CPC G06F 21/45 (2013.01) [G06Q 20/3678 (2013.01); H04L 9/3226 (2013.01); H04L 63/083 (2013.01); H04L 63/0853 (2013.01); H04L 63/123 (2013.01); G06Q 2220/00 (2013.01)] | 12 Claims
1. A method for authenticating a transaction that requires the use of a personal identification number (PIN), the method being implemented by at least one processor, the method comprising:
i) receiving, by at least one processor of a point-of-sale terminal, a request for executing a transaction using a card that includes an embedded chip, comprising:
receiving the card at the point-of-sale terminal, and
establishing a first data flow by establishing communication between the card and the point-of-sale terminal using asymmetric keys;
ii) obtaining, by the at least one processor of the point-of-sale terminal, chip information from the embedded chip, the chip information being card-specific information;
iii) receiving, by the at least one processor of the point-of-sale terminal, a user input via a keypad that includes at least the PIN identifying the user and input by the keypad in a second data flow;
iv) transmitting the PIN from the point-of-sale terminal to the embedded chip of the card;
v) combining, by the embedded chip of the card, the PIN with the chip information and transaction information about the executed transaction, the transaction information including a transaction date, a transaction type, a currency code, and a transaction amount;
vi) generating, by the embedded chip of the card, a first transaction-specific cryptogram from the combination of the PIN, the chip information, and the transaction information prior to transmission by performing a message authentication code, denoted as a MAC code, operation on the combination;
vii) transmitting, by the at least one processor of the point-of-sale terminal, in a third data flow, the first transaction-specific cryptogram, the chip information, and the transaction information to an acquirer server, and refraining from transmitting the PIN, separately from the first transaction-specific cryptogram;
viii) transmitting, in a fourth data flow, an authorization request including the first transaction-specific cryptogram, the chip information, and the transaction information from the acquirer server to a payment network server, requesting an authorization of the transaction based on the generated first transaction-specific cryptogram;
ix) forwarding, from the payment network server, to an issuer server, in a fifth data flow, the authorization request, the first transaction-specific cryptogram, the chip information, and the transaction information; and
x) generating, by the issuer server, a sixth data flow including:
retrieving from a memory of the issuer server, PIN information, identifying the user, corresponding to the chip information,
generating a second transaction-specific cryptogram, independent of the generating of the first transaction-specific cryptogram, using the received chip information, the received transaction information, and the received PIN information retrieved from the card information database corresponding to the chip information of the issuer server, and
authenticating the transaction when the first and second transaction-specific cryptograms match and the PIN entered in the second data flow is the same as the PIN information, retrieved by the issuer server in the sixth data flow.
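
The cryptogram generation and issuer-side check of steps v) to x), as an added sketch that is not part of the patent text. It assumes HMAC-SHA-256 as the MAC, a per-card symmetric key shared by the chip and the issuer, and a length-prefixed field encoding, none of which the claim specifies; all sample values are constructed.

```python
import hashlib
import hmac

def _encode(fields):
    # Length-prefix each field so ("12", "345") and ("123", "45") cannot collide.
    out = b""
    for field in fields:
        raw = field.encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out

def cryptogram(card_key, pin, chip_info, txn):
    """Step vi: MAC over the combination of PIN, chip information and transaction information."""
    fields = [pin, chip_info, txn["date"], txn["type"], txn["currency"], txn["amount"]]
    return hmac.new(card_key, _encode(fields), hashlib.sha256).digest()

# Constructed issuer records keyed by chip information (hypothetical values).
ISSUER_DB = {"CHIP-0001": {"card_key": bytes(range(32)), "pin": "4929"}}

# Constructed transaction information: date, type, currency code, amount.
TXN = {"date": "2024-05-01", "type": "00", "currency": "978", "amount": "25.00"}

def card_and_terminal(card_key, entered_pin, chip_info, txn):
    """Steps iv to vii: the chip computes the MAC; the terminal forwards it without the PIN."""
    mac = cryptogram(card_key, entered_pin, chip_info, txn)
    return {"cryptogram": mac, "chip_info": chip_info, "txn": txn}

def issuer_authenticate(request):
    """Step x: recompute the cryptogram from the stored PIN and compare in constant time."""
    record = ISSUER_DB.get(request["chip_info"])
    if record is None:
        return False
    expected = cryptogram(record["card_key"], record["pin"],
                          request["chip_info"], request["txn"])
    return hmac.compare_digest(expected, request["cryptogram"])

if __name__ == "__main__":
    key = ISSUER_DB["CHIP-0001"]["card_key"]
    good = card_and_terminal(key, "4929", "CHIP-0001", TXN)
    wrong_pin = card_and_terminal(key, "1234", "CHIP-0001", TXN)
    print("correct PIN:", issuer_authenticate(good))
    print("wrong PIN:", issuer_authenticate(wrong_pin))
```

A match shows the entered PIN equals the stored PIN information without the PIN travelling past the terminal, and any change to the forwarded transaction information also breaks the match.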