A system and method configured to provide secure Personal Identification Number (PIN) based authentication is disclosed. A passcode or PIN associated with a customer value card can be securely authenticated by an issuer prior to authorizing payment. An Access Control Server (ACS) can receive the PIN or passcode from a customer via a secure connection over a public network. The ACS can generate an encrypted PIN and can communicate the encrypted PIN to a remote issuer for authentication. The ACS can use one or more hardware security modules to generate the encrypted PIN. The hardware security modules can be emulated in software or implemented in hardware. The system can be configured such that the PIN is not exposed in an unencrypted form in a communication link or in hardware other than the originating customer terminal.
Representative Claims
What is claimed is:
1. A secure passcode authentication system, the system comprising: an Access Control Server (ACS) configured to receive a request for passcode authentication of a Primary Account Number (PAN) from a merchant server, and configured to request a passcode corresponding to the PAN from a cardholder device, wherein the ACS is associated with an issuer of the PAN; a front end Hardware Security Module (HSM) coupled to the ACS, and configured to receive the passcode in an encrypted format and generate an encrypted passcode using a local encryption key; and a back end HSM configured to receive the encrypted passcode from the front end HSM and further configured to recover a clear form of the passcode, generate a back end encrypted passcode, and communicate the back end encrypted passcode to an authentication network, wherein the system authenticates the passcode, wherein the ACS is further configured to receive an authentication message from the authentication network.
2. The system of claim 1, wherein the request for passcode authentication comprises a request for a Personal Identification Number (PIN) authentication.
3. The system of claim 1, wherein the ACS is further configured to generate a unique transaction identification and include the unique transaction identification as a hidden field in the request for the passcode.
4. The system of claim 3, wherein the front end HSM is configured to generate a hash value based in part on the unique transaction identification, and wherein the ACS is configured to include the hash value as an additional hidden field in the request for the passcode.
5. The system of claim 1, wherein the request for the passcode includes an instruction to direct the passcode to the front end HSM.
6. The system of claim 1, wherein the front end HSM comprises a software HSM.
7. The system of claim 1, wherein the front end HSM comprises a hardware HSM.
8. The system of claim 1, wherein the encrypted format comprises a Secure Sockets Layer (SSL) encrypted format.
9. The system of claim 1, wherein the front end HSM is configured to receive a cardholder encrypted passcode from the ACS.
10. The system of claim 1, wherein the front end HSM is configured to receive a cardholder encrypted passcode from a cardholder device.
11. The system of claim 1, wherein the back end HSM is configured to generate the back end encrypted passcode by generating a PINBLOCK using the clear form of the passcode and encrypting the PINBLOCK using an Acquirer Working Key (AWK).
12. The system of claim 1, wherein the authentication network comprises an Internet Payment Gateway Server (IPGS).
13. The system of claim 12, wherein the authentication network further comprises an issuer server coupled to the IPGS.
14. A secure passcode authentication system, the system comprising: an Access Control Server (ACS) configured to receive a request for Personal Identification Number (PIN) authentication of a Primary Account Number (PAN), and configured to generate a request for a PIN corresponding to the PAN, the request for the PIN including hidden fields comprising a unique transaction identifier and a hash value; a front end Hardware Security Module (HSM) coupled to the ACS, and configured to generate the hash value based in part on the unique transaction identifier, and further configured to receive an encrypted PIN, decrypt the PIN to recover a clear form of the PIN, and generate a local encrypted PIN using a local encryption key; and a back end HSM configured to receive the local encrypted PIN from the front end HSM and further configured to recover a clear form of the PIN from the local encrypted PIN, generate an Acquirer Working Key (AWK) encrypted PIN, and communicate the AWK encrypted PIN to an authentication network.
15. The system of claim 14, wherein the front end HSM generates the local encrypted key using a triple DES algorithm.
16. A secure passcode authentication system, the system comprising: an Access Control Server (ACS) configured to receive a request for Personal Identification Number (PIN) authentication of a Primary Account Number (PAN), and configured to generate a request for a PIN corresponding to the PAN, the request for the PIN including an instruction to provide the PIN to a destination address; and a front end Hardware Security Module (HSM) having said destination address and coupled to the ACS, and configured to receive an encrypted PIN, decrypt the PIN to recover a clear form of the PIN, and generate an Acquirer Working Key (AWK) encrypted PIN using an AWK encryption key, and configured to communicate the AWK encrypted PIN to an authentication network.
17. A method for providing secure passcode authentication, the method comprising: requesting a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN) wherein requesting the PIN includes generating a unique transaction identifier, generating a hash value with a front end Hardware Security Module (HSM) based in part on the unique transaction identifier, generating a query having the unique transaction identifier and hash value as fields in the query, and communicating the query; receiving an encrypted PIN in the front end Hardware Security Module (HSM) in response to the request; generating a PINBLOCK based in part on the encrypted PIN; encrypting the PINBLOCK using a local key in a front end Hardware Security Module (HSM) to generate a local key encrypted PINBLOCK; decrypting the local key encrypted PINBLOCK with a back end HSM; generating a back end encrypted PIN with the back end HSM; communicating the back end encrypted PIN to an authentication network; and receiving an authentication response from the authentication network.
18. The method of claim 17, wherein requesting the PIN comprises: generating a query having an instruction directing a query response be directed to a destination address corresponding to the front end HSM; and communicating the query over an Internet connection to a cardholder device.
19. The method of claim 17, wherein receiving the PIN comprises receiving a Secure Sockets Layer (SSL) encrypted PIN.
20. The method of claim 19, wherein receiving the PIN further comprises receiving the SSL encrypted PIN at an Access Control Server (ACS).
21. The method of claim 19, wherein receiving the PIN further comprises receiving the SSL encrypted PIN from a cardholder device at the front end HSM.
22. The method of claim 17, wherein the front end HSM comprises a software HSM implementation within an Access Control Server (ACS).
23. The method of claim 17, wherein encrypting the PINBLOCK comprises encrypting the PINBLOCK using a triple DES encryption algorithm.
24. The method of claim 17, wherein generating the back end encrypted PIN comprises: generating a back end PINBLOCK from a clear form of the PIN; and encrypting the PIN with the back end HSM using an Acquirer Working Key (AWK).
25. A method for providing secure passcode authentication, the method comprising: receiving an encrypted Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN) in a front end Hardware Security Module (HSM) over a Secured Sockets Layer (SSL) internet connection between a cardholder device and the front end HSM, wherein the PIN is exclusively SSL encrypted; decrypting the encrypted PIN in the front end Hardware Security Module (HSM) to generate a clear form of the PIN; generating a PINBLOCK based in part on the clear form of the PIN; generating in a back end HSM a back end encrypted PIN based in part on the PINBLOCK; communicating the back end encrypted PIN to an authentication network; and receiving an authentication response from the authentication network.
26. The method of claim 25, wherein the front end HSM comprises the back end HSM.
27. The method of claim 25, wherein generating the back end encrypted PIN comprises generating an Acquirer Working Key (AWK) encrypted PIN.
28. A method for providing secure passcode authentication, the method comprising: generating encryption data; querying a cardholder for a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN); receiving in a front end Hardware Security Module (HSM) an encrypted PIN and at least a portion of the encryption data from the cardholder in response to the query; generating a clear form of the PIN based in part on the encrypted PIN; generating a PINBLOCK based in part on the clear form of the PIN; encrypting the PINBLOCK in a front end Hardware Security Module (HSM) using triple DES encryption to generate an encrypted PIN (EPIN); decrypting the EPIN in a back end HSM to recover the clear form of the PIN; encrypting the clear form of the PIN in the back end HSM using an Acquirer Working Key (AWK) to generate an AWK encrypted PIN; communicating the AWK encrypted PIN to an authentication network; and receiving an authentication response.
29. The system of claim 1, further comprising a Directory Server configured to verify a Primary Account Number's eligibility to participate in secure passcode authentication.
30. The system of claim 16, wherein the instruction to provide a PIN to a destination address is an HTTP redirect instruction.
31. The method of claim 28, wherein the encryption data comprises a transaction ID, a base redirection url, an http redirect type.
32. A method for providing secure passcode authentication, the method comprising: generating encryption data, wherein the encryption data comprises a transaction ID, a base redirection url, and an http redirect type, wherein the encryption data further comprises a hashed message authentication code based on the transaction ID, the base redirection URL, and the http redirect type; querying a cardholder for a Personal Identification Number (PIN) corresponding to a Primary Account Number (PAN); receiving in a front end Hardware Security Module (HSM) an encrypted PIN and at least a portion of the encryption data from the cardholder in response to the query; generating a clear form of the PIN based in part on the encrypted PIN; generating a PINBLOCK based in part on the clear form of the PIN; encrypting the PINBLOCK in a front end Hardware Security Module (HSM) using triple DES encryption to generate an encrypted PIN (EPIN); decrypting the EPIN in a back end HSM to recover the clear form of the PIN; encrypting the clear form of the PIN in the back end HSM using an Acquirer Working Key (AWK) to generate an AWK encrypted PIN; communicating the AWK encrypted PIN to an authentication network; and receiving an authentication response.
33. The method of claim 1 wherein the access control server, the front end hardware security module, and the back end are co-located.
34. The system of claim 1, wherein the ACS is further configured to return an authentication response to the merchant server.
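The hidden-field integrity check described in claims 3, 4 and 32 can be illustrated with the following added example, which is not code from the patent. It assumes HMAC-SHA-256, a constructed demo key, hypothetical field names, and a single-use rule for the transaction ID; the claims specify none of these.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In the claimed design the keyed hash is produced by the
# front end HSM, so a real key would never be present in application code.
HSM_MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

FIELDS = ("txn_id", "base_url", "redirect_type")  # hypothetical field names


def field_mac(txn_id: str, base_url: str, redirect_type: str) -> str:
    """HMAC over the three fields named in claim 32 (SHA-256 is an assumption)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") yield different input.
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (txn_id, base_url, redirect_type)
    )
    return hmac.new(HSM_MAC_KEY, msg, hashlib.sha256).hexdigest()


def build_pin_query(base_url: str, redirect_type: str) -> dict:
    """ACS side: hidden fields sent to the cardholder device with the PIN request."""
    txn_id = secrets.token_hex(16)  # unique transaction identifier
    return {"txn_id": txn_id, "base_url": base_url, "redirect_type": redirect_type,
            "mac": field_mac(txn_id, base_url, redirect_type)}


seen_txn_ids = set()  # single-use tracking is an assumption of this example


def accept_pin_response(fields: dict) -> bool:
    """Front end HSM side: accept returned fields only if the MAC verifies."""
    values = [fields.get(name) for name in FIELDS + ("mac",)]
    if not all(isinstance(v, str) and v.isascii() for v in values):
        return False  # missing or malformed field
    txn_id, base_url, redirect_type, supplied = values
    expected = field_mac(txn_id, base_url, redirect_type)
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False  # a field was altered on the cardholder device or in transit
    if txn_id in seen_txn_ids:
        return False  # same transaction ID presented twice
    seen_txn_ids.add(txn_id)
    return True
```

Because the redirect destination is covered by the MAC, a response whose `base_url` was changed after the query left the ACS fails verification before any PIN handling takes place.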