The present invention relates to a method of loading commands in the security module of a terminal. More specifically, the present invention relates to the controlled loading of data in the security module of a smart card operated terminal by means of the execution of commands.
Terminals, such as vending machines or public telephones, often comprise a security module for securely storing usage data. Such payment data is e.g. the number of times the terminal has been used, the amount of money spent by consumers at the particular terminal, or the number of telephone metering pulses the (telephone) terminal has collected. A security module, which is usually mechanically and/or electronically protected against abuse, comprises electronic memory means (such as counters and EEPROM) for registering payment data and for storing keys. A security module may further comprise processing means for processing data, such as usage data. Such processing means normally comprise a microprocessor running programs consisting of commands stored in the security module. The processing often comprises the cryptographic protection of the usage data in order to prevent fraud. An example of a security module and its use is disclosed in U.S. Pat. No. 5,572,004 (Raimann), which patent is incorporated by reference in this text.
It is often necessary to update the data stored in a security module, e.g. for adding new functions or modifying existing functions. Data may be added or altered using commands, the execution of which effects the desired addition or alteration. However, the functioning of the additions and alterations needs to be verified. This is especially true since security modules often store monetary data or their equivalents.
Thus the need arises to be able to load such new data into the security module and to verify its effects, i.e. the proper functioning of the modifications brought about by that data. As in practice it will be necessary to effect changes in security modules in many different locations, verifying the functioning of those security modules constitutes a problem. The Prior Art does not offer a solution for this problem.
U.S. Pat. No. 4,972,478 discloses a cryptographic circuit connected with external programming equipment which may perform an execution test to verify that the cryptographic circuit accurately performs its cipher algorithm. How this execution test is performed, and which results are transferred to the external programming equipment, is not disclosed. Said patent does not deal with a smart card operated terminal.
U.S. Pat. No. 5,495,571 discloses a method for parametric testing of a function programming interface. A testing plan invokes the function with different parameter values and it is tested whether the function returns appropriate error codes. Said patent does not deal with the controlled loading of data and commands. Also, said patent does not deal with a smart card operated terminal.