The use of transaction or payment tokens, such as a credit card, debit card, or radio frequency device, is an increasingly important method for making payments, performing fund transfers, or effecting other transactions. These transactions can occur face-to-face at a point of sale, over the telephone, through the mail, over the Internet, or in other contexts. Regardless of the type of transaction, it is clearly desirable for all entities associated with the transaction to reduce the chance of fraud through the unauthorized use of the transaction token and/or the payment account associated with the transaction token.
One approach to minimizing fraud is through the use of a personal identification number, or PIN, which is managed in an internationally standardized way, such as according to ISO 9564. In one typical implementation of this approach, at the time of the transaction, the user's transaction card is inserted or swiped in a card reader. The reader extracts certain data from the card, such as an account number. The card reader then requests that the user enter his or her PIN on a special keypad sometimes called a PinPad or PIN Entry Device (PED). The PIN is immediately encrypted and secured. The secured PIN data is then transmitted through secure means to an authorization location, such as an authorization computer, where cardholder data is stored. At the authorization computer, the account identification data is used to securely look up or calculate the PIN for the account to verify that the PIN entered by the cardholder was correct. This approach minimizes fraud because the person in possession of the card must also know the secret PIN to complete the transaction.
The traditional, internationally used architecture for authenticating a static PIN transaction is shown in FIG. 1. A cardholder or user first enters a static PIN 101 at a terminal 103 having a secure PIN Entry Device (“PED”) connected to a Point of Sale (“POS”) terminal or ATM, where a payment card is accepted to perform a transaction. In traditional secure PEDs, the PIN is secured from the moment it is entered at the PIN pad. All PIN encryption, translation and decryption are performed in physically and logically secure hardware devices or facilities, whether secure PEDs, hardware security modules (“HSMs”), or secure facilities, all of which are well-known to those of ordinary skill in the art.
Each node in the network, such as the secure PED 103, shares an encryption key or key-pair with the node with which it communicates. These shared keys are sometimes referred to as “zone” keys, and they protect the communication link between nodes. Accordingly, the static PIN 101 entered at PED 103 may be encrypted with the shared key (Shared Key-1) that is associated with PED 103 and the Network Switch 111. The encrypted PIN 105 is placed in a PIN block portion of a traditional credit or debit network message containing other account and transaction information, formatted according to accepted standards, such as ISO 8583 or other standard format, using techniques well known to those having ordinary skill in the art.
The message is communicated to a Network Switch 111 having an HSM. In other network configurations, the message is first communicated from the terminal to an acquiring financial institution (not shown), such as a bank operating the ATM, in the case of an ATM transaction, or a bank where the merchant operating the terminal 103 maintains an account. That message is then routed to the network switch 111. The network switch 111 receives the PIN block and uses account information, such as the account number, or a portion thereof, to identify the bank or financial institution that issued the payment card, such as Bank A 117 or Bank B 119. The Network Switch 111 decrypts the PIN in the PIN Block 105 using Shared Key-1 within the HSM, so that it can change the encipherment key to be used in the next transmission. The switch 111 then re-encrypts the PIN Block with Shared Key-A 113 and transmits the encrypted PIN block in the PIN block portion of a traditional credit or debit network message to Bank A 117. Bank A 117 receives the message, decrypts the PIN block using Shared Key-A, and uses the account information in the message to find or calculate the PIN for the account associated with the transaction card being used, which is compared with the decrypted PIN information. If the comparison is successful, Bank A responds with a message indicating the PIN is verified, or the transaction was accepted. Otherwise, Bank A will send a message indicating the transaction is rejected.
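The PED-to-switch-to-issuer flow described above, as an added example that is not part of the original text: a PIN block is built at the PED, translated from Shared Key-1 to Shared Key-A at the switch, and verified at Bank A. It assumes the ISO 9564-1 format 0 PIN block layout; the cipher is a standard-library stand-in for the block cipher an HSM would use, and the keys, account number and function names are constructed for illustration.

```python
import hashlib
import hmac

def _pan_field(pan: str) -> bytes:
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])  # 12 rightmost digits, check digit dropped

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pin_block_format0(pin: str, pan: str) -> bytes:
    """Clear ISO 9564-1 format 0 block: (0 | length | PIN | F padding) XOR PAN field."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    return _xor(bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F")), _pan_field(pan))

def pin_from_block(block: bytes, pan: str) -> str:
    field = _xor(block, _pan_field(pan)).hex()
    return field[2:2 + int(field[1], 16)]

def standin_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 64-bit Feistel cipher, NOT the TDES/AES an HSM would use."""
    left, right = block[:4], block[4:]
    for r in (range(7, -1, -1) if decrypt else range(8)):
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left

def switch_translate(enc_block: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """Switch HSM step: the clear block exists only inside this call."""
    return standin_cipher(key_out, standin_cipher(key_in, enc_block, decrypt=True))

def issuer_verify(enc_block: bytes, key: bytes, pan: str, pin_on_file: str) -> bool:
    entered = pin_from_block(standin_cipher(key, enc_block, decrypt=True), pan)
    return hmac.compare_digest(entered, pin_on_file)

# Constructed sample values, not real keys or a real account.
SHARED_KEY_1 = b"constructed-zone-key-ped-to-switch"
SHARED_KEY_A = b"constructed-zone-key-switch-to-bank-a"
PAN = "4000001234567899"

def run_flow(entered_pin: str, pin_on_file: str = "1234"):
    at_ped = standin_cipher(SHARED_KEY_1, pin_block_format0(entered_pin, PAN))
    at_bank = switch_translate(at_ped, SHARED_KEY_1, SHARED_KEY_A)
    return at_ped, at_bank, issuer_verify(at_bank, SHARED_KEY_A, PAN, pin_on_file)

if __name__ == "__main__":
    print(run_flow("1234"), run_flow("4321")[2])
```

The encrypted block differs on each link because each link uses its own zone key, while the clear block is handled only inside the translate and verify steps, which stand in for the HSM boundary.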
Notably, participants in payment networks, such as merchants, acquiring financial institutions, and payment processors, have made substantial investments in the various secure computing hardware, software, communications links, secure PEDs, HSMs and other equipment associated with the static PIN messaging architecture shown in FIG. 1.
One disadvantage to this approach is that, because the PIN is static, a thief could capture the PIN when it is being entered through the use of a hidden camera or other methods during a legitimate transaction and reuse it in subsequent fraudulent transactions. A captured static PIN is usable by an attacker until it is discovered to be compromised.