Typically, sensitive information may refer to personal data, such as, for example, identification data, personal medical data, banking data or any kind of data. The data must be protected from attempts to steal information by different security techniques, such as, data encryption, interactive user and/or hardware validation methods, etc.
However, when the communications network used is an Internet-type network, the techniques and technologies known to date do not satisfactorily resolve the problem of achieving a level of security similar to that in the “real” world. For example, in the real world, credit cards use the following security means: banking data is contained on a readable card, such as a card with a magnetic strip or chip; the user identifies himself as the owner of the card to the owner of the payment terminal; an identification number (PIN) is transmitted to a sensitive data management server to authenticate the owner up to the server, together with the card identification number (PAN). The data is transmitted by a telephone network or other communications network; and the owner signs an authorization of the monetary transaction performed.
However, when the transmission is by the Internet, via web interfaces, it is impossible to achieve this level of security. In fact, in whatever authorization or encryption method used, an individual who obtains the sensitive information in question (for example, the card number (PAN) and, if applicable, the personal identification number (PIN)) may force a transaction against the wishes of the legitimate card user. Obtaining this sensitive information or data is relatively easy, for example, if the card is stolen or lost.
The present specification discloses a method and a communications system for achieving levels of security similar to those present in transactions carried out by communications systems other than the Internet.
More particularly, the patent application comprises a method of authorizing a transaction between a computer and a remote server connected via a remote communications network, comprises the following steps: connecting a portable card reader to a computer by a standard communications port; reading a card data by the portable card reader; sending at least one item of sensitive card identification data to a management server for managing sensitive data contained in readable cards via a communications network connected to the computer; searching the electronic memory of the management server for the sensitive card identification data set sent; and, if the search does not return any positive data, the management server generates an instruction denying the transaction.
The method may be implemented by a system for sending sensitive information contained on a readable card via Internet-type networks, comprising: a computer with a connection to a remote communications network; a remote server connected to the computer via the remote communications network; and a management server for controlling sensitive data contained in readable cards, such that the system requests sensitive information contained on the readable card to authorize a transaction between the computer and the remote server, the authorization being issued by the management server according to an authorization procedure. The system can also comprise: a portable card reader connected to the computer via a standard communications port; in which communications between the different elements of the system are established by reading card data by the card reader; transmitting at least one item of sensitive card identification data, read by the card reader, to the management server via a communications network; and generating by the management server an instruction to deny or authorize the authorization.
The method and system are advantageous because they can achieve an improved level of security, in different ways. In fact, the portable card reader, which can be connected to any computer by a standard communications port, may “replace” the card owner in the proposed communications system. Thus, sensitive data is not input via the computer keyboard (a point through which the secure communications may be compromised) but are read by a card reader which need not be a fixed part of the computer that establishes the connection, improving security. The reader can be carried from one computer to another by the card owner, being portable, since it can be connected by a standard port.
However, any security system can be compromised in one way or another, and it is therefore desirable to increase security. Nevertheless, security systems generally tend to reduce the versatility and convenience of applications.