CN110199309A - Method and system for authentication via a trusted execution environment - Google Patents

Info

Publication number
CN110199309A
Authority
CN
China
Prior art keywords
application program
payment
equipment
data
calculating equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201880007991.2A
Other languages
Chinese (zh)
Other versions
CN110199309B (en)
Inventor
B·J·卢瑟福
P·夏尔马
D·卡特勒
A·姆生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mastercard International Inc
Original Assignee
Mastercard International Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mastercard International Inc filed Critical Mastercard International Inc
Publication of CN110199309A publication Critical patent/CN110199309A/en
Application granted granted Critical
Publication of CN110199309B publication Critical patent/CN110199309B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/105Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems involving programming of a portable memory device, e.g. IC cards, "electronic purses"
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3227Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/06Buying, selling or leasing transactions
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0873Details of the card reader
    • G07F7/088Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself
    • G07F7/0886Details of the card reader the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself the card reader being portable for interacting with a POS or ECR in realizing a payment transaction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Abstract

A method for facilitating authentication via a trusted execution environment includes: reading payment credentials, stored in a first application program in a first memory area of a computing device; transmitting an authentication request to a second application program stored in a trusted execution environment of the computing device that is separate from the first memory area; displaying a prompt for authentication data based on instructions supplied by the second application program; receiving the authentication data; transmitting the received authentication data to an external computing device; receiving, by the second application program of the computing device, an authentication result from the external computing device; and transmitting, by the second application program of the computing device, the authentication result to the first application program in response to the authentication request.

Description

Method and system for authentication via a trusted execution environment
Cross-reference to related applications
This application claims the benefit of and priority to U.S. Provisional Patent Application No. 62/449,390, filed on January 23, 2017. The entire disclosure of the above application is incorporated herein by reference.
Technical field
The present disclosure relates to authentication performed via a trusted execution environment, and in particular to converting a computing device into a point of sale device through the use of multiple application programs, including an application program stored in the trusted execution environment.
Background
Traditional point of sale devices are specialized computing machines that are often expensive to purchase, particularly for small businesses, and difficult to set up and use. As such, many individuals or small businesses interested in selling products will often stick to cash transactions, lacking a point of sale system for reading and processing credit cards and other payment instruments. To facilitate these types of transactions for small businesses, products have been developed that can convert a conventional computing device, such as a desktop computer, tablet computer, or smart phone, into a point of sale device. Typically, these products use a hardware element that interfaces with the computing device and an application program that is loaded onto and executed by the computing device.
Although these types of products successfully read payment credentials from a payment instrument and submit them as part of a payment transaction, like traditional point of sale devices they use the standard memory and processing technology of the computing device. As such, they are susceptible to hacking and compromise in ways that may put sensitive payment information at risk. Where the consumer may be required to provide authentication information (such as a personal identification number or signature), for example when data is captured from a native input device, the risk of consumer data being compromised is even greater.
Thus, there is a need for a technical solution whereby an application program and payment instrument reading hardware can use a trusted execution environment in the computing device to provide authentication that is performed at a higher level of security.
Summary of the invention
The present disclosure provides a description of systems and methods for facilitating authentication via a trusted execution environment. A computing device uses a payment instrument reading device and its associated application program together with a second application program, which is stored in, and executed via, a trusted execution environment in the computing device that handles all authentication data, so that the computing device can use existing payment instrument reading hardware and software and still have additional authentication performed. Use of the trusted execution environment can ensure that the additional authentication is performed successfully and at a higher level of security, with less opportunity for data to be compromised, and without requiring modification of the payment instrument reading device and its associated software.
A method for facilitating authentication via a trusted execution environment includes: reading, by an instrument reading device interfaced with a computing device, payment credentials stored in a payment instrument, wherein the payment credentials are electronically transmitted to a first application program having program code stored in a first memory area of the computing device; electronically transmitting, by the first application program of the computing device, an authentication request to a second application program having program code stored in a trusted execution environment of the computing device that is separate from the first memory area; displaying, by a display device interfaced with the computing device, a prompt for authentication data based on instructions supplied by the second application program; receiving, by an input device interfaced with the computing device, authentication data, wherein the authentication data is electronically transmitted to the second application program; electronically transmitting, by the second application program of the computing device, the received authentication data to an external computing device; receiving, by the second application program of the computing device, an authentication result based on the transmitted authentication data from the external computing device; and electronically transmitting, by the second application program of the computing device, the authentication result to the first application program in response to the authentication request.
A system for facilitating authentication via a trusted execution environment includes: an instrument reading device interfaced with a computing device and configured to read payment credentials stored in a payment instrument; a first application program of the computing device configured to receive the read payment credentials from the instrument reading device and to electronically transmit an authentication request to a second application program, wherein the first application program has program code stored in a first memory area of the computing device and the second application program has program code stored in a trusted execution environment of the computing device that is separate from the first memory area; a display device interfaced with the computing device and configured to display a prompt for authentication data based on instructions supplied by the second application program; and an input device interfaced with the computing device and configured to receive authentication data, wherein the authentication data is electronically transmitted to the second application program, and wherein the second application program is configured to electronically transmit the received authentication data to an external computing device, receive an authentication result based on the transmitted authentication data from the external computing device, and electronically transmit the authentication result to the first application program in response to the authentication request.
Brief description of the drawings
The scope of the present disclosure is best understood from the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings. Included in the drawings are the following figures:
Fig. 1 is a block diagram illustrating a high-level system architecture for facilitating authentication in a payment transaction via a trusted execution environment in accordance with exemplary embodiments.
Fig. 2 is a block diagram illustrating the computing device of the system of Fig. 1 for authentication via a trusted execution environment in a payment transaction in accordance with exemplary embodiments.
Fig. 3 is a flow diagram illustrating a process for authentication with an issuer via the trusted execution environment in the system of Fig. 1 in accordance with exemplary embodiments.
Fig. 4 is a flow diagram illustrating a process for authentication with a payment instrument via the trusted execution environment in the system of Fig. 1 in accordance with exemplary embodiments.
Fig. 5 is a flow chart illustrating an exemplary method for facilitating authentication via a trusted execution environment in accordance with exemplary embodiments.
Fig. 6 is a block diagram illustrating a computer system architecture in accordance with exemplary embodiments.
Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description of exemplary embodiments is intended for illustration purposes only and is, therefore, not intended to necessarily limit the scope of the disclosure.
Detailed description
Glossary of terms
Transaction account - A financial account that may be used to fund a transaction, such as a checking account, savings account, credit account, virtual payment account, etc. A transaction account may be associated with a consumer, which may be any suitable type of entity associated with a payment account, and may include a person, family, company, corporation, governmental entity, etc. In some cases, a transaction account may be virtual, such as those accounts operated by , etc.
Issuer - An entity that establishes (e.g., opens) a letter or line of credit in favor of a beneficiary, and honors drafts drawn by the beneficiary against the amount specified in the letter or line of credit. In many instances, the issuer may be a bank or other financial institution authorized to open lines of credit. In some instances, any entity that may extend a line of credit to a beneficiary may be considered an issuer. The line of credit opened by the issuer may be represented in the form of a payment account, and may be drawn on by the beneficiary via the use of a payment card. As will be apparent to persons having skill in the relevant art, an issuer may also offer additional types of payment accounts to consumers, such as debit accounts, prepaid accounts, electronic wallet accounts, savings accounts, checking accounts, etc., and may provide consumers with physical or non-physical means for accessing and/or using such an account, such as debit cards, prepaid cards, automated teller machine cards, electronic wallets, checks, etc.
Acquirer - An entity that may process payment card transactions on behalf of a merchant. The acquirer may be a bank or other financial institution authorized to process payment card transactions on a merchant's behalf. In many instances, the acquirer may open a line of credit with the merchant acting as a beneficiary. Where a consumer (who may be a beneficiary of a line of credit offered by an issuer) transacts via a payment card with a merchant that is represented by an acquirer, the acquirer may exchange funds with the issuer.
Point of sale - A computing device or computing system configured to receive interaction with a user (e.g., a consumer, employee, etc.) for entering transaction data, payment data, and/or other suitable types of data for the purchase of and/or payment for goods and/or services. The point of sale may be a physical device (e.g., a cash register, kiosk, desktop computer, smart phone, tablet computer, etc.) in a physical location that a consumer visits as part of the transaction, such as in a "brick and mortar" store, or may be virtual, such as an online retailer in an e-commerce environment receiving communications from customers over a network such as the Internet. Where the point of sale is virtual, the computing device operated by the user to initiate the transaction or the computing system that receives data as a result of the transaction may be considered the point of sale, as applicable.
Payment transaction - A transaction between two entities in which money or other financial benefit is exchanged from one entity to the other. The payment transaction may be a transfer of funds, for the purchase of goods or services, for the repayment of debt, or for any other exchange of financial benefit as will be apparent to persons having skill in the relevant art. In some instances, payment transaction may refer to transactions funded via a payment card and/or payment account, such as credit card transactions. Such payment transactions may be processed via an issuer, payment network, and acquirer. The process for handling such a payment transaction may include at least one of authorization, batching, clearing, settlement, and funding. Authorization may include the furnishing of payment details by the consumer to a merchant, the submitting of transaction details (e.g., including the payment details) from the merchant to their acquirer, and the verification of payment details with the issuer of the consumer's payment account used to fund the transaction. Batching may refer to the storing of an authorized transaction in a batch with other authorized transactions for distribution to an acquirer. Clearing may include the sending of batched transactions from the acquirer to a payment network for processing. Settlement may include the debiting of the issuer by the payment network for transactions involving beneficiaries of the issuer. In some instances, the issuer may pay the acquirer via the payment network. In other instances, the issuer may pay the acquirer directly. Funding may include payment to the merchant from the acquirer for the payment transactions that have been cleared and settled. It will be apparent to persons having skill in the relevant art that the order and/or categorization of the steps discussed above are performed as part of payment transaction processing.
Payment network - A system or network used for the transfer of money via the use of cash substitutes for thousands, millions, or even billions of transactions during a given period. Payment networks may use a variety of different protocols and procedures in order to process the transfer of money for various types of transactions. Transactions that may be performed via a payment network may include product or service purchases, credit purchases, debit transactions, fund transfers, account withdrawals, etc. Payment networks may be configured to perform transactions via cash substitutes, which may include payment cards, letters of credit, checks, transaction accounts, etc. Examples of networks or systems configured to perform as payment networks include those operated by , American , etc. Use of the term "payment network" herein may refer to both the payment network as an entity and the physical payment network, such as the equipment, hardware, and software comprising the payment network.
Payment rails - Infrastructure associated with a payment network used in the processing of payment transactions and in the communication of transaction messages and other similar data between the payment network and other entities interconnected with it, which handles thousands, millions, or even billions of transactions during a given period. The payment rails may comprise the hardware used to establish the payment network and the interconnections between the payment network and other associated entities (financial institutions, gateway processors, etc.). In some instances, payment rails may also be affected by software, such as via special programming of the communication hardware and devices that comprise the payment rails. For example, the payment rails may include specially configured computing devices for the routing of transaction messages, which may be specially formatted data messages that are electronically transmitted via the payment rails, as discussed in more detail below.
System for being authenticated via credible performing environment
Fig. 1 is shown for making via the system 100 for calculating equipment and handling as point of sale device payment transaction is used Using and calculating equipment as point of sale device includes that reading using credible performing environment and evidence for payment and handle discretely is held Row certification associated there.
System 100 may include calculating equipment 102.The calculating equipment 102 being more thoroughly discussed below can be traditional Equipment is calculated, which is specially configured as discussed herein and is programmed to act as handling electronics The point of sale device of payment transaction.Calculate equipment 102 can be the desktop computer of such as special configuration, laptop computer, Notebook computer, tablet computer, cellular phone, smart phone, smart television etc..Calculating equipment 102 can be with payment work Tool reads equipment interconnection, and the means of payment read equipment and can be configured as from the reading evidence for payment of the means of payment 104 and other numbers According to.Evidence for payment may include Transaction Account number, due date, title, safety code, transaction counter, password and/or be used to pass through Any other data used in the processing for the payment transaction provided with funds as trading account associated there.The means of payment are read It takes equipment to can be configured as the data encoded in magnetic stripe via decoding, receive number via the electron-transport from integrated circuit According to, via use near-field communication electron-transport receive data and via from the means of payment 104 transmit evidence for payment it is any Other suitable methods read evidence for payment.The means of payment 104 may include such as magnetic stripe payment card, integrated circuit payment Card, the mobile device with electronic wallet application, check etc..
The means of payment 104 can be issued by issuer 106.Issuer 106 can be financial institution's (such as distribution silver Row), or be configured as distribution for trading account the means of payment with used in provide with funds for electric payment transaction its Its entity.Issuer 106, which can be configured as, to be determined approval or refuses to come the trading account managed via issuer 106 The payment transaction provided with funds.In some cases, issuer 106 can specify for payment transaction and when must make The rule or guide that certification is executed for a part of payment transaction processing such as require to carry out the payment transaction more than 50 dollars Additional Verification.
Calculate equipment 102 can store with and calculate equipment 102 docking the means of payment reading equipment associated first Application program.First application program can be configured as via the means of payment read equipment from the means of payment 104 receive payment with Card can be configured as and execute its any processing (for example, calculating of payment cipher), and can be configured as to acquirer 108 submit read evidence for payment and other transaction data thus to be handled.First application program, which can store, to be counted In the memory for calculating equipment 102, which can be the standard memory for calculating equipment 102.
Calculating equipment 102 can identify when to need to execute Additional Verification to payment transaction.It in some cases, can be with needle Additional Verification is executed to each transaction, or Additional Verification can be executed based on specific standards associated with transaction.For example, The issuer 106 of the distribution means of payment 104 can provide the standard for illustrating and when needing Additional Verification, such as based on transaction Transaction amount.In some such cases, standard can be supplied to the first application program before the trade.In other such feelings Under condition, standard can store is transmitted to the first application program in the means of payment 104 and together with evidence for payment.
When requesting Additional Verification, the first application program can be to the second application program being stored in calculating equipment 102 Submit certification request.Second application program can store in credible performing environment.Credible performing environment can be calculating equipment Private memory or memory area in 102, the private memory or memory area and the rest part for calculating equipment 102 Isolation, can be used dedicated rules and agreement only to modify or access.For example, credible performing environment can be safety element or its Its hardware based safe storage device, and going to credible performing environment and all communications from credible performing environment can be with It is encrypted.In some cases, credible performing environment can be software-based.Therefore, the first application program can be to second Application program submits certification request, and wherein certification request is such as encrypted using the first key of key pair, wherein the second application Program possesses the second key of key pair to request for decrypted authentication.Certification request can include at least and correspond to payment work The associated primary account number of trading account of tool 104.
In some embodiments, the second application program, which can be configured as, only recognizes the first application program execution of authorization Card.In such embodiments, the second application program can possess or can access mandate the first application program registration table.With The associated entity of two application programs (for example, developer, publisher, operator etc.) may determine whether that first should be authorized Application program, such as assure compliance with safety standard, check associated hardware (for example, means of payment reading equipment) etc. it Afterwards.For example, entity may insure that the first application program is without damage, which may also be damaged by the capture of calculating equipment 102 simultaneously It is sent to the authentication data of the second application program.Registration table, which is stored locally within, to be calculated in equipment 102, and being such as stored in has In the credible performing environment of second application program, or it can be such as remote by contacting computing system associated with entity Journey is addressable.In such embodiments, the certification request for submitting to the second application program may include and submit the of request The associated unique identification value of one application program.Ident value can be used whether to determine the first application program in second application program It is authorized to, such as by the way that the ident value to be compared or contact external computing system with internal registration table.If the first application It is uncommitted, then the second application program will not continue to.If the first application program is authorized to, the second application program can be with Continue to authenticate.
The second application program can receive the certification request and decrypt it to identify the data stored therein. The second application program can then prompt the consumer to supply authentication data. The prompt can be shown to the consumer on a display device docked with calculating equipment 102 and can ask the consumer to supply a particular type of data to be authenticated. The consumer can then supply the authentication data via an input device docked with calculating equipment 102. The authentication data can include, for example, a personal identification number, signature, biometric data (for example, fingerprint, facial scan, retina scan, voice signal, etc.), password, or any other data that can be used to authenticate the consumer as an authorized user of the means of payment 104. In some cases, multiple types of authentication can be used (for example, a combination of personal identification number and fingerprint). In some embodiments, the prompt and other interface elements used by the second application program can be visually distinct from the interface provided by the first application program, such as to indicate to the user that a separate application is being used for authentication. In some such embodiments, the visually distinguishing features can convey the use of added security.
The second application program can receive the authentication data (for example, via encrypted transmission from the input device of the calculating equipment) and can execute the certification. In one embodiment, the second application program can execute the certification via issuer 106. In such an embodiment, the second application program can electronically transmit (for example, via the sending device of calculating equipment 102) the received authentication data and the primary account number to issuer 106. In such cases, the transmission can go directly to issuer 106, which can be identified via the primary account number, or can go to acquirer 108 and/or payment network 110, which can forward the authentication data to issuer 106. In many cases, the authentication data can be encrypted before being transmitted, to be decrypted by issuer 106. Issuer 106 can receive the authentication data and can authenticate it, such as by comparing it with data previously provided by the consumer and associated with the trading account. For example, issuer 106 can compare a fingerprint captured by calculating equipment 102 with a fingerprint previously registered to the trading account corresponding to the means of payment 104. Issuer 106 can then electronically send the result of the certification (for example, directly or via payment network 110 and/or acquirer 108) back to calculating equipment 102.
In some embodiments, calculating equipment 102 can electronically send the (for example, encrypted) primary account number to issuer 106 without authentication data. In such embodiments, issuer 106 can identify the previously registered authentication data associated with the trading account identified via the primary account number, and can return that authentication data to calculating equipment 102. Calculating equipment 102 can then compare the received authentication data with the authentication data entered by the consumer to generate an authentication result. In yet another embodiment, calculating equipment 102 can request authentication data directly from the means of payment 104 via the means-of-payment reading equipment, which can obtain the authentication data stored in the means of payment 104. In this embodiment, the means-of-payment reading equipment can read the authentication data from the means of payment 104 and transmit it to the second application program, which can then determine the authentication result based on it.
Once the second application program has identified the authentication result (for example, has determined it itself or received it from issuer 106), the second application program can supply the authentication result to the first application program. The first application program can then decide on that basis whether to continue the payment transaction. For example, if the authentication result is negative (for example, authentication failed), the first application program can prevent further processing of the payment transaction and can instruct the display device to notify the consumer of the authentication failure. If the authentication result is positive (for example, authentication succeeded), the first application program can submit the evidence for payment and other transaction data to payment network 110 for processing. In such cases, the evidence for payment and other transaction data (for example, transaction amount, transaction time, trade date, geographical location, product data, merchant data, quote data, bonus data, loyalty data, publisher data, receipts forms data, etc.) can be sent to payment network 110 directly via payment rails associated with payment network 110, or via acquirer 108. Acquirer 108 can be a financial institution (such as a merchant bank) or other entity configured to manage the trading account associated with the merchant to which the payment transaction is being made. In some embodiments, transmissions from calculating equipment 102 to payment network 110, or to any computing system, server or other back end and/or on to payment network 110, can be carried out in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
Payment network 110 can then process the payment transaction using conventional methods and systems. As part of the processing, payment network 110 can provide the evidence for payment and other transaction data to issuer 106, and issuer 106 can determine whether the transaction is approved or rejected based on criteria that will be apparent to those skilled in the relevant art. The processing result (for example, approval or rejection of the transaction) can be sent back electronically (for example, directly from payment network 110 or via acquirer 108) to calculating equipment 102. Calculating equipment 102 can show the result to the consumer via the docked display device, and can execute any additional functions as needed (for example, printing a receipt, updating a transaction record, etc.).
In some embodiments, calculating equipment 102 can be configured to encrypt data before transmission. For example, the evidence for payment read by calculating equipment 102 can be encrypted before the transaction data is transmitted to payment network 110 or other systems (for example, acquirer 108, a back-end server, etc.), so that only the intended recipient can decrypt the data. For example, payment network 110 can supply calculating equipment 102 with the public key of an encryption key pair for which payment network 110 possesses the corresponding private key. Calculating equipment 102 can use the public key to encrypt the evidence for payment, which can then be decrypted only with the private key possessed by payment network 110. In some cases, calculating equipment 102 and the other systems it communicates with (for example, payment network 110, acquirer 108, etc.) can use a mutual authentication process during connection setup, before any data is transmitted, to increase security. In some embodiments, payment network 110 or other back-end systems can require that calculating equipment 102 not be rooted (superuser privileges obtained) or jail-broken in order to participate in system 100, or can otherwise perform security checks to ensure that calculating equipment 102 is not compromised and meets any applicable safety standards. In some such embodiments, such checks can be performed as part of the mutual authentication process involving calculating equipment 102. In some cases, the certification of calculating equipment 102 can also or alternatively include verification or certification of the first application program and/or the second application program executed by calculating equipment 102.
Therefore, the method and system discussed herein enable calculating equipment 102 to be specially configured, using the second application program and the credible performing environment, to execute additional verification of a payment transaction in combination with the docked means-of-payment reading equipment and the associated application program. Accordingly, a conventional calculating equipment 102 equipped with a credible performing environment can be specially configured using the method and system discussed herein to process payment transactions with additional verification, without modifying existing means-of-payment reading equipment, while still allowing safer processing of payment transactions.
Calculating equipment
Fig. 2 shows an embodiment of calculating equipment 102 in system 100. It will be apparent to those skilled in the relevant art that the embodiment of calculating equipment 102 shown in Fig. 2 is provided only as an illustration and may not be exhaustive of all possible configurations of calculating equipment 102 suitable for performing the functions discussed herein. For example, computer system 600, shown in Fig. 6 and discussed in more detail below, can be a suitable configuration of calculating equipment 102.
Calculating equipment 102 may include receiving device 202. Receiving device 202 can be configured to receive data over one or more networks via one or more network protocols. In some cases, receiving device 202 can be configured to receive data from the means of payment 104, issuer 106, acquirer 108, payment network 110 and other systems and entities via one or more communication methods (radio frequency, local area network, wireless area network, cellular communication network, Bluetooth, the Internet, etc.). In some embodiments, receiving device 202 may comprise multiple devices, such as different receiving devices for receiving data over different networks, for example a first receiving device for receiving data over a local area network and a second receiving device for receiving data via the Internet. Receiving device 202 can receive electronically transmitted data signals, where data can be superimposed or otherwise encoded on the data signal and is decoded, parsed, read or otherwise obtained when receiving device 202 receives the data signal. In some cases, receiving device 202 may include a parsing module for parsing the received data signal to obtain the data superimposed on it. For example, receiving device 202 may include a parser program configured to receive the data signal and transform it into usable input for the functions performed by the processing device to carry out the methods and systems described herein.
Receiving device 202 can be configured to receive data signals electronically sent by issuer 106 via suitable communication networks and methods, these data signals being superimposed or otherwise encoded with authentication data and/or an authentication result. Receiving device 202 can also be configured to receive data signals electronically sent by acquirer 108 and/or payment network 110, which can be superimposed or otherwise encoded with a transaction message. A transaction message can be a specially formatted data message, formatted according to one or more standards governing the exchange of financial transaction messages (such as the International Organization for Standardization's ISO 8583 and ISO 20022 standards), and may include transaction data for a payment transaction, including a response code indicating the processing result of the related payment transaction.
Calculating equipment 102 can also include communication module 204. Communication module 204 can be configured to send data between the modules, engines, databases, memories and other components of calculating equipment 102 for use in performing the functions discussed herein. Communication module 204 may comprise one or more communication types and may use various communication methods for communication within the calculating equipment. For example, communication module 204 may comprise a bus, contact pin connectors, wires, etc. In some embodiments, communication module 204 can also be configured to communicate between internal components of calculating equipment 102 and external components of calculating equipment 102 (such as externally connected databases, display devices, input devices, etc.). Calculating equipment 102 can also include a processing device. The processing device can be configured to perform the functions of calculating equipment 102 discussed herein, as will be apparent to those skilled in the relevant art. In some embodiments, the processing device may include, and/or be composed of, multiple engines and/or modules specially configured to perform one or more functions of the processing device, such as an enquiry module, data identification module, generation module 18. As used herein, the term "module" can be software or hardware specifically programmed to receive input, perform one or more processes using the input, and provide output. Based on the present disclosure, the input, output and processes performed by the various modules will be apparent to those skilled in the art.
Calculating equipment 102 may include memory 206. Memory 206 can be configured to store data for use by calculating equipment 102 in performing the functions discussed herein, such as public and private keys, symmetric keys, etc. Memory 206 can be configured to store data using suitable data formatting methods and schemas, and can be any suitable type of memory, such as read-only memory, random access memory, etc. Memory 206 may include, for example, encryption keys and algorithms, communication protocols and standards, data formatting standards and protocols, program code for the modules of the processing device and for application programs, and other data that may be suitable for use by calculating equipment 102 in performing the functions disclosed herein, as will be apparent to those skilled in the relevant art. In some embodiments, memory 206 can be composed of, or can otherwise include, a relational database that uses structured query language for the storage, identification, modification, update, access, etc. of the structured data sets stored therein.
Memory 206 can be configured to store one or more first application programs 208. The first application program 208 can be configured to receive evidence for payment from the means of payment 104 and to perform functions associated with the processing and use of the evidence for payment in a payment transaction. The first application program 208 can also be configured to submit a certification request to the second application program 212 of calculating equipment 102, for additional verification in the payment transaction. In some such cases, the first application program 208 can identify when additional verification should be requested, which can be done based on criteria provided by issuer 106 and/or the means of payment 104; the criteria can be stored in memory 206. The program code for the first application program 208 can be stored in memory 206 and can be executed by the processing device of calculating equipment 102.
In some embodiments, calculating equipment 102 may include multiple first application programs 208, such as the N first application programs 208 shown in Fig. 2. In such embodiments, each first application program 208 can have a unique identification value associated with it, which may be included in the certification request submitted to the second application program 212. In some such embodiments, each first application program 208 can be authorized in advance by the entity associated with the second application program 212 in order to be allowed to request certification executed by the second application program 212. As discussed herein, the first application program 208 can be used in processing a payment transaction funded via the means of payment 104. However, the first application program 208 can also or alternatively be any program that can perform authentication of a user of calculating equipment 102 on behalf of the user of calculating equipment 102, which authentication can use third-party data (for example, in the example shown, data provided by the means of payment 104 or issuer 106). For example, a customs agency can have a first application program 208 for processing entrants to a country, where the second application program 208 can authenticate the visitor based on a presented identification, and where the authentication data can be stored in the presented identification (for example, a passport) or in an external computing system (for example, of the issuing government).
Calculating equipment 102 can also include credible performing environment 210. Credible performing environment 210 can be a distinct portion of memory 206, or can be a separate memory of calculating equipment 102. In some cases, credible performing environment 210 can be an individual hardware element of calculating equipment 102 (such as a safety element). Credible performing environment 210 can be hardware-based, or in some cases can be implemented in software. Credible performing environment 210 can be a secure area, where the data stored in the secure area is protected with respect to its confidentiality and integrity. In some cases, communications going to and coming from credible performing environment 210 can be subject to one or more protocols or standards specified for it, such as requiring a certain level of encryption for all incoming and outgoing communications.
Credible performing environment 210 can be configured to store the program code for the second application program 212, which can be executed by the processing device of calculating equipment 102. The second application program 212 can be configured to receive authentication data from the consumer; this authentication data can be received only by the second application program 212 and is forbidden from use by the first application program 208. The second application program 212 can also be configured to obtain authentication data and/or an authentication result from issuer 106 and to obtain authentication data from the means of payment 104. The second application program 212 can also be configured to determine the authentication result from the authentication data received from the consumer and from issuer 106 and/or the means of payment 104. In some embodiments, the second application program 212 may include a registry of authorized first application programs 208, which may include the unique identification value of each authorized first application program 208, and the second application program 212 can ensure that a first application program 208 is authorized before executing the certification requested by that first application program 208. In some cases, the second application program 212 can be configured to request authorization status from an external computing system and/or to receive authorization updates, as an alternative to the registry or for updating the registry.
Calculating equipment 102 can also include, or otherwise be docked with, one or more input devices 214. Input device 214 can be internal or external to calculating equipment 102, and can be connected to calculating equipment 102 via one or more connections (for example, wired or wireless) for transmitting data to and/or from calculating equipment 102. Input device 214 can be configured to receive input from the user of calculating equipment 102, and this input can be provided (for example, via communication module 204) to another module or engine of calculating equipment 102 to be processed accordingly. Input device 214 may include any kind of input device suitable for receiving input for performing the functions discussed herein, such as a keyboard, mouse, click wheel, scroll wheel, microphone, touch screen, track pad, camera, optical imager, etc. Input device 214 can be configured, for example, to receive authentication data entered by the consumer, such as a personal identification number, signature, biometric data, etc.
Calculating equipment 102 can also include, or otherwise be docked with, display equipment 216. Display equipment 216 can be internal or external to calculating equipment 102, and can be connected to calculating equipment 102 via one or more connections (for example, wired or wireless) for transmitting data to and/or from calculating equipment 102. Display equipment 216 can be configured to show data to the user of calculating equipment 102. Display equipment 216 can be any kind of display suitable for showing data as part of the functions discussed herein, such as a liquid crystal display, light-emitting diode display, thin-film transistor display, capacitive touch display, cathode-ray tube display, light projection display, etc. In some cases, calculating equipment 102 may include multiple display equipment 216. Display equipment 216 can be configured, for example, to show the consumer a prompt requesting that authentication data be supplied, which can also indicate the type of authentication data to be supplied. Display equipment 216 can also be configured to show the authentication result and/or the processing result of the payment transaction.
Calculating equipment 102 can also include tool reading equipment 218. Tool reading equipment 218 can be a device docked with calculating equipment 102 that is configured to read evidence for payment and other data from the means of payment 104. Tool reading equipment 218 can be internal to calculating equipment 102, or can be external and connected to calculating equipment 102 via a suitable physical or non-physical connection. Tool reading equipment 218 can be configured to read data encoded in a magnetic stripe, receive data electronically transmitted via an integrated circuit, receive data electronically transmitted via near-field communication, read data encoded in a displayed machine-readable code, or use any other suitable method for reading evidence for payment from the means of payment 104.
Calculating equipment 102 can also include sending device 220. Sending device 220 can be configured to send data over one or more networks via one or more network protocols. In some cases, sending device 220 can be configured to send data to the means of payment 104, acquirer 108, issuer 106, payment network 110 and other entities via one or more communication methods, such as local area network, wireless area network, cellular communication, Bluetooth, radio frequency, the Internet, etc. In some embodiments, sending device 220 may comprise multiple devices, such as different sending devices for sending data over different networks, for example a first sending device for sending data over a local area network and a second sending device for sending data via the Internet. Sending device 220 can electronically send data signals with superimposed data that can be parsed by the receiving calculating equipment. In some cases, sending device 220 may include one or more modules for superimposing, encoding or otherwise formatting data into data signals suitable for transmission.
Sending device 220 can be configured to electronically send a data signal (for example, via tool reading equipment 218) to the means of payment 104, the data signal being superimposed or otherwise encoded with a request for authentication data. Sending device 220 can also be configured (for example, as instructed by the second application program 212) to electronically send a data signal to issuer 106, the data signal being superimposed or otherwise encoded with a certification request, which may include the primary account number and authentication data. Sending device 220 can also be configured (for example, as instructed by the first application program 208) to electronically send a data signal to acquirer 108 and/or payment network 110, which can be superimposed or otherwise encoded with evidence for payment and other transaction data; the evidence for payment and other transaction data may be included in a transaction message formatted according to one or more standards (including the ISO 8583 and ISO 20022 standards).
First process for authenticating a payment transaction
Fig. 3 shows a first process for executing additional verification in a payment transaction using credible performing environment 210, in which the authentication result is determined by issuer 106.
In step 302, the first application program 208 of calculating equipment 102 can read evidence for payment from the means of payment 104 (for example, via tool reading equipment 218). The evidence for payment can include at least the primary account number and any other additional data that can be used in processing the payment transaction. The first application program 208 can read the evidence for payment and can determine that additional verification needs to be performed, such as based on criteria received from the associated issuer 106 (for example, as identified via the primary account number, such as using the issuer identification number included in it) and on the transaction data of the attempted payment transaction. In step 304, the first application program 208 can request that additional verification be executed by submitting a certification request to the second application program 212 of calculating equipment 102. The certification request can be encrypted, and can be sent using the appropriate protocol associated with credible performing environment 210.
In step 306, the second application program 212 can receive the certification request, which can be decrypted to identify the data it includes. The certification request can include at least the primary account number from the evidence for payment read by the first application program 208. In step 308, the second application program 212 can instruct the display equipment 216 docked with calculating equipment 102 to prompt the consumer to supply authentication data. In step 310, the second application program 212 can receive the authentication data entered into calculating equipment 102 by the consumer via the input device 214 docked with calculating equipment 102. In step 312, the second application program 212 can encrypt the primary account number and the entered authentication data, and can instruct the sending device 220 of calculating equipment 102 to electronically send the encrypted data to issuer 106, directly or via one or more intermediate entities (for example, acquirer 108, payment network 110, etc.).
In step 314, issuer 106 can receive the encrypted data, which can be decrypted on receipt to obtain the primary account number and the authentication data supplied by the consumer. In step 316, issuer 106 can authenticate the supplied authentication data, such as by comparing the authentication data with data registered to the trading account corresponding to the received primary account number, where the certification can produce a positive result if the data matches (for example, the supplied fingerprint matches the previously registered fingerprint) and a negative result if the data does not match (for example, the supplied personal identification number differs from the previously registered personal identification number). In step 318, issuer 106 can electronically send the authentication result to the second application program 212. In an exemplary embodiment, the result can be encrypted in accordance with the storage of the second application program in credible performing environment 210.
In step 320, the second application program 212 can receive (for example, and decrypt as needed) the authentication result. In step 322, the second application program 212 can forward the authentication result to the first application program 208. In step 324, the first application program 208 can receive the authentication result, which can then be used to resolve the payment transaction.
Second process for authenticating a payment transaction
Fig. 4 shows a second process for executing additional verification in a payment transaction using credible performing environment 210, in which the authentication result is determined by the second application program 212 using data provided by the means of payment 104.
In step 402, the means of payment 104 can provide evidence for payment to the first application program 208 of calculating equipment 102 via the tool reading equipment 218 docked with calculating equipment 102. The evidence for payment may include the primary account number and any additional data used in processing the payment transaction. In step 404, the first application program 208 can receive the evidence for payment and can determine that additional verification needs to be performed, such as based on criteria received from the associated issuer 106 (for example, as identified via the primary account number, such as using the issuer identification number included in it) and on the transaction data of the payment transaction being attempted. In step 406, the first application program 208 can request that additional verification be executed by submitting a certification request to the second application program 212 of calculating equipment 102. The certification request can be encrypted, and can be sent using the appropriate protocol associated with credible performing environment 210.
In step 408, the second application program 212 can receive the certification request, which can be decrypted to identify the data included in it. The certification request can include at least the primary account number included in the evidence for payment read by the first application program 208. In step 410, the second application program 212 can submit to the means of payment 104, via the tool reading equipment 218 of calculating equipment 102, a request for authentication data for use in the additional verification. In step 412, the means of payment 104 can receive the request. In step 414, the means of payment 104 can send the authentication data stored in the means of payment 104 to the second application program 212 via tool reading equipment 218. In step 416, the second application program 212 can receive the authentication data.
In step 418, the second application program 212 can indicate and calculate the display equipment 216 that equipment 102 docks and prompt Consumer supplies authentication data.At step 420, the second application program 212 can receive consumer via with calculate equipment 102 The input equipment 214 of docking is input to the authentication data calculated in equipment 102.In step 422, the second application program 212 can Will be compared from the received authentication data of the means of payment 104 with the authentication data of consumer entering, whether to determine data Matching, wherein this compares generation authentication result.In step 424, authentication result can be forwarded to by the second application program 212 One application program 208.In step 426, the first application program 208 can receive authentication result, and then the authentication result can be with It is used to solve payment transaction.
Exemplary method for authentication facilitated via a trusted execution environment
Fig. 5 shows a method 500 for authenticating a payment instrument for a payment transaction using multiple application programs, including an application program stored in a trusted execution environment of a computing device.
In step 502, payment credentials stored in a payment instrument (e.g., payment instrument 104) can be read by an instrument reading device (e.g., instrument reading device 218) interfaced with a computing device (e.g., computing device 102), wherein the payment credentials are electronically transmitted to a first application program (e.g., first application program 208) having program code stored in a first memory area (e.g., memory 206) of the computing device. In step 504, an authentication request can be electronically transmitted by the first application program of the computing device to a second application program (e.g., second application program 212) having program code stored in a trusted execution environment (e.g., trusted execution environment 210) of the computing device that is separate from the first memory area.
In step 506, a prompt for authentication data can be displayed by a display device (e.g., display device 216) interfaced with the computing device, based on an instruction supplied by the second application program. In step 508, authentication data can be received by an input device (e.g., input device 214) interfaced with the computing device, wherein the authentication data is electronically transmitted to the second application program.
In step 510, the received authentication data can be electronically transmitted by the second application program of the computing device to an external computing device (e.g., issuer 106, payment instrument 104, etc.). In step 512, an authentication result based on the transmitted authentication data can be received from the external computing device by the second application program of the computing device. In step 514, the authentication result can be electronically transmitted by the second application program of the computing device to the first application program in response to the authentication request.
In one embodiment, the received authentication data may not be sent to, or may not be accessible by, the first application program. In some embodiments, method 500 can also include encrypting, by the second application program of the computing device, the received authentication data prior to electronic transmission to the external computing device, wherein the received authentication data is encrypted using a private key of a key pair, the private key being stored in the trusted execution environment. In one embodiment, the prompt for authentication data can be visually distinct from displays based on data supplied by the first application program. In some embodiments, the authentication data may include at least one of: fingerprint data, retina scan data, facial scan data, voice recognition data, a personal identification number, and a username and password.
In one embodiment, the external computing device can be the payment instrument, and the communication between the payment instrument and the second application program can use the instrument reading device. In another embodiment, the communication between the payment instrument and the second application program can be encrypted. In some embodiments, second authentication data can be received in place of the authentication result, and the second application program of the computing device can be configured to generate the authentication result based on a comparison of the received authentication data with the second authentication data.
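The following added example (not part of the patent and not code from its applicant) simulates in Python the two flows described above: the Fig. 4 flow, where the second application program compares the entered data with authentication data read from the payment instrument, and the Fig. 5 flow, where an external computing device returns the authentication result. The class names, the `observed` log, the request identifier and the sample account number and PIN are assumptions constructed for illustration; encryption of the authentication request is not modelled.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:            # first app -> second app (steps 406 / 504)
    request_id: str
    pan: str


@dataclass(frozen=True)
class AuthResult:             # second app -> first app (steps 424 / 514)
    request_id: str
    authenticated: bool


class PaymentInstrument:
    """Stand-in for payment instrument 104 behind the reading device 218."""

    def __init__(self, pan: str, stored_auth_data: bytes):
        self._pan = pan
        self._stored = stored_auth_data

    def read_credentials(self) -> dict:               # step 402
        return {"pan": self._pan}

    def read_auth_data(self, pan: str) -> bytes:      # steps 410-414
        if pan != self._pan:
            raise LookupError("instrument does not hold this account")
        return self._stored


class Issuer:
    """Stand-in external computing device that returns only a result (Fig. 5)."""

    def __init__(self, records: dict):
        self._records = records

    def verify(self, pan: str, auth_data: bytes) -> bool:
        expected = self._records.get(pan)
        return expected is not None and hmac.compare_digest(expected, auth_data)


class TrustedApp:
    """Second application 212. Python cannot enforce the memory separation the
    TEE provides; the class only shows which values cross the boundary."""

    def __init__(self, prompt_user, external, compare_in_tee: bool):
        self._prompt_user = prompt_user     # display 216 / input 214, driven by the TEE
        self._external = external
        self._compare_in_tee = compare_in_tee

    def handle(self, request: AuthRequest) -> AuthResult:
        if self._compare_in_tee:
            # Fig. 4: fetch the reference ("second authentication data"), then compare.
            try:
                reference = self._external.read_auth_data(request.pan)
            except LookupError:
                return AuthResult(request.request_id, False)
            entered = self._prompt_user("Enter authentication data")   # steps 418-420
            ok = hmac.compare_digest(reference, entered)               # step 422
        else:
            # Fig. 5: forward the entered data and accept the external result.
            entered = self._prompt_user("Enter authentication data")   # steps 506-508
            ok = self._external.verify(request.pan, entered)           # steps 510-512
        return AuthResult(request.request_id, ok)


class FirstApp:
    """First application 208; `observed` records every value it ever receives."""

    def __init__(self, trusted_app: TrustedApp):
        self._tee = trusted_app
        self.observed = []

    def pay(self, instrument: PaymentInstrument) -> bool:
        creds = instrument.read_credentials()
        self.observed.append(creds)
        request = AuthRequest(secrets.token_hex(8), creds["pan"])
        result = self._tee.handle(request)
        self.observed.append(result)
        # Accept a result only if it answers the request that was just sent.
        return result.request_id == request.request_id and result.authenticated


def run_demo(entered: bytes, compare_in_tee: bool):
    pan, secret = "0000111122223333", b"PIN:4921"     # constructed sample values
    card = PaymentInstrument(pan, secret)
    external = card if compare_in_tee else Issuer({pan: secret})
    app = FirstApp(TrustedApp(lambda prompt: entered, external, compare_in_tee))
    return app.pay(card), app.observed


if __name__ == "__main__":
    for in_tee in (True, False):
        for attempt in (b"PIN:4921", b"PIN:0000"):
            approved, seen = run_demo(attempt, in_tee)
            print(in_tee, attempt, approved, seen)
```

In both modes the first application's log holds only the payment credentials and the authentication result, which is the property the embodiment about inaccessible authentication data describes.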
Computer system architecture
Fig. 6 shows a computer system 600 in which embodiments of the disclosure, or portions thereof, may be implemented as computer-readable code. For example, the computing device 102 of Fig. 1 may be implemented in the computer system 600 using hardware, software, firmware, non-transitory computer-readable media having instructions stored thereon, or a combination thereof, and may be implemented in one or more computer systems or other processing systems. Hardware, software, or any combination thereof may embody the modules and components used to implement the methods of Figs. 3-5.
If programmable logic is used, such logic may execute on a commercially available processing platform configured by executable software code to become a special-purpose computer or a special-purpose device (e.g., programmable logic array, application-specific integrated circuit, etc.). A person of ordinary skill in the art will appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, and pervasive or miniature computers that can be embedded into virtually any device. For example, at least one processor device and a memory may be used to implement the above-described embodiments.
A processor unit or device as discussed herein may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor "cores". The terms "computer program medium", "non-transitory computer-readable medium" and "computer usable medium" as discussed herein are used to refer generally to tangible media such as a removable storage unit 618, a removable storage unit 622, and a hard disk installed in hard disk drive 612.
Various embodiments of the disclosure are described in terms of this example computer system 600. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the disclosure using other computer systems and/or computer architectures. Although operations may be described as a sequential process, some of the operations may in fact be performed in parallel, concurrently, and/or in a distributed environment, with program code stored locally or remotely for access by single-processor or multi-processor machines. In addition, in some embodiments the order of operations may be rearranged without departing from the spirit of the disclosed subject matter.
Processor device 604 may be a special-purpose or a general-purpose processor device specifically configured to perform the functions discussed herein. The processor device 604 may be connected to a communications infrastructure 606, such as a bus, message queue, network, multi-core message-passing scheme, etc. The network may be any network suitable for performing the functions as disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof. Other suitable network types and configurations will be apparent to persons skilled in the relevant art. The computer system 600 may also include a main memory 608 (e.g., random access memory, read-only memory, etc.), and may also include a secondary memory 610. The secondary memory 610 may include the hard disk drive 612 and a removable storage drive 614, such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc.
The removable storage drive 614 may read from and/or write to the removable storage unit 618 in a well-known manner. The removable storage unit 618 may include a removable storage medium that can be read by and written to by the removable storage drive 614. For example, if the removable storage drive 614 is a floppy disk drive or universal serial bus port, the removable storage unit 618 may be a floppy disk or portable flash drive, respectively. In one embodiment, the removable storage unit 618 may be a non-transitory computer-readable recording medium.
In some embodiments, the secondary memory 610 may include alternative means for allowing computer programs or other instructions to be loaded into the computer system 600, for example, the removable storage unit 622 and an interface 620. Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and other removable storage units 622 and interfaces 620 as will be apparent to persons skilled in the relevant art.
Data stored in the computer system 600 (e.g., in the main memory 608 and/or the secondary memory 610) may be stored on any type of suitable computer-readable media, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive). The data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to persons skilled in the relevant art.
The computer system 600 may also include a communications interface 624. The communications interface 624 may be configured to allow software and data to be transferred between the computer system 600 and external devices. Exemplary communications interfaces 624 may include a modem, a network interface (e.g., an Ethernet card), a communications port, a PCMCIA slot and card, etc. Software and data transferred via the communications interface 624 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals as will be apparent to persons skilled in the relevant art. The signals may travel via a communications path 626, which may be configured to carry the signals and may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, a radio frequency link, etc.
The computer system 600 may further include a display interface 602. The display interface 602 may be configured to allow data to be transferred between the computer system 600 and an external display 630. Exemplary display interfaces 602 may include high-definition multimedia interface (HDMI), digital visual interface (DVI), video graphics array (VGA), etc. The display 630 may be any suitable type of display for displaying data transmitted via the display interface 602 of the computer system 600, including a cathode ray tube (CRT) display, liquid crystal display (LCD), light-emitting diode (LED) display, capacitive touch display, thin-film transistor (TFT) display, etc.
Computer program medium and computer usable medium may refer to memories, such as the main memory 608 and the secondary memory 610, which may be memory semiconductors (e.g., DRAMs, etc.). These computer program products may be means for providing software to the computer system 600. Computer programs (e.g., computer control logic) may be stored in the main memory 608 and/or the secondary memory 610. Computer programs may also be received via the communications interface 624. Such computer programs, when executed, may enable the computer system 600 to implement the methods discussed herein. In particular, the computer programs, when executed, may enable the processor device 604 to implement the methods illustrated by Figs. 3-5, as discussed herein. Accordingly, such computer programs may represent controllers of the computer system 600. Where the disclosure is implemented using software, the software may be stored in a computer program product and loaded into the computer system 600 using the removable storage drive 614, the interface 620, and the hard disk drive 612, or the communications interface 624.
The processor device 604 may comprise one or more modules or engines configured to perform the functions of the computer system 600. Each of the modules or engines may be implemented using hardware and, in some instances, may also utilize software, such as software corresponding to program code and/or programs stored in the main memory 608 or the secondary memory 610. In such instances, program code may be compiled by the processor device 604 (e.g., by a compiling module or engine) prior to execution by the hardware of the computer system 600. For example, the program code may be source code written in a programming language that is translated into a lower-level language, such as assembly language or machine code, for execution by the processor device 604 and/or any additional hardware components of the computer system 600. The process of compiling may include the use of lexical analysis, preprocessing, parsing, semantic analysis, syntax-directed translation, code generation, code optimization, and any other techniques that may be suitable for translating program code into a lower-level language suitable for controlling the computer system 600 to perform the functions disclosed herein. It will be apparent to persons skilled in the relevant art that such processes result in the computer system 600 being a specially configured computer system 600 uniquely programmed to perform the functions discussed above.
Techniques consistent with the disclosure provide, among other features, systems and methods for authentication facilitated via a trusted execution environment. While various exemplary embodiments of the disclosed system and method have been described above, it should be understood that they have been presented for purposes of example only, not limitation. The description is not exhaustive and does not limit the disclosure to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practicing of the disclosure, without departing from its breadth or scope.

Claims (16)

1. A method for authentication facilitated via a trusted execution environment, comprising:
reading, by an instrument reading device interfaced with a computing device, payment credentials stored in a payment instrument, wherein the payment credentials are electronically transmitted to a first application program having program code stored in a first memory area of the computing device;
electronically transmitting, by the first application program of the computing device, an authentication request to a second application program having program code stored in a trusted execution environment of the computing device separate from the first memory area;
displaying, by a display device interfaced with the computing device, a prompt for authentication data based on an instruction supplied by the second application program;
receiving, by an input device interfaced with the computing device, authentication data, wherein the authentication data is electronically transmitted to the second application program;
electronically transmitting, by the second application program of the computing device, the received authentication data to an external computing device;
receiving, by the second application program of the computing device, an authentication result based on the transmitted authentication data from the external computing device; and
electronically transmitting, by the second application program of the computing device, the authentication result to the first application program in response to the authentication request.
2. The method of claim 1, wherein the received authentication data is not sent to the first application program or is not accessible by the first application program.
3. The method of claim 1, further comprising:
encrypting, by the second application program of the computing device, the received authentication data prior to electronic transmission to the external computing device, wherein the received authentication data is encrypted using a private key of a key pair, the private key being stored in the trusted execution environment.
4. The method of claim 1, wherein
the external computing device is the payment instrument, and
communication between the payment instrument and the second application program uses the instrument reading device.
5. The method of claim 4, wherein the communication between the payment instrument and the second application program is encrypted.
6. The method of claim 1, wherein
second authentication data is received in place of the authentication result, and
the second application program of the computing device is configured to generate the authentication result based on a comparison of the received authentication data with the second authentication data.
7. The method of claim 1, wherein the prompt for authentication data is visually distinct from displays based on data supplied by the first application program.
8. The method of claim 1, wherein the authentication data includes at least one of: fingerprint data, retina scan data, facial scan data, voice recognition data, a personal identification number, and a username and password.
9. A system for authentication facilitated via a trusted execution environment, comprising:
an instrument reading device interfaced with a computing device, configured to read payment credentials stored in a payment instrument;
a first application program of the computing device, configured to receive the read payment credentials from the instrument reading device and to electronically transmit an authentication request to a second application program, wherein the first application program has program code stored in a first memory area of the computing device and the second application program has program code stored in a trusted execution environment of the computing device separate from the first memory area;
a display device interfaced with the computing device, configured to display a prompt for authentication data based on an instruction supplied by the second application program; and
an input device interfaced with the computing device, configured to receive authentication data, wherein the authentication data is electronically transmitted to the second application program, wherein
the second application program is configured to electronically transmit the received authentication data to an external computing device,
receive an authentication result based on the transmitted authentication data from the external computing device, and
electronically transmit the authentication result to the first application program in response to the authentication request.
10. The system of claim 9, wherein the received authentication data is not sent to the first application program or is not accessible by the first application program.
11. The system of claim 9, wherein the second application program of the computing device is further configured to encrypt the received authentication data prior to electronic transmission to the external computing device, wherein the received authentication data is encrypted using a private key of a key pair, the private key being stored in the trusted execution environment.
12. The system of claim 9, wherein
the external computing device is the payment instrument, and
communication between the payment instrument and the second application program uses the instrument reading device.
13. The system of claim 12, wherein the communication between the payment instrument and the second application program is encrypted.
14. The system of claim 9, wherein
second authentication data is received in place of the authentication result, and
the second application program of the computing device is configured to generate the authentication result based on a comparison of the received authentication data with the second authentication data.
15. The system of claim 9, wherein the prompt for authentication data is visually distinct from displays based on data supplied by the first application program.
16. The system of claim 9, wherein the authentication data includes at least one of: fingerprint data, retina scan data, facial scan data, voice recognition data, a personal identification number, and a username and password.
CN201880007991.2A 2017-01-23 2018-01-23 Method and system for authentication via trusted execution environment Active CN110199309B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201762449390P 2017-01-23 2017-01-23
US62/449,390 2017-01-23
PCT/US2018/014786 WO2018136914A1 (en) 2017-01-23 2018-01-23 Method and system for authentication via a trusted execution environment

Publications (2)

Publication Number Publication Date
CN110199309A true CN110199309A (en) 2019-09-03
CN110199309B CN110199309B (en) 2023-06-16

Family

ID=61148533

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880007991.2A Active CN110199309B (en) 2017-01-23 2018-01-23 Method and system for authentication via trusted execution environment

Country Status (6)

Country Link
US (1) US11244296B2 (en)
EP (1) EP3571652B1 (en)
CN (1) CN110199309B (en)
AU (1) AU2018210544B2 (en)
CA (1) CA3051246A1 (en)
WO (1) WO2018136914A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10552701B2 (en) * 2008-02-01 2020-02-04 Oath Inc. System and method for detecting the source of media content with application to business rules
US20090307140A1 (en) * 2008-06-06 2009-12-10 Upendra Mardikar Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
US8862767B2 (en) 2011-09-02 2014-10-14 Ebay Inc. Secure elements broker (SEB) for application communication channel selector optimization
CN111090865B (en) * 2019-12-17 2022-01-25 支付宝(杭州)信息技术有限公司 Secret key authorization method and system
US11347875B2 (en) * 2020-01-28 2022-05-31 Intel Corporation Cryptographic separation of memory on device with use in DMA protection

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8965281B2 (en) * 2006-04-05 2015-02-24 Nokia Corporation Mobile device with near field communication module and secure chip
US9317704B2 (en) * 2013-06-12 2016-04-19 Sequent Software, Inc. System and method for initially establishing and periodically confirming trust in a software application
KR102329258B1 (en) * 2014-10-28 2021-11-19 삼성전자주식회사 Apparatus and method for payment using a secure module
EP3262582B1 (en) * 2015-02-27 2021-03-17 Samsung Electronics Co., Ltd. Electronic device providing electronic payment function and operating method thereof
CN105897721B (en) 2016-05-03 2019-01-25 广州广电运通金融电子股份有限公司 Verify the method and device of fiscard user identity reliability

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160132861A1 (en) * 2012-02-29 2016-05-12 Mobeewave, Inc. Method, device and secure element for conducting a secured financial transaction on a device
CA2924683A1 (en) * 2013-09-20 2015-03-26 Visa International Service Association Secure remote payment transaction processing including consumer authentication
US20150088756A1 (en) * 2013-09-20 2015-03-26 Oleg Makhotin Secure Remote Payment Transaction Processing Including Consumer Authentication
CA2932346A1 (en) * 2013-12-02 2015-06-11 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113626777A (en) * 2020-05-08 2021-11-09 华为技术有限公司 Identity authentication method, storage medium and electronic device
CN113626777B (en) * 2020-05-08 2025-03-07 华为技术有限公司 Identity authentication method, storage medium and electronic device
CN115242478A (en) * 2022-07-15 2022-10-25 江苏保旺达软件技术有限公司 Method and device for improving data security, electronic equipment and storage medium
CN115242478B (en) * 2022-07-15 2024-01-02 江苏保旺达软件技术有限公司 Method and device for improving data security, electronic equipment and storage medium

Also Published As

Publication number Publication date
AU2018210544B2 (en) 2023-03-09
WO2018136914A1 (en) 2018-07-26
AU2018210544A1 (en) 2019-08-01
US20180211236A1 (en) 2018-07-26
EP3571652B1 (en) 2024-04-17
US11244296B2 (en) 2022-02-08
CN110199309B (en) 2023-06-16
CA3051246A1 (en) 2018-07-26
EP3571652A1 (en) 2019-11-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant