WO1998005011A2

WO1998005011A2 - A system, method and article of manufacture for secure, stored value transactions over an open communication network utilizing an extensible, flexible architecture

Info

Publication number: WO1998005011A2
Application number: PCT/US1997/013673
Authority: WO
Inventors: Kevin T. B. Rowney
Original assignee: Verifone, Inc.
Priority date: 1996-07-31
Filing date: 1997-07-31
Publication date: 1998-02-05
Also published as: AU3906497A; EP0923769A2; WO1998005011A3

Abstract

An architecture that provides a server that communicates bidirectionally with a gateway over a first communication link, over which service requests flow to the server for one or more merchants and/or consumers is disclosed. Service requests are associated with a particular merchant based on storefront visited by a consumer or credentials presented by a merchant. Service requests result in merchant specific transactions that are transmitted to the gateway for further processing on existing host applications. By presenting the appropriate credentials, the merchant could utilize any other computer attached to the Internet utilizing a SSL or SET protocol to query the vPOS system remotely and obtain capture information, payment administration information, inventory control information, audit information and process customer satisfaction information. Secure transmission of a value transfer protocol transaction is provided between a plurality of computer systems over a public communication system, such as the Internet. A connection is created between two computer systems using a public network, such as the Internet, to connect the computers. Then, digital certificates and a digital signature are exchanged to ensure that both parties are who they say they are. Finally, the two smart cards involved in a transaction are read by individual computers connected utilizing the network, and the value transfer protocol is executed over the secured network. The value transfer protocol facilitates the exchange of money between the two smart cards.

Description

A SYSTEM, METHOD AND ARTICLE OF MANUFACTURE FOR

SECURE, STORED VALUE TRANSACTIONS OVER AN OPEN COMMUNICATION

NETWORK UTILIZING AN EXTENSIBLE, FLEXIBLE ARCHITECTURE

Field Of The Invention

The present invention relates to the secure, electronic payment in exchange for goods and services purchased over a communication network, and more specifically, to a system, method and article of manufacture for securely transmitting value transfers from one smart card to another smart card over an open, communication network utilizing a flexible, extensible architecture.

The present invention relates to an electronic representation of a monetary system for implementing electronic money payments as an alternative medium of economic exchange to cash, checks, credit and debit cards, and electronic funds transfer. The Electronic-Monetary System is a hybrid of currency, check, card payment systems, and electronic funds transfer systems, possessing many of the benefits of these systems with few of their limitations. The system utilizes electronic representations of money which are designed to be universally accepted and exchanged as economic value by subscribers of the monetary system.

Today, approximately 350 billion coin and currency transactions occur between individuals and institutions every year. The extensive use of coin and currency transactions has limited the automation of individual transactions such as purchases, fares, and bank account deposits and withdrawals. Individual cash transactions are burdened by the need to have the correct amount of cash or providing change therefor. Furthermore, the handling and managing of paper cash and coins is inconvenient, costly and time consuming for both individuals and financial institutions.

Although checks may be written for any specific amount up to the amount available in the account, checks have very limited transferability and must be supplied from a physical inventory. Paper-based checking systems do not offer sufficient relief from the limitations of cash transactions, sharing many of the inconveniences of handling currency while adding the inherent delays associated with processing checks To this end, economic exchange has stπven for greater convenience at a lower cost, while also seeking improved security

Automation has achieved some of these qualities for large transactions through computerized electronic funds transfer ( 'EFT") systems Electronic funds transfer is essentially a process of value exchange achieved through the banking system s centralized computer transactions. EFT services are a transfer of payments utilizing electronic ' checks, which are used primarily by large commercial organizations

The Clearing House (ACH) where a user can enter a pre-authoπzed code and download information with billing occurring later, and a Point Of Sale (POS) system where a transaction is processed by connecting with a central computer for authorization for the transaction granted or denied immediately are examples of EFT systems that are utilized bv retail and commercial organizations However, the payments made through these types of EFT systems are limited in that they cannot be performed without the banking system Moreover, ACH transactions usually cannot be performed duπng off business hours

Home Banking bill payment services are examples of an EFT system used by individuals to make payments from a home computer Currently, home banking initiatives have found few customers Of the banks that have offered services for payments, account transfers and information over the telephone lines using personal computers, less than one percent of the bank s customers are using the service One reason that Home Banking has not been a successful product is because the customer cannot deposit and withdraw money as needed in this type of system

