Local zone security architecture for retail environments
원문보기
IPC분류정보
국가/구분
United States(US) Patent
등록
국제특허분류(IPC7판)
G06K-015/00
G06F-017/00
G06K-005/00
출원번호
UP-0064526
(2005-02-23)
등록번호
US-7607576
(2009-11-10)
발명자
/ 주소
Robertson, Philip A.
Whitley, Chris
Siew, Simon Huang Seng
Weston, Timothy M.
Turner, Victor C.
Ringeman, Ken
Hampson, Greg K.
Aiken, Tyrone
Carapelli, Giovanni
Carozzini, Giorgio
출원인 / 주소
Gilbarco, Inc.
대리인 / 주소
Nelson Mullins Riley & Scarborough LLP
인용정보
피인용 횟수 :
9인용 특허 :
12
초록▼
A security architecture for a retail environment providing both on-line and off-line personal identification number (PIN) validation for a smart card transaction using a reduced number of secure access modules (SAMs). In one embodiment, the retail environment includes and security module and numero
A security architecture for a retail environment providing both on-line and off-line personal identification number (PIN) validation for a smart card transaction using a reduced number of secure access modules (SAMs). In one embodiment, the retail environment includes and security module and numerous fuel dispensers each including a controller and one or more PINpads and card readers. The security module includes one or more SAMs for off-line PIN validation. Each of the PINpads communicates with the security module, and the security module performs either on-line or off-line PIN validation for every PINpad in the retail environment. Accordingly, the security module uses one set of SAMs for off-line validation for every PINpad in the retail environment.
대표청구항▼
What is claimed is: 1. A validation system for customer transactions occurring in a retail environment, comprising: a) a security module comprising at least one secure access module (SAM), each of the at least one SAMs operating to perform off-line validation of a customer's personal identification
What is claimed is: 1. A validation system for customer transactions occurring in a retail environment, comprising: a) a security module comprising at least one secure access module (SAM), each of the at least one SAMs operating to perform off-line validation of a customer's personal identification number (PIN) associated with a smart card; and b) a plurality of customer terminals located apart from the security module, each of the plurality of customer terminals, comprising: i) a controller communicatively coupled to the security module; ii) a first card reader that reads data from the smart card and communicates the data to the controller; and iii) a first PINpad that allows the customer to enter a PIN and communicates the PIN to the controller; wherein the controller communicates the PIN to the security module and the security module provides the PIN to the at least one SAM which performs an off-line validation of the PIN based on the data. 2. The system of claim 1 wherein each of the plurality of customer terminals is a two-sided fuel dispenser and further comprises: a) a second card reader that reads second data from a second smart card and communicates the second data to the controller; and b) a second PINpad that allows a second user to enter a second PIN and communicates the second PIN to the controller; wherein the controller further communicates the second PIN to the security module and the security module provides the second PIN to the at least one SAM which performs an off-line validation of the second PIN based on the second data. 3. The system of claim 1 wherein the first PINpad encrypts the PIN using a first encryption key prior to transmitting the PIN to the controller. 4. The system of claim 3 wherein the first encryption key is derived based on an exponential key exchange between the security module and the first PINpad. 5. The system of claim 3 wherein the security module receives the PIN encrypted using the first encryption key from the controller and decrypts the PIN using the first encryption key. 6. The system of claim 3 wherein the second PINpad encrypts the second PIN using a second encryption key prior to transmitting the second PIN to the controller. 7. The system of claim 6 wherein the second encryption key is derived based on an exponential key exchange between the security module and the second PINpad. 8. The system of claim 6 wherein the security module receives the second PIN encrypted using the second encryption key from the controller and decrypts the second PIN using the second encryption key. 9. The system of claim 6 wherein communications between the first card reader and the controller are encrypted based on a third encryption key. 10. The system of claim 9 wherein the third encryption key is derived based on an exponential key exchange between the controller and the first card reader. 11. The system of claim 9 wherein communications between the second card reader and the controller are encrypted based on a fourth encryption key. 12. The system of claim 11 wherein the fourth encryption key is derived based on an exponential key exchange between the controller and the second card reader. 13. The system of claim 11 wherein communications between the first PINpad and the security module, the second PINpad and the security module, the first card reader and the controller, and the second card reader and the controller are encrypted based on the first, second, third, and fourth encryption keys, respectively, and one or more encryption algorithms selected from the group consisting of Rivest-Shamir-Adelman algorithm (RSA), the Diffie-Helman algorithm (DII), and the Data Encryption Standard (DES). 