The role of a security module is to control the access to a stream transporting the encrypted digital data made available for users by a broadcasting server. For example, in the Pay-TV domain, a decoder allows to access and to decipher the broadcasted encrypted audio/video data stream according to rights registered in the security module associated with said decoder.
Generally, a security module is defined as a protected electronic module considered to be tamper-proof as for example a removable microprocessor card inserted in an appropriate reader, which connects the module to the decoder.
This security module, provided with communication interfaces, receives from a managing center messages intended for the management of access rights to broadcasted data. These messages are called management or administration messages EMM (Entitlement Management Message).
The document WO03/085959 describes a system comprising a managing center transmitting a data stream encrypted by control words included in control messages (ECM). The data stream is addressed to at least one user unit connected to a security module identified by a unique address. This module contains a credit, which is decremented on the basis of the purchase of products or on the consumption of the data stream. To reload the credit, the user communicates to the managing center an identifier representative of the unique address of the security module and a value code representing the reload amount. The managing center processes and verifies the value code before transmitting to the security module an encrypted management message (EMM) allowing the credit to be reloaded.
When the credit is sufficient in the security module two modes of purchasing are possible, namely:                local purchasing: the user decides to use all or part of his/her credit for buying a product. Thus, a new right is created in the security module for reception of said product after decrementation of the credit.        purchasing via the managing center: the user calls the managing center for buying a product. The managing center sends then an encrypted management message (EMM) containing the access right to said product as well as the amount to be decremented from the credit of the security module.        
In both cases, the purchase is carried out through the processing of messages containing a right for a product as well as the corresponding cost. If the available credit is sufficient, the security module processes the message i.e. the credit is decremented and the right is validated. The right thus authorizes the access to a broadcasted product at reception.
If the credit stored in the security module is insufficient, the received EMM management message is rejected and the access to the requested product is impossible. The same effect can also occur when the user unit is out of service and thus unable to validate the required right. Thereby the access control system and the managing center do not have any information about the real use of the credit, which represents a drawback when deductions for the products suppliers have to be established.
Since the user units have no direct feedback channel towards the access control system, the effective consumption rate of the products with regards to the sent messages cannot be determined. In fact, the quantity of transmitted messages being larger than the quantity of messages actually locally processed to release access to products, the managing center may pay to suppliers some surplus of rights and/or of products, which have never been consumed, nor paid by the users.
At the time of a purchase via the managing center, the user transmits a request comprising a security module identifier and a code related to the product or to the selected service. When this transmission is made via a feedback channel independent from the reception channel of the broadcasted data, such as sending the request by telephone or by a short message (SMS), a verification of the correspondence of the security module identifier with the effective user cannot be carried out. In fact, it would be possible to generate some services and products codes with security modules identifiers, with adequate software for example, and to transmit them to the managing center. The latter analyses these requests, accepts the ones whose security module identifier is known by the database of the center for broadcasting management messages EMM addressed to units relating to the recognized security module identifiers. At the time of the receipt of these EMM messages, the security modules corresponding to the identifiers of the recognized modules will have their credits debited unbeknown of the users of the concerned units. An error on entering the code on behalf of the user can also lead to the transmission of an EMM message resulting on an inopportune debit of a credit of another user's unit. The probability of such a debit increases proportionately to the number of units in service in the network.
The document U.S. Pat. No. 6,810,525 describes a method and a system for impulse purchase of services via a communication network. A service purchase request is transmitted by a subscriber terminal to an access control center, which generates an encrypted message including a service identifier and associated rights. The terminal receives this message together with the cost of the selected service and verifies if the available credit is sufficient. In case of success of the verification, a secure token is generated by an application of the terminal. This token is sent to a server of the network to determine the state of the rights of the subscriber before processing the purchase request by the access control center. This service purchase system is applied to a bidirectional network configuration in which the subscriber terminals are permanently connected to the access control center and to the server verifying the tokens. This system constitutes a solution to the problem of undesirable debits from other users as it uses a point-to-point transmission of the verification tokens using preferably a feedback channel depending on the terminal. However, the method cannot be easily executed automatically in a broadcasting system having a feedback channel independent from the terminal used for the sending of the requests only. A manual execution would imply the transmission by the user of two messages: the purchase request and the token generated by the terminal. This method would become uncomfortable and fastidious for a fast and impulsive purchase of services available on-line.
The document EP1398966 describes a system for a transaction carried out by a user of a receiver without feedback channel. The system comprises a broadcast center (head-end), a communication network and a receiver provided with a display suitable for receiving the digital data transmitted by the broadcast center via the communication network. The receiver comprises a security module configured in order to display a first unique code identifying the module; this code enables the creation of a transaction token. A second code identifying a service or a product to be ordered is also displayed, this code being included in the data of the broadcasted product. At the time of the purchase, the user selects a product and transmits its identification code and price together with the unique code of the security module (transaction token) to the broadcasting center. This transmission is carried out through a channel independent from the receiver such as the voice telephone, a short message (SMS) or something else. The broadcasting center decodes the token and releases the product after recognition on a database of the security module identifier extracted from the token.
This system is subject to the problem of undesirable debits from other users by transmission of identification codes being able to be recognized by the broadcasting center and corresponding to some security modules in service. Since it handles on a data transmission in broadcast mode, the managing messages allowing the viewing of the products and the debit of a credit on a given receiver are broadcasted towards all the receivers of the network. The encryption of the tokens mentioned in the document EP1398966 can be a solution to this problem. However, encryption keys and identifiers of security modules can be determined by malicious third parties, which can thus systematically generate tokens to cause debits in more or less large number of receivers.