Current EFT systems, credit cards, or debit cards, which are used in conjunction with an online system to transfer money between accounts, such as between the account of a merchant and that of a customer, cannot satisfy the need for an automated transaction system providing an ergonomic interface Examples of EFT systems which provide non-ergonomic interfaces are disclosed in US Patents Numbers 5,476,259, 5,459,304, 5,452,352, 5,448,045, 5,478,993, 5,455,407, 5,453,601 , 5,465,291 , and 5,485,510 To implement an automated, convenient transaction that can dispense some form of economic value, there has been a trend towards off-line payments For example, numerous ideas have been proposed for some form of "electronic money" that can be used m cashless payment transactions as alternatives to the traditional currency and check tvpes of payment systems See U S. Pat No 4,977,595, entitled "METHOD AND APPARATUS FOR IMPLEMENTING ELECTRONIC CASH, and U S. Pat. No. 4,305,059, entitled "MODULAR FUNDS TRANSFER SYSTEM

The more well known techniques include magnetic stnpe cards purchased for a given amount and from which a prepaid value can be deducted for specific purposes Upon exhaustion of the economic value, the cards are thrown away Other examples include memorv cards or so called smart cards which are capable of repetitively stoπng information representing value that is likewise deducted for specific purposes.

It is desirable for a computer operated under the control of a merchant to obtain information offered by a customer and transmitted by a computer operating under the control of the customer over a publicly accessible packet-switched network (e.g., the Internet) to the computer operating under the control of the merchant, without nsking the exposure of the information to interception by third parties that have access to the network, and to assure that the information is from an authentic source It is further desirable for the merchant to transmit information, including a subset of the information provided by the customer, over such a network to a payment gateway computer system that is designated, by a bank or other financial institution that has the responsibility of providing payment on behalf of the customer, to authorize a commercial transaction on behalf of such a financial institution, without the nsk of exposing that information to interception by third parties Such institutions include, for example, financial institutions offeπng credit or debit card services

One such attempt to provide such a secure transmission channel is a secure payment technology such as Secure Electronic Transaction (hereinafter SET' ), jointly developed by the Visa and MasterCard card associations, and descπbed m Visa and MasterCard s Secure

Electronic Transaction (SET) Specification, February 23, 1996, hereby incorporated by reference Other such secure payment technologies include Secure Transaction Technology ("STT"), Secure Electronic Payments Protocol ("SEPP"), Internet Keyed Payments ("lKP"), Net Trust, and Cybercash Credit Payment Protocol. One of ordinary skill in the art readily comprehends that any of the secure payment technologies can be substituted for the SET protocol without undue expeπmentation. Such secure payment technologies require the customer to operate software that is compliant with the secure payment technology, interacting with third-party certification authoπties, thereby allowing the customer to transmit encoded information to a merchant, some of which may be decoded by the meicnant. and some which can be decoded only by a payment gateway specified by the customer

Another such attempt to provide such a secure transmission channel is a general-purpose secure communication protocol such as Netscape, Inc s Secure Sockets Layer (hereinafter "SSL") , as descπbed m Freier, Karlton & Kocher (hereinafter "Freier"), The SSL Protocol Version 3.0, March 1996, and hereby incorporated by reference SSL provides a means for secure transmission between two computers. SSL has the advantage that it does not require special- purpose software to be installed on the customer's computer because it is already incorporated into widely available software that many people utilize as their standard Internet access medium, and does not require that the customer interact with any third-party certification authoπty. Instead, the support for SSL may be incorporated into software already in use by the customer, e.g., the Netscape Navigator World Wide Web browsing tool. However, although a computer on an SSL connection may initiate a second SSL connection to another computer, a drawback to the SSL approach is each SSL connection supports only a two-computer connection Therefore, SSL does not provide a mechanism for transmitting encoded information to a merchant for retransmission to a payment gateway such that a subset of the information is readable to the payment gateway but not to the merchant Although SSL allows for robustly secure two-party data transmission, it does not meet the ultimate need of the electronic commerce market for robustly secure three party data transmission. Other examples of general-purpose secure communication protocols incjude Pπvate Communications Technology ("PCT") from Microsoft, Inc., Secure Hyper-Text Transport Protocol ("SHTTF) from Teπsa Systems, Shen, Kerberos, Photuπs, Pretty Good Pπvacy {'PGP which meets the IPSEC cπteπa One of ordinary skill in the art readily comprehends that anv of the general-purpose secure communication protocols can be substituted for the SSL transmission protocol without undue expeπmentation. Banks desire an Internet payment solution that emulates existing Point of Sale (POS) applications that are currently installed on their host computers, and require minimal changes to their host systems. This is a critical requirement since any downtime for a banks host computer system represents an enormous expense. Currently, VeriFone supports over fourteen hundred different payment-related applications. The large number of applications is necessary to accommodate a wide variety of host message formats, diverse methods for communicating to a variety of hosts with different dial-up and direct-connect schemes, and different certification around the world. In addition, there are a wide variety of business processes that dictate how a Point of Sale (POS) terminal queries a user for data and subsequently displays the data. Also, various vertical market segments, such as hotels, car rental agencies, restaurants, retail sales, mail sales / telephone sales require interfaces for different types of data to be entered, and provide different discount rates to merchants for complying with various data types. Moreover, a plethora of report generation mechanisms and formats are utilized by merchants that banking organizations work with.

