Credit card companies such as VISA® and MASTERCARD® have been very successful in persuading customers that credit cards should be used to complete any and all commercial transactions in place of cash. As a result of the success of the credit card, almost every retail establishment now has a magnetic card stripe reader to accept credit cards for payment. Concurrent with the proliferation of the magnetic stripe card readers used to process credit cards, many financial institutions have authorized the issuance of debit cards that are interoperable with the magnetic card readers.
Typically, a credit card is swiped through the magnetic card reader, and the credit card owner does not have to take further steps to complete the authorization of the transaction, although some establishments require a signature to complete the transaction. In contrast, a debit card typically requires the card owner to enter, via a keypad, a personal identification number (PIN) to complete customer authorization of the transaction, since funds are transferred directly from the customer's bank account for payment. The PIN, if present, is typically encrypted at the point of entry and then sent in an encrypted format over open communication links, such as a telephone line, to a host computer for transaction authorization. The encryption is used to protect the PIN from disclosure so that unauthorized persons may not obtain the PIN in clear form to defraud the legitimate card holder, the vendor, or an authorizing institution or card issuer.
Commonly owned U.S. Pat. No. 5,228,084, which is hereby incorporated by reference in its entirety, describes an encryption process for confidential information in the context of a fueling environment. Specifically, fueling environments include a plurality of fuel dispensers that accept debit cards and have a keypad for PIN entry. The '084 patent further describes that the fueling environment is divided into two zones. The first zone is a local zone within the fueling environment. The local zone extends from the data entry point to a security module associated with a site controller. The second zone is the host zone and extends from the security module to the host computer that authorizes the transaction. The PIN is encrypted by the data entry point device (a keypad, a card reader, or the like) using a local encryption algorithm, and is sent to the security module, which is tamper resistant. The security module decrypts the information from the data entry point device using the local encryption scheme and re-encrypts the information according to a host encryption algorithm used by the host computer. After re-encryption, the information is sent to the host computer for transaction authorization. Thus, the PIN is never present in an unencrypted format on the communication links.
While the '084 patent has been particularly efficacious at preventing fraud, the fueling environment has not remained static since its introduction. Specifically, the fuel dispenser has evolved to include a large display that may include a touch screen. Even if the display does not include a touch screen, the fuel dispenser has numerous keypads that are used to interact with the customer. The customer may respond to queries presented on the display by pressing one or more keys on the keypad or the touch screen. Not all of these queries solicit sensitive or confidential information like a PIN. For example, the response to a query about whether a customer wants a receipt is not necessarily confidential. The dual nature of the queries to the customer generates a quandary about what to do with the non-confidential information.
The obvious solution is to encrypt all data received from the customer and pass the encrypted information in the local zone to the security module for decryption so that the security module and the site controller can determine if the data needs re-encryption in the host zone or otherwise needs to be processed. However, this solution imposes a large processing burden on the security module and the site controller. Additionally, the constant communication from the fuel dispenser data entry point device and the security module for all input data, both confidential and non-confidential, burdens the internal communication network of the fueling environment, which in turn may delay the authorization of fueling or raise similar concerns. Thus, there needs to be a better way to encrypt confidential data at the data entry point device.