The present invention relates generally to the field of secure communications, and more particularly, to the field of secure transactions using the Internet.
There is much concern about the security of financial transactions using the Internet. While the Internet is very useful for browsing for information, many are quite hesitant to send their credit card and personal identification number (PIN) via the Internet, because there is a significant risk that the information can be intercepted on the Internet and stolen. One way to avoid the problems of the Internet is not to use it at all; however, this means that the benefits of the Internet cannot be realized.
One proposed solution is described in U.S. Pat. No. 5,809,143 issued on Sep. 15, 1998. Apparatus and methods are disclosed in the '143 patent for transacting secure purchase and bill payment transactions. The method for transacting a secure purchase via an Internet uses a system including a computer, a first communication device coupled to the computer and to the Internet, and a secure keyboard, the secure keyboard including a controller, an interface between the controller and the computer, a removable media interface, an alphanumeric keypad, an encryption device, and a second communication device coupled to a secure host. The method using the disclosed system includes the steps of browsing the Internet via the first communication device, and retrieving item data for a purchase from the Internet via the first communication device, and accessing information from removable media using the removable media interface. The information includes a user identifier and an issuer identifier, and a PIN entered on the alphanumeric keypad. The PIN is encrypted using the encryption device and sent to the secure host via the second communication device along with the information, the item data, and the encrypted PIN. The secure host blocks the information and the PIN from access by others on the Internet. The secure host requests authorization from a bank system for making the purchase using the information and PIN and proceeds with the purchase if the secure host receives from the bank system a bank authorization for the purchase. Otherwise the secure host cancels the purchase. The secure host sends purchase transaction data to the secure keyboard via the second communication device. The secure keyboard then prints a purchase transaction receipt.
Disadvantageously, by definition, the "secure keyboard" disclosed in the '143 patent relies on the use of a second phone line to route transaction data securely around the Internet, rather than over the Internet. This approach is appropriate for securing sensitive data in commercial and military applications; however, the burden for a second line (in terms of both the ongoing cost and the initial installation complexity) is onerous and unacceptable to most consumers. Further, the approach of routing the transaction data over a second path, and merging it later back at the merchant's web site, adds an unacceptable level of difficulty to the implementation for merchants.
Another disadvantage is that the "secure keyboard" requires a modem, printer and card reader integrated into a keyboard. This results in a very expensive device that needlessly replicates hardware already present in a computer, and therefore this is also impractical from a cost/market viewpoint.
It is, therefore, an object of the invention to conduct secure Internet transactions over the Internet using simplified commercially available hardware off the shelf.
Another object of the present invention is to conduct secure Internet transactions over the Internet using a single phone line.
Yet another object of the present invention is to provide a method and system of software loaded onto a consumer computer, merchant server and a centralized secure transaction-management software.
It is yet a further object of the present invention to encrypt a PIN and credit card or ATM card information using DES and public/private key encryption.
It is yet another object of the present invention to use a PIN/PAD to enter and encrypt a consumer PIN.
The present invention is directed to a combination software and/or hardware system that provides consumers and merchants with a secure method for making and accepting credit card and ATM card payments over the Internet. Using various software and/or hardware implementations, the system operates by:
1) creating (at the consumer's Internet access device) a Data Encryption Standard (DES) encrypted Personal Identification Number (PIN) Block meeting American National Standards Institute (ANSI) X9.8 and Automatic Teller Machine (ATM) network requirements (as a result of the consumer entering their PIN number and encryption automatically taking place);
2) using additional layer(s) of encryption (also performed at the consumer's Internet access device) to place the PIN block and card information in a public key/private key encrypted financial payment transaction data block ("FP Block");
3) transmitting the FP Block to the merchant, along with any necessary product or service order information, which may be transmitted over the Internet encrypted or in the clear according to the implementation method chosen by the system software at the merchant's web site;
4) software at the merchant location then forwards the FP Block to a secure transaction management system, where the FP Block is decrypted using a decryption algorithm matching that used by the software at the consumer""s Internet access device. The financial data is then re-formatted for transmission to the appropriate transaction processing network, and forwarded to the payment service processor accordingly. The present invention is independent of the encryption algorithm(s) used, and may be implemented with any number of encryption algorithms.
The encrypted PIN block remains encrypted until reaching the payment processor where existing DES encryption hardware decrypts the PIN block. The present invention also covers systems where the PIN block is decrypted at the secure transaction management server (rather than the payment processor) manage the encryption keys at the consumer's locations. The encryption of the PIN block at the consumer's location is done either by hardware or by software executed by the Internet access device. In the case of hardware, the present invention covers both hardware attached as a peripheral or add-on, and hardware incorporated into the original design and/or manufacture of the device. The transaction is then processed using the existing credit card or ATM POS (Point Of Sale) transaction processing functions.
These and other objects of the present invention are achieved by a method of transacting a secure purchase via the Internet including browsing a merchant web site by a user. An encrypted PIN block is created. An order is built from the merchant web site including purchase information and the encrypted PIN block to form a data block. The data block is further encrypted to form an encrypted payment block. The encrypted payment block is forwarded to a secure host. A decrypted payment block formatted for use by a bank system is routed. The order is proceeded if the secure host receives from the bank system a bank authorization for the purchase, and if no authorization is received, then canceling the purchase. The authorization is forwarded to the merchant web site. An indication is sent of a completion of the purchase to the user.
The foregoing and other objects of the present invention are achieved by a system for transacting a secure purchase via the Internet including a consumer Internet access device having a merchant response software plug-in loaded into a web browser residing thereon for building an order.
A PIN/PAD is operatively connected to said consumer Internet access device for entering a consumer PIN.
A merchant server has a merchant response software residing thereon for recording information about consumer transactions with the merchant server.
A secure transaction management server has a merchant response software residing thereon for forwarding the PIN to a bank system and sending an authorization from the bank system to the merchant server and the consumer Internet access device.
Still other objects and advantages of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein the preferred embodiments of the invention are shown and described, simply by way of illustration of the best mode contemplated of carrying out the invention. As will be realized, the invention is capable of other and different embodiments, and its several details are capable of modifications in various obvious respects, all without departing from the invention. Accordingly, the drawings and description thereof are to be regarded as illustrative in nature, and not as restrictive.