The present invention relates to an apparatus having multiple point-of-sale card reading/keypad devices on each operable side of an energy dispensing apparatus. More particularly, the present invention relates to an apparatus having secure multiple point-of-sale card reading/keypad devices wherein the placement of one of the aforementioned card reader/keypad devices is such that it is conveniently accessible to disabled individuals.
In retail environments such as stores and service stations, there is a need for maintaining security of customer-entered Personal Identification Numbers (PINs). This is especially true in gasoline service stations where the customer may initiate the sale of the product by inserting a magnetic strip credit or debit card (or other type of information bearing card) into a card reader which is mounted on a gasoline dispenser, or perhaps elsewhere in a service station. The customer then enters a PIN number via a keypad. The PIN is transmitted along with data read from the magnetic strip to a host computer which can compare the PIN and data from the card to authorize a purchase.
The PIN must be protected from disclosure so that unauthorized persons may not use the PIN in conjunction with the card to defraud either the legitimate card holder, the vendor or an authorizing financial institution or card issuer. In some service station circumstances, the customer is requested to enter his/her PIN number using a keypad which is a part of the dispenser housing. Alternatively, he/she may enter the number using a special purpose PIN pad (commercially available from several different companies), when the sale is controlled from a point of sale console. It is desirable, and required in most instances, that the PIN number be encrypted at the point of entry so that no transmissions of the clear text (i.e. not encrypted) PIN occur across any transmission medium that is subject to interception. Thus, it is desirable to use encryption techniques in the PIN pads and in the dispensers if they are such points of entry. Typically, the PIN pads and/or dispensers must be injected with cryptographic keys which are used in the encryption process for exchange of PIN data.
The injection must be done in a secure environment because the cryptographic keys must be initially loaded into PIN pads or dispensers in their clear text form and are therefore subject to interception. PIN pads are small, easily replaceable, and easily injected with cryptographic keys in a secure environment. However, this is not true of dispensers because they require periodic service, which causes them to lose their key data and necessitates another injection process. Since the dispensers are bulky, the removal of the dispenser and shipment to a secure environment for re-keying are impractical. Installing separate, replaceable PIN pads in the dispensers is feasible, but it is not cost effective for service stations which have a large number of dispensers, and it requires a large inventory of replacement devices.
Also, it would be desirable to have the encryption keys used in the host system as secure as possible, since unauthorized access to those keys could lead to large losses. If each dispenser has the host system encryption key in it, the chances for loss increase. Accordingly, it would be desirable to avoid injecting the host keys into the dispensers, or any part of the dispenser, to enhance security.
The problem solved by the present invention is connecting two or more PIN-pad devices (e.g. Keypads), such as a Gilbarco, Inc. SmartPad(trademark), to one CRIND(copyright) BIOS (basic input/output system) board in a way that is invisible to entities downstream of the BIOS in the communication sequence (e.g., CRIND(copyright) Application, G-SITE(copyright), Gilbarco Security Module (GSM), etc.). Providing multiple PIN-pad devices is important in order to meet Americans with Disabilities Act (ADA) governmental requirements for providing access to energy dispensers to handicapped individuals.
CRIND(copyright) is an acronym for “Card Reader IN Dispenser” which is a style of energy dispensing apparatus made and sold by Gilbarco, Inc., of Greensboro, N.C. Usage of the term CRIND(copyright) in this application implies an energy dispensing apparatus having card reading and keypad capabilities. These capabilities typically include communication of card information to a remotely (i.e., not on the energy dispensing apparatus) situated station controller. If desired, a CRIND(copyright) board can be configured to process touchscreen input data as well. The CRIND(copyright) board need not, however, be restricted to the energy dispensing arts as it is applicable to virtually any point-of-sale device having multiple keypad inputs.
To meet the requirements under the ADA given the physical construction of some energy dispensers, it is desirable to place a second keypad on the dispenser in an area reachable to disabled persons. Where secure keypads are desired, it is then required that both keypads on the dispenser be secure keypads such as a Gilbarco, Inc. SmartPad(trademark). Since secure keypads require a unique key per transaction (UKPT) base key in order to perform debit operations, and since the security module (GSM) device does not currently support two independent secure keypads at a single pay-point, it is desirable to add a second secure keypad to the pay-point in a manner invisible to the security module (GSM) device.
Referring now to the drawings, FIG. 1 illustrates conventional PIN block transmission from a single secure keypad 10 to the CRIND(copyright) 12 BIOS, and to the security module 14 (GSM) for subsequent host-specific encryption and transmission. The PIN block 16 is first encrypted with a unique key per transaction (UKPT) key 19, then encrypted with the master/session key 20 and sent to the CRIND(copyright) board 12. The CRIND(copyright) 12 BIOS then removes the master/session encryption layer and transmits the UKPT-encrypted PIN block to the GSM 14. The GSM 14 then decrypts the UKPT-encrypted PIN block for subsequent processing. The security module 14 cannot perform the master/session decryption because the secure keypad was added to the architecture after a period where the CRIND(copyright) 12 handled the encryption of the PIN block.
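The two-layer flow of FIG. 1 can be traced in a short sketch. This is an added example, not code from the patent or from any Gilbarco product: the cipher is a stand-in (XOR with an HMAC-SHA256 keystream), the per-transaction key derivation is an assumed simplification of UKPT, and all function names, keys and the PIN block value are constructed for illustration.

```python
import hashlib
import hmac

def _keystream(key, nonce, n):
    # Stand-in keystream generator: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xcrypt(key, nonce, data):
    # Stand-in symmetric cipher; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def transaction_key(ukpt_base, counter):
    # Assumed derivation: one key per transaction counter from the UKPT base key.
    return hmac.new(ukpt_base, b"txn" + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def keypad_send(pin_block, ukpt_base, counter, session_key):
    # Secure keypad: inner UKPT layer first, then the outer master/session layer.
    inner = xcrypt(transaction_key(ukpt_base, counter), b"ukpt", pin_block)
    return counter, xcrypt(session_key, counter.to_bytes(4, "big"), inner)

def crind_bios_forward(msg, session_key):
    # CRIND BIOS: removes only the master/session layer; it holds no UKPT key,
    # so what it forwards is still the UKPT-encrypted PIN block.
    counter, outer = msg
    return counter, xcrypt(session_key, counter.to_bytes(4, "big"), outer)

def gsm_receive(msg, ukpt_base):
    # Security module: removes the UKPT layer to recover the PIN block.
    counter, inner = msg
    return xcrypt(transaction_key(ukpt_base, counter), b"ukpt", inner)

if __name__ == "__main__":
    base, session = bytes(range(16)), bytes(range(16, 32))  # constructed keys
    pin_block = bytes.fromhex("041234ffffffffff")           # constructed PIN block
    for txn in (1, 2):
        wire = keypad_send(pin_block, base, txn, session)
        fwd = crind_bios_forward(wire, session)
        print(txn, wire[1].hex(), fwd[1].hex(), gsm_receive(fwd, base) == pin_block)
```

Running it shows the same PIN block producing different ciphertext on each transaction, both on the keypad-to-CRIND link and on the CRIND-to-GSM link.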
Current security modules (GSMs) do not support multiple sources of UKPT-encrypted PIN blocks from a single pay-point. To do so would require additional data blocks and protocol changes to the security module firmware in order to support the UKPT approach for each additional secure keypad. Since there is an extensive population of security module devices in the field that do not support multiple secure keypads at a single pay-point, it is most desirable to make any such change invisible to the security module (GSM).
The present invention provides a system and method of adding multiple secure keypads to a system that currently supports only one secure keypad without compromising security or backward compatibility.
The present invention provides a system and method of adding multiple secure keypads to a single pay-point without affecting the site security module. This is accomplished by creating a master/satellite architecture in which the original secure keypad becomes the master to additional satellite secure keypads. In this architecture, the master secure keypad becomes a “virtual site security module” to the satellite keypads, thus relaying the encryption data provided by the site security module in an equally or more secure manner to the satellites.
According to one aspect of the invention, two (2) or more secure keypad devices are connected to a single CRIND(copyright) board that communicates with a security module such that either keypad may initiate and perform a consumer transaction. Between the keypad(s) and the security module sits the CRIND(copyright) board which serves both the security module downstream (transaction authorization) and the keypad upstream (transaction initiation). The present invention presents a new architecture on the upstream side of the CRIND(copyright) board which permits multiple secure keypads to be used in a manner that is invisible to the security module. A unique message sequence is disclosed among multiple keypads in which only one keypad may be deemed active at a given moment for purposes of passing transaction data through the CRIND(copyright) board to the security module. The CRIND(copyright) board is responsible for linking each of the keypads together and funneling message traffic among them. In one embodiment, one keypad is deemed the master, acting as a virtual security module, while all other keypads are deemed satellites.
As used herein, the phrase “secure keypad device” refers to any device capable of receiving personal identification number information from a customer and forwarding the personal identification number information to another secure keypad device or to the security module. Any such device may include a keypad, a touch screen, or other input device for receiving input from a customer, an encryption unit for encrypting the input from the customer and a decryption unit for decrypting information from other secure keypad devices or from the security module. A secure keypad device may also include communication circuitry for communicating with other keypad devices or with the security module.
According to another aspect, the present invention may include a two-level secure keypad arrangement in which a master secure keypad communicates with multiple satellite secure keypads and with the security module. The satellite secure keypads have a common architectural level. This architecture eliminates the need for an intercessor device, such as the CRIND(copyright) BIOS between the secure keypads and the security module.
According to another aspect, the present invention includes an N-leveled secure keypad arrangement in which a master secure keypad is located on a first architectural level and a plurality of satellite secure keypads are located on successive architectural levels higher than the first architectural level. This architecture eliminates the need for an intercessor device, such as the CRIND(copyright) BIOS, between the secure keypads and the security module.
It is, therefore, an object of the present invention to provide for multiple secure keypad devices at a single pay point.
It is a further object of the present invention to provide for multiple secure keypad devices at a single pay point in which keypad activity is invisible to a downstream security module responsible for host transaction processing.
Some of the objects of the invention having been stated hereinabove, other objects will become evident as the description proceeds, when taken in connection with the accompanying drawings as best described hereinbelow.