This invention relates generally to systems and methods for performing on-line revaluation of token information (such as "electronic cash" or "service usage credits", e.g. phone usage credits) stored in IC cards, also called smart cards, and more particularly to systems and methods for performing such revaluation in a private location.
One of the well-known uses of IC cards involves storing token information for the cardholder to utilize in carrying out a cashless transaction. IC cards and associated transaction terminals used for this purpose have utilized increasingly sophisticated security schemes to prevent unauthorized card manufacture, unauthorized card issuance, or fraudulent card use. See, for example, Nakano U.S. Pat. Nos. 4,810,862 and 4,839,504 for descriptions of security features introduced during manufacture and issuance of an IC card and thereafter employed during use to authenticate the card and the cardholder.
Some commercial applications involve issuance of an IC card with an initial token value and card logic or programming which only permits decrementing the stored token value until completely exhausted, after which the card is discarded and a new card must be purchased.
Other commercial applications involve issuance of an IC card which has an initial token value and card logic or programming which permits revaluation, i.e. incrementing token value in addition to decrementing. These applications have become known generally as the "electronic purse."
In some electronic purse applications, the IC card may only be revalued at a secure revaluation station, e.g. a sophisticated automated teller machine (see above-referenced Nakano '504 patent) or a special funds transfer terminal on line with a sophisticated host computer (see Mansvelt U.S. Pat. No. 5,175,416). These secure revalue stations are capable of full utilization of card and terminal security features and are typically maintained in secure environments to prevent fraudulent use and to preclude unauthorized access for sophisticated probing of security features which might thereafter be used to clone revaluation stations as part of fraudulent card issuance or revaluation schemes.
One of the limitations of electronic purse usage of IC cards is that the cardholder is unable to readily determine the remaining cash token value stored in the card until presenting it for use in consummating a transaction. If the stored cash token value is insufficient to cover the purchase amount, the cardholder must void the transaction or use some other form of payment. Another limitation is that the cardholder must typically visit a special terminal location for adding cash token value to the card, rendering the convenience level of the electronic purse application essentially the same as actual cash (i.e. government issued scrip) withdrawal at an ATM.
The desirability of permitting revaluation of an electronic purse IC card at a private location such as home or office is generally recognized in Ugon U.S. Pat. No. 4,656,342. This '342 patent also generally recognizes the desirability of incorporating a plurality of tokens in an electronic purse IC card with each token being associated with a particular service provided by an authorizing entity. In addition to a stored cash token value which can generally be used to purchase goods and services at locations having authorized electronic purse transaction terminals, the electronic purse may, for example, also have a telephone usage token value which may be used in public telephones having authorized IC card interface devices.
The electronic purse revaluation process described in the Ugon '342 patent involves the combination of a voice based telephone call to a special operator to request the special operator to revalue the cash token amount or other authorized token amount in the cardholder's electronic purse IC card. The operator and cardholder then establish a phone data link between an IC card interface unit on the premises of the cardholder and an authorizing terminal at the operator's location and the operator is thus enabled to utilize the authorizing terminal and the cardholder's card interface unit to perform a special card and service authentication function which, if successfully carried out, results in the IC card itself writing a new token value into the associated token value memory location.
Objects of this Invention
It is a principal object of this invention to provide an improved system and method for revaluation, by a cardholder at a private location, of one or more token values stored on an IC card. It is another object of this invention to provide an improved private transaction terminal for performing transaction operations in connection with an IC card.
Features and Advantages of this Invention
One aspect of this invention features a method for carrying out at a private location an alteration of a token value stored in an IC card issued to a cardholder via an on-line transaction session with an operatively compatible terminal at a remote location. This method utilizes an IC card having a microcontroller and associated microcontroller program memory, security protected memory locations for token value data and card security data, a data communication interface, and prearranged card security programs stored in said program memory for managing security of cardholder access and security of terminal access to security protected memory locations for transaction related data reading and writing operations.
The operatively compatible terminal at the remote location includes a data communication interface and prearranged transaction security programs compatible with said prearranged card security programs.
It should be understood that the IC card may have only one token value stored, e.g. a cash token, or may be a multiple token value card. It should also be understood that the terms "IC card" and "smart card" are used interchangeably in describing this invention.
The method of this invention involves first establishing a card data link to said data communication interface in said IC card and then communicating a cardholder data security message to said IC card via said card data link to enable said card security programs to produce secure cardholder identification data. The method also involves establishing a terminal data link to an external terminal at a remote location and then communicating secure transaction messages between said IC card and said external terminal via said card data link and said terminal data link, including token change vector data from said cardholder, to enable said IC card and said external terminal to perform mutual authentication functions and to execute a secure token value change transaction.
After the transaction between the IC card and the remote terminal is completed, the method continues with reading a revised token value stored in said IC card via said card data link and then communicating said revised token value to said cardholder. By having all of the secure authentication and transaction message data items created in the IC card itself and simply passing these messages via a remote data link, the method of this invention enables remote revaluation of IC card tokens in a simplified manner and facilitates the use of simple and inexpensive hardware on the cardholder end of the transaction.
Another aspect of this invention features a terminal for carrying out at a private location a transaction consisting of alteration of a token value stored in an IC card issued to a cardholder via an on-line transaction session with an operatively compatible terminal at a remote location. The IC card and operatively compatible terminal have the features discussed above.
The private terminal used by the cardholder comprises means for establishing a card data link to said data communication interface in said IC card and means for accepting cardholder entry of a security data item and for communicating said security data item to said IC card via said card data link to enable said card security programs to prepare and return cardholder and card authentication data items.
The private terminal further includes means for enabling said cardholder to initiate a token value change transaction including means for accepting cardholder entry of a token change vector and means responsive to said cardholder initiating a token change transaction for establishing a terminal data link via a public switched telephone network to an external terminal at a remote location.
Another element of the private terminal is means for communicating a series of secure messages between said IC card and said external terminal via said card data link and said terminal data link. These messages include secure authentication messages to enable said IC card and said external terminal to execute respective terminal authentication and IC card authentication programs, and secure transaction messages, including said token change vector, to enable said IC card and said external terminal to execute a secure token value change transaction.
The private terminal also includes means for reading a revised token value stored in said IC card via said card data link and for communicating said revised token value to said cardholder. This means for communicating the revised token value may be an alphanumeric display or a printer or a computer generated voice readout.
The private terminal of this invention has the advantage of simplicity and low cost since the IC card and the remote terminal compose all secure messages and handle the programmed transaction activity with the private terminal acting principally as a message passing entity. This reduces the risk of fraud because the private terminal itself is incapable of interacting with the IC card to do any transaction activity. The private terminal does not have to be maintained in a secure environment and thus such terminals can be distributed for use in cardholders' homes and offices and other private locations.
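The following sketch is an added example, not code or a protocol taken from the patent. It shows why a relay that holds no key cannot alter a token change between card and remote terminal. HMAC-SHA256, the pre-shared card key, the message layout and every class and function name are assumptions made for illustration.

```python
# Added illustration: HMAC-SHA256 and a pre-shared card key are assumptions,
# not primitives named in the patent text. All names are hypothetical.
import hashlib, hmac, os

def tag(key, label, *fields):
    # Length-prefix each field so field boundaries are unambiguous.
    body = b"".join(len(f).to_bytes(2, "big") + f for f in (label, *fields))
    return hmac.new(key, body, hashlib.sha256).digest()

class Card:
    def __init__(self, key, pin, value):
        self.key, self.pin, self.value, self.unlocked = key, pin, value, False
    def present_pin(self, pin):               # cardholder security data item
        self.unlocked = hmac.compare_digest(pin, self.pin)
        return self.unlocked
    def request(self, host_nonce, delta):     # card composes the secure request
        if not self.unlocked:
            raise PermissionError("cardholder not verified")
        self.ctx = (host_nonce, os.urandom(16), str(delta).encode())
        return self.ctx[1], self.ctx[2], tag(self.key, b"REQ", *self.ctx)
    def commit(self, auth):                   # card authenticates the host reply
        if not hmac.compare_digest(auth, tag(self.key, b"AUTH", *self.ctx)):
            return False
        self.value += int(self.ctx[2])
        return True

class Host:
    def __init__(self, key):
        self.key = key
    def challenge(self):                      # fresh nonce per session
        self.nonce = os.urandom(16)
        return self.nonce
    def authorize(self, card_nonce, delta, req):
        fields = (self.nonce, card_nonce, delta)
        if not hmac.compare_digest(req, tag(self.key, b"REQ", *fields)):
            return None                       # card not authentic or data altered
        return tag(self.key, b"AUTH", *fields)

def private_terminal(card, host, pin, delta, tamper=lambda d: d):
    """Relay only: holds no key, so it cannot compose or alter a valid message."""
    if not card.present_pin(pin):
        return None
    card_nonce, d, req = card.request(host.challenge(), delta)
    auth = host.authorize(card_nonce, tamper(d), req)   # tamper models a bad relay
    if auth is None or not card.commit(auth):
        return None
    return card.value                         # revised value shown to cardholder
```

The `tamper` hook stands in for a modified or malicious private terminal; any change to the token change vector in transit fails the remote terminal's check and the card value is left untouched.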
The private terminal of this invention is also not dedicated to a particular cardholder and can thus be utilized by any cardholder holding a compatible IC card. Thus, while the private terminal could be made portable, it is unnecessary to do so. A single terminal in each office location can be used by a number of cardholders to read the value of the tokens on their cards and to revalue the tokens as desired using the facilities of the terminal.
By having remote terminal phone numbers and other banking data stored on the IC card, the private terminal can function essentially as a dumb communication terminal for other banking transactions as well as token revaluation on the IC card. Once the remote terminal and the IC card have exchanged account and other data on a secure basis, the remote terminal and the private terminal can interact with banking function messages provided by the remote terminal and selection of functions by the cardholder. The degree of intelligence provided in the private terminal for personal ATM type transactions is, of course, optional. For example, the private terminal may include elementary function keys for account balance inquiries, mini-statement inquiries, deposit and check payment inquiries and the like.
Other objects, features, and advantages of this invention will be apparent from the detailed description below of embodiments of the invention.