This disclosure is related to the field of data processing technologies, and particularly a payment system and a method for trading using an IC identification card.
As it is inconvenient and unsafe to carry lots of cash around, bank cards have been used widely for many different transaction occasions. More and more people are using bank cards for shopping. FIG. 1 shows a schematic block representation of an existing payment system that uses a bank card for processing transaction. In this existing system, there are a receiving terminal 113 which reads bank card information, a merchant subsystem 112, and an acquiring subsystem 111. The merchant subsystem 112 usually has a server and several customer terminals (not shown). The customer terminals at the merchant subsystem 112 connect to the receiving terminal 113 while the server of the merchant subsystem 112 connects to the acquiring subsystem 111 of an acquirer through a special designated line. When the acquirer of the acquiring subsystem 111 and participating bank are not the same, a connection from the acquiring subsystem 111 to the acquiring subsystem (not shown) of the participating bank is further made through an inter-bank trading subsystem of partnering banks (such as UnionPay of China).
When a user uses a bank card to make a payment using the payment of FIG. 1, receiving terminal 113 (e.g., a cash register) first verifies the authenticity of the bank card based on the readability of the bank card. Afterwards, customer terminal of merchant subsystem 112 transmits identity information (which has been entered by the user to present the user identity), the bank card number and other transaction information to a server of merchant subsystem 112. The server of the merchant subsystem 112 subsequently sends the information to acquiring subsystem 111. If acquirer and participating bank are the same, the acquiring subsystem 111 processes the transaction directly. Otherwise, this information is sent to the participating bank through an inter-bank trading subsystem. A participating bank subsystem uses the bank card information and the identity information to verify the identity of the user. If identity is validated, the participating bank subsystem processes a deduction from an account of the card number, and returns a bank transaction result of this deduction. If verification fails, the participating bank subsystem returns a message indicating that the identity cannot be verified. After the merchant subsystem 112 receives the message that deduction was successfully made, the merchant can then allow the customer (the user) to sign a sales slip for validation.
The above description shows the most common payment transaction process in the existing technologies. However, this payment process has certain flaws as discussed below.
In the payment process of FIG. 1, a bank card with a combination of account name and password are used to authenticate the user identity in the whole transaction. The method of authentication of the bank card relying the bank card by terminals such as Point-Of-Sales (POS) and Automated Teller Machine (ATM) in existing technologies has posed very high risks. Current bank cards are made using magnetic strip card technology. Since the anti-counterfeit capability of magnetic strip cards is low, these cards may be easily imitated or counterfeited.
As a result, smart card has been proposed recently to replace the magnetic strip card as a new generation of the bank card. A smart card, also called chip card, integrated circuit (IC) card, or simply IC card, is a pocket-sized card with embedded integrated circuits which can process information. A smart card can receive an input, process the input, and deliver it as an output. The card is made of plastic, generally PVC, but sometimes ABS. The card may embed a hologram to avoid counterfeiting. For example, one can use EMV technology to produce smart card. EMV is a standard for smart IC bank card technology developed together by international bank card organizations such as Europay, Master and Visa. This standard requires a CPU chip of the bank card to have standalone operations, encryption and decryption functions, as well as storage capability, thereby achieving a higher level of security.
However, the transformation of bank card from magnetic strip card to smart card has proven to be very costly and slow. The cost to manufacture a smart card is many times higher than that of a magnetic strip card. In addition, it is very expensive to modify the existing POS and ATM so that they can read smart cards. Even if the bank card's transformation from magnetic strip card to smart card could be made despite the huge cost of money and resources, penetrators would still be motivated and be able to imitate smart cards due to the existence of large profits. Furthermore, even though terminals such as ATM and POS may read the bank card and verify the authenticity of the bank card, they cannot confirm whether the bank card is the same bank card issued by a financial institution to the user, or whether the rightful user is using the smart card issued by the financial institution. Because there is no other practical ways to verify user identity, if penetrators obtain user information such as password, serious financial losses to the user and merchant may follow. In the existing technologies, after ATM and POS have received a bank account password entered by the user and read the bank account information of the bank card, usually only the bank account password is encrypted before it is transmitted over the network. Important financial information such as bank account numbers and transaction amounts are sent in plaintext format. If penetrators have obtained the bank account password through illegal means, it becomes very easy to obtain the financial information such as bank account numbers, potentially leading to financial losses for the real users and greatly reducing the security of bank transactions.
From another perspective, the transformation of bank card from magnetic strip card to smart card will not happen overnight. As such, there is a need for another practical method of verifying user identities in a payment process to guarantee the security of the transaction.