This invention relates to data transaction systems, and more particularly, to data transaction systems using non-standard input/output devices.
Data transaction systems which communicate with a plurality of remote terminals to transfer information used to complete a transaction or compile a database are well known. Typically, such systems include a central transaction processing system which may maintain a database of information such as customer or consumer data. Exemplary information in such a database may include customer identification, customer account numbers, credit limits and/or account balances from which a customer may draw. The central transaction processing system is typically coupled to a plurality of remote transaction or data input terminals. Transaction computers may include special purpose devices such as automatic teller machines (ATMs), point of sale (POS) terminals, credit card terminals, and screen phone terminals. Screen phone terminals are devices which integrate a telephone with an ATM-like device and possibly a magnetic card swipe reader. Data input terminals may include personal computers (PCs) interfaced to data collection devices or special purpose data collection terminals or monitors.
In these known data transaction systems, a user usually initiates a transaction by requesting access to funds in an account or from a credit line maintained by the central processing system. The request is transmitted to the central processing system which performs a verification to determine whether the user is a valid user of the system, has an account within the system, and that the amount of the transaction is within the limits of the consumer""s credit line or that the user has the requested funds available in an existing account monitored by the central processing system. The central processing system then transmits authorization for or denial of the transaction to the remote terminal. In response to the message from the central processing system, the remote terminal dispenses cash (for an ATM) or the merchant provides the goods being purchased to the user if the authorization message indicates that the consumer""s funds will be transferred to the merchant""s account. Similar communication exchanges occur in data systems where electronic documents and other information are provided to a central site for compilation or processing. Consequently, this background discussion applies to all such transaction and data systems. Though the remainder of the discussion is directed to transaction systems, the reader should appreciate that the comments also apply to data systems as well.
The remote terminals may be coupled to the central processing system in several ways. For example, in some ATM systems, the ATMs are coupled to the central processing system through dedicated telephone or other data communication lines. These systems are preferred because they provide a relatively high degree of security since the dedicated data line coupling the central processing system to the ATM is not generally accessible by members of the public. The physical security of the dedicated data line is, however, expensive because no other traffic may utilize the line. Thus, the cost of leasing the dedicated line to an ATM with relatively low volumes of transactions may yield a high communication cost per transaction.
In an effort to reduce the communication cost per transaction, some transaction or data systems utilize telephone lines through a publicly-switched telephone network (PSTN) which may be accessed by other members of the public. Specifically, devices such as credit card terminals and screen phone terminals typically include a modem which converts the digital messages of the remote terminal into frequency modulated analog signals which may be transmitted over telephone lines to a modem at the central processing system. In other systems, the terminal may communicate digital data directly over ISDN lines of the PSTN to the central processing system. This line of communication between a remote terminal and the central processing system is performed by having the remote terminal dial a telephone number associated with the central processing system to establish communication with the central processing system. This type of communication path is relatively secure because the switching networks for the communication traffic through the PSTN are not readily accessible by the public and during the course of the financial transaction, only the central processing system and remote terminal are on the line.
Regardless of the communication method used to couple the central processing system to the remote terminals, the protocol and data formats used between the devices is typically proprietary. That is, the operator of each financial transaction system designs its own protocol and data message format for communication with the processor at the central site or generates a variant within a standard such as those established by the ANSI committee or the like for such communication. As a result, the remote terminals must include software that supports each operator""s protocol and message formats in order to be compatible with an operator""s central site. For example, application software in a credit terminal such as the TRANZ330, TRANZ380, or OMNI390 manufactured by VeriFone implement one or more of the communication protocols and formats for National Data Corporation (NDC), VISANET, MASTERCARD, BUYPASS, and National Bancard Corporation (NaBANCO) system processors in order to support transactions with the most popular transaction centers. Thus, the communication software absorbs a significant amount of terminal resources which could be used to support other terminal operations.
A related problem arises from the expanding home banking market. A customer of home banking system typically uses a screen phone terminal or a personal computer (PC) having a modem to establish communication through a PSTN to a central transaction processing system. Again, the operator of the central processing system must provide information regarding the data message formats for communicating with the central processing system to a vendor of software for the home banking terminals or must provide that software to its customers. As a result, home banking customers must purchase software to communicate with each banking system of which the customer wants to be a member. This cost and the need to install additional communication programs may make some consumers reluctant to be a member of more than one banking system or to change banking systems.
