1. Field of the Invention
The present invention relates to automatic transaction systems that deliver goods or service by means of a machine exchanging information with a portable object which is debited by a given amount or value in consideration for the delivery of goods or service.
2. Discussion of Prior Art
The machine can be an automatic dispenser, e.g. for dispensing confectionery or drinks, or it can be a device for providing a service, for example controlled access implemented by opening a turnstile so as to give a traveller access to a transport system. Below, the term "delivery of goods" is sometimes used for short, but it should be understood that the invention naturally covers a much wider range of applications, including the delivery of all sorts of services.
In the same manner, although the portable object considered by way of example is a microcircuit card, the invention can also be applied to other types of portable object, such as magnetic cards or travel tickets, e.g. in the form of a magnetic coupon or the like. Nevertheless, it is preferred to use a microcircuit card, given the very high degree of security and reliability that is made possible thereby.
Goods or service is delivered as the result of implementing a transaction during which the card is temporarily coupled to the machine to enable information to be exchanged between the card and the machine, with payment being performed at least in part by modifying information stored in the memory of the card, which information is representative of the value contained in the card.
Coupling can be achieved between the card and the machine in various known ways, with or without metallic contact, and it is shown that the invention applies most advantageously to coupling of the so-called "contactless" type. With that type of coupling, there exists a non-negligible risk of communication between the card and the machine being interrupted in unexpected manner, e.g. because the card has moved out of the range of the machine before processing had been completed, or because of some temporary disturbance, e.g. the passage of a mass of metal close by, or indeed because the user passes the card too quickly in front of the machine to enable information to be interchanged in satisfactory manner.
The event that interrupts a transaction can equally well be accidental or deliberate, for example the user might deliberately seek to obtain delivery while nevertheless preventing the corresponding amount from being debited from the card.
In the context of an automatic transaction system of the kind described above, one of the objects of the invention is to associate payment (i.e. debiting of the card) with delivery in such a manner as to preserve not only the interests of the purchaser (user) but also those of the vendor (the operator of the machine), even if an event should interrupt the transaction or prevent payment being achieved.
Until now, the problem has usually been dealt with in one of the following ways:
no action is taken technically, so the event has to be dealt with by some human procedure;
the card is temporarily prevented from being withdrawn by the user, and the machine debits the card if and only if the goods or service is indeed delivered (this applies for example to machines in which the card is hidden by a flap or is "swallowed" while the transaction is taking place); and
the card remains accessible to the purchaser: this avoids the need to provide an expensive mechanism which slows down the transaction and is in any event inapplicable to transactions that take place without contact. However special precautions then need to be taken.
The third situation, in which the card remains physically accessible to the user leads to one or other of the following situations:
debiting takes place after delivery: the purchaser can attempt to prevent debiting, e.g. by withdrawing the card immediately after delivery or by making debiting impossible in some other way (e.g. by insulating one of the contact areas of the card's microcircuit by means of a piece of adhesive); this can be acceptable if delivery is intrinsically spread out in time, for example a telephone call, in which case the advantage gained by such fraud is highly limited; however it is unsatisfactory if the machine delivers an article or opens a turnstile; and
debit takes place prior to delivery: under such circumstances, there is a risk of the purchaser being out-of-pocket because payment has taken place by information being interchanged over a communications channel that can be interrupted by the card being extracted or moving too far away; in other words it is possible that the card is debited but that the machine does not deliver goods or service since the debit is not confirmed.
The invention lies in the general context corresponding to the last-mentioned situation above, i.e. the situation in which the card is debited prior to delivery.
In the most general terms, a transaction takes place as follows:
10) the machine causes the card to be debited;
20) the card modifies its monetary value information (or some equivalent value in terms of "tokens");
30) the card confirms to the machine that debiting has indeed taken place, i.e. that the monetary value in its memory has indeed been modified; and
40) the machine delivers the goods or service.
As will readily be understood, if the interchange between the card and the machine happens to be interrupted during step 30, then the purchaser will be out-of-pocket.
To mitigate that drawback, various practices have been used in the past:
if the purchaser withdraws the card in the middle of a transaction, it is the purchaser who is considered as being at fault and it is the purchaser who is liable to be penalized; in the event of the purchaser making a complaint, more-or-less arbitrary procedures are provided for indemnifying the user or for establishing means for determining after the event whether the transaction recorded in the card was indeed followed by delivery by the machine;
the purchaser is debited in small amounts only while delivery is taking place, so if the purchaser is indeed out-of-pocket, then the amount involved will be small and can be accepted: that solution is entirely suitable for delivering fluids or telephone calls, but it is impractical for delivering articles or for giving access to a transport network; and
a system is provided such that if the current transaction is interrupted with prejudice to the purchaser, then in a subsequent "resumption" transaction, the goods or service can indeed be delivered, but without any further payment, i.e. without debiting the card again.
This third solution is a known practice as used for example in electronic purses complying with the draft European standard EN 1546.
In such known circumstances, if payment has taken place, and if the user who has not obtained delivery restarts the transaction on the same machine, and if the new transaction (resumed transaction) is carried through successfully, then goods or service will indeed be delivered for fair payment.
Known systems for implementing a resumption transaction nevertheless share the following drawback.
If communication between the machine and the card is interrupted during above step 30, and if the user does not re-establish the link between the card and the same machine, then the user will be out-of-pocket.
In particular, when a plurality of machines exist close together for delivering identical goods or service (for example a row of turnstiles giving access to a transport network), a client who has passed a contactless card rather too fast and who finds that the turnstile has not opened, will often try again at an adjacent turnstile, i.e. using a machine other than the machine on which the initial transaction was begun. The second machine will debit the client even if the first machine has already made the same debit, such that the purchaser will be debited twice for single delivery of the same goods or service (one opening of the turnstile).
It is possible to mitigate that drawback by interconnecting machines in the same zone by means of a network enabling information suitable for resuming a transaction to be interchanged, e.g. a card identity number, the number of the last machine to have ordered a debit, the corresponding transaction number for that machine, etc. thus making it possible for the transaction to be resumed on any of the machines in the network.
The use of such a network suffers from two drawbacks, in particular:
the need for a network, with its associated hardware and software constraints; and
the fact that each machine must interrogate the network on every occasion prior to instructing the debiting of a card (step 10 above), thereby slowing down the transaction, or else each machine must store locally all of the information relating to transactions that have not terminated and that have taken place (at least recently) on the other machines in the network, and it must be capable of searching quickly to determine whether the card it is about to debit coincides with one such non-terminated transaction.
The invention proposes a solution to the above problem which avoids or minimizes the need to use a network, and which has characteristics that enable it to satisfy very severe constraints, such as those associated with a contactless card in transport situations, where each transaction:
must take place quickly (about 0.1 seconds);
can easily be interrupted without the user being at fault (card handled too fast or not accurately enough);
can implement a plurality of payment points (a plurality of turnstiles) between which the purchaser can move quickly (e.g. 1 or 2 seconds to go from one turnstile to the next); and
must be capable of operating satisfactorily in the event of a breakdown of any one of its elements, in particular the network interconnecting the machines, supposing that such a network is implemented.
To this end, the invention provides a method of interchanging data between the non-volatile memory of a portable object, in particular a microcircuit card, and an automatic machine with which the card is temporarily coupled to enable goods or service to be delivered, the card having value information that can be debited by the machine in consideration for delivering the goods or service, the method being characterized in that it comprises steps in which the machine causes a ratification flag to be modified, which flag is stored in the non-volatile memory of the card, said flag having two states, a ratified state corresponding to the case in which the preceding transaction performed with the card, whether by the same machine or another machine, took place correctly, and a non-ratified state for the case in which said preceding transaction was interrupted while it was being executed, and in which the machine successively: conditionally debits the card if the flag is in the ratified state; causes the card to put the flag into the non-ratified state if a debit took place during the preceding step; then causes the goods or service to be delivered; and if delivery takes place effectively in the preceding step, causes the card to put the flag into the ratified state.
The method may include the following steps in particular:
a) the machine reads the state of the ratification flag and jumps to step e) if it is in the non-ratified state;
b) the machine causes the card to be debited by an amount corresponding to the goods or service to be delivered;
c) the card records the debit by updating its value information, and it puts the flag into the non-ratified state;
d) the card confirms to the machine that the debit has been recorded;
e) the machine delivers the goods or service;
f) the machine causes the flag to be set to the ratified state; and
g) the card changes the state of the flag to put it into the ratified state.
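The following simulation of steps a) to g) is an added illustration and not part of the original text; it shows a transaction interrupted at step d) on one machine and resumed without a second debit on another. The names Card, LinkLost, transact and drop_before, and the sample amounts, are hypothetical.

```python
# Added illustration of steps a) to g); every name here is hypothetical.
class LinkLost(Exception):
    """Coupling between card and machine interrupted mid-transaction."""

class Card:
    def __init__(self, value):
        self.value = value      # value information in non-volatile memory
        self.ratified = True    # ratification flag, also non-volatile

    def debit(self, amount):
        # Step c): the debit and the flag change are applied together.
        if amount > self.value:
            raise ValueError("insufficient value")
        self.value, self.ratified = self.value - amount, False

    def ratify(self):
        # Step g): the card puts the flag back into the ratified state.
        self.ratified = True

def transact(card, price, drop_before=None):
    """Run one transaction on any machine. drop_before names the step at
    which a constructed link failure occurs. Returns True on delivery."""
    def step(name):
        if drop_before == name:
            raise LinkLost(name)
    try:
        if card.ratified:        # a) previous transaction completed
            step("b")
            card.debit(price)    # b) + c) debit, flag -> non-ratified
            step("d")            # d) the confirmation can be lost here
        # a) flag non-ratified: jump straight to e) without debiting
        step("e")                # e) the machine delivers
    except LinkLost:
        return False
    try:
        step("f")
        card.ratify()            # f) + g) flag -> ratified
    except LinkLost:
        pass                     # delivered, flag stays non-ratified
    return True

def demo():
    card = Card(value=10)
    first = transact(card, 2, drop_before="d")   # turnstile 1: link lost
    after_first = (card.value, card.ratified)
    second = transact(card, 2)                   # turnstile 2: resumption
    return first, after_first, second, (card.value, card.ratified)
```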
According to various advantageous subsidiary characteristics:
conditional debiting of the card is also subordinate to a time delay elapsing since the preceding operation of putting the flag into the non-ratified state and/or to the machine performing the current transaction belonging to a group to which the machine that performed the preceding transaction also belongs;
when the flag is in the non-ratified state, delivery without debit is inhibited if the machine detects that delivery took place during the preceding use of the card;
card debiting and putting the flag into the non-ratified state are performed in indivisible manner;
at least a portion of the information modifying the state of the card, in particular commands enabling the flag to be put into the ratified state, and/or at least a portion of the information relating to the state of the card, in particular the state of the flag and confirmation that the debit has been taken into account, is previously processed by cryptographic means implemented both in the card and in the machine;
the goods or service is delivered in deferred manner after a given time delay; in which case, provision can advantageously be made for delivery to take place prior to the time delay expiring in the event that it is confirmed that the card has properly executed the step of putting the flag into the ratified state; and/or, also by inserting a pause of random duration in the transaction;
the information interchanged between the machine and the card is enciphered in such a manner as to avoid revealing the moment at which the machine instructs the card to put the flag into the ratified state, or the moment at which the card performs that instruction;
counting is provided in the machine to determine the number of occasions on which it reads a flag in the non-ratified state;
counting is provided in the card to determine the number of occasions on which it stores the flag in the non-ratified state between two transactions, it being possible in particular to provide means for indicating that a given count threshold in the card has been exceeded, in particular means for inhibiting consecutive delivery of goods or service; and
the card memory includes information about the kind of goods or service to be delivered, which information is updated before any delivery of said goods or service.
Other characteristics and advantages appear from the following description of an example implementation of the invention.