1. Field of the Invention
This invention pertains to a security enhancement for an electronic cashless transaction system comprising elements such as a bank center, a bank ATM (automatic teller machine) [e.g. a modified CD (cash dispenser)], an IC (Integrated Circuit) card [e.g. an IC smart card or an IC memory card] and a store transaction terminal [e.g. a modified POS (point of sales) terminal]. [A store is defined as a retailer, a wholesaler, a shop storage area or the like.] More specifically, it relates first to a system for controlling a key necessary for authenticating elements in proper operations of the electronic cashless transaction system and second to a money transfer system for enhancing the security of transferring money stored in the IC card.
2. Description of the Related Arts
Recently, a variety of debit cards have been offered for sale, which eliminate or reduce the necessity of carrying or using change, and improve the cash flows of the issuers. In Japan, those cards are used for paying a telephone charge for a call from a public phone booth, a transportation fare at a train station or even aboard a bus, and a food voucher at a restaurant.
However, most debit cards are currently good only for specific goods or services offered by the issuers; they are not valid for merchandise transactions in general. Besides, most debit cards offered for sale in Japan are of a disposable type, i.e. good only for the use of their stated values, unlike fare cards offered for sale e.g. by the BART in San Francisco, which allow additional fares to be supplemented for storage.
Therefore, an all-in-one card is awaited as a powerful electronic cashless transaction medium, whereby a financial institution, e.g. a bank, issues an IC card to its customer such that he asks his bank to credit a desired amount to his IC card, e.g. by transferring from his other accounts, and a participating store to debit a purchase amount to the card and credit the same to the store's account, thereby consummating a transaction without an actual exchange of cash. In the following description, debits and credits are defined as being from the ledger entries of the issuers of the all-in-one cards, and are exactly the opposite for the holders of such cards.
Such an all-in-one card system has an advantage in safety and efficiency in that the customers need not carry cash and stores and banks need not physically transport printed bills and coins accumulated as sales proceeds.
However, such an advantage is premised on the integrity of an ATM, an IC card, and a store's POS system.
FIG. 1 is a block diagram of a conventional electronic cashless transaction system using an all-in-one card, based on an IC card 11.
The conventional cashless system comprises an IC card 11, a store transaction terminal (POS terminal) 12 provided at a participating store allowing a holder of the IC card 11 to make a purchase, and a bank center 13.
The bank center 13 has a customer account 14 of the holder of the IC card 11, a customer card balance log file 15 for storing data on an amount a holder transfers to his card, an unsettled funds file 16 for storing the sum total of amounts a user transfers to a plurality of cards, and a store account 17 of a participating store into which the sales proceeds are transferred from the unsettled funds file 16. A bank center 13 has at least one [1] unsettled funds file 16. A customer account 14 and a customer card balance log file 15 exist for each holder of the IC card 11. A store account 17 exists for each participating store.
The IC card 11 has a balance storage register 18 for registering the amount expendable with the IC card 11. Also, the store transaction terminal 12 has a sales data file 19 for storing the total amount of the sales and the total amount of the sales returns and allowances.
A holder of the IC card 11 transfers money to his card before using it. He enters his PW (password) from a keypad on the IC card 11. After activating the IC card 11, he accesses the bank center 13 via a finance terminal or a money transfer terminal such as an ATM 20. On determining that the amount the holder wishes to transfer to his own IC card 11 is within the funds balance or a predetermined revolving limit of the customer account 14, the bank center 13 instructs the ATM 20 to credit the transferred amount (a card transfer amount 21) to the balance storage register 18 in the IC card 11 and to debit the same to his own customer account 14. At the same time, the bank center 13 stores the card balance in the customer card balance log file 15.
The customer card balance log file 15 operates as a first check in preventing a fraud using the IC card 11. This is because, since the amount stored in the balance storage register 18 of the IC card 11 cannot be more than the amount stored in the customer card balance log file 15, an amount stored in the balance storage register 18 of the IC card 11 which is more than the amount stored in the customer card balance log file 15 can be construed as a possible falsification of the IC card 11.
Also, the amount stored in the customer card balance log file 15 can be used as a basis for calculating an insured value for the holder of the IC card 11 for compensating a damage to or a loss of the IC card 11.
When a store has the store transaction terminal 12 credit to the IC card 11 an amount of a sales return and allowance, the bank center 13 has the customer card balance log file 15 control an amount credited by a store due to a sales return and allowance separately from an amount credited by a holder of the IC card 11 due to a transfer-in from his other account, thereby limiting the amount a store can credit a customer on the IC card 11 as a sales return and allowance, e.g. to the credit balance posted in the unsettled funds file 16.
The holder of the IC card 11 wishing to make a purchase at a participating store inserts the IC card 11 into the store transaction terminal 12 indicating a sales amount or an amount of sales returns and allowances, and enters his PW on the keypad of the IC card 11, thereby performing a purchase activation 22 of the IC card 11. The store transaction terminal 12 updates the fund balance stored in the balance storage register 18 of the IC card 11 by debiting the sales amount or crediting the amount of sales returns and allowances, thereby performing a balance adjustment 23, and credits the sales amount or debits the amount of sales returns and allowances to the sales data file 19. More specifically, when the holder of the IC card 11 has an account in a bank A, the store transaction terminal 12 updates amounts a related to accounts for bank A in the sales data file 19.
The store transaction terminal 12 thus credits the total amount of sales or debits the total amount of the sales returns and allowances to the sales data file 19, then sends their sum totals to the bank center 13 by coding these amounts in the sales data file 19 after a lapse of a predetermined period. That is, the store transaction terminal 12 sends to the bank center 13 of bank A sales (billing) data 24 by coding the amounts a, comprising the amount of sales and the amount of sales returns and allowances. The bank center 13 decodes the sales (billing) data 24 and transfers the amounts from the unsettled funds file 16 to the store account 17.
FIG. 2 is a block diagram for explaining conventional updates of sales tallying data and a fund balance stored in the IC card 11 by the store transaction terminal 12.
As explained in the description of FIG. 1, a holder wishing to make a purchase inserts the IC card 11 into the store transaction terminal 12 after activating it by entering his PW, and allows the store transaction terminal 12 to debit a purchase amount 25. The purchase amount 25 is an input to an adder 26 of the store transaction terminal 12 and a subtracter 27 of the IC card 11, which is outputted to an amount display 28 of the IC card 11. This allows the holder of the IC card 11 to judge whether or not the purchase amount 25 is appropriate.
The other input to the adder 26 of the store transaction terminal 12 is sales tallying data 29. On receiving an input of the purchase amount 25, the adder 26 adds to the sales tallying data 29 data on the purchase amount 25, thereby updating the sales tallying data 29. Meanwhile, the other input to the subtracter 27 of the IC card 11 is the value of the balance storage register 18. On receiving an input of the purchase amount 25, the subtracter 27 subtracts the purchase amount 25 from the value of the balance storage register 18, and re-stores the difference in the balance storage register 18, thereby updating the balance.
As described above, a conventional all-in-one card system takes security measures, e.g. an access control for disabling the abuse by an inappropriate holder and a coding to prevent eavesdropping on the line between a store and the bank center 13.
However, the conventional system such as described above has a security problem in that it has no defense against a fraud via the store transaction terminal 12.
FIG. 3 is a block diagram of a conventional process for transferring a replenishing amount to an all-in-one card, such as the IC card 11.
The system shown in FIG. 3 comprises the IC card 11, the ATM 20 for handling a money transfer from or to another account, and the bank center 13 of the issuer of the IC card 11.
The holder of the IC card 11 wishing to transfer money to or from the IC card 11 inserts the IC card 11 into the ATM 20 after activating the IC card 11 by entering his PW for the IC card 11 e.g. from the keypad of the IC card 11. Alternatively, the holder may activate the IC card 11 by entering his PW e.g. from the touch sensor panel of the ATM 20 after inserting the IC card 11 into the ATM 20. This allows a communications link to be established between the IC card 11 and the bank center 13 via the ATM 20.
Then, the holder of the IC card 11 inputs a transfer amount 34 (which is defined as being positive for a transfer-in to the IC card 11 and being negative for a transfer-out from the IC card 11) e.g. from the keyboard of the ATM 20. Alternatively, the holder of the IC card 11 can input the transfer amount 34 from the keypad of the IC card 11 before he inserts his card into the ATM 20.
Thereafter, the ATM 20 reads the balance stored in the IC card 11 (from the balance storage register 18) and sends to the bank center 13 data on the stored balance and on the transfer amount 34, asking for an authorization to credit or debit the transfer amount 34 to the IC card 11 and to debit or credit to the customer account 14.
The bank center 13 determines whether it can authorize the transfer-in to or transfer-out from the IC card 11, calculates a new balance by adding the transfer amount 34 to the hitherto stored balance, and sends the new balance to the ATM 20. The ATM 20 in turn stores the new balance to the IC card 11.
The above processes allow the IC card 11 to have a new balance, thereby completing a transfer-in or transfer-out.
Conventionally, the IC card 11 and the ATM 20 share a key-A 35 for coding communications between the IC card 11 and the ATM 20, thereby masking a protocol for a money transfer. However, in most cases, the communications between the ATM 20 and the bank center 13 are not coded. When they are in fact coded, the bank center 13 and the ATM 20 share a same key for coding and decoding the communications between them.
However, a conventional system such as this has a security problem with respect to an unauthorized money transfer due to its openness to eavesdropping. That is, the communications between the ATM 20 and the bank center 13, unless coded, are vulnerable to unwanted interceptions, which may allow one of skill to detect and analyze the data flow between the ATM 20 and the bank center 13 and transmit phony data that enable money to be transferred without a proper approval, or even bogus account data to be created.
Besides, even when the communications between the bank center 13 and the ATM 20 are coded, the key needs to be changed every time, for a defense against the possibility that a hacker can somehow log on to the ATM 20 and interpret the communications between the bank center 13 and the ATM 20 for the purpose of interfering with the system e.g. by destroying data.
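The two weaknesses described above (phony transfer data accepted on the line between the ATM 20 and the bank center 13, and a key that stays the same from one transaction to the next) can be illustrated with the following Python example, which is added here and is not part of the conventional system or of the invention described. It assumes HMAC-SHA256, a nonce issued by the bank center for each transaction, and the hypothetical names `SHARED_KEY`, `session_key`, `atm_build_request` and `BankCenter`; it authenticates the transfer request rather than coding (encrypting) it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed long-term key shared by ATM and bank center (assumption).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def session_key(shared_key, nonce):
    """Derive a one-time key so no two transactions share a key."""
    return hmac.new(shared_key, b"transfer" + nonce, hashlib.sha256).digest()


def atm_build_request(shared_key, nonce, card_id, stored_balance, transfer_amount):
    """ATM side: serialize the request and tag it under the one-time key."""
    body = json.dumps({"card": card_id, "balance": stored_balance,
                       "amount": transfer_amount}, sort_keys=True).encode()
    tag = hmac.new(session_key(shared_key, nonce), body, hashlib.sha256).digest()
    return {"nonce": nonce, "body": body, "tag": tag}


class BankCenter:
    def __init__(self, shared_key, account_funds):
        self.shared_key = shared_key
        self.account_funds = account_funds  # funds in customer account 14
        self.open_nonces = set()            # issued and not yet used

    def issue_nonce(self):
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def authorize(self, request):
        """Return the new card balance, or None when the request is rejected."""
        nonce = request["nonce"]
        if nonce not in self.open_nonces:
            return None                     # unknown or already-used nonce
        expected = hmac.new(session_key(self.shared_key, nonce),
                            request["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, request["tag"]):
            return None                     # forged or altered in transit
        self.open_nonces.discard(nonce)     # a nonce authorizes one request
        fields = json.loads(request["body"])
        new_balance = fields["balance"] + fields["amount"]
        if fields["amount"] > self.account_funds or new_balance < 0:
            return None                     # insufficient funds on either side
        self.account_funds -= fields["amount"]
        return new_balance
```

The stored balance reported by the ATM is still taken at face value here; the tag only shows that the request came from a holder of the shared key and was not changed or re-sent on the line.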