WO2011013136A1 - Integrated 3d security for mobile devices - Google Patents

Integrated 3d security for mobile devices Download PDF

Info

Publication number
WO2011013136A1
WO2011013136A1 PCT/IN2009/000694 IN2009000694W WO2011013136A1 WO 2011013136 A1 WO2011013136 A1 WO 2011013136A1 IN 2009000694 W IN2009000694 W IN 2009000694W WO 2011013136 A1 WO2011013136 A1 WO 2011013136A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
transaction
financial
mobile
financial instrument
Prior art date
Application number
PCT/IN2009/000694
Other languages
French (fr)
Inventor
Saurabh Sharma
Suresh Antantpurkar
Sanjay Swami
Original Assignee
Mchek India Payment Systems Pvt. Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mchek India Payment Systems Pvt. Ltd. filed Critical Mchek India Payment Systems Pvt. Ltd.
Publication of WO2011013136A1 publication Critical patent/WO2011013136A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3223Realising banking transactions through M-devices

Definitions

  • the invention relates to a method and system for secure transactions from a mobile device. More particularly, the invention relates to a method and system for 3D secure mobile commerce transactions.
  • An “acquiring bank” is a financial institution that processes payments for the products or services on behalf of a merchant
  • an “issuing bank” is a financial institution that issues the financial instrument to the user and authorizes payments on this financial instrument.
  • a user attempts a financial transaction using a financial instrument such as a credit card
  • the credit card details are forwarded to the issuing bank for authentication and transaction authorization.
  • the issuing bank for a 3D Secure transaction typically includes an access control server (ACS) that authenticates the cardholder ('user') and issues authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction.
  • ACS access control server
  • the access control server on receiving an authentication request verifies the cardholder either by way of confirming the date of birth of the cardholder or any other value that is mandated by the issuing bank, but is not available on the credit card itself. On successfully authenticating the cardholder, the access control server generates authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction.
  • 3D-Secure refers to the three domains in a financial transaction, namely, the issuer domain between the card holder and the issuing bank, the acquiring domain between the merchant and the acquiring bank, and the interoperability domain between the issuer domain, the acquiring domain and the infrastructure provided by the card associations to support the 3-D Secure protocol.
  • a transaction secured using this protocol is referred to as a 3D secure transaction.
  • Figure 1 is a schematic diagram illustrating a method for registering a financial instrument for a mobile device in accordance with an embodiment of the invention.
  • Figure 2 is a schematic diagram illustrating a method for securely conducting a financial transaction in accordance with an embodiment of the invention.
  • FIG. 3 is a schematic illustration of a Mobile Network Transaction System in accordance with an embodiment of the invention.
  • the invention relates to a method of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
  • the invention also provides for a mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
  • an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier
  • modules may be implemented as a hardware circuit comprising custom very large scale integration circuits or gate arrays, off-the-shelf semiconductors such as logic, chips, transistors, or the other discrete components.
  • a module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
  • Modules may also be implemented in software for execution by various types of processors.
  • An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organised as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined together, comprise the module and achieve the started purpose for the module.
  • a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices.
  • operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organised within any suitable type of data structure. The operational data maybe collected as a single data set, or may be distributed over different locations including over different member disks, and may exist, at least partially, merely as electronic signals on a system or network.
  • a "user” is a cardholder in possession of a credit/debit card linked to a financial account with a financial institution;
  • an "issuer bank” is a financial institution that issues the financial instrument to the "user” and authorizes payments on this financial instrument.
  • transaction authorization values are transaction codes generated for each transaction to authorise a financial transaction and are essential for a transaction to be completed;
  • a financial instrument such as credit or debit card or a bank account
  • a mobile communication identifier which is subsequently used for mobile transactions.
  • a method and system for authorizing a financial transaction over a communication channel is disclosed.
  • a 3D secure transaction method and system for mobile devices is disclosed.
  • a Mobile Network Transaction System is configured with an access control servers (ACS) of issuer banks such that the task of authenticating a user and generation of transaction authorization values are carried out by the Mobile Network Transaction System.
  • ACS access control servers
  • a user may register for mobile transactions from various channels including a client application on the mobile device, through a web-banner, through an online portal, by way of interactive voice response (IVR) or by way of a simple SMS.
  • the client application on the mobile device may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) or a SIM based application.
  • the client application may reside in the SIM card of the mobile device.
  • the user To register a financial instrument such as a credit card or debit card (herein after referred to as 'card') with the Mobile Network Transaction System, the user transmits the details of his financial instrument e.g., a card number, an expiry date and a card verification value (CW2) number to the mobile network transaction system, as indicated by step 1.
  • the user is also required to transmit a mobile communication identifier.
  • the mobile communication identifier may be a mobile number or a mobile device number.
  • the user is requested to enter the date of birth (DOB).
  • DOB date of birth
  • any numeric or non-numeric information which is not available on the Card but is registered with the issuer bank by the user may be submitted.
  • the Mobile Network Transaction System server then communicates with the card association (e.g., VISA or MasterCard) Directory Server (DS) for the URL of the Access Control Server of the issuer bank for the card selected by the user, as indicated by step 2.
