Magnetic stripe cards are often used today for conducting transactions such as debit and credit payments. Such payment cards store information in “tracks”—commonly denoted as “Track 1,” “Track 2,” and “Track 3”—on the magnetic stripe. When such payment cards are swiped through a card reader, data from the tracks is sent over a network to complete a transaction. Such cards typically also include an authentication value printed on the card and an authentication value (which is usually different from the printed value) stored in the magnetic stripe, both of which help to protect against fraud. On a typical MasterCard™ card, the authentication value stored in the magnetic stripe is called CVC1, and the printed authentication value is called CVC2. The printed authentication value does not get transferred to carbon copy paper when a magnetic stripe card is run through an imprinter to make a mechanical copy of the card. Because of this, a duplicate of the card cannot readily be made from the account information transferred to a sales slip (i.e., account number, cardholder name, and expiration date). For telephone or internet purchases where a purchaser is not in the presence of a merchant, the printed value is especially useful to protect against fraud because only the person in possession of the card can verify the printed value to the merchant.
When a transaction involving a magnetic stripe card is conducted using a terminal, the terminal reads the information stored on at least one of the tracks of the credit card. Currently, most terminals read Track 1 and/or Track 2 of the magnetic stripe. The tracks are formatted according to standards promulgated by the International Organization for Standardization (ISO). The relevant ISO standards specify the required data elements to be included on the tracks including, for example, the credit card holder's primary account number, a service or country code, the account holder's name, and a longitudinal redundancy check value. In addition to the foregoing specified data elements, the relevant ISO standards also reserve a data field for use at the discretion of the card issuer. This field is called the “discretionary data field.” Card issuers typically store an authentication value in the discretionary data field. On MasterCard cards, the CVC1 value is stored in the discretionary data field.
Unfortunately, the static nature of a conventional authentication value (whether printed or stored in the magnetic stripe) increases the risk of fraud, because if an unauthorized person obtains the account information and the printed authentication value, that person has all the information required to fabricate a duplicate card.
One approach to reducing the risk of fraud is to use smart cards or integrated circuit cards, which include internal processing functionality, to produce dynamic authentication values. To date, however, smart card technology has used digital signature schemes based on public key cryptography techniques. Such an approach is costly and inconvenient because it requires cards and terminals that must perform cryptographic functions and requires management of public keys. Furthermore, this approach requires the costly modification of and/or addition to the existing payment network infrastructure that currently exists, because the existing infrastructure has been designed for processing magnetic stripe payment cards.
A need therefore exists for better, more cost-effective security for payment card transactions.
This invention addresses the above-described drawbacks of the prior art by using a dynamic authentication value—preferably generated cryptographically—which is placed in the discretionary data field of a an ISO standard track (preferably, Track 1 and/or Track 2) data field by a proximity device or by a terminal, and is transmitted from the terminal to the issuer of the card or other proximity device being used to conduct a transaction. Along with the dynamic authentication value, the discretionary data field also includes other data to be used by an issuer for verifying the transaction. Preferably, the dynamic authentication value is not the same as the static authentication printed on a magnetic stripe card, but instead, changes with each transaction. As a result, even if an unauthorized person obtains an authentication value used for a particular transaction, the unauthorized person could not use that authentication value for other transactions. Furthermore, because the authentication data is stored in an already-defined field of Track 1 and/or Track 2 in the specified binary coded decimal (BCD) format, the existing payment card network infrastructure can be used with little or no modification.
In accordance with one aspect of the present, a transaction is conducted using a proximity device by the following steps: dynamically generating a first authentication value; transmitting the first authentication value from the proximity device to a terminal; including the first authentication value in a discretionary data field of message data, the message data being arranged in an ISO format; and transmitting the message data from the terminal for verification. Preferably, the message is arranged in an ISO Track 1 or ISO Track 2 format.
In accordance with an additional aspect of the present invention, a transaction is conducted using a proximity device by the following steps: generating a random number; transmitting an authentication command contactlessly from the terminal to the proximity device, the authentication command including the random number; dynamically generating first authentication value using a first authentication key by the proximity device to derive the first authentication value from data comprising at least the random number; transmitting the first authentication value from the proximity device to a terminal; including the first authentication value in a discretionary data field of message data, the message data being arranged in a format including at least one of an ISO Track 1 and an ISO Track 2 format; transmitting the message data from the terminal to an issuer; calculating a second authentication value by an issuer using a second authentication key and the message data; and comparing the second authentication value to the first authentication value by the issuer.
