It has been common for buyers to pay for goods and services using credit and debit cards. The use of credit cards has eliminated the need to carry large amounts of cash in order to pay for these goods and services. Further, the use of a credit card has eliminated the need for car rental agencies and hotels to require large deposits in order to assure return of vehicles or to reserve rooms. Thus, the use of credit cards has facilitated the transacting of business and thus provides a significant convenience to the buyer. However, credit cards have also facilitated the occurrence of fraud and errors in which the customer is double billed for the same item or billed the incorrect amount.
With the explosion in Internet access and usage, an increasing volume of business is occurring between individuals and firms, who have never seen each other, let alone engaged in any prior business transactions. Currently, a typical Internet user would have a browser installed in his local computer or server such as Internet Explorer™ or Netscape™. Using this browser, the user would access an Internet service provider, such as America-On-Line (AOL™), via a modem over the local public switched telephone network (PSTN). Once logged onto the Internet server, the user may utilize one of the many search engines, such as Yahoo™ or Lycos™, to specify search terms. The user may also use a web crawler, spider or robot to attempt to find a product, service or information desired. The search engine or web crawler would then respond with a list of web sites which matched the search terms the user provided. The user would then log onto a web site and view the products or services available for sale. If the user decides to buy the item from the web site, the firm operating the web site would again frequently request a credit card number be entered by the user in order to pay for the product or service. Once the credit card charge is approved, the operator of the web site will then typically ship the item to the user. In the case where the item ordered is digital in format, such as software, graphics, text, video, or music, the item ordered maybe downloaded into the user's PC, server, lap top, palm computer or other processor-based system.
With the advent of cellular phones with and without wireless access protocol (WAP), a user may also “surf” the Internet and order goods and services directly through the WAP-capable phone or a processor-based system connected to the cellular phone in a similar manner as that used with a PC. Thus, a user may order goods and services from anywhere with a cellular phone, satellite phone, or other type of mobile station. Therefore, a person could be sitting in the middle of a remote area, many miles away from another human being, let alone a telephone line, and order a video game from a web site on the other side of the planet and download it into his palm computer connected to a cellular or a standalone WAP or HTML (Hypertext Markup Language) capable phone and play the game on the spot.
However, the user or consumer may not know who is operating the web site and may have a legitimate fear of supplying a credit card number over the Internet to a stranger who may or may not deliver the desired product. Further, the user may be concerned that the agreed upon price will not be the price actually charged to his credit card even when the buyer is dealing directly in a face to face transaction with the seller. In addition, there is also the possibility even in a face to face transaction that the buyer may be double billed for the same item. Also, in an Internet transaction there is no guarantee that the goods will be delivered if the web site operator is less than honest.
Credit card companies have attempted to resolve the issues related to double billing or billing the incorrect amount by providing dispute resolution services in which a customer may challenge a charged amount and the credit card company will launch an investigation. However, such an investigation may take a long time and the buyer is not guaranteed of a satisfactory resolution. In the case of fraud due to a stolen credit card, the credit card company will normally limit liability if the card is promptly reported as stolen. In the case of a debit card, the bank may not be required to limit liability in case of loss or theft.
Other methods utilized to prevent fraud and error in commercial transactions has been through the use of digital signatures that may not be repudiated. In public key systems, an entity called the certification authority (CA) performs two central functions: issuance and revocation of certificates. A certificate is used to connect a name or an authorization, such as permission to make purchases, to a public signature verification key. The certificate is signed by the CA. To verify the certificate an authentic copy of CA's public signature verification key is required. For example, assuming a person or entity has the public key of a certain CA (CA1). This person or entity can verify certificates issued by a certain CA (CA2), only if CA2's public key has been certified by CA1. This type of cross-certification of CAs is referred to as a “public key infrastructure” (PKI). Thus, in order for digital signatures to have widespread usage such digital signatures require the presence of a global PKI which is difficult to develop since it requires contracts and agreements between a large number of parties. Attempts to create such a global PKI system have so far met with failure. Public key certificates and cross certification are discussed in further detail in Section 13.4.2 “public key certificates” and Section 13.6.2 “Trust models involving multiple certification authorities” of Handbook of Applied Cryptography by A. J. Menezes et al., CRC Press 1997, ISBN 0-8493-8523-7, which are incorporated herein by reference.
Therefore, what is needed are a system and method which allows a user or consumer to pay for goods and services while ensuring that an hacker or criminal may not listen in or tap into a payment transaction between a legitimate buyer and seller and later use this knowledge to make purchases which are charged to the legitimate user. This system and method should further not allow the legitimate user from repudiating legitimate charges he has made. This system and method should also prevent a seller from forging payment transactions in the name of a legitimate consumer. This system and method should also not require the establishment of a new infrastructure in order to operate properly.