  • the card association e.g., VISA or MasterCard
  • DS Directory Server
  • the initial registration involves verifying the financial instrument at the issuer bank, the step of verification may also be done by a Transaction Authorization Server of the Mobile Network Transaction Server that functions as an access control server.
  • the Mobile Network Transaction System that is integrated with the existing access control servers for various issuer banks determines the Access Control Server for the card selected by the user.
  • the Mobile Network Transaction System sends the card details, mobile number and the date of birth to the Access Control Server for validation, as indicated by step 3.
  • the access control server receives the details sent by the Mobile Network Transaction System and verifies the details of the user.
  • the access control server communicates with the Mobile Network Transaction System after checking the user details, as indicated by step 4.
  • the Mobile Network Transaction System then prompts the user to select and confirm a Mobile Network Transaction System Personal Identification Number, or PIN (which may be a six-digit numeric value), as indicated by step 5.
  • PIN Mobile Network Transaction System Personal Identification Number
  • the user input PIN result is returned to the mobile network transaction server and upon successful authentication, marks the user or the card as "Verified", as indicated by step 6.
  • the Mobile Network Transaction System is configured to capture the mobile communication identifier from the user and validates each mobile number each time it is used for a financial transaction on each channel that may be used by the user. For example, for SMS based transactions, the Mobile Network Transaction System gets the SMS from the mobile number; for IVR based transactions., the Mobile Network
  • the Mobile Network Transaction System knows the mobile number that has called the IVR; and for transactions based on Wireless Application Protocol (WAP), the operator provides the mobile number in the header. Accordingly, the Mobile Network Transaction System does not require additional SMSs or the need to generate a one-time-password (OTP) and to validate that to verify the possession of the mobile device.
  • WAP Wireless Application Protocol
  • the Mobile Network Transaction System functions as an Access Control Server during transactions from a "verified" card.
  • the Mobile Network Transaction System generates one or more transaction authorization values that identify the transaction as a secure transaction.
  • the transaction authorization values may include a Cardholder Authentication Verification Value (CAW) for VISA card, an Universal Cardholder Authentication Field (UCAF) for MasterCard credit card, an Unique transaction ID of the 3D secure system (XID) and an Electronic Commerce Indicator (ECI).
  • CAW Cardholder Authentication Verification Value
  • UCAF Universal Cardholder Authentication Field
  • XID Unique transaction ID of the 3D secure system
  • ECI Electronic Commerce Indicator
  • the transaction authorization values generated by the Mobile Network Transaction System may depend on the card selected by the user.
  • the financial instrument to be used for the transaction may be stored in an encrypted form by the mobile client.
  • details of the financial instrument may be stored by the Mobile Network Transaction System linked to the mobile communication identifier.
  • the mobile client transmits details of the transaction to the Mobile Network Transaction System along the mobile communication identifier details.
  • the Mobile Network Transaction System receives these details and checks if the financial instrument has been marked as "verified” for the mobile communication identifier, as indicated by step 2. If the card is "verified", the Mobile Network Transaction System prompts the user to enter a Mobile Network Transaction System PIN, as indicated by step 3. The user input PIN result is returned to the Mobile Network Transaction System, as indicated by step 4.
  • the Mobile Network Transaction System authenticates the user. For the authenticated user, the Mobile Network Transaction System generates one or more transaction authorization values, as indicated by step 5. The Mobile Network Transaction System then submits the details of the transaction along with the generated transaction authorization values that identifies the transaction as a 3D secure transaction to the payment gateway for concluding the transaction, as indicated by step 6.
  • FIG. 3 illustrates a Communication Network 10 including a Mobile Network Transaction System 12 for authenticating a mobile user 14 and authorising a transaction in accordance with an embodiment.
  • a mobile device of the user 14, a payment gateway 16 and an issuer bank 30 are in communication connection with the Mobile Network Transaction System 12.
  • the Mobile Network Transaction System 12 includes an User Interface 18, an Authentication Processor 20, a Database 22. a Payment Gateway Interface 24, a Transaction Authorization Server 26 and a switch 28.
  • the database 22, user interface 18, the payment gateway interface 24 and the switch 28 are controlled by the authentication processor 20.
  • the mobile device 14 is capable of communicating remotely over the communication network 10 with the mobile network transaction system 12 by means of a mobile client on the mobile device 14.
  • the mobile client may be an application software or a web browser built specifically for mobile devices.
  • the mobile client may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) based application.
  • J2ME Java 2 platform, Micro Edition
  • BREW Binary Runtime Environment for Wireless
  • the mobile client enables seamless communication between the mobile device 14 and the Mobile Network Transaction System 12 regardless of underlying communications protocols.
  • the user interface 18 facilitates cross-platform communication between the Mobile Network Transaction System 18 and the mobile device 14.
  • the user interface 18 may include a security protocol that performs security related and data integrity related checks on the communication between the mobile device 14 and the Mobile Network Transaction System 12.
  • the security protocol may be SSL (Secure Socket Layer), TLS (Transport Layer Security), PPP (Point-to-Point protocol) or any other protocol known in the art.
  • the user interface 18 may be configured to receive user details from the mobile device 14. Alternatively, the user interface 18 may be connected to merchant interface, a web portal or a web banner to permit users to log on to the Mobile Network Transaction System 12.