Banks are unwilling to converge on "standards" since convergence would facilitate switching from one acquiring bank to another by merchants. In general, banks desire to increase the cost that a merchant incurs in switching from one acquiring bank to another acquiring bank. This is accomplished by supplying a merchant with a terminal that only communicates utilizing the bank's proprietary protocol, and by providing other value-added services that a merchant may not be able to obtain at another bank.

Internet-based payment solutions require additional security measures that are not found in conventional POS terminals. This additional requirement is necessitated because Internet communication is done over publicly-accessible, unsecured communication line in stark contrast to the private, secure, dedicated phone or leased line service utilized between a traditional merchant and an acquiring bank. Thus, it is critical that any solution utilizing the Internet for a communication backbone, employ some form of cryptography.

As discussed above, the current state-of-the-art in Internet based payment processing is a protocol referred to as SET. Since the SET messages are uniform across all implementations, banks cannot differentiate themselves in any reasonable way. Also, since SET is not a proper superset of all protocols utilized today, there are bank protocols which cannot be mapped or translated into SET because they require data elements for which SET has no placeholder. Further, SET only handles the message types directly related to authorizing and capturing credit card transactions and adjustments to these authorizations or captures. In a typical POS terminal in the physical world, these messages comprise almost the entire volume of the total number of messages between the merchant and the authorizing bank, but only half of the total number of different message types. These message types, which are used infrequently, but which are critical to the operation of the POS terminal must be supported for proper transaction processing.

Recently, the Internet was proposed as a communication medium connecting personal computers with specialized reader hardware for facilitating reading and writing to smart cards. However, the Internet is not a secure communication medium and value transfer was not secured. Thus, a solution was necessary to shore up the Internet with secure value transfer processing to facilitate smart card processing over the Internet. In addition, support was required to ensure that no third party could hijack a value transfer transaction. This would occur if someone diverted the transaction before it even started. In the prior art face-to-face solution, both parties can confirm the other party's identity. However, the Internet separates the parties with miles of wire.

SUMMARY OF THE INVENTION

According to a broad aspect of a preferred embodiment of the invention, secure transmission of a value transfer protocol transaction is provided between a plurality of computer systems over a public communication system, such as the Internet. A connection is created between two computer systems using a public network, such as the Internet, to connect the computers. Then, digital certificates and a digital signature are exchanged to ensure that both parties are who they say they are. Finally, the two smart cards involved in a transaction are read by individual computers connected utilizing the network, and the value transfer protocol is executed over the secured network. The value transfer protocol facilitates the exchange of money between the two smart cards. DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects and advantages are better understood from the following detailed descπption of a preferred embodiment of the invention with reference to the drawings, m which:

Figure 1A is a block diagram of a representative hardware environment in accordance with a preferred embodiment;

Figure IB depicts an overview in accordance with a preferred embodiment;

Figure IC is a block diagram of the system in accordance with a preferred embodiment,

Figure 2 depicts a more detailed view of a customer computer system in communication with merchant system under the Secure Sockets Layer protocol in accordance with a preferred embodiment;

Figure 3 depicts an overview of the method of securely supplying payment information to a payment gateway in order to obtain payment authorization in accordance with a preferred embodiment;

Figure 4 depicts the detailed steps of generating and transmitting a payment authorization request in accordance with a preferred embodiment;

Figures 5A through 5F depict views of the payment authorization request and its component parts m accordance with a preferred embodiment;

Figures 6A and 6B depict the detailed steps of processing a payment authorization request and generating and transmitting a payment authorization request response in accordance with a preferred embodiment; Figures 7A through 7J depict views of the payment authorization response and its component parts in accordance with a preferred embodiment;

Figure 8 depicts the detailed steps of processing a payment authorization response in accordance with a preferred embodiment;

Figure 9 depicts an overview of the method of securely supplying pavment capture information to a payment gateway in accordance with a preferred embodiment;

Figure 10 depicts the detailed steps of generating and transmitting a payment capture request in accordance with a preferred embodiment,

Figures 11 A through 1 IF depict views of the payment capture request and its component parts in accordance with a preferred embodiment;

Figures 12A and 12B depict the detailed steps of processing a payment capture request and generating and transmitting a payment capture request response in accordance with a preferred embodiment;

Figures 13A through 13F depict views of the payment capture response and its component parts in accordance with a preferred embodiment;

Figure 14 depicts the detailed steps of processing a payment capture response in accordance with a preferred embodiment;

Figure 15A fit 15B depicts transaction processing of merchant and consumer transactions in accordance with a preferred embodiment;

Figure 16 illustrates a transaction class hierarchy block diagram in accordance with a preferred embodiment,

Figure 17 shows a typical message flow between the merchant, vPOS terminal and the Gateway in accordance with a preferred embodiment, Figures 18A-E are block diagrams of the extended SET architecture in accordance with a preferred embodiment,