14. The system of claim 1 wherein the security module further comprises at least one bank key, and when on-line validation of the PIN is desired, the security module further operates to encrypt the PIN based on a select one of the at least one bank keys and communicate the encrypted PIN to a corresponding host computer for on-line validation. 15. The system of claim 1 further comprising a point-of-sale unit that establishes a communication path between the controller and the security module. 16. The system of claim 1 wherein each of the plurality of customer terminals further comprises a display. 17. The system of claim 16 wherein the controller further operates to logically control the display. 18. The system of claim 17 wherein the controller further operates to logically control the display such that only pre-defined messages are displayed on the display when the first PINpad operates in a non-secure mode. 19. The system of claim 1 wherein each of the plurality of customer terminals further comprises at least one component selected from the group consisting of a printer, an interrogator, a bar code reader, a cash acceptor, a proximity detector, and a coin acceptor and dispenser, wherein the controller further operates to control the at least one component. 20. The system of claim 1 wherein the first PINpad, the first card reader, and the controller are modular components. 21. The system of claim 1 wherein the first card reader further operates to read data from a magnetic stripe card. 22. A two-sided fuel dispenser, comprising: a controller including at least one secure access module (SAM), each of the at least one SAMs operating to perform off-line validation of a customer's personal identification number (PIN) associated with a smart card; a first card reader that reads first data from a first smart card associated with a first customer and communicates the first data to the controller; a first PINpad that allows the first customer to enter a first PIN and communicates the first PIN to the controller; a second card reader that reads second data from a second smart card associated with a second customer and communicates the second data to the controller; and a second PINpad that allows the second customer to enter a second PIN and communicates the second PIN to the controller; wherein the controller receives the first and second PINs and provides the first and second PINs to the at least one SAM which performs an off-line validation for the first PIN based on the first data and an off-line validation for the second PIN based on the second data. 23. The dispenser of claim 22 wherein the first PINpad encrypts the first PIN using a first encryption key prior to transmitting the first PIN to the controller. 24. The dispenser of claim 23 wherein the first encryption key is derived based on an exponential key exchange between the controller and the first PINpad. 25. The system of claim 23 wherein the controller receives the first PIN encrypted using the first encryption key from the first PINpad and decrypts the first PIN using the first encryption key. 26. The dispenser of claim 23 wherein the second PINpad encrypts the second PIN using a second encryption key prior to transmitting the second PIN to the controller. 27. The dispenser of claim 26 wherein the second encryption key is derived based on an exponential key exchange between the controller and the second PINpad. 28. The system of claim 26 wherein the controller receives the second PIN encrypted using the second encryption key from the second PINpad and decrypts the second PIN using the second encryption key. 29. The dispenser of claim 26 wherein communications between the first card reader and the controller are encrypted based on a third encryption key. 30. The dispenser of claim 29 wherein the third encryption key is derived based on an exponential key exchange between the controller and the first card reader. 31. The dispenser of claim 29 wherein communications between the second card reader and the controller are encrypted based on a fourth encryption key. 32. The dispenser of claim 31 wherein the fourth encryption key is derived based on an exponential key exchange between the controller and the second card reader. 33. The dispenser of claim 31 wherein communications between the first PINpad and the controller, the second PINpad and the controller, the first card reader and the controller, and the second card reader and the controller are encrypted based on the first, second, third, and fourth encryption keys, respectively, and one or more encryption algorithms selected from the group consisting of Rivest-Shamir-Adelman algorithm (RSA), the Diffie-Hellman algorithm (DH), and the Data Encryption Standard (DES). 34. The dispenser of claim 22 wherein the controller further comprises at least one bank key, and when on-line validation of the PIN is desired, the controller further operates to encrypt the PIN based on a select one of the at least one bank keys and communicate the encrypted PIN to a corresponding host computer for on-line validation. 35. The dispenser of claim 34 further comprising a point-of-sale unit communicatively coupled to the controller in each of the plurality of fuel dispensers and that establishes a communication path to the host computer. 