  • the database 22 of the Mobile Network Transaction System 12 holds user details including mobile communication identifier details such as the mobile number, card details, CW, expiry date of card, issuer bank details, etc.
  • the database 22 may also be configured to store financial transaction details for transactions of the user.
  • the payment gateway interface 24 facilitates cross-platform communication between the Mobile Network Transaction System 12 and the payment gateway 16.
  • the Authentication Processor 20 of the Mobile Network Transaction System 12 facilitates in registering the user.
  • the Authentication Processor 20 authenticates the user by verifying the details of the financial instrument received from the user.
  • the authentication processor 20 further links the financial instrument of the user with the mobile communication identifier for the user upon successful validation.
  • the authentication processor 20 is further configured to mark the financial instrument as 'verified' on a successful validation.
  • the Authentication Processor 20 facilitates communication with the user's mobile device 14, the issuer bank 30 and the payment gateway 16 with the help of the user interface 22, the switch 28 and the payment gateway interface 24 respectively.
  • the Transaction Authorization Server 26 is configured to authorise a transaction for an authenticated user by generating one or more transaction authorization values for the transaction.
  • the payment gateway 16 concludes the transaction authenticated and authorized by the mobile network transaction system 12.
  • the switch 28 is an interface that assists the Mobile Network Transaction System 12 to connect and exchange information with the Issuing Bank 30.
  • the switch 28 may include a security protocol such as a Secure Socket Layer (SSL) or Virtual Private Network (VPN) protocol to confidently and securely communicate with the Issuing Bank 3 1 O.
  • SSL Secure Socket Layer
  • VPN Virtual Private Network
  • a mobile user 14 initiates a financial transaction on his mobile device.
  • the mobile user 14 enters the financial instrument details on his mobile device to initiate a transaction or selects a financial instrument from previously stored financial instruments.
  • the mobile network transaction system 12 may initiate a transaction by sending a request to the mobile device prompting the mobile user 14 to enter his financial instrument details.
  • the mobile network transaction system 12 may be configured to push a transaction to the mobile device of the user 14.
  • the mobile client of the mobile device may be configured to receive and execute the request received from the mobile network transaction system 12.
  • a Mobile Network Transaction System Personal Identification Number or a PIN is an input secret entry, such as an alphanumeric string that is used for authentication transaction by the mobile user.
  • the PIN may be a 6 digit or more digit personal identification number, a security code, biometric information of the user or any combination thereof.
  • the mobile communication identifier is any device used for communication over a wireless communication network and includes a mobile phone, a smart phone, a Personal Digital Assistant (PDA) or a pager.
  • Industrial Applicabflity is any device used for communication over a wireless communication network and includes a mobile phone, a smart phone, a Personal Digital Assistant (PDA) or a pager.
  • the Mobile Network Transaction System simultaneously performs the functions of an Access Control Server, in that it authenticates a user as well as generates transaction authorization values that are then forwarded to the payment gateway for the purposes of concluding the transaction.
  • the system and method disclosed does away with the need of forwarding the transaction details to an independent Access Control Server for the purposes of authenticating the user and generating transaction values.
  • the process for the user to initiate and authorize the transaction remains the same and the user on registering with the Mobile Network Transaction System is required only to enter a PIN as the details used for authentication to conclude the transaction.
  • the system and method disclosed offers a new 3D-Secure model for mobile commerce.
  • the system and method provides for a unique way for authorizing a financial transaction over a communication channel 10.
  • the Mobile Network Transaction System incorporates all three domains, namely, the issuer domain, the acquiring domain and the interoperability domain.
  • the Mobile Network Transaction System verifies the possession of a mobile communication identifier as well as authenticates the user and then allows the user to setup a unique password (Mobile Network Transaction System PIN).
  • the mobile communication identifier and the financial instrument details are linked together in a secure environment.
  • a method of authorizing a financial transaction over a communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
  • authenticating the financial instrument includes receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
  • authenticating the financial instrument includes validating the mobile communication identifier of the user with the provider of the financial instrument.
  • Such method as described above wherein registering a user at the mobile network transaction system includes generating a password for the user on a valid authentication.
  • authenticating the user at the mobile network transaction system includes receiving the password for the user.
  • authenticating the financial transaction at the mobile network transaction system includes generating transaction authorization values at the mobile network transaction system.
  • Such method as described above further comprising transmitting to a payment gateway the transaction authorization values for the authorised financial transaction.
  • a mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
  • the system as described above further configured to authenticate the financial instrument by receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
  • the system as described above further configured to authenticate the financial instrument by validating the mobile communication identifier of the user with the provider of the financial instrument.
  • the system as described above further comprising a password generator for generating a password for the user on a valid authentication of the financial instrument.
  • the system as described above further configured to authenticate the user by receiving the password for the user.
  • the system as described above further configured to receive details of the financial transaction to be authorised from the registered mobile communication identifier for the user.
  • the system as described above further configured to transmit to a payment gateway the transaction authorization values for the authorised financial transaction.