A communication system becoming increasingly popular and which provides standardized communication is the Internet. The Internet is an open network of networks which communicate through a variety of physical communication devices such as telephone lines, direct communication lines, and the like. Each network is coupled to the main Internet network for communication through a host computer supporting a TCP/IP router or bridger. The host computer typically includes a program, frequently called a Web server, which acts as a gateway to resources at the host computer which may be resident on the host computer or a network coupled to the host computer. Each server has an address identifying the location of the resources available through the Web server. The router recognizes communication for the server and directs the message to the server or it recognizes that the communication should be forwarded to another server. As a result, communication within the Internet may be point-to-point, but more likely, the communication path is a somewhat circuitous one with the information passing through the routers of multiple servers before reaching its final destination.
A number of message protocols and formats have been developed for the Internet. The physical communication protocol and data message format is the Transport Control Protocol/Internet Protocol (TCP/IP). The TCP/IP protocol involves multiple layers of encapsulating headers containing communication information which are used to provide byte streams or datagram communications to computers on the networks coupled to the Internet. Encapsulated within TCP/IP headers are protocols which are used to format the data messages or transfer data from one computer to another computer coupled to the Internet. These protocols include File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Telnet, and Hyper Text Transport Protocol (HTTP). The advantage of these protocols is that each provides a standardized communication format for transferring information between computers on the Internet. These protocols are typically called open system protocols as they are publicly known and may be utilized by any programmer to develop programs for communicating with another computer coupled to the Internet. These non-proprietary protocols have contributed to the acceptance of using the Internet as an open network for coupling computer networks together.
While the Internet provides an open network for computer communication with publicly accessible protocols and formats, the Internet suffers from a number of limitations which preclude its effective use as a transaction or data system which uses non-standard I/O terminals and devices. First, circuitous communication presents a number of security issues for such a system. For example, a Web server could incorporate a router which examines the address of each message coming through it and upon recognizing an address associated with a central transaction processing system, copy the data message for the unauthorized retrieval of customer-sensitive information such as account numbers and personal identification numbers (PINs) which may be contained in the message.
A second limitation of open networks such as the Internet is that communication on such networks is only supported for computers acting as servers or clients. Specifically, all of the protocols and formats are constructed for standard input/output (I/O) operations for a PC terminal. That is, text information is directed to a standard monitor screen, user input is expected from a standard keyboard, and files are transferred to standard peripherals such as a hard disk or diskette drive. Especially absent is the ability in open network protocols for communication with devices that only use communication interfaces such as RS-232C. As a result, communication over the Internet is primarily performed with standard PCs through network communication methods and interfaces.
This presents a number of problems for home banking or for interfacing non-standard I/O terminals such as credit card terminals or screen phones to open networks such as the Internet either directly or through a PC. Generally, non-standard I/O devices are devices which interface to a PC through a port not normally used for networks, such as a RS-232C port, or are devices which have limited input and output capabilities such as small screen displays or ten keypads. These devices are not supported on the Internet because servers use protocols that communicate with PCs supporting standard QWERTY keyboards and standard monitors. Consequently, users are limited to entering account numbers and the like through a keyboard of a PC-like device for processing at a central transaction processing system. To request a transaction, one need only have a person""s credit card account number. If the credit card number had to be input through a magnetic card reader, unauthorized access to a customer""s account would be less likely since physical possession of the credit card would be required to initiate the transaction.
Another limitation of the standard I/O devices currently supported by the open network protocols is the lack of encryption. For example, PIN pads, which are typically incorporated in ATMs, automatically encrypt in hardware a PIN entered by a user. Such devices typically encrypt the number by implementing a data encryption standard (DES) algorithm in hardware before the PIN is transmitted or stored. When a standard keyboard is used to input the PIN, no hardware encryption is performed and, as a result, an unencrypted copy of the PIN is provided to the memory of the PC. Storage of unencrypted PINs is in contravention of current banking regulations. If PIN pads could be read via Internet protocols, then such a lapse in PIN security would be less likely to occur.