Figure 19 is a flowchart of vPOS merchant pay customization in accordance with a preferred embodiment,

Figures 20A-20H are block diagrams and flowcharts setting forth the detailed logic of thread processing in accordance with a preferred embodiment,

Figure 21 is a detailed diagram of a multithreaded gateway engine m accordance with a preferred embodiment,

Figure 22 is a flow diagram in accordance with a preferred embodiment, Figure 23 illustrates a Gateway's role in a network m accordance with a preferred embodiment,

Figure 24 is a block diagram of the Gateway in accordance with a preferred embodiment,

Figure 25 is a block diagrεun of the vPOS Terminal Architecture m accordance with a preferred embodiment,

Figure 26 is an architecture block diagram in accordance with a preferred embodiment,

Figure 27 is a block diagram of the payment manager architecture in accordance with a preferred embodiment,

Figure 28 is a Consumer Payment Message Sequence Diagram m accordance with a preferred embodiment of the invention,

Figure 29 is an illustration of a certificate issuance form in accordance with a preferred embodiment, Figure 30 illustrates a certificate issuance response in accordance with a preferred embodiment,

Figure 31 illustrates a collection of payment instrument holders in accordance with a preferred embodiment,

Figure 32 illustrates the default payment instrument bitmap in accordance with a preferred embodiment,

Figure 33 illustrates a selected payment instrument with a fill in the blanks for the cardholder in accordance with a preferred embodiment,

Figure 34 illustrates a coffee purchase utilizing the newly defined VISA carα in accordance with a preferred embodiment of the invention,

Figure 35 is a flowchart of conditional authorization of payment in accordance with a preferred embodiment;

Figures 36-48 are screen displays in accordance with a preferred embodiment,

Figure 49 shows how the vPOS authenticates an incoming response to a request in accordance with a preferred embodiment,

Figure 50 is a flowchart for the merchant interaction with the Test Gateway in accordance -with a preferred embodiment,

Figures 51-61 are flowcharts depicting the detailed logic oi the gateway in accordance with a preferred embodiment,

Figure 62 is the main administration display for the Gateway in accordance with a preferred embodiment, Figure 63 is a configuration panel in accordance with a preferred embodiment.

Figure 64 is a host communication display for facilitating communication between the gateway and the acquirer payment host in accordance with a preferred embodiment;

Figure 65 is a Services display in accordance with a preferred embodiment;

Figure 66 is a graphical representation of the gateway transaction database in accordance with a preferred embodiment; and

Figure 67 illustrates a payment architecture in accordance with a preferred embodiment.

DETAILED DESCRIPTION A preferred embodiment of a system in accordance with the present invention is preferably practiced in the context of a personal computer such as the IBM PS/2, Apple Macintosh computer or UNIX based workstation. A representative hardware environment is depicted in Figure 1A, which illustrates a typical hardware configuration of a workstation in accordance with a preferred embodiment having a central processing unit 10, such as a microprocessor, and a number of other units interconnected via a system bus 12. The workstation shown in Figure 1A includes a Random Access Memory (RAM) 14, Read Only Memory (ROM) 16, an I/O adapter 18 for connecting peripheral devices such as disk storage units 20 to the bus 12, a user interface adapter 22 for connecting a keyboard 24, a mouse 26. a speaker 28, a microphone 32, and /or other user interface devices such as a touch screen (not shown) to the bus 12, communication adapter 34 for connecting the workstation to a communication network (e.g., a data processing network) and a display adapter 36 for connecting the bus 12 to a display device 38. The workstation typically has resident thereon an operating system such as the Microsoft Windows NT or Windows/95 Operating System (OS), the IBM OS/2 operating system, the MAC OS, or UNIX operating system. Those skilled in the art will appreciate that the present invention may also be implemented on platforms and operating systems other than those mentioned. A preferred embodiment is written using JAVA, C, and the C++ language and utilizes object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications. As OOP moves toward the mainstream of software design and development, various software solutions require adaptation to make use of the benefits of OOP. A need exists for these principles of OOP to be applied to a messaging interface of an electronic messaging system such that a set of OOP classes and objects for the messaging interface can be provided.

OOP is a process of developing computer software using objects, including the steps of analyzing the problem, designing the system, and constructing the program. An object is a software package that contains both data and a collection of related structures and procedures.

Since it contains both data and a collection of structures and procedures, it can be visualized as a self-sufficient component that does not require other additional structures, procedures or data to perform its specific task. OOP, therefore, views a computer program as a collection of largely autonomous components, called objects, each of which is responsible for a specific task.

This concept of packaging data, structures, and procedures together in one component or module is called encapsulation.

In general, OOP components are reusable software modules which present an interface that conforms to an object model and which are accessed at run-time through a component integration architecture. A component integration architecture is a set of architecture mechanisms which allow software modules in different process spaces to utilize each others capabilities or functions. This is generally done by assuming a common component object model on which to build the architecture.