Abstract

A method and system of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.

Description

INTEGRATED 3D SECURITY FOR MOBILE DEVICES
The invention relates to a method and system for secure transactions from a mobile device. More particularly, the invention relates to a method and system for 3D secure mobile commerce transactions.
BACKGROUND
In existing systems employed for the authorisation of financial transactions for e-commerce or mobile originated transactions using financial instruments such as credit cards and debit cards, it is difficult to acquire a firm guarantee that the person initiating the financial transaction is authentic and authorised to conclude the financial transaction. Currently, the processes employed by financial institutions, e.g., banks, validate the card details and guarantee the availability of rands in the account and not the cardholder for mobile originated transactions. It is a process that provides no more than authorisation of the financial transaction after ensuring that funds are accessible to complete the financial transaction. However, these processes do not provide any means of authenticating the ownership of the financial instrument being used by the individual making the transaction.
Instances of fraud and charge-backs in mobile-based transactions are a constant concern, and validation of the mobile number in this regard is also useful. Banks and other financial institutions are still exploring the use of mobile commerce to allow their customers to not only access account information, but also make transactions, e.g. purchasing products and services, remitting money via mobile phones and other forms of mobile commerce. However, there exist security concerns of such l transactions and particularly issues relating to ownership of the financial instruments used in such transactions.
An "acquiring bank" is a financial institution that processes payments for the products or services on behalf of a merchant, whereas an "issuing bank" is a financial institution that issues the financial instrument to the user and authorizes payments on this financial instrument. When, a user attempts a financial transaction using a financial instrument such as a credit card, the credit card details are forwarded to the issuing bank for authentication and transaction authorization. The issuing bank for a 3D Secure transaction, typically includes an access control server (ACS) that authenticates the cardholder ('user') and issues authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction. The access control server on receiving an authentication request verifies the cardholder either by way of confirming the date of birth of the cardholder or any other value that is mandated by the issuing bank, but is not available on the credit card itself. On successfully authenticating the cardholder, the access control server generates authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction.
Prevailing security standards for e-commerce now require "3D-Secure" security for financial transactions. "3D" refers to the three domains in a financial transaction, namely, the issuer domain between the card holder and the issuing bank, the acquiring domain between the merchant and the acquiring bank, and the interoperability domain between the issuer domain, the acquiring domain and the infrastructure provided by the card associations to support the 3-D Secure protocol. A transaction secured using this protocol is referred to as a 3D secure transaction.
While there have been attempts at achieving security in mobile commerce, existing systems are unable to provide a 3D secure transactions for mobile devices. Moreover, it would be desirable to create security systems for mobile commerce that are user friendly and do not require the generation of one time passwords (OTP) or multiple communications between users and authentication systems. Furthermore, it would also be desirable if security systems for mobile devices could utilize, and seamlessly integrate with, existing financial transaction systems without the need for excessive infrastructure overhaul.
BRIEF DESCRIPTION OF DRAWINGS
Examples of embodiments of the invention are illustrated by way of illustration and not limitation in the figures of the accompanying drawings, in which like references indicate similar element and in which:
Figure 1 is a schematic diagram illustrating a method for registering a financial instrument for a mobile device in accordance with an embodiment of the invention.
Figure 2 is a schematic diagram illustrating a method for securely conducting a financial transaction in accordance with an embodiment of the invention.
Figure 3 is a schematic illustration of a Mobile Network Transaction System in accordance with an embodiment of the invention; Summary
The invention relates to a method of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
The invention also provides for a mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
DETAILED DESCRIPTION
For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.
It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the invention and are not intended to be restrictive thereof. Throughout the patent specification, a convention employed is that in the appended drawings, like numerals denote like components.
Many of the functional units described in this specification have been labelled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom very large scale integration circuits or gate arrays, off-the-shelf semiconductors such as logic, chips, transistors, or the other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organised as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined together, comprise the module and achieve the started purpose for the module.
Indeed, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organised within any suitable type of data structure. The operational data maybe collected as a single data set, or may be distributed over different locations including over different member disks, and may exist, at least partially, merely as electronic signals on a system or network.