Another I/O device not supported on open networks are smart cards which are increasing in use. Smart cards include a processor and memory in which information regarding the amount of funds in a particular account, a transaction history, account numbers, and customer data may be stored. The card may be read through a smart card reader which is a computer having a processor and memory but usually provided with non-QWERTY keypads and limited displays. A transaction processor may validate a card owner through a PIN provided through a keypad, determine the amount of money remaining on the card and debit the card itself for a transaction amount by communicating with the smart card reader with one of the proprietary protocols discussed above. Such information is not readily obtainable by the owner of the card and so cannot be entered through a keyboard or the like. Smart card readers are non-standard devices which may be coupled to a PC through a COMM1 or COMM2 port. However, none of the standard protocols and message formats for open network communications currently provide I/O operations for such devices.
All systems which attempt to provide three party communication to execute an electronic transaction suffer from a number of limitations which present risks greater than those in a normal transaction performed at the point of sale. In a typical point of sale (POS) transaction, the consumer hands a debit or credit card to a merchant""s agent who may examine the card for security markings such as holograms, watermarks, or a cardholder signature. The agent then places the card into a reader for acquiring information from the card and, in some cases, have the consumer enter a PIN into a PIN entry device which encrypts the PIN in a hardware implemented scheme. If the PIN is entered, it is transmitted with the information from the card to a processing center, typically in one of the formats discussed above, under a X.25 protocol or the like. The processing center returns an authorization granted or denied message. The reader typically has a printer coupled to it through an RS-232C port or the like and a purchase agreement is printed. The consumer signs the agreement, the merchant""s agent may verify the signature, and the merchant retains an original of the agreement and the consumer a copy. In this scenario, the merchant has initiated the communication to the processing center. The safeguards noted above permit the processing center to charge a merchant a lower processing fee than when a consumer initiates a transaction. Consumer initiated transactions present a greater risk because the consumer provides an agent an account number in a telephone conversation or non-encrypted DTMF transmission. Thus, there is no card inspection, signature verification, or PIN verification. As a result, such transactions are limited to credit cards because debit cards require that the cardholder be present to enter a PIN into an appropriate PIN entry device.
What is needed is a system that permits consumers remote from a merchant to order goods and present payment in a secured manner so the merchant""s risk and processing costs, as well as a cardholder""s exposure to fraud, is reduced. What is needed is a way for a processing center to communicate through an open network with non-standard I/O devices such as credit card terminals, personal digital assistants, and screen phone terminals or with non-standard I/O devices coupled to the open network through a PC or the like. What is needed is a transaction or data system which utilizes an open network such as the Internet to support electronic transactions or data compilation in a secure manner without undue limitation as to the devices with which communication may be made.
The present invention provides transaction and data systems which may be implemented on an open network such as the Internet. The system comprises a server for communicating in an open network protocol and a plurality of input/output (I/O) devices coupled to the server through an open network, the I/O devices communicating with the server in the extended open network protocol that supports communication with non-standard I/O devices over the open network. The system of the present invention provides a server with the capability of communicating with a number of I/O devices useful in transaction and data systems which heretofore have been unsupported on an open network system such as the Internet.
The system of the present invention is implemented by extending present open network communication protocols and data message formats to communicate with non-standard I/O devices either coupled to an open network as a client or coupled to an open network through a client, such as a PC, credit card terminal, screen phone, or PDA. That is, commands which are compatible with the communication schema of a presently-implemented protocol for the Internet are used and additions are made to commands implemented within the control structure of that existing protocol to support non-standard I/O device communication. At the server, the extended protocol is further supported by a common gateway interface (CGI) which converts the communication from a non-standard I/O device to a format which is compatible with a transaction or data application program which may be executed on the server or a computer coupled to the server. In this manner, the CGI permits the processing of the extended capability commands to be segregated from the communication functions performed by the server.
Preferably, the server and the I/O devices communicate through an Internet protocol and most preferably, the Hyper Text Transport Protocol (HTTP), to exchange data between an application program and non-standard I/O devices over an open network. Although HTTP is the preferred protocol used to implement the present invention, other protocols such as Telnet or SMTP, for example, may also be extended in a similar manner. Specifically, the HTTP protocol is expanded to communicate with printers, magnetic card readers, credit card terminals, smart card readers, check readers, PIN pads, bar-code readers, PDAs, or the like, and includes a command which instructs a non-standard I/O device to disconnect from the open network and re-couple to a transaction processing system to transfer funds from a consumer account to a merchant account through a PSTN or dedicated data line. By using these extended capability commands within HTTP, a processing system may operate on an open network such as the Internet and communicate with transaction or other data I/O devices which have not previously been able to couple to such open networks. Such a system may be used to execute a transaction between a consumer and a merchant so the merchant receives remittance information in a timely manner. The system permits the consumer to initiate a transaction and order from a merchant and then use a more secure link supported by PIN entry devices or the like to reduce the risk of fraud for the transaction.
