1.1 Field of the Invention
The present invention relates to an electronic purse data carrier for performing monetary transactions and a method for managing electronic payments with such a carrier.
1.2 Description and Disadvantages of Prior Art
Electronic payment with so-called electronic purse applications and systems is considered likely to become more and more important for today's business processes all over the world. The many different prior-art electronic purse applications are based on the same principle: they store electronic values representing so-called payment units for the purpose of financial transactions in a secure environment. These units are most often stored in chipcards to resist attacks. This protection is typically realized by applying cryptographic methods and secret keys which deny access to the security-relevant storage locations of a chipcard, and in particular to the electronic monetary values. Examples are EC-cards and credit cards.
In view of the constraint to keep the total amount of active money in the system constant and controllable by state authorities, it is necessary to avoid the existence of illegal copies of electronic monetary units. This is one of the key problems encountered with electronic payment.
Different approaches to solve this problem are known in the prior art. An electronic purse system may encrypt all data while they are transmitted between the interface devices taking part in a monetary transaction. Illegal copying of electronic payment units is countered by storing the monetary units in tamper-resistant interface devices and by accessing them only from within a secure session. Wire-tapping the I/O line of a device is then useless, as the tapped information cannot be decoded; note, however, that channel encryption protects the units only in transit, while the tamper resistance of the devices must protect them at rest.
The above encryption methods are of particular interest in applications of anonymous electronic money traffic. A system such as the German ‘Geldkarte’, for example, allows anonymous payment only for certain dedicated services; purse-to-purse transactions with an arbitrary person's purse are not possible. Once a unit is anonymous, its usage cannot be traced or predicted. Even a payment unit, abbreviated herein as PU, that is identified by a unique identification characteristic can be exchanged between various customers and thereby multiplied, while the issuing party, i.e., a state-controlled banking authority, is unable to control or trace its current location or current owner. Thus the money traffic is neither clear nor transparent for the authorities. Any large-scale misuse of electronic payment units may have serious consequences for the macro-economics of a country, for example in terms of the inflationary influence of such misuse.
Furthermore, this approach provides no means to return a monetary unit to the issuing authority, should that ever be required.
Another method to protect against the duplication of electronic monetary units is to label them uniquely in a non-anonymous purse. Here, the distributed payment units have a well-defined life cycle:
First, the issuing authority loads an electronic purse with monetary units. Then the customer may pay these units to a retailer or to any service provider when buying something. The retailer or service provider then returns the units to the issuing party to exchange the electronic ‘debits’ into a credit on its real bank account. As the issuing party can identify the monetary unit, it can also trace the life of the unit, which makes the transaction “non-anonymous”. The retailer or service provider cannot re-use an electronic payment unit once received. Inasmuch as such payment units vary continuously in value, because they always correspond to the exact price of the respective service or product, for example 322.65 EUR, re-use is not desired anyway.
This mechanism gives the issuing party a satisfactory proof of the authenticity of the electronic payment unit. Furthermore, as the identifications of the delivered payment units are stored, a duplicate payment request from a service provider can be identified and traced. The customer, however, might not appreciate the non-anonymous approach, as this method always has a strong impact on his privacy.
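As an added illustration of the life cycle just described, and not code from the patent specification, the following Python model shows the issuer's side of a uniquely labelled, non-anonymous payment unit: loading a unit for one exact price, proving its authenticity on redemption, refusing a second redemption of the same identification, and tracing the unit's life. The use of an HMAC tag as the issuer's authenticity proof, the unit layout, the event names and the in-memory ledger are assumptions chosen for illustration; the customer-to-retailer hand-off happens outside the issuer's view and is therefore only a comment in the code.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentUnit:
    """A uniquely labelled payment unit (PU) issued for one exact price."""
    unit_id: str  # unique identification characteristic chosen by the issuer
    cents: int    # value in euro cents, e.g. 32265 for 322.65 EUR
    tag: str      # issuer's authentication tag over (unit_id, cents); assumed HMAC


class Issuer:
    """The issuing authority: loads units, proves their authenticity on
    redemption, refuses a second redemption and keeps a trace per unit."""

    def __init__(self, key: bytes) -> None:
        self._key = key            # secret known only to the issuer (assumption)
        self._history = {}         # unit_id -> list of life-cycle events
        self._redeemed = set()     # unit_ids already exchanged into bank credit

    def _tag(self, unit_id: str, cents: int) -> str:
        # Binds identifier and value together so neither can be altered unnoticed.
        msg = f"{unit_id}:{cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def load(self, customer: str, cents: int) -> PaymentUnit:
        """Step 1: the issuer loads the customer's purse with a unit of the given value."""
        unit_id = secrets.token_hex(8)
        self._history[unit_id] = [("loaded", customer, cents)]
        return PaymentUnit(unit_id, cents, self._tag(unit_id, cents))

    def redeem(self, retailer: str, unit: PaymentUnit) -> str:
        """Step 3: a retailer returns a unit received in a sale (step 2) to the issuer."""
        expected = self._tag(unit.unit_id, unit.cents)
        # Authenticity first, compared in constant time, so a forged or
        # altered unit never reaches the ledger.
        if not hmac.compare_digest(unit.tag, expected):
            return "rejected: forged or altered unit"
        if unit.unit_id not in self._history:
            return "rejected: unknown unit"   # defence in depth; a valid tag implies we issued it
        # Duplicate detection: the identification was stored at load time,
        # so a second redemption request is detected and recorded for tracing.
        if unit.unit_id in self._redeemed:
            self._history[unit.unit_id].append(("duplicate attempt", retailer))
            return "rejected: duplicate"
        self._redeemed.add(unit.unit_id)
        self._history[unit.unit_id].append(("redeemed", retailer))
        return "credited"

    def trace(self, unit_id: str) -> list:
        """The non-anonymous property: the issuer can follow a unit's whole life."""
        return list(self._history.get(unit_id, []))


if __name__ == "__main__":
    issuer = Issuer(secrets.token_bytes(32))
    unit = issuer.load("customer", 32265)          # step 1: 322.65 EUR loaded
    # step 2: the customer hands the unit to the retailer; the issuer sees nothing
    print(issuer.redeem("retailer", unit))         # credited
    print(issuer.redeem("retailer", unit))         # rejected: duplicate
    forged = PaymentUnit(unit.unit_id, 99999, unit.tag)
    print(issuer.redeem("retailer", forged))       # rejected: forged or altered unit
    print(issuer.trace(unit.unit_id))
```

The trace is exactly what the customer objects to: every redemption ties the unit, and hence the purchase, to the purse it was loaded into. A symmetric tag also means only the issuer can verify a unit; an anonymous or purse-to-purse scheme would need the receiving purse to check authenticity without contacting the issuer, which this model deliberately does not provide.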
The usage of anonymous payment units, however, is of particular interest to the customer, because his privacy is preserved and more flexible usage is enabled, for example purse-to-purse transactions.
The increase in privacy, however, comes with a decrease in security and controllability from the perspective of the issuing party, as in the prior art no control can be gained over the large number of issued electronic payment units. This may lead to legal consequences, as the law in some countries requires the total amount of money to be supervised by an auditing party.
While physical bank notes offer sufficient means of verification through their physical security features, a proof of authenticity is practically not possible with electronic monetary units.
Further, a problem has been experienced in particular by the purse owner when an electronic purse data carrier, such as a chipcard loaded with electronic payment units representing a definite monetary value, is destroyed. As a copy of payment units is not desired, as described above, the electronic payment units of an anonymous purse typically reside at only one location at a time. If the carrier of these units is accidentally destroyed, the monetary value stored electronically on the carrier is definitively lost. This is a further significant obstacle to loading large amounts of electronic payment units into an anonymous electronic purse.
1.3 Objects of the Invention
It is thus an objective of the present invention to provide for more flexible and secure money traffic, both for the individual purse owner and for the state, while keeping the traffic private.