This invention relates to purchase transaction systems that use payment card information and, more particularly, to systems in which cryptographic techniques are used to secure sensitive payment card information.
In modern financial systems, purchase transaction information often contains sensitive data. For example, when a customer makes a purchase at a store with a payment card such as a credit card or debit card, point-of-sale equipment in the store is used to acquire payment card data from the customer's card. The payment card information may be stored in tracks on a magnetic stripe on the card. The customer may swipe the magnetic stripe portion of the card through a card reader to make a purchase. The point-of-sale equipment conveys the track information that is acquired in this way to the computer systems of a purchase transaction processor. The purchase transaction processor may then process the transaction. For example, the purchase transaction processor may check the customer's account balance and other information to determine whether the customer is authorized to make a purchase and may debit the customer's account accordingly.
Track information on payment cards may include account number information, cardholder names, expiration date information, security codes, personal identification number (PIN) data, and other sensitive financial and personal data.
If care is not taken to secure sensitive payment card data, it is possible that an attacker may obtain unauthorized access to the payment card data. For example, a hacker might be able to install unauthorized eavesdropping software that monitors payment card data between the point at which the payment card data is first read off of a customer's payment card and the point at which the payment card data is successfully received at the purchase transaction processor.
The inadvertent disclosure of payment card data can result in the need to reissue cards and alert a potentially large number of affected customers. These responses to a successful attack may be exceedingly inconvenient and costly.
It would therefore be desirable to be able to provide improved techniques for securing sensitive payment card information in payment card data processing systems.