It is worthwhile to differentiate between an object and a class of objects at this point. An object is a single instance of the class of objects, which is often just called a class. A class of objects can be viewed as a blueprint, from which many objects can be formed.

OOP allows the programmer to create an object that is a part of another object. For example, the object representing a piston engine is said to have a composition-relationship with the object representing a piston. In reality, a piston engine comprises a piston, valves and many other components, the fact that a piston is an element of a piston engine can be logically and semantically represented in OOP by two objects.

OOP also allows creation of an object that "depends from" another object If there are two objects, one representing a piston engine and the other representing a piston engine wherein the piston is made of ceramic, then the relationship between th<^v two objects is not that of composiuon A ceramic piston engine does not make up a piston engine Rather it is merely one kind of piston engine that has one more limitation than the piston engine; its piston is made of ceramic In this case, the object representing the ceramic piston engine is called a deπved object, and it inheπts all of the aspects of the object representing the piston engine and adds further limitation or detail to it The object representing the ceramic piston engine "depends from" the object representing the piston engine The relationship between these objects is called mheπtance

When the object or class representing the ceramic piston engine inheπts all of the aspects of the objects representing the piston engine, it inheπts the thermal characteπstics of a standard piston defined in the piston engine class However, the ceramic piston engine object overπdes these ceramic specific thermal characteπstics, which are typically different from those associated with a metal piston It skips over the oπginal and uses new functions related to ceramic pistons Different kinds of piston engines have different characteπstics, but may have the same underlying functions associated with it (e.g., how many pistons in the engine, ignition sequences, lubπcation, etc ) To access each of these functions in any piston engine object, a programmer would call the same functions with the same names, but each type of piston engine may have different /overπding implementations of functions behind the same name This ability to hide different implementations of a function bemnd the same name is called polymorphism and it greatly simplifies communication among obiects

With the concepts of composition-relationship, encapsulation, neπtance and polymorphism, an object can represent just about anything in the real world. In fact, our logical perception of the reality is the only limit on determining the kinds of things that can become objects in object-oπented software. Some typical categoπes are as follows Objects can represent physical objects, such as automobiles in a traffic-flow simulation, electπcal components in a circuit-design program, countπes in an economics model, or aircraft in an air-traffic-control system

Objects can represent elements of the computer-user environment such as windows, menus or graphics objects.

An object can represent an inventory, such as a personnel file or a table of the latitudes and longitudes of cities.

An object can represent user-defined data types such as time, angles, and complex numbers, or points on the plane.

With this enormous capability of an object to represent just about any logically separable matters, OOP allows the software developer to design and implement a computer program that is a model of some aspects of reality, whether that reality is a physical entity, a process, a system, or a composition of matter. Since the object can represent anything, the software developer can create an object which can be used as a component in a larger software project in the future.

If 90% of a new OOP software program consists of proven, existing components made from preexisting reusable objects, then only the remaining 10% of the new software project has to be wπtten and tested from scratch Since 90% already came from an inventory of extensively tested reusable objects, the potential domain from which an error could oπgmate is 10% of the program. As a result, OOP enables software developers to build objects out of other, previously built, objects

This process closely resembles complex machinery being built out of assemblies and sub- assemblies OOP technology, therefore, makes software engineeπng more like hardware engineenng in that software is built from existing components, which are available to the developer as objects. All this adds up to an improved quality of the software as well as an increased speed of its development

Programming languages are beginning to fully support the OOP pπnciples, such as encapsulation, mhentance, polymorphism, and composition-relationship. With the advent of the C++ language, many commercial software developers have embraced OOP. C++ is an OOP language that offers a fast, machine-executable code. Furthermore, C++ is suitable for both commercial-application and systems- programming projects. For now, C++ appears to be the most popular choice among many OOP programmers, but there is a host of other OOP languages, such as Smalltalk, common lisp object system (CLOS), and Eiffel. Additionally, OOP capabilities are being added to more traditional popular computer programming languages such as Pascal.

The benefits of object classes can be summarized, as follows

Objects and their corresponding classes break down complex programming problems into many smaller, simpler problems.

Encapsulation enforces data abstraction through the organization of data into small, independent objects that can communicate with each other. Encapsulation protects the data in an object from accidental damage, but allows other objects to interact with that data by calling the object's member functions and structures. _ Subclassing and inheπtance make it possible to extend and modify objects through deπving new kinds of objects from the standard classes available in the system. Thus, new capabilities are created without having to start from scratch. Polymorphism and multiple inheritance make it possible for different programmers to mix and match characteristics of many different classes and create specialized objects that can still work with related objects in predictable ways.