Further objects, features, and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying figures showing illustrative embodiments of the invention.
While the subject invention will now be described in detail with reference to the figures, it is done so in connection with the illustrative embodiments. It is intended that changes and modifications can be made to the described embodiments without departing from the true scope and spirit of the subject invention as defined by the appended claims.
The layout of exemplary data arranged in ISO Track I format is illustrated in
The layout of exemplary data arranged in ISO Track 2 format is illustrated in
The proximity device 102 preferably supports various features, such as an authentication key, a secure messaging key to write to memory areas that are protected, and a manufacturer cryptographic key. The manufacturer cryptographic key allows an issuer to securely load the authentication key, the secure messaging key, and payment related data. Single and double length cryptographic keys should be also supported. The proximity device 102 preferably protects data written to the device memory against deletion or modification, and prohibits the external reading of memory locations containing a cryptographic key. The proximity device 102 should also maintain a binary counter, preferably having at least 15 bits, and should increase the counter (step 608) every time the authenticate command is presented (step 606) to the device 102. The device 102 can implement ISO communication interface Type A, Type B, or both. These well-known interface types are described in ISO/IEC 14443 parts 1-4, which are incorporated herein by reference.
Preferably, the terminal 106 is configured to be capable of reading a magnetic stripe card as well as a proximity device 102. For a device containing both a magnetic stripe and a proximity chip 103, the terminal 106 should first try to perform the transaction using the proximity chip reader, and should use the magnetic stripe if there is an error in communicating with the chip.
At least two commands are typically used to send data from the terminal 106 to the proximity device 102, a select command and an authenticate command. Other commands can also be used, such as the well-known Europay Mastercard Visa (EMV) “get processing options” command. The select command is used to select a proximity chip payment application. The authenticate command initiates computation of the dynamic authentication code within the proximity device. The response to the authenticate command from the device 102 can contain Track 2 formatted data, the device serial number, and transaction flags.
The preferred method of calculating the dynamic authentication value is the well known DES technique. The proximity device 102 preferably calculates the dynamic authentication by the following steps, as depicted in
Preferably, the proximity chip 103 converts the proximity chip counter (15-bit) to BCD using the following steps. First, the chip selects the leftmost 3 bits of the counter, adds a zero bit to the left, and converts the result to BCD. Next, the chip selects the next 3 bits of the counter, adds a zero bit to the left and converts the result to BCD. The chip performs the second step an additional 3 times to translate the 15 bit counter to 5 BCD characters. If the above described procedure is used for converting the counter to BCD, each BCD digit will range from 0 to 7. This procedure is beneficial for simplifying the implementation of the hardware and/or software required to convert to BCD in a reduced functionality proximity device. Alternately the counter in the proximity chip 103 can itself be in BCD format, in which case the same format is preferably used in the issuer host system. A BCD-encoded counter makes it possible to increase the size of the maximum counter value to 99,999 in the chip using decimal counting (5 BCD characters, 4 bits per character using only BCD 0-9 characters), although this typically requires more processing logic in the chip.
The proximity device 102 replaces the discretionary data field 312 of Track 2 with the random number (5 BCD) field 502, the proximity chip counter (5 BCD) field 504, and the dynamic authentication value (3 or more BCD) field 506. The proximity device 102 returns the Track 2 data to the terminal 106 in the response to the authenticate command (step 616). The Track 2 data (maximum 19 ‘8 bit’ binary bytes) may be TLV (Tag Length Value) coded (Tag=“57”). The Track 2 data is assembled as follows, using 4-bit BCD values. A start sentinel is followed by the primary account number (up to 16 BCD). This is followed by a field separator, which may be Hex. ‘D’. This is followed by an expiration date, which may be 4 BCD in the format of YYMM. This can be followed by a service code (3 BCD). This may be followed by the dynamic discretionary data (13 or more BCD). The discretionary data can include the random number (5 BCD), followed by the proximity chip counter (5 BCD), followed by the dynamic authentication value. The dynamic authentication value may be 3 BCD when account number is 16 digits, but it can be greater than 3 BCD if account number is less than 16 digits. The discretionary data maybe followed by an end sentinel and a longitudinal redundancy check. Thus, while the discretionary data field used on a traditional magnetic stripe card merely contains enough characters to fill out the maximum record length of Track 2 (40 characters total) and is generally not verified during a transaction, the discretionary data field used with a proximity device in the illustrated example contains a dynamic authentication value in the discretionary data of Track 2 used for authentication of the device.