Reference throughout this specification to "one embodiment", "an embodiment" or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrase "in one embodiment", "in an embodiment" and similar language throughout this specification may, but not necessarily, refer to the same embodiment. In the context of this specification:
A "user" is a cardholder in possession of a credit/debit card linked to a financial account with a financial institution;
The terms user, and mobile user are used interchangeably in the context of the following description.
an "issuer bank" is a financial institution that issues the financial instrument to the "user" and authorizes payments on this financial instrument.
a "transaction authorization values" are transaction codes generated for each transaction to authorise a financial transaction and are essential for a transaction to be completed;
In mobile commerce scenario, a financial instrument, such as credit or debit card or a bank account, is linked to a mobile communication identifier which is subsequently used for mobile transactions.
A method and system for authorizing a financial transaction over a communication channel is disclosed. A 3D secure transaction method and system for mobile devices is disclosed.
Referring to Figure 1, a Mobile Network Transaction System is configured with an access control servers (ACS) of issuer banks such that the task of authenticating a user and generation of transaction authorization values are carried out by the Mobile Network Transaction System.
Still referring to Figure 1, a method for registering a mobile user for mobile transactions is illustrated. A user may register for mobile transactions from various channels including a client application on the mobile device, through a web-banner, through an online portal, by way of interactive voice response (IVR) or by way of a simple SMS. The client application on the mobile device may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) or a SIM based application. The client application may reside in the SIM card of the mobile device.
For the purposes of describing the invention, reference is made to the embodiment illustrated in Figure 1 for registration from a J2ME client on the mobile. The method of registration described however is equally applicable for other channels of registration as well.
To register a financial instrument such as a credit card or debit card (herein after referred to as 'card') with the Mobile Network Transaction System, the user transmits the details of his financial instrument e.g., a card number, an expiry date and a card verification value (CW2) number to the mobile network transaction system, as indicated by step 1. The user is also required to transmit a mobile communication identifier. The mobile communication identifier may be a mobile number or a mobile device number. Additionally, the user is requested to enter the date of birth (DOB). Alternatively, any numeric or non-numeric information which is not available on the Card but is registered with the issuer bank by the user may be submitted.
The Mobile Network Transaction System server then communicates with the card association (e.g., VISA or MasterCard) Directory Server (DS) for the URL of the Access Control Server of the issuer bank for the card selected by the user, as indicated by step 2. Although in the embodiment illustrated, the initial registration involves verifying the financial instrument at the issuer bank, the step of verification may also be done by a Transaction Authorization Server of the Mobile Network Transaction Server that functions as an access control server.
Based on the URL provided by the card association, the Mobile Network Transaction System that is integrated with the existing access control servers for various issuer banks determines the Access Control Server for the card selected by the user. The Mobile Network Transaction System sends the card details, mobile number and the date of birth to the Access Control Server for validation, as indicated by step 3.
The access control server receives the details sent by the Mobile Network Transaction System and verifies the details of the user. The access control server communicates with the Mobile Network Transaction System after checking the user details, as indicated by step 4. The Mobile Network Transaction System then prompts the user to select and confirm a Mobile Network Transaction System Personal Identification Number, or PIN (which may be a six-digit numeric value), as indicated by step 5. The user input PIN result is returned to the mobile network transaction server and upon successful authentication, marks the user or the card as "Verified", as indicated by step 6.
The Mobile Network Transaction System is configured to capture the mobile communication identifier from the user and validates each mobile number each time it is used for a financial transaction on each channel that may be used by the user. For example, for SMS based transactions, the Mobile Network Transaction System gets the SMS from the mobile number; for IVR based transactions., the Mobile Network
Transaction System knows the mobile number that has called the IVR; and for transactions based on Wireless Application Protocol (WAP), the operator provides the mobile number in the header. Accordingly, the Mobile Network Transaction System does not require additional SMSs or the need to generate a one-time-password (OTP) and to validate that to verify the possession of the mobile device.