Because the server may communicate through such open networks with non-standard I/O devices, the transaction or data processing system is available for the ever-expanding market available through the Internet. Such a system is able to communicate with non-standard I/O devices in myriad locations such as retail establishments or in consumers"" homes. For example, a consumer may utilize the standard capability of an Internet protocol to communicate with a server that provides information regarding services or goods for sale over the Internet and then consummate a sales transaction by using the extended capability of the Internet protocol. Such a home consumer could provide transaction data through a smart card reader coupled to a COMM1 or COMM2 port of a PC. A database program executing at the server for the central processing site may accept product ordering information from a non-standard keypad or touch screen associated with a screen phone terminal at the remote site and then communicate with the smart card reader to consummate the transaction. Such a transaction system requires that the consumer have physical possession of the smart or credit card and not simply knowledge of the account number. Likewise, the server would be able to communicate with a PIN pad or the like to ensure the hardware encryption of PINs and other data before it is transmitted to the server site. Such a system is less susceptible to consumer fraud.
Another feature of the present invention is a PAYMENT command implemented in the extended Internet protocol that directs a non-standard I/O device or a PC interfaced with such devices to communicate with a transaction processor through an alternative communication link. In one form, the PAYMENT command is used by a merchant terminal to submit a consumer""s account number with a merchant deposit account number through a PSTN network or the like to the processing center. In another form of the PAYMENT command, a client program in a consumer""s terminal receives an account number for a merchant account from a merchant""s server with the PAYMENT command. On receipt of this command, the client program suspends its operation and passes the account number to a conventional bank processing program co-resident in memory. The bank processing program establishes a standard communication link with a transaction processing system through a dedicated data line or a PSTN network. Using that communication link, the bank processing program executes a commercial transaction using a standard VISA protocol or the like. The consumer may use a magnetic stripe reader and a PIN entry device to improve the security of the data transmission. The transaction center may transmit remittance data over the open network to the merchant so the merchant is apprised of payment and ships the ordered product. Once this consumer initiated transaction is complete, the bank processing program terminates and returns control to the client program which may terminate communication with the open network or retrieve information from another server on the open network for another transaction. In this way, the user may use the open network for non-confidential communication such as collecting product information, pricing, and product availability. This information may be collected quickly and efficiently using the extended Internet protocol. The conventional bank processing program and more secure communication links may then be used for the confidential information required for the transaction. Thus, the present invention is able to combine the features and advantages of the Internet with the more secure communication link and data security enhancing devices of systems presently known.
Preferably, an editor is provided which permits a user to define an application database table with data fields, define client application data fields, and define the integrated forms for communicating data between the defined database tables and a client application. The editor verifies the syntax of the user generated integrated forms containing extended Internet protocol statements and client application statements. The editor ensures that the variable names for the client application and the data fields for the database application correspond. Following the generation of the integrated form, the editor parses the integrated form to segregate the database language statements from the extended Internet protocol statements. A database language identifier is substituted in the Internet protocol statements for the database statements contained in the integrated form. The Internet protocol statements are downloaded as a file which is interpreted by the client program for the collection and submission of data from non-standard I/O devices to the database application. The database language statements segregated from the extended Internet protocol statements are placed in a second file which is named to correspond to the database table defined by the user. The CGI application recognizes the database language identifier contained in the returned forms of the Internet protocol statements. The CGI application correlates the database identifier with the file previously generated by the editor which contains the database command statements. The application then inserts the data from the returned form into the database command statements and provides the re-integrated database command statements to the database application. In this manner, the database may be queried by or retrieve data from the non-standard I/O device. In the most preferred embodiment, the editor permits a user to develop integrated forms comprised of the extended HTML language and standard query language (SQL) database application statements. In this manner, the user does not have to manually generate the SQL commands, the HTML commands, and carefully correlate the data fields of the two commands in order to implement a transaction between a client and a database.
These and other advantages and features of the present invention may be discerned from reviewing the accompanying drawings and the detailed description of the invention.