WO2011013136A1 - Integrated 3d security for mobile devices - Google Patents
- Publication number
- WO2011013136A1 (PCT/IN2009/000694)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- transaction
- financial
- mobile
- financial instrument
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/32—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
- G06Q20/322—Aspects of commerce using mobile devices [M-devices]
- G06Q20/3223—Realising banking transactions through M-devices
Definitions
- the invention relates to a method and system for secure transactions from a mobile device. More particularly, the invention relates to a method and system for 3D secure mobile commerce transactions.
- An “acquiring bank” is a financial institution that processes payments for the products or services on behalf of a merchant
- an “issuing bank” is a financial institution that issues the financial instrument to the user and authorizes payments on this financial instrument.
- a user attempts a financial transaction using a financial instrument such as a credit card
- the credit card details are forwarded to the issuing bank for authentication and transaction authorization.
- the issuing bank for a 3D Secure transaction typically includes an access control server (ACS) that authenticates the cardholder ('user') and issues authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction.
- ACS access control server
- the access control server on receiving an authentication request verifies the cardholder either by way of confirming the date of birth of the cardholder or any other value that is mandated by the issuing bank, but is not available on the credit card itself. On successfully authenticating the cardholder, the access control server generates authentication values that are used by the issuing bank to authorize the transaction as a 3D-Secure transaction.
- 3D-Secure refers to the three domains in a financial transaction, namely, the issuer domain between the card holder and the issuing bank, the acquiring domain between the merchant and the acquiring bank, and the interoperability domain between the issuer domain, the acquiring domain and the infrastructure provided by the card associations to support the 3-D Secure protocol.
- a transaction secured using this protocol is referred to as a 3D secure transaction.
- Figure 1 is a schematic diagram illustrating a method for registering a financial instrument for a mobile device in accordance with an embodiment of the invention.
- Figure 2 is a schematic diagram illustrating a method for securely conducting a financial transaction in accordance with an embodiment of the invention.
- FIG. 3 is a schematic illustration of a Mobile Network Transaction System in accordance with an embodiment of the invention.
- the invention relates to a method of authorizing a financial transaction over a communication network, the communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
- the invention also provides for a mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
- an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier
- modules may be implemented as a hardware circuit comprising custom very large scale integration circuits or gate arrays, off-the-shelf semiconductors such as logic, chips, transistors, or the other discrete components.
- a module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
- Modules may also be implemented in software for execution by various types of processors.
- An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organised as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined together, comprise the module and achieve the stated purpose for the module.
- a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices.
- operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organised within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different member disks, and may exist, at least partially, merely as electronic signals on a system or network.
- a "user" is a cardholder in possession of a credit/debit card linked to a financial account with a financial institution;
- an "issuer bank" is a financial institution that issues the financial instrument to the "user" and authorizes payments on this financial instrument.
- transaction authorization values are transaction codes generated for each transaction to authorise a financial transaction and are essential for a transaction to be completed;
- a financial instrument such as credit or debit card or a bank account
- a mobile communication identifier which is subsequently used for mobile transactions.
- a method and system for authorizing a financial transaction over a communication channel is disclosed.
- a 3D secure transaction method and system for mobile devices is disclosed.
- a Mobile Network Transaction System is configured with the access control servers (ACS) of issuer banks such that the task of authenticating a user and generation of transaction authorization values are carried out by the Mobile Network Transaction System.
- ACS access control servers
- a user may register for mobile transactions from various channels including a client application on the mobile device, through a web-banner, through an online portal, by way of interactive voice response (IVR) or by way of a simple SMS.
- the client application on the mobile device may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) or a SIM based application.
- the client application may reside in the SIM card of the mobile device.
- To register a financial instrument such as a credit card or debit card (hereinafter referred to as 'card') with the Mobile Network Transaction System, the user transmits the details of his financial instrument, e.g., a card number, an expiry date and a card verification value (CVV2) number, to the mobile network transaction system, as indicated by step 1.
- the user is also required to transmit a mobile communication identifier.
- the mobile communication identifier may be a mobile number or a mobile device number.
- the user is requested to enter the date of birth (DOB).
- DOB date of birth
- any numeric or non-numeric information which is not available on the Card but is registered with the issuer bank by the user may be submitted.
- the Mobile Network Transaction System server then communicates with the card association (e.g., VISA or MasterCard) Directory Server (DS) for the URL of the Access Control Server of the issuer bank for the card selected by the user, as indicated by step 2.
- the card association e.g., VISA or MasterCard
- DS Directory Server
- the initial registration involves verifying the financial instrument at the issuer bank, the step of verification may also be done by a Transaction Authorization Server of the Mobile Network Transaction Server that functions as an access control server.
- the Mobile Network Transaction System that is integrated with the existing access control servers for various issuer banks determines the Access Control Server for the card selected by the user.
- the Mobile Network Transaction System sends the card details, mobile number and the date of birth to the Access Control Server for validation, as indicated by step 3.
- the access control server receives the details sent by the Mobile Network Transaction System and verifies the details of the user.
- the access control server communicates with the Mobile Network Transaction System after checking the user details, as indicated by step 4.
- the Mobile Network Transaction System then prompts the user to select and confirm a Mobile Network Transaction System Personal Identification Number, or PIN (which may be a six-digit numeric value), as indicated by step 5.
- PIN Mobile Network Transaction System Personal Identification Number
- the user input PIN result is returned to the mobile network transaction server, which, upon successful authentication, marks the user or the card as "Verified", as indicated by step 6.
- the Mobile Network Transaction System is configured to capture the mobile communication identifier from the user and validates each mobile number each time it is used for a financial transaction on each channel that may be used by the user. For example, for SMS based transactions, the Mobile Network Transaction System gets the SMS from the mobile number; for IVR based transactions, the Mobile Network Transaction System knows the mobile number that has called the IVR; and for transactions based on Wireless Application Protocol (WAP), the operator provides the mobile number in the header. Accordingly, the Mobile Network Transaction System does not need additional SMSs, nor does it need to generate and validate a one-time password (OTP) to verify possession of the mobile device.
- WAP Wireless Application Protocol
- the Mobile Network Transaction System functions as an Access Control Server during transactions from a "verified" card.
- the Mobile Network Transaction System generates one or more transaction authorization values that identify the transaction as a secure transaction.
- the transaction authorization values may include a Cardholder Authentication Verification Value (CAVV) for VISA card, a Universal Cardholder Authentication Field (UCAF) for MasterCard credit card, a Unique transaction ID of the 3D secure system (XID) and an Electronic Commerce Indicator (ECI).
- CAVV Cardholder Authentication Verification Value
- UCAF Universal Cardholder Authentication Field
- XID Unique transaction ID of the 3D secure system
- ECI Electronic Commerce Indicator
- the transaction authorization values generated by the Mobile Network Transaction System may depend on the card selected by the user.
- the financial instrument to be used for the transaction may be stored in an encrypted form by the mobile client.
- details of the financial instrument may be stored by the Mobile Network Transaction System linked to the mobile communication identifier.
- the mobile client transmits details of the transaction to the Mobile Network Transaction System along with the mobile communication identifier details.
- the Mobile Network Transaction System receives these details and checks if the financial instrument has been marked as "verified" for the mobile communication identifier, as indicated by step 2. If the card is "verified", the Mobile Network Transaction System prompts the user to enter a Mobile Network Transaction System PIN, as indicated by step 3. The user input PIN result is returned to the Mobile Network Transaction System, as indicated by step 4.
- the Mobile Network Transaction System authenticates the user. For the authenticated user, the Mobile Network Transaction System generates one or more transaction authorization values, as indicated by step 5. The Mobile Network Transaction System then submits the details of the transaction, along with the generated transaction authorization values that identify the transaction as a 3D secure transaction, to the payment gateway for concluding the transaction, as indicated by step 6.
- FIG. 3 illustrates a Communication Network 10 including a Mobile Network Transaction System 12 for authenticating a mobile user 14 and authorising a transaction in accordance with an embodiment.
- a mobile device of the user 14, a payment gateway 16 and an issuer bank 30 are in communication connection with the Mobile Network Transaction System 12.
- the Mobile Network Transaction System 12 includes a User Interface 18, an Authentication Processor 20, a Database 22, a Payment Gateway Interface 24, a Transaction Authorization Server 26 and a switch 28.
- the database 22, user interface 18, the payment gateway interface 24 and the switch 28 are controlled by the authentication processor 20.
- the mobile device 14 is capable of communicating remotely over the communication network 10 with the mobile network transaction system 12 by means of a mobile client on the mobile device 14.
- the mobile client may be an application software or a web browser built specifically for mobile devices.
- the mobile client may be a Java based application like J2ME (Java 2 platform, Micro Edition) or BREW (Binary Runtime Environment for Wireless) based application.
- J2ME Java 2 platform, Micro Edition
- BREW Binary Runtime Environment for Wireless
- the mobile client enables seamless communication between the mobile device 14 and the Mobile Network Transaction System 12 regardless of underlying communications protocols.
- the user interface 18 facilitates cross-platform communication between the Mobile Network Transaction System 18 and the mobile device 14.
- the user interface 18 may include a security protocol that performs security related and data integrity related checks on the communication between the mobile device 14 and the Mobile Network Transaction System 12.
- the security protocol may be SSL (Secure Socket Layer), TLS (Transport Layer Security), PPP (Point-to-Point protocol) or any other protocol known in the art.
- the user interface 18 may be configured to receive user details from the mobile device 14. Alternatively, the user interface 18 may be connected to merchant interface, a web portal or a web banner to permit users to log on to the Mobile Network Transaction System 12.
- the database 22 of the Mobile Network Transaction System 12 holds user details including mobile communication identifier details such as the mobile number, card details, CVV, expiry date of card, issuer bank details, etc.
- the database 22 may also be configured to store financial transaction details for transactions of the user.
- the payment gateway interface 24 facilitates cross-platform communication between the Mobile Network Transaction System 12 and the payment gateway 16.
- the Authentication Processor 20 of the Mobile Network Transaction System 12 facilitates in registering the user.
- the Authentication Processor 20 authenticates the user by verifying the details of the financial instrument received from the user.
- the authentication processor 20 further links the financial instrument of the user with the mobile communication identifier for the user upon successful validation.
- the authentication processor 20 is further configured to mark the financial instrument as 'verified' on a successful validation.
- the Authentication Processor 20 facilitates communication with the user's mobile device 14, the issuer bank 30 and the payment gateway 16 with the help of the user interface 22, the switch 28 and the payment gateway interface 24 respectively.
- the Transaction Authorization Server 26 is configured to authorise a transaction for an authenticated user by generating one or more transaction authorization values for the transaction.
- the payment gateway 16 concludes the transaction authenticated and authorized by the mobile network transaction system 12.
- the switch 28 is an interface that assists the Mobile Network Transaction System 12 to connect and exchange information with the Issuing Bank 30.
- the switch 28 may include a security protocol such as a Secure Socket Layer (SSL) or Virtual Private Network (VPN) protocol to confidently and securely communicate with the Issuing Bank 30.
- SSL Secure Socket Layer
- VPN Virtual Private Network
- a mobile user 14 initiates a financial transaction on his mobile device.
- the mobile user 14 enters the financial instrument details on his mobile device to initiate a transaction or selects a financial instrument from previously stored financial instruments.
- the mobile network transaction system 12 may initiate a transaction by sending a request to the mobile device prompting the mobile user 14 to enter his financial instrument details.
- the mobile network transaction system 12 may be configured to push a transaction to the mobile device of the user 14.
- the mobile client of the mobile device may be configured to receive and execute the request received from the mobile network transaction system 12.
- a Mobile Network Transaction System Personal Identification Number or PIN is a secret input entry, such as an alphanumeric string, that is used by the mobile user to authenticate a transaction.
- the PIN may be a 6 digit or more digit personal identification number, a security code, biometric information of the user or any combination thereof.
- the mobile communication identifier is any device used for communication over a wireless communication network and includes a mobile phone, a smart phone, a Personal Digital Assistant (PDA) or a pager.
- the Mobile Network Transaction System simultaneously performs the functions of an Access Control Server, in that it authenticates a user as well as generates transaction authorization values that are then forwarded to the payment gateway for the purposes of concluding the transaction.
- the system and method disclosed does away with the need of forwarding the transaction details to an independent Access Control Server for the purposes of authenticating the user and generating transaction values.
- the process for the user to initiate and authorize the transaction remains the same and the user on registering with the Mobile Network Transaction System is required only to enter a PIN as the details used for authentication to conclude the transaction.
- the system and method disclosed offers a new 3D-Secure model for mobile commerce.
- the system and method provides for a unique way for authorizing a financial transaction over a communication channel 10.
- the Mobile Network Transaction System incorporates all three domains, namely, the issuer domain, the acquiring domain and the interoperability domain.
- the Mobile Network Transaction System verifies the possession of a mobile communication identifier as well as authenticates the user and then allows the user to setup a unique password (Mobile Network Transaction System PIN).
- the mobile communication identifier and the financial instrument details are linked together in a secure environment.
- a method of authorizing a financial transaction over a communication network including a mobile network transaction system comprising registering a user at the mobile network transaction system with a mobile communication identifier and a financial instrument for the user; registration of user including authenticating the financial instrument with a provider of the financial instrument and linking the financial instrument to the mobile communication identifier on a valid authentication; receiving details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; authenticating the user at the mobile network transaction system; and authorizing the financial transaction at the mobile network transaction system for the authenticated user.
- authenticating the financial instrument includes receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
- authenticating the financial instrument includes validating the mobile communication identifier of the user with the provider of the financial instrument.
- Such method as described above wherein registering a user at the mobile network transaction system includes generating a password for the user on a valid authentication.
- authenticating the user at the mobile network transaction system includes receiving the password for the user.
- authenticating the financial transaction at the mobile network transaction system includes generating transaction authorization values at the mobile network transaction system.
- Such method as described above further comprising transmitting to a payment gateway the transaction authorization values for the authorised financial transaction.
- a mobile network transaction system for authorizing a financial transaction over a communication network, the system comprising an authentication processor for registering a user in a user database with a mobile communication identifier and a financial instrument to be linked to the mobile communication identifier; an user interface configured to receive user registration details including details of the financial instrument and the mobile communication identifier for the user; a switch for communicating with a provider of the financial instrument; and a transaction authorization server for authorizing a transaction wherein the system is configured to authenticate the financial instrument with the provider of the financial instrument and to link the financial instrument to the mobile communication identifier on a valid authentication; the system further configured to receive details of the financial transaction to be authorized for a user including the mobile communication identifier for the user; to authenticate the user at the mobile network transaction system; and to authorize the financial transaction at the mobile network transaction system for the authenticated user.
- the system as described above further configured to authenticate the financial instrument by receiving verification details for the financial instrument from the user and validating the verification details with the provider of the financial instrument.
- the system as described above further configured to authenticate the financial instrument by validating the mobile communication identifier of the user with the provider of the financial instrument.
- the system as described above further comprising a password generator for generating a password for the user on a valid authentication of the financial instrument.
- the system as described above further configured to authenticate the user by receiving the password for the user.
- the system as described above further configured to receive details of the financial transaction to be authorised from the registered mobile communication identifier for the user.
- the system as described above further configured to transmit to a payment gateway the transaction authorization values for the authorised financial transaction.
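The registration steps (1 to 6) and transaction steps (2 to 6) described above can be sketched as follows. This is an added example, not code from the patent: the class and function names, the retry limit, the PBKDF2 PIN hash, keeping only a card reference, and the HMAC used as a stand-in for the CAVV/UCAF value are all assumptions, and the sample card and mobile numbers in any call are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_PIN_FAILURES = 3  # assumption: the page sets no retry limit


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the PIN is never stored in the clear (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class StubIssuerACS:
    """Stand-in for the issuer bank's access control server (registration steps 3-4)."""

    def __init__(self, records):
        self.records = records  # card number -> (date of birth, mobile number)

    def validate(self, card, dob, mobile):
        return self.records.get(card) == (dob, mobile)


@dataclass
class Enrollment:
    card_ref: str          # only the last four digits are kept here (assumption)
    pin_salt: bytes
    pin_hash: bytes
    verified: bool = False
    failures: int = 0


class TransactionSystem:
    """Hypothetical model of the Mobile Network Transaction System."""

    def __init__(self, issuer_acs, key: bytes):
        self.acs = issuer_acs
        self.key = key      # secret used for the stand-in authorization value
        self.users = {}     # mobile communication identifier -> Enrollment

    def register(self, channel_mobile, card, dob, pin):
        """Registration steps 1-6. channel_mobile is the number the channel
        reports (SMS sender, IVR caller, WAP header), not a user-typed field."""
        if not self.acs.validate(card, dob, channel_mobile):
            return False
        if not (pin.isdigit() and len(pin) >= 6):
            return False
        salt = secrets.token_bytes(16)
        self.users[channel_mobile] = Enrollment(
            card[-4:], salt, hash_pin(pin, salt), verified=True)
        return True

    def authorize(self, channel_mobile, amount_minor, pin):
        """Transaction steps 2-5: verified check, PIN check, value generation."""
        e = self.users.get(channel_mobile)
        if e is None or not e.verified or e.failures >= MAX_PIN_FAILURES:
            return None
        if not hmac.compare_digest(hash_pin(pin, e.pin_salt), e.pin_hash):
            e.failures += 1
            return None
        e.failures = 0
        xid = secrets.token_hex(10)  # per-transaction identifier
        return {"xid": xid, "card_ref": e.card_ref, "amount_minor": amount_minor,
                "auth_value": self.tag(xid, channel_mobile, e.card_ref, amount_minor)}

    def tag(self, xid, mobile, card_ref, amount_minor):
        # Placeholder for CAVV/UCAF: binds the value to this exact transaction.
        msg = f"{xid}|{mobile}|{card_ref}|{amount_minor}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def check(self, mobile, values):
        """What a verifier holding the key would do before step 6 concludes."""
        expected = self.tag(values["xid"], mobile, values["card_ref"],
                            values["amount_minor"])
        return hmac.compare_digest(expected, values["auth_value"])
```

Because the PIN is the only user-supplied factor once a card is marked "verified", the sketch shows the two controls that carry the weight: the mobile number must come from the channel, and the authorization value must cover every transaction field.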
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN1775CH2009 | 2009-07-28 | ||
IN1775/CHE/2009 | 2009-07-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011013136A1 (en) | 2011-02-03 |
Family
ID=41426428
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IN2009/000694 WO2011013136A1 (en) | 2009-07-28 | 2009-11-30 | Integrated 3d security for mobile devices |
Country Status (2)
Country | Link |
---|---|
AU (1) | AU2009101174A4 (en) |
WO (1) | WO2011013136A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060294025A1 (en) * | 2005-06-28 | 2006-12-28 | Paypal Inc. | Mobile device communication system |
US20070143230A1 (en) * | 2003-06-30 | 2007-06-21 | Selvanathan Narainsamy | Transaction verification system |
-
2009
- 2009-11-17 AU AU2009101174A patent/AU2009101174A4/en not_active Ceased
- 2009-11-30 WO PCT/IN2009/000694 patent/WO2011013136A1/en active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070143230A1 (en) * | 2003-06-30 | 2007-06-21 | Selvanathan Narainsamy | Transaction verification system |
US20060294025A1 (en) * | 2005-06-28 | 2006-12-28 | Paypal Inc. | Mobile device communication system |
Also Published As
Publication number | Publication date |
---|---|
AU2009101174A4 (en) | 2009-12-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2021200521B2 (en) | Systems and methods for device push provisioning | |
KR100994289B1 (en) | Mobile account authentication service | |
US20090172402A1 (en) | Multi-factor authentication and certification system for electronic transactions | |
CN115907763A (en) | Providing payment credentials to a consumer | |
US11750368B2 (en) | Provisioning method and system with message conversion | |
US20180082298A1 (en) | Method and system for authorization of multiple transactions using a single authentication process | |
US11625713B2 (en) | Method for securing transactional data processing, corresponding terminal and computer program | |
RU2644132C2 (en) | Method, system and device for checking validation of transaction process | |
WO2021178773A1 (en) | User authentication at access control server using mobile device | |
AU2009101171A4 (en) | 3D security for mobile devices | |
US20220353253A1 (en) | Secure and accurate provisioning system and method | |
AU2009101174A4 (en) | Integrated 3D security for mobile devices | |
US20110153503A1 (en) | Device and Method for Identity Theft Resistant Transcations | |
US11973871B2 (en) | Domain validations using verification values | |
US20230231717A1 (en) | Domain validations using verification values | |
US20230237172A1 (en) | Data broker | |
AU2009100984B4 (en) | A Method and System of Financial Instrument Authentication in a Communication Network | |
UA23036U (en) | Method for implementation of payment operations by users of mobile electronic communication devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09847753 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 09847753 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04/07/2012) |