness confirmation message, and transmitting said secondary transaction file from said user terminal via said access network to an access server in said data network, an access server connected to said access network and said data network for receiving said secondary transaction file and generating and transmitting an authorization confirmation message to a provider receiver.

18. The arrangement according to claim 17, wherein a secure element for storing said comparison data for said authorization data set is provided on a SIM card of said user terminal.

19. The arrangement according to claim 17, wherein said access server is configured to transmit said authorization confirmation message via said access network to said user terminal.

20. The arrangement according to claim 17, wherein said access server is configured to forward said secondary transaction file to said data network, and a transaction server or a server system is provided in said data network for processing said secondary transaction file for execution of the transaction and generating a transaction confirmation message.

21. The arrangement according to claim 17, wherein said access network is a mobile communications network or WLAN and said user terminal is a smartphone or tablet on which said mobile app is installed, and said mobile app provides a proprietary input field on the touch screen of said user terminal for inputting the PIN of said debit or credit card, wherein a position of said input field on said touch screen is specifically set for each input operation or for individual numeral inputs of an input operation.

22. The arrangement according to claim 17, wherein said access network is a mobile communications network or WLAN and said user terminal is a smartphone or tablet on which said mobile app is installed, and said user terminal including said mobile app is configured for in a Trusted Execution Environment, TEE, and said mobile app is configured for securely controlling hardware components of said user terminal.

23. The arrangement according to claim 17, wherein said user terminal has a device key for authentication at least with respect to an app loading system, comprising a private key in terms of a public key infrastructure, PKI.

24. The arrangement according to claim 21, wherein said mobile app is configured to control that first said PIN is checked on said smart card, and then said extract file is digitally signed by a private key on said smart card and returned to the smartphone as a correctness confirmation message, and then said smartphone generates a secondary transaction file, which includes said correctness confirmation message and is forwarded to said access server for execution of the transaction.

25. The arrangement according to claim 22, wherein said arrangement comprises an authentication web server with which an initial authenticity check of said trusted user interface is carried out, for which purpose a connection with said authentication web server is established and a mutual authentication of said mobile app and a web session implemented by said authentication web server is carried out.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0038] Advantages and usefulness of the invention will be apparent from the following description of an exemplary embodiment and embodiments of the invention with reference to the figures. In the figures:

[0039] FIG. 1 is a schematic diagram of an arrangement according to the invention,

[0040] FIG. 2 shows another schematic diagram of the arrangement according to the invention,

[0041] FIG. 3 shows a partial aspect of an embodiment of the arrangement shown in FIGS. 1 and 2,

[0042] FIGS. 4A to 4E show a further partial aspect of an embodiment of the arrangement shown in FIGS. 1 and 2;

[0043] FIG. 5 is a schematic diagram of a further arrangement according to the invention, and

[0044] FIG. 6 shows a further partial aspect of an embodiment of the arrangement shown in FIGS. 1 and 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0045] The invention achieves the object by providing a method for authorizing and executing a transaction which, according to FIG. 1, includes the following steps in an advantageous embodiment and in simplified wording: [0046] a) presenting (primary) transaction data 3 on a web page 2, controlled by a plug-in software module 2a, on the display screen of a computer 1 used by a customer in an online purchase; [0047] b) automatically acquiring the transaction data 3 for generating a primary transaction file 5 by a smartphone 4 of the user and displaying the primary transaction file 5 thereon; [0048] c) processing the primary transaction file 5 on the smartphone 4 for extracting at least a part of the transaction data and generating an extract file 6 by means of a mobile app 7 installed on the smartphone 4, [0049] d) inputting a PIN 8 of a debit or credit card configured as a smart card 9 and equipped with means for wireless near field data transmission on the smartphone 4 and associating the PIN with the extract file 6, [0050] e) transmitting the extract file 6 and the associated PIN 8 from the smartphone 4 to the smart card 9 wirelessly connected thereto, [0051] f) checking the extract file 6 in conjunction with the PIN 8 by a processor of the smart card 9 based on comparison data stored thereon and, if correct, outputting a correctness confirmation message 10 to the smartphone 4, [0052] g) generating a secondary transaction file 11 comprising the primary transaction data and user data on the smartphone 4 based on the confirmation message 10 [0053] h) transmitting the secondary transaction file 11 from the smartphone 4 via the access network to an access/confirmation server 12 in the data network, [0054] i) forwarding the secondary transaction file 11 from the access/confirmation server 12 to a server system 13 in the data network, [0055] j) generating a transaction confirmation message 14 after processing the secondary transaction file 11 for execution of the transaction in the server system 13, [0056] k) fetching the transaction confirmation message 14 by provider software; [0057] l) receiving the transaction confirmation message 14 from the access/confirmation server 12 at a provider receiving means (not shown) and visually and/or acoustically displaying the message on the provider website 2.

