Field of the Invention
The invention relates to a data transfer system having at least one terminal and at least one portable data carrier configuration which is provided with a non-volatile semiconductor memory that has at least a first value area acting as a counter and representing a debatable monetary value. The invention also relates to a recharging method for the value area of the portable data carrier configuration.
Such a portable data carrier configuration is, for example, a currently customary chip card, which is used, for example, as a phonecard. In that case, the stationary terminal is a card-compatible telephone set. Such chip cards constructed as simple memory cards contain a non-volatile semiconductor memory, for example an EEPROM, which acts essentially as a counter for the prepaid telephone units to be debited. The EEPROM in that case may be wired, for example, in accordance with European Patent 0 321 727 B1, corresponding to U.S. Pat. No. 5,001,332, so that it operates as a multistage abacus-like counter. The value of the card, and consequently the counting extent of the counter, is established by writing to and consequently blocking the areas of the counter which are no longer authorized. Before that establishing operation, the counter always has the maximum counting extent. Currently customary phonecards can be used only once and are discarded after use. However, the use of such chip cards as an electronic wallet is also under discussion. Chip cards which can be used for that purpose are only worthwhile if they are rechargeable, that is to say if the counter status can be incremented again after a certain amount has been debited. That increasing of the counter status takes place at special charging terminals, at which the user can credit his or her card by a certain amount either by cash payment, through the use of a credit card or by specifying an account number. When recharging the counter of a chip card, it may be necessary due to the construction of EEPROMs to initially clear a larger counting area or the entire counter, that is to say too high a counting extent may be temporarily set. It is only thereafter that the new counter status can be set by renewed restriction of the counting extent through programming operations.
If a user draws the card out of the terminal in the time between the clearing of the counter and the renewed programming, he or she would have too high an amount credited, as a result of which improper manipulation is made possible. It is also conceivable for a user to manipulate the data traffic between the terminal and the card, so that in such a way too high an amount may be credited.
The manipulation of the data on the transmission path could be prevented by a so-called electronic signature. The data to be transmitted can also be encoded through the use of a secret key and can only be decoded by a particular key uniquely assigned to the sender of the data, as a result of which the sender is definitively identifiable and the data cannot be manipulated, since the encoding key is secret. However, such encoding and decoding require a complex and very fast arithmetic unit, which is possible only with expensive microprocessors, such as are used, for example, in already known cryptocards.
Published European Patent Application 0 398 545 A1 describes a method and a configuration for storing data in a nonvolatile memory which has at least two areas, into which successive data are alternately written. In that case, each memory area can be identified as the memory which is valid at a specific point in time, for example the switching-on time, by a flag that can be set into a non-volatile state. Since each memory is assigned its own flag, which can assume two states, it may happen that both flags assume the same state. Therefore, it is necessary in the case of the known method and the known configuration to determine the actually valid state by an "arbitration" logic.
In the known configuration, in the "normal case" of memory operation both flags always assume the same set state at a specific point in time, but the flag which was not set last will be reset. However, that requires that a writing operation and an erasing operation are always necessary, which additionally takes time.