36. The dispenser of claim 22 wherein each of the plurality of fuel dispensers further comprises: a first display; a second display; and a second controller communicatively coupled to the controller and the first and second displays and providing information to each of the first and second displays to be displayed. 37. The dispenser of claim 36 wherein the controller communicates with the second controller to logically control the first and second displays. 38. The dispenser of claim 37 wherein the controller communicates with the second controller to logically control the first and second displays such that only pre-defined messages can be displayed on the first and second displays when a corresponding one of the first and second PlNpads operates in a non-secure mode. 39. The dispenser of claim 36 wherein each of the plurality of fuel dispensers further comprises at least one pair of components selected from the group consisting of a first and second printer, a first and second interrogator, a first and second bar code reader, a first and second cash acceptor, a first and second proximity detector, and a first and second coin acceptor and dispenser, wherein the second controller further operates to control the at least one pair of components. 40. The dispenser of claim 22 wherein the first and second PlNpads, the first and second card readers, and the controller are modular components. 41. The dispenser of claim 22 wherein the first and second card readers further operates to read data from magnetic stripe cards. 42. A method of validating customer transactions occurring in a retail environment, comprising: a) communicatively coupling a controller in each of a plurality of customer terminals to a security module comprising at least one secure access module (SAM), each of the at least one SAMs operating to perform off-line validation of a customer's personal identification number (PIN) associated with a smart card; b) reading data from the smart card at a first card reader; c) communicating the data to the controller; d) receiving the customer's PIN at a PINpad; e) communicating the PIN to the controller; f) communicating the PIN from the controller to the security module; and g) providing the PIN to the at least one SAM which performs an off-line validation of the PIN based on the data. 43. The method of claim 42 further comprising: reading second data from a second smart card associated with a second customer at a second card reader; communicating the second data to the controller; receiving a second PIN from the second customer at a second PINpad; communicating the second PIN to the controller; communicating the second PIN from the controller to the security module; and providing the second PIN to the at least one SAM which performs an off-line validation of the second PIN based on the second data. 44. The method of claim 43 wherein the step of communicating the PIN to the controller comprising encrypting the PIN using a first encryption key prior to transmitting the PIN to the controller. 45. The method of claim 44 further comprising generating the first encryption key based on an exponential key exchange between the security module and the first PINpad. 46. The method of claim 44 wherein the step of providing the PIN to the at least one SAM comprises decrypting the PIN using the first encryption key. 47. The method of claim 44 wherein the step of communicating the second PIN to the controller comprises encrypting the second PIN using a second encryption key prior to transmitting the second PIN to the controller. 48. The method of claim 47 further comprising generating the second encryption key is derived based on an exponential key exchange between the security module and the second PINpad. 49. The method of claim 47 wherein the step of providing the second PIN to the at least one SAM comprises decrypting the second PIN using the second encryption key. 50. The method of claim 47 wherein the step of communicating the data to the controller comprises encrypting the data using a third encryption key prior to transmitting the data to the controller. 51. The method of claim 50 further comprising generating the third encryption key based on an exponential key exchange between the controller and the first card reader. 52. The method of claim 43 wherein the step of communicating the second data to the controller comprises encrypting the second data using a fourth encryption key. 53. The method of claim 52 further comprising generating the fourth encryption key based on an exponential key exchange between the controller and the second card reader. 54. The method of claim 52 wherein the steps of encrypting the PIN, encrypting the data, encrypting the second PIN, and encrypting the second data comprises encrypting the PIN, the data, the second PIN, and the second data based on the first, second, third, and fourth encryption keys, respectively, based one or more encryption algorithms selected from the group consisting of Rivest-Shamir-Adelman algorithm (RSA), the Diffie-Hellman algorithm (DH), and the Data Encryption Standard (DES). 