Class hierarchies and containment hierarchies provide a flexible mechanism for modeling real-world objects and the relationships among them

Libraries of reusable classes are useful in many situations, but they also have some limitations. For example: _ Complexity. In a complex system, the class hierarchies lor relared classes can become extremely confusing, with many dozens or even hundreds of classes. Flow of control. A program wπtten with the aid of class libraries is still responsible for the flow of control (i.e., it must control the interactions among .all the objects created from a particular library). The programmer nas to decide which functions to call at what times for which kinds of objects.

Duplication of effort. Although class libranes allow programmers to use and reuse many small pieces of code, each programmer puts those pieces together in a different way. Two different programmers can use the same set of class libraries to write two programs that do exactly the same thing but whose internal structure (i.e. , design) may be quite different, depending on hundreds of small decisions each programmer makes along the way. Inevitably, similar pieces of code end up doing similar things in slightly different ways and do not work as well together as they should.

Class libraries are very flexible. As programs grow more complex, more programmers are forced to reinvent basic solutions to basic problems over and over again. A relatively new extension of the class library concept is to have a framework of class libraries. This framework is more complex and consists of significant collections of collaborating classes that capture both the small scale patterns and major mechanisms that implement the common requirements and design in a specific application domain. They were first developed to free application programmers from the chores involved in displaying menus, windows, dialog boxes, and other standard user interface elements for personal computers.

Frameworks also represent a change in the way programmers think about the interaction between the code they write and code written by others. In the early days of procedural programming, the programmer called libraries provided by the operating system to perform certain tasks, but basically the program executed down the page from start to finish, and the programmer was solely responsible for the flow of control. This was appropriate for printing out paychecks, calculating a mathematical table, or solving other problems with a program that executed in just one way.

The development of graphical user interfaces began to turn this procedural programming arrangement inside out. These interfaces allow the user, rather than program logic, to drive the program and decide when certain actions should be performed. Today, most personal computer software accomplishes this by means of an event loop which monitors the mouse, keyboard, and other sources of external events and calls the appropriate parts of the programmer's code according to actions that the user performs. The programmer no longer determines the order in which events occur. Instead, a program is divided into separate pieces that are called at unpredictable times and in an unpredictable order. By relinquishing control in this way to users, the developer creates a program that is much easier to use. Nevertheless, individual pieces of the program wπtten by the developer still call hbraπes provided by the operating system to accomplish certain tasks, and the programmer must still determine the flow of control within each piece after it's called by the event loop Application code still "sits on top of the system

Even event loop programs require programmers to wπte a lot of code that should not need to be wπtten separately for every application. The concept of an application framework carπes the event loop concept further Instead of dealing with all the nuts and bolts of constructing basic menus, windows, and dialog boxes and then making these things all work together, programmers using application frameworks start with working application code and basic user interface elements in place Subsequently, they build from there by replacing some of the geneπc capabilities of the framework with the specific capabilities of the intended apphcation

Application frameworks reduce the total amount of code that a programmer has to wπte from scratch However, because the framework is really a geneπc application that displays windows, supports copy and paste, and so on, the programmer can also relinquish control to a greater degree than event loop programs permit. The framework code takes care of almost all event handling and flow of control, and the programmer's code is called only when the framework needs it (e.g , to create or manipulate a propπetary data structure)

A programmer wnting a framework program not only relinquishes control to the user (as is also true for event loop programs), but also relinquishes the detailed flow of control within the program to the framework This approach allows the creation of more complex systems that work together m interesting ways, as opposed to isolated programs, having custom code, being created over and over again for similar problems.

Thus, as is explained above, a framework basically is a collection of cooperating classes that make up a reusable design solution for a given problem domain It typically includes objects that provide default behavior (e.g., for menus and windows), and programmers use it by inheπting some of that default behavior and ovemdmg other behavior so that the framework calls application code at the appropπate times. There are three mam differences between frameworks and class hbranes _ Behavior versus protocol. Class libraries are essentially collections of behaviors that you can call when you want those individual behaviors in your program. A framework, on the other hand, provides not only behavior but also the protocol or set of rules that govern the ways in which behaviors can be combined, including rules for what a programmer is supposed to provide versus what the framework provides.

Call versus override. With a class library, the code the programmer instantiates objects and calls their member functions. It's possible to instantiate and call objects in the same way with a framework (i.e., to treat the framework as a class library), but to take full advantage of a framework's reusable design, a programmer typically writes code that overrides and is called by the framework. The framework manages the flow of control among its objects. Writing a program involves dividing responsibilities among the various pieces of software that are called by the framework rather than specifying how the different pieces should work together. Implementation versus design. With class libraries, programmers reuse only implementations, whereas with frameworks, they reuse design. A framework embodies the way a family of related programs or pieces of software work. It represents a generic design solution that can be adapted to a variety of specific problems in a given domain. For example, a single framework can embody the way a user interface works, even though two different user interfaces created with the same framework might solve quite different interface problems.

