Internet commerce, or e-commerce as it is otherwise known, relates to the buying and selling of products and services by consumers and merchants over the Internet or other like transactional exchanges of information. The convenience of shopping over the Internet has sparked considerable interest in e-commerce on behalf of both consumers and merchants. Internet sales, or like transactions, have been typically carried out using standard credit cards such as Visa®, MasterCard®, Discover®, American Express®, or the like, or standard debit cards, i.e., check cards or automated teller machine (ATM) cards which directly access funds from an associated deposit account or other bank account.
While widely used for more traditional face-to-face transactions, use of these standard cards in connection with e-commerce presents certain difficulties, including difficulties concerning authentication or positive identification of the cardholder. For example, maintaining consumer confidence and security has become difficult with increased reports of fraud. The resulting apprehension is also fueled by consumer uncertainty of the reputation or integrity of a merchant with whom the consumer is dealing. The security of the consumer's card information or other personal information typically submitted along with a traditional e-commerce transaction (e.g., address, card number, phone number, etc.) serves to increase apprehension even more. Additionally, cardholders, merchants and financial institutions are all concerned about safeguarding against fraudulent or otherwise unauthorized transactions.
In particular, transactions involving debit cards (i.e., ATM or check cards) generally employ what is known as the PIN to verify the authenticity of the person using the debit card. The PIN is secret number or code known by the card's authorized user(s) but not generally known by others. The use of the otherwise secret PIN in conjunction with debit card transactions provides security against those who may have obtained the card number or Personal Account Number (PAN) without authorization, e.g., through unscrupulous or other means. Typically, the PAN alone (i.e., without the PIN) cannot be used to complete a transaction. That is to say, the debit card typically cannot be used unless the PIN number is also entered for the transaction. In this regard, the PIN number becomes important to providing security against theft or unauthorized charges against the cardholder's account.
Recently, attempts have been made to integrate the ability to use debit cards on web sites for purchasing goods and/or services over the Internet. This typically involves a transaction similar to a standard e-commerce transaction carried out with a credit card; however, the difference, as stated above, is that a debit card transaction also employs the cardholder's PIN in order to complete the transaction. Entry and/or use of the PAN and/or the PIN over an open network (such as the Internet) exposes both to potential security breaches.
For example, the secrecy of PIN codes can be compromised by “spy” software that is able to track a user's “movements” on-line. Generally speaking, spy software allows a third party to unknowingly eavesdrop on a user's Internet session and “watch” the web sites which are visited by the user. The unsuspecting user is often not be aware of the unauthorized third party, which can also observe the user conduct e-commerce transactions. By doing so, the third party is able to view and/or capture PANs, PINs and other information entered by the user. There have been various efforts devoted to thwarting such eavesdropping. One technique, for example, is to have entered keystrokes appear on the screen as asterisks or other indistinguishable characters; however, certain types of spy software can still detect keystrokes even though asterisks are used to disguise the appearance of entered PIN digits or other secret codes.
To address the problem of keystroke monitoring, another technique developed employs a graphical user interface (GUI) and has PAN and PIN numbers entered in a virtual alphanumeric keypad by the use of a mouse or other pointing device. With reference to FIG. 1, a traditionally used keypad 12 is shown on a display device 10. For example, in an e-commerce environment, this virtual keypad may be on a web page presented to a cardholder for entry of their PIN. That is to say, a designated server may provide the web page over a communications network to a client running a suitable browser when the transaction reaches the point where the cardholder operating the client is to enter their PIN. Optionally, the steps of entering the PIN are displayed in authentication window 16 during the debit transaction. Commonly, each button 14 within the keypad is arranged as a traditional keypad, with no variance therefrom.
The GUI method avoids the problem of someone monitoring keystrokes that are entered by the user. However, sophisticated spy software is also able to track mouse movements and scrolling in order to determine the location of interaction between the cursor, the clicking of the mouse and the content of the web page. Accordingly, by monitoring these activities, patterns can be discerned which may divulge a cardholder's PIN. That is to say, a series of consecutive mouse clicks which reoccur from transaction to transaction at or near the same relative locations can be correlated with the traditional keypad configuration shown in FIG. 1 to determine the PIN being entered.
Accordingly, it would be advantageous to have measures, devices and/or techniques which protect the PAN and/or the PIN, and in particular, which guard the secrecy of the PIN. More specifically, it is desired to have a method for carrying out secured debit card transactions, and, also, generally, any transaction employing a credit or debit card authorization over the Internet or other communications network.
The present invention contemplates a new and improved dynamic PIN pad which overcomes the above-referenced problems and others.