Once a user is registered with the Mobile Network Transaction System, the user may conduct secure transactions from the registered mobile device which is described in details with reference to Figure 2. The Mobile Network Transaction System functions as an Access Control Server during transactions from a "verified" card. The Mobile Network Transaction System generates one or more transaction authorization values that identify the transaction as a secure transaction. By way of example, the transaction authorization values may include a Cardholder Authentication Verification Value (CAW) for VISA card, an Universal Cardholder Authentication Field (UCAF) for MasterCard credit card, an Unique transaction ID of the 3D secure system (XID) and an Electronic Commerce Indicator (ECI). The transaction authorization values generated by the Mobile Network Transaction System may depend on the card selected by the user.
For the purposes of describing the invention, the following description refers to a transaction initiated from a mobile client. The financial instrument to be used for the transaction may be stored in an encrypted form by the mobile client. Alternatively, details of the financial instrument may be stored by the Mobile Network Transaction System linked to the mobile communication identifier.
In accordance with an embodiment, for a transaction initiated by a user from the mobile device, as indicated by step 1 in Figure 2, the mobile client transmits details of the transaction to the Mobile Network Transaction System along the mobile communication identifier details. The Mobile Network Transaction System receives these details and checks if the financial instrument has been marked as "verified" for the mobile communication identifier, as indicated by step 2. If the card is "verified", the Mobile Network Transaction System prompts the user to enter a Mobile Network Transaction System PIN, as indicated by step 3. The user input PIN result is returned to the Mobile Network Transaction System, as indicated by step 4. On a successful PIN verification, the Mobile Network Transaction System authenticates the user. For the authenticated user, the Mobile Network Transaction System generates one or more transaction authorization values, as indicated by step 5. The Mobile Network Transaction System then submits the details of the transaction along with the generated transaction authorization values that identifies the transaction as a 3D secure transaction to the payment gateway for concluding the transaction, as indicated by step 6.
Figure 3 illustrates a Communication Network 10 including a Mobile Network Transaction System 12 for authenticating a mobile user 14 and authorising a transaction in accordance with an embodiment. A mobile device of the user 14, a payment gateway 16 and an issuer bank 30 are in communication connection with the Mobile Network Transaction System 12. The Mobile Network Transaction System 12 includes an User Interface 18, an Authentication Processor 20, a Database 22. a Payment Gateway Interface 24, a Transaction Authorization Server 26 and a switch 28. The database 22, user interface 18, the payment gateway interface 24 and the switch 28 are controlled by the authentication processor 20. The mobile device 14 is capable of communicating remotely over the communication network 10 with the mobile network transaction system 12 by means of a mobile client on the mobile device 14. The mobile client may be an application software or a web browser built specifically for mobile devices. According to an embodiment, the mobile client may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) based application. The mobile client enables seamless communication between the mobile device 14 and the Mobile Network Transaction System 12 regardless of underlying communications protocols.
The user interface 18 facilitates cross-platform communication between the Mobile Network Transaction System 18 and the mobile device 14. The user interface 18 may include a security protocol that performs security related and data integrity related checks on the communication between the mobile device 14 and the Mobile Network Transaction System 12. The security protocol may be SSL (Secure Socket Layer), TLS (Transport Layer Security), PPP (Point-to-Point protocol) or any other protocol known in the art. The user interface 18 may be configured to receive user details from the mobile device 14. Alternatively, the user interface 18 may be connected to merchant interface, a web portal or a web banner to permit users to log on to the Mobile Network Transaction System 12.
The database 22 of the Mobile Network Transaction System 12 holds user details including mobile communication identifier details such as the mobile number, card details, CW, expiry date of card, issuer bank details, etc. The database 22 may also be configured to store financial transaction details for transactions of the user.
The payment gateway interface 24 facilitates cross-platform communication between the Mobile Network Transaction System 12 and the payment gateway 16.
The Authentication Processor 20 of the Mobile Network Transaction System 12 facilitates in registering the user. The Authentication Processor 20 authenticates the user by verifying the details of the financial instrument received from the user. The authentication processor 20 further links the financial instrument of the user with the mobile communication identifier for the user upon successful validation. The authentication processor 20 is further configured to mark the financial instrument as 'verified' on a successful validation.
The Authentication Processor 20 facilitates communication with the user's mobile device 14, the issuer bank 30 and the payment gateway 16 with the help of the user interface 22, the switch 28 and the payment gateway interface 24 respectively.
The Transaction Authorization Server 26 is configured to authorise a transaction for an authenticated user by generating one or more transaction authorization values for the transaction.
The payment gateway 16 concludes the transaction authenticated and authorized by the mobile network transaction system 12.