Thus, through the development of frameworks for solutions to various problems and programming tasks, significant reductions in the design and development effort for software can be achieved. A preferred embodiment of the invention utilizes HyperText Markup Language (HTML) to implement documents on the Internet together with a general-purpose secure communication protocol for a transport medium between the client and the merchant. HTTP or other protocols could be readily substituted for HTML without undue experimentation. Information on these products is available in T. Berners-Lee, D. Connoly, "RFC 1866: Hypertext Markup Language - 2.0" (Nov. 1995); and R. Fielding, H, Frystyk, T. Berners-Lee, J. Gettys and J.C. Mogul, "Hypertext Transfer Protocol - HTTP/ 1.1: HTTP Working Group Internet Draft" (May 2, 1996). HTML is a simple data format used to create hypertext documents that are portable from one platform to another. HTML documents are SGML documents with generic semantics that are appropπate for representing information from a wide range of domains. HTML has been in use by the World-Wide Web global information initiative since 1990. HTML is an application of ISO Standard 8879: 1986 Information Processing Text and Office Systems; Standard Generalized Markup Language (SGML).

To date, Web development tools have been limited in their ability to create dynamic Web applications which span from client to server and mteroperate with existing computing resources. Until recently, HTML has been the dominant technology- used in development of Web-based solutions. However, HTML has proven to be inadequate m the following areas: o Poor performance; o Restπcted user interface capabilities; o Can only produce static Web pages; o Lack of interoperability with existing applications and data; and o Inability to scale.

Sun Microsystem's Java language solves many of the client-side problems by: o Improving performance on the client side; o Enabling the creation of dynamic, real-time Web applications; and o Providing the ability to create a wide vaπety of user interface components.

With Java, developers can create robust User Interface (UI) components Custom "widgets" (e.g. real-time stock tickers, animated icons, etc.) can be created, and client-side performance is improved. Unlike HTML, Java supports the notion of client-side validation, offloading appropπate processing onto the client for improved performance Dynamic, real-time Web pages can be created. Using the above-mentioned custom UI components, dynamic Web pages can also be created.

Sun's Java language has emerged as an industry-recognizeα langua e for "programming the Internet." Sun defines Java as: "a simple, object-onented. distπbuteα, interpreted, robust, secure, architecture-neutral, portable, high-performance, muluthreaded, dynamic, buzzword- compliant, general-purpose programming language. Java supports programming for the Internet in the form of platform-independent Java applets." Java applets are small, specialized applications that comply with Sun s Java Application Programming Interface (API) allowing developers to add ' interactive content ' to Web documents (e g simple animations, page adornments, basic games, etc ) Applets execute within a Java-compatible browser (e g Netscape Navigator) by copying code from the server to client From a language standpoint, Java's core feature set is based on C++ Sun s Java literature states that Java is basically "C++, with extensions from Objective C for more dynamic method resolution

Another technology that provides similar function to JAVA is provided by Microsoft and ActiveX Technologies, to give developers and Web designers wherewithal to build dynamic content for the Internet and personal computers ActiveX includes tools for developing animation, 3-D virtual reality, video and other multimedia content The tools use Internet standards, work on multiple platforms, and are being supported by over 100 companies The group s building blocks are called ActiveX Controls, small, fast components that enable developers to embed parts of software in hypertext markup language (HTML) pages ActiveX Controls work with a vaπetv of programming languages including Microsoft Visual C++, Borland Delphi, Microsoft Visual Basic programming system and, in the future, Microsoft's development tool for Java, code named "Jakarta ActiveX Technologies also includes ActiveX Server Framework, allowing developers to create server applications. One of ordinary skill in the art readily recognizes that ActiveX could be substituted for JAVA without undue expeπmentation to practice the invention

Figure IB depicts an overview of the present invention Customer computer system 120 is in communication with merchant computer system 130 The customer-merchant session 150 operates under a general-purpose secure communication protocol such as the SSL protocol Merchant computer system 130 is additionally in communication with payment gateway computer system 140 A payment gateway is a system that provides electronic commerce services in support of a bank or other financial institution, and that interfaces to the financial institution to support the authorization and capture of transactions The customer-institution session 170 operates under a vaπant of a secure payment technology such as the SET protocol, as descπbed herem, referred to as Merchant-Ongmated Secure Electronic Transactions ( 'MOSET ), as is more fully descπbed herein

Customer-to-Merchant Communication Figure 2 depicts a more detailed view of customer computer system 120 in communication with merchant system 130 using customer-merchant session 150 operating under the SSL protocol as documented in Freier and incorporated by reference

Customer computer system 120 initiates communication with merchant computer system 130 using any well-known access protocol, e.g , Transmission Control Protocol/ Internet Protocol ("TCP/IP") A descπption of TCP/IP is provided in Information Sciences Institute, Transmission Control Protocol DARPA Internet Program Protocol Specification (RFC 793)" (September, 1981), and Information Sciences Institute, "Internet Protocol DARPA Internet Program Protocol Specification (RFC 791)" (September, 1981). In this implementation, customer computer system 120 acts as a client and merchant computer system 130 acts as a server