55. The method of claim 42 wherein when on-line validation of the PIN is desired, the method further comprises: encrypting the PIN in the security module based on a select one of at least one bank keys; and communicating the encrypted PIN to a corresponding host computer for on-line validation based on the data. 56. The method of claim 42 further comprising establishing a communication path between the controller and the security module through a point-of-sale. 57. The method of claim 42 further comprising control a display in the customer terminal such that only pre-defined messages are displayed on the display when the first PINpad operates in a non-secure mode. 58. A method of validating customer transactions occurring at a two-sided fuel dispenser, comprising: a) reading first data from a first smart card at a first card reader; b) communicating the first data to a controller in the fuel dispenser, the controller comprising at least one secure access module (SAM), each of the at least one SAMs operating to perform off-line validation of a customer's personal identification number associated with a smart card; c) receiving a first PIN associated with the first smart card at a first PINpad; d) communicating the first PIN to the controller; e) providing the first PIN to the at least one SAM which performs an off-line validation of the first PIN based on the first data; f) reading second data from a second smart card at a second card reader; g) communicating the second data to the controller; h) receiving a second PIN associated with a second smart card at a second PINpad; i) communicating the second PIN to the controller; and j) providing the second PIN to the at least one SAM which performs an off-line validation of the second PIN based on the second data. 59. The method of claim 58 wherein the step of communicating the first PIN to the controller comprising encrypting the first PIN using a first encryption key prior to transmitting the first PIN to the controller. 60. The method of claim 59 further comprising generating the first encryption key based on an exponential key exchange between the controller and the first PINpad. 61. The method of claim 59 wherein the step of providing the first PIN to the at least one SAM comprises decrypting the first PIN using the first encryption key. 62. The method of claim 59 wherein the step of communicating the second PIN to the controller comprises encrypting the second PIN using a second encryption key prior to transmitting the second PIN to the controller. 63. The method of claim 62 further comprising generating the second encryption key is derived based on an exponential key exchange between the controller and the second PINpad. 64. The method of claim 62 wherein the step of providing the second PIN to the at least one SAM comprises decrypting the second PIN using the second encryption key. 65. The method of claim 62 wherein the step of communicating the first data to the controller comprises encrypting the first data using a third encryption key prior to transmitting the first data to the controller. 66. The method of claim 65 further comprising generating the third encryption key based on an exponential key exchange between the controller and the first card reader. 67. The method of claim 65 wherein the step of communicating the second data to the controller comprises encrypting the second data using a fourth encryption key. 68. The method of claim 67 further comprising generating the fourth encryption key based on an exponential key exchange between the controller and the second card reader. 69. The method of claim 58 wherein the steps of encrypting the first PIN, encrypting the first data, encrypting the second PIN, and encrypting the second data comprises encrypting the first PIN, the first data, the second PIN, and the second data based on the first, second, third, and fourth encryption keys, respectively, based one or more encryption algorithms selected from the group consisting of Rivest-Shamir-Adelman algorithm (RSA), the Diffie-Heilman algorithm (DH), and the Data Encryption Standard (DES). 70. The method of claim 58 wherein when on-line validation of the PIN is desired, the method further comprises: encrypting the first and second PINs in the controller based on select ones of at least one bank key; and communicating each of the encrypted first and second PINs to a corresponding host computer for on-line validation. 71. The method of claim 70 further comprising establishing a communication path to the host computer via a point-of-sale unit communicatively coupled to the controller in each of the plurality of fuel dispensers. 72. The method of claim 58 further comprising controlling a first display and a second display such that only pre-defined messages are displayed on the first and second displays when a corresponding one of the first and second PlNpads operates in a non-secure mode.
연구과제 타임라인
LOADING...
LOADING...
LOADING...
LOADING...
LOADING...
이 특허에 인용된 특허 (12)
Deo Vinay ; Seidensticker Robert B. ; Simon Daniel R., Authentication system and method for smart card transactions.
Greene, John C., Methods and systems for securely communicating personal identification number information between a security module and a plurality of secure keypad devices.
Johnson William S. (Jamestown NC) Payne Edward A. (Greensboro NC) Boschker Donald A. (Greensboro NC) Phipps Benita W. (Greensboro NC), Security apparatus and system for retail environments.
Johnson William S. (Jamestown NC) Payne Edward A. (Greensboro NC) Boschker Donald A. (Greensboro NC) Phipps Benita W. (Greensboro NC), Security apparatus and system for retail environments.
Johnson William S. (Jamestown NC) Payne Edward A. (Greensboro NC) Boschker Donald A. (Greensboro NC) Phipps Benita W. (Greensboro NC), Security apparatus and system for retail environments.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.