At present, IC card applications are gaining in popularity and scope. Because IC cards are convenient to use, easy to carry, fast to operate and reliable for security purposes, etc., they are welcomed by more and more users, especially in self-service environments.
Nevertheless, present IC card payment systems are primarily directed to transactions after a sale, i.e., the user pays first and then receives the services, e.g., shopping at a store. For transactions before the sale, i.e., the payer receives the services first and then pays, e.g., refueling with an IC card, various factors render the use of such cards unsafe from a security standpoint, especially for services provided before the sale in self-service environments.
For example, when using current IC cards to refuel, the user inserts the IC card into a designated terminal. Both the IC card and the card terminal are mutually authenticated. The user refuels oil. After refueling is ended, the card terminal deducts money from the IC card. As can be seen from this procedure, during the period from when the user begins to refuel oil until the card terminal deducts money successfully, if the IC card is extracted from the card terminal or the power supply is interrupted or the card terminal has some accident, etc., then the card terminal does not deduct money from the IC card (known as escape card). This will cause a series of problems.
In order to solve this problem, a Grey Lock concept has been introduced to IC card refueling payment systems. The term Grey Lock indicates that a specific Mark is present on the IC card to identify its application state as of the last time the card was used. If the Grey Lock Mark is clear, this means the last transaction using the card was ended under normal circumstances and the card is ready to be used again. If the Grey Lock Mark is set, this means that the last transaction was not ended under normal circumstances. For this IC card (known as a grey or Grey Card) to be used again, its Grey Lock Mark must be cleared (also referred to as unlocking grey or unlocking Grey for short). Further, if the money which should have been deducted in the last transaction has not been deducted from the card, then a Supplementary Debit must be applied to the card.
Therefore, the procedures associated with a refueling transaction using an IC card as described above are changed to the following steps. The user inserts the card into a terminal. Both the IC card and the card terminal are mutually authenticated. The card terminal judges whether the card is a grey card. If the card is not a grey card, then the grey lock is set. The user can then refuel oil. After refueling is complete, the card terminal deducts money from the IC card and the card terminal unlocks the grey lock on the IC card. At the same time, an unlocking grey transaction is added. This procedure is as follows. If the IC card is a grey card, then the card terminal searches for a corresponding grey record. The card terminal judges whether the grey record matches the one on the IC card. If the grey records match, then a supplementary debit is done (if necessary) according to the grey record, and the card terminal unlocks the grey lock on the IC card.
In the transaction procedures described above, the supplementary debit operation and unlocking grey operation are separate. Thus there can still be hidden security problems. For example, if there is only an unlocking grey operation without a supplementary debit operation, then the cardholder makes a profit and the card distributor realizes a loss. Herein, the “transaction beneficiary” concept is introduced for further description.
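The procedure and its weak point can be modelled in a few lines. The following is an added example, not part of the original document; the names `Card`, `Terminal` and `scenario`, the card id and the amounts are assumptions made for illustration. It shows that when unlocking grey is an operation independent of the supplementary debit, the card ends up clear while the amount served and the amount collected no longer reconcile.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    balance: int
    grey: bool = False            # the Grey Lock Mark

@dataclass
class Terminal:
    served: int = 0               # value of fuel dispensed
    collected: int = 0            # value actually deducted from cards
    grey_records: dict = field(default_factory=dict)  # card id -> amount owed

    def start(self, cid, card):
        if card.grey:             # a grey card must be unlocked before reuse
            raise RuntimeError("grey card: unlock grey first")
        card.grey = True          # set the grey lock before service

    def end(self, cid, card, amount, escaped=False):
        self.served += amount
        if escaped:               # card pulled or power lost before the debit
            self.grey_records[cid] = amount
            return
        self.debit(card, amount)
        self.unlock(card)

    def debit(self, card, amount):
        card.balance -= amount
        self.collected += amount

    def unlock(self, card):       # separate operation: the card checks nothing
        card.grey = False

    def recover(self, cid, card, supplementary_debit=True):
        owed = self.grey_records.pop(cid)   # KeyError if no matching grey record
        if supplementary_debit:
            self.debit(card, owed)
        self.unlock(card)

def scenario(supplementary_debit):
    """Escape-card transaction of 30 on a card holding 100 (constructed values).
    Returns (card balance, grey mark, distributor shortfall)."""
    card, term = Card(balance=100), Terminal()
    term.start("C1", card)
    term.end("C1", card, 30, escaped=True)
    term.recover("C1", card, supplementary_debit)
    return card.balance, card.grey, term.served - term.collected
```

The shortfall returned by `scenario` is the reconciliation figure a card distributor would audit: any non-zero value with a cleared Grey Lock Mark means an unlock happened without its matching debit.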
According to the beneficiary concept of an unauthorized IC card operation, the transaction (or IC card operation) is divided into a positive transaction and a negative transaction. Positive transactions (or IC card operations) include those transactions (or IC card operations) which are advantageous to the cardholder and are disadvantageous to the card distributor, including unauthorized operations such as, e.g., load, changing the limit of an overdrawn account, unlocking the personal identification number (PIN), updating protected files on the IC card, and the like. Negative transactions (or IC card operations) include those transactions (or IC card operations) which are disadvantageous to the cardholder and advantageous to the card distributor, including unauthorized operations such as, e.g., consumption, and the like. In general, for positive transactions, an encryption key is kept at a card distributor computer. For negative transactions, an encryption key is kept at a card terminal, and is conventionally stored on the card terminal PSAM card.
According to the above definitions of positive transaction and negative transaction, it can be seen that a debit operation is a negative operation. An encryption key can be stored on a PSAM card. It can also be seen that an unlocking grey operation is a positive operation, such that an encryption key should be stored in the card distributor computer. Nevertheless, an unlocking grey operation, which cannot be on-line, has to occur in a normal transaction procedure, so that the following conflict can happen. If the encryption key for unlocking grey is put on a PSAM card, then it is possible that the PSAM card will be illegally used for unlocking grey. Because the PSAM card is only an IC card, which only calculates and authenticates passively with an encryption key, there is no mechanism to limit the unlocking operation.
In current state-of-the-art procedures, the encryption key for unlocking a grey card is put in a card terminal encryption module. Alternatively, part of the encryption key for unlocking a grey card is put on the card terminal encryption module and part of it is put on the card terminal PSAM card. A program can be put on the encryption module so as to impart some autonomy thereto. The program can be used to secure control of the unlocking grey operation. For the encryption module to have secure control of the unlocking grey operation, it is necessary to lock the card before service, i.e., to set the grey lock mark of the IC card. If the card happens to escape the system during operation, the card terminal will report by network the escaped (or lost) amount of money and present balance of the card. During the next unlocking grey operation, a supplementary debit can be applied when the grey lock mark is set and the escaped amount of money and balance has been sent back by the network. After that the IC card grey lock mark can be reset.
This approach has problems as well. For example, the IC card cannot judge whether the supplementary debit is legal. Only the card terminal and network can secure a guarantee of the supplementary debit. This is a weak point of security. In addition, as noted above, the unlocking operation is a positive transaction. The encryption key is within an application environment such as the IC card, which cannot be controlled by the card distributor.
To date, there is no thorough solution for this specific kind of IC card transaction before the sale.