Mobile Technology Payment Methods

SECURE AND FRIENDLY PAYMENTS SYSTEM


Overview
CIDWAY’s patents in this area cover various payment-system methods with different features. Most of them use a portable device in the hands of the purchaser, which may be the purchaser's mobile phone or any other portable device. Also included is a case where the purchaser does not need to carry anything.
 
There is a need to accommodate the following situations:
  • Point-of-Sale (POS) terminal NOT available
  • Credit Card (CC) company network system NOT available
  • Internet network NOT available
  • Electric power NOT available
  • A person who is NOT at one location
  • “One-person” business
And accomplish the following:
  • Complete a CC transaction
  • Verify a CC transaction on-the-spot
  • At any location worldwide
  • Utilize strong security
  • Use the most advanced security technologies, referred to as digital signatures
  • Use the purchaser (p) and/or seller (s) mobile phones.


Payment Methods

1. Mobile (p) to Mobile (s)
The purchaser has a mobile phone and uses it to charge his credit or debit account, instead of using a conventional plastic card with a magnetic stripe.

The seller has a mobile phone and uses it, as the sole instrument, to complete a secure, verified, certified CC transaction.

The seller does not need a POS terminal, a CC network or electric power.

One characteristic common to most of the payment systems presented here is that they use the services of the system's Central Service (CS).


2. Mobile (p) to POS(s)
The seller has a conventional POS, able to read a conventional plastic card with a magnetic stripe.

The purchaser does not have a plastic CC for the CC account he wishes to charge.

The purchaser does have the application of this invention previously installed on his mobile phone.

For this case, there is an additional Adapter device that enables the seller to charge the purchaser's CC account using his conventional POS.

The Adapter:
– Captures the acoustic message generated by the purchaser's mobile phone, which carries the purchaser's digital signature encoded as sound
– Decodes the captured digital signature
– Transmits the decoded digital signature to the Central Service Server

The Central Service Server (CSS):
– Receives the digital signature belonging to the purchaser
– Checks and verifies the digital signature
– If the digital signature is genuine, identifies the purchaser by means of the respective X.509 certificate, whose serial number was included in the digital signature
– Stores the received digital signature
– Retrieves the purchaser’s CC account data and transmits it back to the Adapter


The Adapter is now in possession of all the purchaser's CC account data needed to write the received data, or parts of it, to the magnetic stripe of a conventional plastic card. The idea is to create a clone of a conventional plastic credit card corresponding to the purchaser's CC account.
Once the Adapter has written the received data to the card's magnetic stripe, the plastic card is extracted from the Adapter and is ready to be used in the seller's conventional POS as a standard plastic CC.
The POS reads the customer's CC/debit card data and completes the transaction as usual. The “clone” card is then returned to the Adapter and the magnetic stripe is erased.

3. Special POS case
We have also applied for a special POS able to capture the acoustic messages generated by the purchaser's mobile phone application of this invention.

This is a device with all the features and capabilities of a conventional POS which, in addition, is able to work with the mobile phone applications of this invention.

The special POS has means to capture an acoustic message, such as a microphone, and one or more CPUs. It transmits the message, together with the purchaser's and the seller's input, to the Central Service Server, so that the server can proceed as in the cases above: completing a CC transaction and returning a confirmation message to the special POS, preferably signed by the CSS.

Alternatively, the CSS verifies the purchaser's digital signature, identifies the purchaser, retrieves the purchaser's CC data and transmits the relevant data to the special POS, which completes the transaction.
In a preferred configuration, the CSS stores the received digital signatures as digital testimonies of the parties' willingness to carry out the specific transaction.

4. FORM Filler
It is an additional object of this invention to present a solution for on-line purchasing security problems such as identity theft.
It is a further aim of this invention to present a method and software for easing the cumbersome procedures currently used to complete an on-line transaction based on CC or debit cards.

We refer especially to the fact that, in most conventional cases, the purchaser must fill in a form with all the necessary information in order to enable the on-line transaction.

The method and software for on-line purchasing of this invention consist of the same purchaser’s mobile phone application as in the other cases above and, additionally, a software application that is easy to download onto the potential on-line purchaser's PC and effortless to install, like Microsoft's ActiveX technology.

Once installed on the on-line purchaser's PC, this software (ActiveX) is able, by means of the PC's microphone, to capture the acoustic message generated by the purchaser's mobile phone application, i.e. the acoustic message carrying the encoded-to-sound version of the purchaser's digital signature over the date and time and the transaction amount.
The same software (ActiveX) decodes the encoded digital signature and transmits it to the CSS. The CSS checks and verifies the received digital signature and, if it is true and accurate, identifies the purchaser, retrieves the purchaser's CC data as well as personal data (e.g. address data) from its database, and sends all the data needed to fill in the form to the purchaser's PC application (ActiveX).
The form is thus filled in automatically and conveniently by the application running on the PC.

5. Over-the-phone transactions
This case covers a customer who wishes to make an over-the-phone transaction using the purchaser’s mobile phone application of this invention.
We assume that the phone merchant is a participating merchant and has an on-line PC equipped with a microphone. The seller is not necessarily equipped with a POS, and although he uses a PC, this PC does not need to have any special application previously installed. The seller also needs nothing special on his mobile phone and can receive calls on any phone.
The customer picks up his mobile phone, calls the seller's number and, in due course, decides to buy a good or service (e.g. shares).
The seller, using his PC, goes to the CSS's site, enters his login name, his PIN and the transaction amount, and invites the customer to proceed with his purchaser's mobile phone application.
The customer selects the purchaser's mobile phone application, enters the PIN, enters the amount and presses "SEND by phone".
The purchaser's mobile phone application generates a digital signature over the time stamp and the amount, encodes it as sound (an acoustic digital signature) and sends it through the voice channel.
The seller brings his mobile phone close to the PC's microphone.
The PC captures the acoustic digital signature sent by the customer, decodes it and transmits it to the Platform's Server.
The Server, acting as a POS, transmits the transaction data to the CC company network for approval and, if everything is in order, the CC company returns a confirmation number to the Server.

 
6. Pre-Authorization Notification (PAN)
It is a further object of this invention to present a method to pre-announce to the purchaser's CC issuer or, alternatively, to the purchaser's bank or, in general, to the entity which manages the purchaser's account, the intention of the true account owner to complete a specific transaction. By this we mean that the true and authorized account owner, having identified himself by means of his/her digital signature over the time and date as well as the amount and type of the transaction, has let the CSS server know of his willingness to complete a transaction in any of the cases mentioned above.
It is worth noting that the PAN is a valid option for all the cases presented here and strongly increases the security of using a CC for any transaction, on-the-spot, over-the-net or over-the-phone and, in general, any transaction where the account manager (e.g. the issuer, the bank, etc.) does not see the account owner.
Consequently, requesting the PAN for some or all of the transactions on a particular account will strongly increase the security of that account.
This security strengthening applies to any remote transaction where the entity which knows the account owner, usually the bank that manages the account, enables remote transactions.
For all these cases, the PAN proves to be a clear-cut security solution because the account manager may freeze the account and reject any transaction attempt of the types named above if he has not received the CSS's notification of the perfectly secure and non-repudiable identification of the account owner, based on digital signature technologies.

7. Not Disruptive
We refer here to remote transactions in which an entity such as a bank manages a customer’s account, and in which the account owner instructs the account manager to pay or withdraw money from that account from a location remote from the account manager.
To clarify this case, take as an example a conventional remote transaction: a customer of a bank (the account manager) using an ATM to withdraw money.
As stated above, the method presented here is not disruptive, i.e. it does not change anything substantial in the way the given remote transaction is carried out, but adds a pre-authorization notification step (PAN step) to the procedure currently in use.
Therefore, for this ATM case, the procedure is as follows: before withdrawing money from the ATM as usual, the customer picks up his mobile phone and selects the PAN application, which was previously installed on his mobile phone. Once activated, the PAN application offers a menu of possible remote transactions.
For this case the customer selects the ATM icon.
The application asks the customer to enter the upper limit of the transaction amount (e.g. 100). Once it is entered, the application computes a time-stamped digital signature over the amount and the type of transaction, ATM in this case. The application also encodes the digital signature as sound and places a call to the IVR system working in conjunction with a Server. This Server, preferably located at the account manager's facilities, receives the digital signature, checks its validity and, if everything is in order, prepares a document, digitally signed by the Server, stating the customer’s willingness, as verified by the Server, to carry out an ATM transaction up to the upper limit within a short period of time. We refer to this Server-signed document as a Digital Testimony. The Server then transmits the Digital Testimony to the account manager (the customer’s bank mainframe, the CC issuer platform, etc.).
The customer then proceeds with the remote transaction as usual: in this case he inserts his plastic CC in the ATM, enters his PIN, etc., exactly as is done today.

Application to CC purchasing
Take now the example of a CC-based on-line transaction where the on-line merchant is a non-participating merchant, i.e. a merchant which does not know about the existence of the PAN method.
The customer buys from such a merchant as he does today, with no change of procedure. Before completing the transaction, however, if the type and amount of the transaction fall within the category of restricted transactions under the agreement between the customer and the account manager, the customer adds a pre-authorization notification step (PAN step) to the procedure currently in use. The procedure is therefore as follows: before completing the transaction as usual, the customer picks up his mobile phone and selects the PAN application, which was previously installed on his mobile phone. Once activated, the PAN application offers a menu of possible remote transactions.
For this case the customer selects the “CC on-line” icon.
The application asks the customer to enter the upper limit of the transaction amount (e.g. 150). Once it is entered, the application computes a time-stamped digital signature over the amount and the type of transaction, CC on-line in this case. The application places a call to the IVR system working in conjunction with a Server and also encodes the digital signature as sound. This Server, preferably located at the facilities of the account manager (e.g. the CC or debit card issuer), receives the digital signature, checks its validity and, if everything is in order, prepares a document, digitally signed by the Server, stating the customer’s willingness, as verified by the Server, to carry out a CC transaction up to the upper limit within a short period of time. We refer to this Server-signed document as a Digital Testimony. The Server then transmits the Digital Testimony to the account manager (the customer’s bank mainframe, the CC issuer platform, etc.).
The customer then proceeds with the remote transaction as usual.
In this way, it is possible:
  • to overcome the security problems of ATM transactions without the cooperation of the ATM owners,
  • to overcome the security problems of CC on-line transactions without the cooperation of the on-line merchants, and without the need to join forces with the CC companies,
  • to overcome the security problems of CC on-the-spot transactions without the cooperation of the acquirers, the issuers or the POS owners,
  • to overcome the security problems of checks without the need to change anything,
  • to overcome the security problems of on-line banking without the need for a secure computer,
  • to overcome the security problems of phone banking without the cooperation of the over-the-phone merchants (e.g. the customer can send his pre-authorization to the bank through any on-line PC while calling the over-the-phone merchant).
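
The PAN step of this section, sketched in Go as an added example; it is not CIDWAY's code. Ed25519 stands in for the unspecified signature scheme, and the message encoding, the 120-second skew, the 600-second testimony window and all names are assumptions; the acoustic/IVR transport and the X.509 lookup are left out.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// PreAuth is what the phone application signs (the encoding is assumed).
type PreAuth struct {
	Type  string // transaction type chosen in the menu, e.g. "ATM"
	Limit uint64 // upper limit of the amount
	Unix  int64  // time stamp, in seconds
}
func (p PreAuth) bytes() []byte { return []byte(fmt.Sprintf("PAN|%q|%d|%d", p.Type, p.Limit, p.Unix)) }

// Testimony is the server-signed statement forwarded to the account manager.
type Testimony struct {
	Pre     PreAuth
	Expires int64
	Sig     []byte
}
func (t Testimony) bytes() []byte { return []byte(fmt.Sprintf("DT|%s|%d", t.Pre.bytes(), t.Expires)) }

const maxSkew, window = 120, 600 // seconds; assumed values

// Issue is the server step: check the customer's signature and its freshness,
// then sign a Digital Testimony that is valid for a short window.
func Issue(srv ed25519.PrivateKey, cust ed25519.PublicKey, p PreAuth, sig []byte, now int64) (Testimony, error) {
	if !ed25519.Verify(cust, p.bytes(), sig) {
		return Testimony{}, errors.New("invalid customer signature")
	}
	if d := now - p.Unix; d < -maxSkew || d > maxSkew {
		return Testimony{}, errors.New("time stamp outside accepted skew")
	}
	t := Testimony{Pre: p, Expires: now + window}
	t.Sig = ed25519.Sign(srv, t.bytes())
	return t, nil
}

// Approve is the account manager's check before releasing a restricted transaction.
func Approve(srvPub ed25519.PublicKey, t Testimony, txType string, amount uint64, now int64) bool {
	return ed25519.Verify(srvPub, t.bytes(), t.Sig) && now <= t.Expires &&
		txType == t.Pre.Type && amount <= t.Pre.Limit
}

// Demo runs the ATM case (upper limit 100) with constructed keys and values.
func Demo() ([4]bool, error) {
	custPub, custKey, _ := ed25519.GenerateKey(nil)
	srvPub, srvKey, _ := ed25519.GenerateKey(nil)
	now := int64(1700000000) // constructed clock value
	p := PreAuth{"ATM", 100, now}
	t, err := Issue(srvKey, custPub, p, ed25519.Sign(custKey, p.bytes()), now)
	forged := Testimony{PreAuth{"ATM", 5000, now}, t.Expires, t.Sig} // limit altered after signing
	return [4]bool{Approve(srvPub, t, "ATM", 80, now+60), // inside limit and window
		Approve(srvPub, t, "ATM", 150, now+60),       // above the upper limit
		Approve(srvPub, t, "ATM", 80, now+window+1),  // window elapsed
		Approve(srvPub, forged, "ATM", 4000, now+60)}, err // server signature no longer matches
}

func main() { fmt.Println(Demo()) }
```

The sketch does not track signatures it has already accepted; a server that stores received signatures, as the CSS does, can also refuse a repeat of the same one inside the skew window.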

8. Oral means
It is a further objective of this invention to present a payment method in which the customer is equipped with a portable device able to store and, eventually, to transmit by means of a given technology (e.g. Bluetooth, infrared, etc.) a specially modified X.509 certificate. This specially modified X.509 certificate is the bit encoding of a declaration stating, amongst other things, that one precise CC account, included in the declaration, belongs to the owner of a given voiceprint, also included in the declaration, which was created by means of a given “speaker identification” technology under certain agreed-upon conditions. Additionally, the declaration must be digitally signed by a Trusted Third Party (e.g. a certification authority).
In simpler words, the modified X.509 of this invention is a digitally signed document associating a CC account with a voiceprint; this link therefore becomes unmalleable and impossible to corrupt, due to the digital signature.
In this way the customer can charge his CC account and pay with no means other than the portable device, which carries and transmits the special X.509, and his verbal commands. No other person can charge the account, because that person's voice will be, in principle, different from the voice of the true owner; consequently the computed voiceprint will differ from the signed one, and the Bio POS will reject the transaction.

9. Purchaser does not need to carry anything
It is an additional objective of this invention to present a payment method by which the customer does not need to bring or carry any portable device or material gadget in order to charge his CC account.
According to this method, there is a special X.509 repository or database which stores all the special X.509 certificates, each as described above. The Bio POS described above is connected to this repository in such a way that it can retrieve a copy of any desired special X.509.

10. Anti-phishing features
The payment methods described in this invention may further benefit from the “anti-phishing” features described in US patent number US 6,957,185, granted to the author of this application. The server, after receiving the customer's digital signature, authenticates itself to the customer and/or the seller by generating and transmitting a variable code specific to each transaction (i.e. to each received digital signature). The server transmits the seller’s transaction-specific code to the seller and, through the seller, the customer’s transaction-specific code to the customer. Each of them, or preferably one of them, compares the received variable code with the one displayed by their respective cellular phone application of this invention. If the customer compares the variable code received after sending the digital signature over the type of transaction and amount, and finds that this one-time code is identical to the one shown on his mobile phone display, he can be sure that he is dealing with his true service provider and not with a phished service. The same can be said for the seller. It is practically impossible for a phisher or a phished server to guess the number the purchaser’s mobile phone application will display after sending the digital signature. Only the CSS knows how to compute this one-time code.