The switch 28 is an interface that assists the Mobile Network Transaction System 12 to connect and exchange information with the Issuing Bank 30. The switch 28 may include a security protocol such as a Secure Socket Layer (SSL) or Virtual Private Network (VPN) protocol to confidently and securely communicate with the Issuing Bank 31O.
In accordance with a specific embodiment, a mobile user 14 initiates a financial transaction on his mobile device. The mobile user 14 enters the financial instrument details on his mobile device to initiate a transaction or selects a financial instrument from previously stored financial instruments.
Alternatively, the mobile network transaction system 12 may initiate a transaction by sending a request to the mobile device prompting the mobile user 14 to enter his financial instrument details. The mobile network transaction system 12 may be configured to push a transaction to the mobile device of the user 14. The mobile client of the mobile device may be configured to receive and execute the request received from the mobile network transaction system 12.
A Mobile Network Transaction System Personal Identification Number or a PIN is an input secret entry, such as an alphanumeric string that is used for authentication transaction by the mobile user. The PIN may be a 6 digit or more digit personal identification number, a security code, biometric information of the user or any combination thereof.
The mobile communication identifier is any device used for communication over a wireless communication network and includes a mobile phone, a smart phone, a Personal Digital Assistant (PDA) or a pager. Industrial Applicabflity
The Mobile Network Transaction System simultaneously performs the functions of an Access Control Server, in that it authenticates a user as well as generates transaction authorization values that are then forwarded to the payment gateway for the purposes of concluding the transaction. In this regard, the system and method disclosed does away with the need of forwarding the transaction details to an independent Access Control Server for the purposes of authenticating the user and generating transaction values. Moreover, the process for the user to initiate and authorize the transaction remains the same and the user on registering with the Mobile Network Transaction System is required only to enter a PIN as the details used for authentication to conclude the transaction.
The system and method disclosed offers a new 3D-Secure model for mobile commerce. The system and method provides for a unique way for authorizing a financial transaction over a communication channel 10. The Mobile Network Transaction System incorporates all three domains, namely, the issuer domain, the acquiring domain and the interoperability domain. The Mobile Network Transaction System verifies the possession of a mobile communication identifier as well as authenticates the user and then allows the user to setup a unique password (Mobile Network Transaction System PIN). The mobile communication identifier and the financial instrument details are linked together in a secure environment. Specific Embodiments:
A method of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
Such method as described above wherein the mobile communication identifier is a mobile number or a mobile device number.
Such method as described above wherein authenticating the financial instrument includes receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
Such method as described above wherein authenticating the financial instrument includes validating the mobile communication identifier of the user with the provider of the financial instrument.
Such method as described above wherein registering a user at the mobile network transaction system includes generating a password for the user on a valid authentication. Such method as described above wherein authenticating the user at the mobile network transaction system includes receiving the password for the user.
Such method as described above wherein details of the financial transaction to be authorised are received from the registered mobile communication identifier for the user.
Such method as described above wherein details of the financial transaction are received from a web portal.
Such method as described above wherein authenticating the financial transaction at the mobile network transaction system includes generating transaction authorization values at the mobile network transaction system.
Such method as described above further comprising transmitting to a payment gateway the transaction authorization values for the authorised financial transaction.
A mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
The system as described above further configured to authenticate the financial instrument by receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
The system as described above further configured to authenticate the financial instrument by validating the mobile communication identifier of the user with the provider of the financial instrument.
The system as described above further comprising a password generator for generating a password for the user on a valid authentication of the financial instrument.
The system as described above further configured to authenticate the user by receiving the password for the user.
The system as described above further configured to receive details of the financial transaction to be authorised from the registered mobile communication identifier for the user.
The system as described above wherein the transaction authorization server generates transaction authorization values for the mobile network transaction system. The system as described above further configured to transmit to a payment gateway the transaction authorization values for the authorised financial transaction.
While specific language has been used to describe the invention, any limitations arising on account of the same are not intended. As would be apparent to a person in the art, various working modifications may be made to the system in order to implement the inventive concept as taught herein.

Claims

We claim:
1. A method of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising:
registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication;
receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user;
authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
2. A method as claimed in claim 1 wherein the mobile communication identifier is a mobile number or a mobile device number.
3. A method as claimed in claim 1 wherein authenticating the financial instrument includes receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
4. A method as claimed in claim 1 wherein authenticating the financial instrument includes validating the mobile communication identifier of the user with the provider of the financial instrument.
5. A method as claimed in claim 1 wherein registering a user at the mobile network transaction system includes generating a password for the user on a valid authentication.
6. A method as claimed in claim 5 wherein authenticating the user at the mobile network transaction system includes receiving the password for the user.
7. A method as claimed in claim 1 or 4 wherein details of the financial transaction to be authorised are received from the registered mobile communication identifier for the user.
8. A method as claimed in claim 1 wherein details of the financial transaction are received from a web portal.
9. A method as claimed in claim 1 wherein authenticating the financial transaction at the mobile network transaction system includes generating transaction authorization values at the mobile network transaction system.
10. A method as claimed in claim 9 farther comprising transmitting to a payment gateway the transaction authorization values for the authorised financial transaction.
11. A mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising: an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
12. A system as claimed in claim 11 further configured to authenticate the financial instrument by receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
13. A system as claimed in claim 11 further configured to authenticate the financial instrument by validating the mobile communication identifier of the user with the provider of the financial instrument.
14. A system as claimed in claim 11 further comprising a password generator for generating a password for the user on a valid authentication of the financial instrument.
15. A system as claimed in claim 14 further configured to authenticate the user by receiving the password for the user.
16. A system as claimed in claim 11 further configured to receive details of the financial transaction to be authorised from the registered mobile communication identifier for the user.
17. A system as claimed in claim 11 wherein the transaction authorization server generates transaction authorization values for the mobile network transaction system.
18. A system as claimed in claim 17 further configured to transmit to a payment gateway the transaction authorization values for the authorised financial transaction.
19. A method of authorizing a financial transaction over a communication network substantially as herein described with reference to and as illustrated by the accompanying drawings.
20. A mobile network transaction system substantially as herein described with reference to and as illustrated by the accompanying drawings.
PCT/IN2009/000694 2009-07-28 2009-11-30 Integrated 3d security for mobile devices WO2011013136A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN1775CH2009 2009-07-28
IN1775/CHE/2009 2009-07-28

Publications (1)

Publication Number Publication Date
WO2011013136A1 true WO2011013136A1 (en) 2011-02-03

Family

ID=41426428

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2009/000694 WO2011013136A1 (en) 2009-07-28 2009-11-30 Integrated 3d security for mobile devices

Country Status (2)

Country Link
AU (1) AU2009101174A4 (en)
WO (1) WO2011013136A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294025A1 (en) * 2005-06-28 2006-12-28 Paypal Inc. Mobile device communication system
US20070143230A1 (en) * 2003-06-30 2007-06-21 Selvanathan Narainsamy Transaction verification system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070143230A1 (en) * 2003-06-30 2007-06-21 Selvanathan Narainsamy Transaction verification system
US20060294025A1 (en) * 2005-06-28 2006-12-28 Paypal Inc. Mobile device communication system

Also Published As

Publication number Publication date
AU2009101174A4 (en) 2009-12-17

Similar Documents

Publication Publication Date Title
AU2021200521B2 (en) Systems and methods for device push provisioning
KR100994289B1 (en) Mobile account authentication service
US20090172402A1 (en) Multi-factor authentication and certification system for electronic transactions
CN115907763A (en) Providing payment credentials to a consumer
US11750368B2 (en) Provisioning method and system with message conversion
US20180082298A1 (en) Method and system for authorization of multiple transactions using a single authentication process
US11625713B2 (en) Method for securing transactional data processing, corresponding terminal and computer program
RU2644132C2 (en) Method, system and device for checking validation of transaction process
WO2021178773A1 (en) User authentication at access control server using mobile device
AU2009101171A4 (en) 3D security for mobile devices
US20220353253A1 (en) Secure and accurate provisioning system and method
AU2009101174A4 (en) Integrated 3D security for mobile devices
US20110153503A1 (en) Device and Method for Identity Theft Resistant Transcations
US11973871B2 (en) Domain validations using verification values
US20230231717A1 (en) Domain validations using verification values
US20230237172A1 (en) Data broker
AU2009100984B4 (en) A Method and System of Financial Instrument Authentication in a Communication Network
UA23036U (en) Method for implementation of payment operations by users of mobile electronic communication devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09847753

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09847753

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04/07/2012)

122 Ep: pct application non-entry in european phase

Ref document number: 09847753

Country of ref document: EP

Kind code of ref document: A1