[0058] FIG. 2 shows the communication steps relating to the authorization of the transaction and confirmation of its execution in more detail. Herein, provision is made for the smartphone 4 and the server system 13 to communicate at least a part of the data in the transaction file 11 and the (primary) confirmation message 14 encrypted and digitally signed and for the access/confirmation server 12 to nevertheless be able to read from this communication whether the server system 13 confirms the execution of the transaction and to send this information as a secondary confirmation message 15 to the plug-in software module 2a.

[0059] In particular, this is arranged in such a way that the plug-in software module 2a supplies the access/confirmation server 12 with a part of the transaction data at the time of the display of the transaction data 3 on the web page 2 and the access/confirmation server 12 can later associate the secondary confirmation message 15 with this initially received part of the transaction data 3.

[0060] The process according to FIG. 2 also differs from the process shown in FIG. 1 in that, upon receipt of the primary confirmation message 14′, the access/confirmation server 12 generates a confirmation message 16 for receiving and displaying on the smartphone 4 and sends it directly thereto via the access network (step m).

[0061] If the method according to the invention is embedded in a mobile commerce process, the use of a computer 1 and step a) according to the invention, in which the primary transaction data 3 is displayed on the web page 2 graphically, for example, as QR code, are omitted. In this case, step b) changes in such a way that the primary transaction data 3 no longer has to be scanned by the smartphone 4, but instead is transferred as part of a data communication from the web page 2 to a browser located on the smartphone.

[0062] If the online retailer does not want to make the payment method according to the invention obviously selectable for all buyers because only a portion of the buyers are equipped with smartphones 4 and smart cards 9 according to the invention, the mobile commerce variant of the payment method according to the invention may also be integrated into an already established payment system.

[0063] In this case, the initial web page of the established payment system may include a JavaScript that is loaded into the smartphone browser and there acquires the user agent string, and, if it indicates an Android based Chrome browser, directs the browser to a new web page on which the user has to confirm the further progress by pressing a menu button. Subsequently, the new web page returns an URL to the Chrome browser, which is configured such that the browser is either caused by means of an Android Intent Call to open a mobile app 7 according to the invention installed on the smartphone, or, if this is not possible, is redirected to the initial page of the established payment system.

[0064] The established payment method is also applied when the JavaScript of the initial web page judges, based on the determined user agent string, that the connected browser is not an Android-based Chrome browser.

[0065] FIG. 3 schematically illustrates that the mobile app 7 runs in a trusted execution environment 16 on the smartphone and securely drives certain hardware resources 17 such as the keyboard, the display and the NFC controller of the smartphone. The smartphone 4, as part of the hardware resources 17, contains a device key with which the smartphone authenticates itself. The device key is a private key in terms of the Public Key Infrastructure (PKI).

[0066] Before executing the method, the mobile app is loaded by an app loading system 18 in the over-the-air method OTA into the trusted execution environment 16 of the smartphone 4 after the smartphone has authenticated itself to the app loading system 18 by means of its device key.

[0067] FIG. 5 shows an implementation of the mobile app on Samsung S6 and S7 smartphones, wherein the reference numerals for the components from FIGS. 1-3 are used and the essential steps of the process are designated by S1 . . . S7. The mobile app 7 is divided into three parts, a richOS Android part, a Trusted App#1 part (TA#1) running in the Trusted Execution Environment, and a Trusted App #2 part (TA#2) running in the embedded Secure Element (eSE).

[0068] The main task of the TA#1 is to provide a secure user interface, via which the correct payment data are displayed and the card PIN is entered securely.

[0069] The main task of the TA#2 is the secure communication with the peripheral components, the smart card 9, and the confirmation server (PSP) 12 and the server system 13 with cryptographic keys, which are loaded onto the eSE as part of the mobile app installation process and thenceforth operate securely therefrom.

[0070] The communication between both Trusted Apps occurs via the insecure part of the mobile app, i.e., the richOS Android part of the app. To ensure that the card PIN cannot be tapped when it is transmitted from TA#1 to TA#2, TA#1 encrypts it with the public key of TA#2. To ensure, that the payment data displayed to the user and confirmed by the user cannot be tampered with thereafter, they are digitally signed in TA#1 and verified for integrity in TA#2 prior to the communication to the smart card.

[0071] A possible fraud scenario is that the user in the app store is offered a fake mobile app for download which, since the appropriate cryptographic key is lacking, does not make payments, but can obtain the card PIN by espionage. FIG. 6 shows a method for defending against such card PIN phishing, which allows the user to verify at the end of the app installation and from then on each time the application is used, whether the trusted screen interface, the so-called trusted user interface, is genuine.

[0072] After the mobile app 7 with its two trusted apps has been installed on the user's smartphone 4, the user, in the first step, opens a website via a second device, for example the user's laptop, to check the authenticity of the mobile app 7, which is therefore called “Remote Attestation Web Page”. On the website, the user enters a security code, which the user has made up himself/herself.