Some proximity chip manufacturers may not be able to produce a reduced functionality device that supports a DES algorithm. In such cases, a proprietary method can be used to calculate the device dynamic authentication value. Preferably, such a proprietary method should have the following features. A proven proprietary cryptographic algorithm should be used. The proximity chip counter should have a minimum of 15 bits in length. The random number should be 5 digits (5 BCD). The primary account number, the expiry date, the service code, the proximity chip counter, and the random number should be included in the calculation of the dynamic authentication value. The dynamic authentication value should have a minimum of 3 BCD characters. The proximity device 102 should be able to replace the Track 2 discretionary data 306 with the random number, the proximity chip counter, and dynamic authentication value (minimum 3 BCD). The device 102 should return the whole Track 2 data, the proximity device serial number and proximity device transaction flags and other device data. The random number, the proximity device proximity chip counter, and proximity device generated dynamic authentication value should fit in the discretionary data field 312 of the Track 2 data sent to a terminal 106.
Although the preferred method of calculating the dynamic authentication value is the DES method, PKI can also be used.
Each proximity chip authentication key is preferably unique and is preferably derived from a Master Derivation Key protected by the issuer. The Master Derivation Key should be a double length key. Derivation of proximity chip keys should preferably be done in a secure cryptographic device. The encryption function preferably uses the primary account number and the master derivation key to derive the proximity chip authentication key. When a double length proximity chip authentication key is used, the second part of the key should be derived by complementing each bit of the primary account number (1 bits changed to 0, 0 bits changed to 1) before the encryption process.
Even if the issuer uses a proprietary authentication method, the key derivation process should still be similar to the method described above. The device authentication key preferably has a minimum of 48 bits (64 for DES). The bit size doubles for a double length device key.
Upon receipt of an authorization request, the issuer performs the following steps. The issuer determines if the request originates from a proximity device 102, in order to initiate processing specific to proximity devices (step 802). The issuer can do this by a decoding data element (61 position 10) which the terminal would set to a value of ‘7’ to indicate that the request originated from a proximity device that the terminal has read. Alternately, or in addition, the issuer can list into the cardholder database the primary account numbers assigned to the proximity device 102. The issuer host system should, for each proximity device 102, keep track of the proximity chip counter and verify that the proximity chip counter received is the next sequential number (step 804). Verification of the proximity chip counter can be used to prevent transaction replay. Repeated counter values can also indicate that previously used proximity chip Track 2 data has been fraudulently obtained and is now being used by an unauthorized person. Using a proximity chip authentication key, the issuer calculates the proximity device dynamic authentication value as described above using the primary account number, expiry date, service code from the received Track 2, and the authentication data (proximity chip counter, random number) in the Track 2 discretionary field (step 808). The issuer compares the calculated dynamic authentication value to the one in the proximity device Track 2 discretionary data field (step 810) and either accepts (step 812) or rejects (814) the transaction. The issuer can process the authorization as a magnetic stripe authorization when the dynamic authentication value is successfully verified.
Derivation of proximity chip keys and verification of the dynamic authentication value should preferably be done in a secure cryptographic device, such as a host security module.
It will be appreciated by those skilled in the art that the methods of
Memory unit 1050 can include different types of memory, such as volatile and non-volatile memory and read-only and programmable memory. For example, as shown in
Software defined by
The elements of the processing section 910 can be included on a proximity chip 103. A coprocessor 1060 can be used to provide an enhanced ability to perform complex computations in real time, such as those required for DES and PKI encryption. The ROM 1052 preferably comprises a secure ROM which stores the first authentication key.
While there have been described what are believed to be the preferred embodiments of the present invention, those skilled in the art will recognize that other and further changes and modifications may be made thereto without departing from the spirit of the invention, and it is intended to claim all such changes and modifications as fall within the true scope of the invention. For example, specific calculations for the dynamic authentication value have been shown for an embodiment with a Track 2 layout but the invention is also applicable to a Track I layout.
This application claims priority to U.S. provisional application 60/365,737 filed on Mar. 19, 2002, entitled “Proximity Chip Payment Specification,” which is hereby incorporated by reference.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US03/08377 | 3/19/2003 | WO |
Number | Date | Country | |
---|---|---|---|
60365737 | Mar 2002 | US |