It is known to make purchases on the Internet using a user terminal or main access device such as a personal computer. An architecture and system using a smart card for payment of goods and/or services purchased on-line over the Internet is known from U.S. Pat. No. 6,282,522. A client server on a client terminal controls the interaction with a consumer and interfaces to a card reader which accepts the consumer's smart card. A payment server on the Internet includes a computer and terminals that handle the transaction and data store. Also connected over the Internet is a merchant server advertising the goods and/or services offered by a merchant for sale on a web site. The merchant contracts with an acquirer to accept smart card payments for goods and/or services purchased over the Internet. A consumer uses his smart card at the client terminal in order to purchase goods and/or services from the remote merchant server. The Internet provides the routing functionality between the client terminal, merchant server and payment server.
FIG. 1 is a schematic representation of a user terminal or main access device 1, e.g. for accessing and browsing the Internet. Typically, the terminal 1 includes a central processor unit (CPU) 2 which is connected with memory 4 and input/output (I/O) devices 6 via a bus 3 for two way communication. I/O devices 6 may be a keyboard for entering data and a screen such as a visual display unit, e.g. a liquid crystal (LCD) or light emitting diode (LED) display, a CRT for displaying the progress of the transaction and/or for displaying messages or prompts. One of the I/O devices 6 may be a card reader 7 with which an integrated circuit card (ICC) 5 may be read when it is introduced into a receiving slot in the reader 7. Alternatively, the card reader 7 may be a standalone device for reading the ICC 5. One of the I/O devices 6 may be also a modem 9 for accessing the Internet via an Internet Service Provider (ISP), e.g. a 56K, an ADSL, a wireless or a cable modem. The actual form of the terminal may vary greatly, and may include a processor such as the Pentium™ family of microprocessors supplied by Intel Corp. USA. Further, it is not necessary that the terminal 1 is all situated at one location, the various parts of the terminal such as the card reader 7, the I/O devices such as the keyboard and the display, the modem and the processor may located at different positions and connected by cables, wireless transmission or similar or be part of a local area network or interconnected by telecommunications networks.
FIG. 2 is a schematic representation of an integrated circuit card (ICC) 5. The ICC 5 includes at least an input/output (I/O) port 10 and some permanent storage, e.g. a non-volatile memory which may be provided, for instance, by a an EEPROM 15 connected to the I/O port 10 via a bus 17 or by battery-backed random access memory (RAM). The I/O port 10 can be used for communication with the terminal 1 via card reader 7. An integrated circuit card is a card into which one or more integrated circuits are inserted to perform at least memory functions. Optionally, the ICC 5 may be a self-contained portable intelligent card and include a read/writable working memory e.g. volatile memory provided by a RAM 14 and a central processor 12 as well as all necessary circuits so that card ICC 5 can operate as a microprocessor, e.g. read only memory 13 for storing code, a sequencer 16 and connections with the card reader 7 for receiving the voltage sources Vss and VDD, a reset for the processor 12 and clock CLK to the sequencer 16. The ICC 5 can be used as bank card, credit card, debit card, electronic purse, health card, SIM card or similar. Other features of the microcontroller may be present but are not shown, such as a clock, a random number generator, interrupt control, control logic, a charge pump, power connections, and interface contacts that allow the card to communicate with the outside world. For example, an encryption module (not shown) is an optional hardware module used for performing a variety of encryption algorithms.
E-commerce merchants provide a web server with web-site access to commodities or services which can be accessed from user terminals as shown in FIG. 1 usually via web pages and these commodities and services may be purchased using cards such as the ICC 5 of FIG. 2. Many e-commerce merchants currently support cardholder profiling. Cardholder profiling consists of collecting information about the cardholder and using this data to streamline the cardholder's checkout process. The information collected typically includes billing address, shipping address, payment method details (e.g., card number and expiration date), email address and communication preferences. Most merchants also support non-profiled checkout. In this case, either the merchant does not support a cardholder profile database or the cardholder has chosen not to create a profile with this merchant. In either case, the non-profiled checkout process requires the cardholder to manually provide full shipping, billing and payment details. E-commerce merchants have implemented a variety of on-line checkout processes in an attempt to make the on-line shopping and purchase experiences more efficient for cardholders. A number of merchants have implemented an express checkout process (FIG. 3) intended to provide the cardholder with a streamlined purchase process by making full use of cardholder data and payment details stored in a profile database managed by the merchant. After browsing and selecting a particular item, or items, the Cardholder selects the express checkout option. The Merchant retrieves the Cardholder's profile, and presents a page at the user terminal combining details of the order and Cardholder's payment details. The Cardholder can review these details and submit/confirm the order.
Single-click checkout processes have been implemented by many merchants (see FIG. 4). The single-click checkout process is intended to provide the cardholder with the most efficient on-line purchase process available by making full use of cardholder data and payment details stored in a profile database managed by the merchant. After browsing and selecting a particular item, the Cardholder selects the single click order option which is generally available on all pages where an item's details and price are described. Usually the customer can either add the item to their ‘shopping basket’, or order and pay for it with a ‘single click’. The Merchant combines the details of the order and Cardholder's payment details to create an order, which is then acknowledged in a page to the Cardholder. Customers can usually cancel, amend or even combine multiple single click orders after the initial single-click through some form of customer administration/status page.
Most merchants support the standard checkout, which is usually a process of confirming the order details and collecting the Cardholder's payment details (see FIG. 5). The standard checkout process must be used by non-profiled cardholders since the payment details need to be collected. However even profiled cardholders will often opt to use the standard checkout if, for example, they wish to use different payment/personal details.
After browsing and selecting a particular item, or items, the Cardholder selects the standard checkout option. The Merchant presents a page showing details of the order and requesting the Cardholder's payment details. The Cardholder can review the order details, supply their payment details and if necessary other pertinent personal information and submit/confirm the order. In some cases this combined order details confirmation/payment details requesting page can be split into two pages, as shown in FIG. 5.
Today, remote transactions represent a significant transaction volume of all financial transactions. An explanation of various financial transaction systems can be found in books such as “Secure Electronic Commerce”, W. Ford and M. S. Baum, Prentice Hall, 1997; “Digital Cash” by P. Wayner, Academic Press, 2nd edition, 1997; “Designing Systems for Internet Commerce”, G. W. Treese and L. C. Stewart, Addison-Wesley, 1998. From a risk perspective these transactions are often not guaranteed and are therefore at the Acquirer/Merchant's risk. Security of such financial transfers on the Internet should be high but also allow convenient shopping without complex procedures. There is a continuing need to improve the ease and security of Internet financial transactions.