[0073] In the second step, the user scans a QR code, which is displayed on the website, with the user's mobile app. The QR code indicates the web session to the mobile app, in which the laptop and a web server 18 belonging to the website are currently connected and allows the mobile app 7 to log into the same web session.

[0074] In the third step, the mobile app 7 and the website authenticate each other. For the mobile app 7, preferably a private key of TA#2 is used.

[0075] In the fourth step, after a successful authentication, the web server 18 confidentially shares with the mobile app 7 the security code previously entered by the user, preferably encrypted with the public key of TA#2 used in the mutual authentication. The TA#2 passes the security code confidentially to the TA#1, which then displays it as a sign of authenticity on the trusted user interface.

[0076] In a slightly modified process, the security code could also be entered via the trusted user interface (TUI) and then be displayed on the “Remote Attestation Web Page” to check the authenticity of the TUI.

[0077] To enhance security, the mobile app 7 is preferably restricted to the communication with selected smart cards 9 assigned to the user. In this case, the mobile app could not communicate with any other smartcards and initiate payments via them.

[0078] The user registers the smart card 9 on the mobile app 7 as one assigned to the user. For this, before the first use of the smart card, the bank account associated with the smartcard must be entered into the mobile app, and then the reason for payment of an automatic transfer to this account must be read and finally must be entered into the mobile app for authentication.

[0079] As an alternative to this process, which is quite complex for the user, the mobile app may be restricted to the use of a certain number of smartcards over its entire life cycle. For this, the confirmation server 12, via which the transaction files 11 are passed, monitors the combinations of the IDs of the mobile app 7 and the cards 9 and stops a transaction file 11 when it was signed by a card 9 that exceeds the allowable maximum amount of cards assignable to one mobile app 7.

[0080] In the proposed method, the smartphone, which plays a central role having the function of a point-of-sale terminal in the communication chain between user, card and bank of the retailer, has to meet special security requirements. The solution according to the invention must, for example, prevent the card PIN from being tapped by malicious software on the smartphone and prevent the smartphone from authorizing a different amount and recipient for the payment from that displayed to and authorized by the user.

[0081] The invention meets the security requirements on the smartphone in particular by using a so-called Trusted Execution Environment (TEE). As part of a TEE, the smartphone may have a processor the arithmetic register of which can operate in normal and secure mode. In the secure mode according to the invention, operating system functions such as securely displaying the amount and the recipient and entering the PIN, which are not available in normal mode, can be executed. The register is switched to secure mode by the mobile app according to the invention after the mobile app has authenticated itself to the register as a secure mobile app by means of a public key method.

[0082] Said entry of the girocard PIN via the smartphone poses a particular security risk because the girocard PIN fulfils a central function, such as for withdrawing cash and paying in businesses, and corrupted PINs could cause enormous damage. On the other hand, smartphones present a larger target to potential attackers than point-of-sale terminals more restricted in function. Therefore, special security measures are required to protect a PIN entered via the smartphone from spying.

[0083] Malicious software (malware) on the smartphone could intercept the communication between the operating system of the smartphone and the mobile app when the PIN is entered via the given keyboard of the smartphone.

[0084] A specially configured mobile app provides the customer with a separate PIN input keypad on the touch display that is different from the standard keypad of the smartphone operating system, as discussed below with reference to FIGS. 4A to 4E.

[0085] If the keypad would be displayed statically, the malicious software might recognize a pattern that indicates the PIN due to the 4 touch points on the display. The keypad is therefore advantageously displayed differently on the touch display [0086] a) for each customer, [0087] b) for each PIN entry, or even [0088] c) for each individual PIN number.

[0089] A different display of the keypad may mean that [0090] 1. the entire keypad or individual number fields are displayed differently in size, [0091] 2. the entire keypad or individual number fields are slightly rotated [0092] 3. the entire keypad or individual number fields are moved to the left/right and upwards/downwards.

[0093] Further embodiment: When the PIN input keypad moves to another location on the display before the entry of each PIN number, this could create memory problems for the customers, which memorize the PIN by means of a graphical input pattern on the display. In order to show the customer which keys have already been pressed, the keys on the keypad already pressed could be specially marked. In addition, it could be shown graphically how many of the 4 numbers have already been entered.

[0094] Further embodiment: In order to make it more difficult for malicious software to analyze the embedded display image and thus the position of the keypad, also the mechanisms of web pages, which defend against automated denial-of-service attacks by displaying numerical codes to be entered manually in a pictorial manner, could be used. In reference to the display of the keypad field according to the invention, this means that lines and numbers are not displayed via XML functions but as images.

[0095] Further embodiment: While the keyboard field in the embodiments above is distorted but keeps its number arrangement structure, in a further embodiment the number layout on the keypad field may also be shuffled arbitrarily. For customers memorizing the PIN by means of a graphical input pattern on the display, a different number layout would mean a disadvantage, however.

[0096] The embodiment of the invention is not limited to these examples, but a variety of modifications which are within the scope of skill in the art are possible.