Customer computer system 120 initiates communication by sending client hello' message 210 to the merchant computer system 130 When a client first connects to a server it is required to send the client hello message 210 as its first message. The client can also send a client hello message 210 in response to a hello request on its own initiative in order to renegotiate the secuπty parameters in an existing connection. The client hello message includes a random structure, which is used later in the protocol. Specifically, the random structure includes the current time and date in standard UNIX 32-bit format according to the sender s internal clock and twenty-eight bytes of data generated by a secure random number generator The client hello message 210 further includes a variable length session identifier If not empty, the session identifier value identifies a session between the same client and server whose secuπty parameters the client wishes to reuse. The session identifier may be from an earlier connection, the current connection, or another currently active connection It is useful to specify the current connection if the client only wishes to update the random structures and deπved values of a connection It is useful to specify another currently active connection if the client wishes to establish several simultaneous independent secure connections to the same server without repeating the full handshake protocol. Client hello message 210 further includes an indicator of the cryptographic algoπthms supported b\ the client in order of the client s preference, ordered according to client preference In response to client hello message 210, if merchant computer system 130 wishes to correspond with customer computer system 120, it responds with server hello message 215 If merchant computer system 130 does not wish to communicate with customer computer system 120, it responds with a message, not shown, indicating refusal to communicate

Server hello message 215 includes a random structure, which is used later in the protocol The random structure in server hello message 215 is in the same format as, but has contents independent of, the random structure m client hello message 210 Specifically, the random structure includes the current time and date in standard UNIX 32-bit format according to the sender s internal clock and twenty-eight bytes of data generated by a secure random number generator Server hello message 215 further includes a vanable length session identifier The session identifier value identifies a new or existing session between the same client and server Server hello message 215 further includes an indicator of the cryptographic algoπthms selected from among the algoπthms specified by client hello message 210, which is utilized in further encrypted communications

Optionally, Merchant computer system 130 transmits a server certificate 220 If transmitted, server certificate 130 enables customer computer system 120 to authenticate the identity of merchant computer system 130

If merchant computer system 130 does not transmit a server certificate 220, or if server certificate 220 is suitable only for authentication, it may optionally transmit a server key exchange message 225 Server key exchange message 225 identifies a key that mav be used by customer computer system 120 to decrypt further messages sent by merchant computer system 130

After transmitting server hello message 215, and optionally transmitting server certificate 220 or server key exchange message 225, merchant computer system 130 transmits a server hello done message 230 and waits for a further response from customer computer system 120

Customer computer system 120 optionally transmits client certificate 240 to merchant computer system 130 If transmitted, client certificate 240 enables merchant computer system 130 to authenticate the identity of customer computer system 120 Alternatively, customer computer system 120 may transmit a no-client-certificate alert 245, to indicate that the customer has not registered with any certification authoπty.

If customer computer system 130 does not transmit a client certificate 240, or if client certificate 240 is suitable only for authentication, customer computer system 130 may optionally transmit a client key exchange message 250 Client key exchange message 250 identifies a key that may be used by merchant computer system 130 to decrypt further messages sent by customer computer system 120.

After optionally transmitting client certificate 240, no-client-certificate alert 245 and/or client key exchange message 250, customer computer system 120 transmits a finished message 260

At this point, customer computer system 120 and merchant computer system 130 have: 1) negotiated an encryption scheme that may be commonly employed in further communications, and 2) have communicated to each other a set of encryption keys that may be used to decrypt further communications between the two computer systems.

Customer computer system 120 and merchant computer system 130 may thereafter engage in secure communications 270 with less nsk of interception by third parties.

Among the messages communicated by customer computer system 120 to merchant computer system 130 may be messages that specify goods or services to be ordered and payment information, such as a credit card number and related information, collectively referred to as "payment information," that may be used to pay for the goods and/or services ordered. In order to obtain payment, the merchant must supply this information to the bank or other payment gateway responsible for the proffered payment method This enables the merchant to perform payment authorization and payment capture Payment authorization is the process by which permission is granted by a payment gateway operating on behalf of a financial institution to authorize payment on behalf of the financial institution. This is a process that assesses transaction nsk, confirms that a given transaction does not raise the account holder s debt above the account s credit limit, and reserves the specified amount of credit. Payment capture is the process that tπggers the movement of funds from the financial institution to the merchant s account after settlement of the account

Payment Authorization

Merchants utilize point-of-sale products for credit and debit transactions on a daily basis. An embodiment in accordance with the subject invention allows an acquirer processor to accept transactions from Internet storefronts without alteπng a current host environment. The system easily converts payment protocol messages and simultaneously manages transactions from a number of Internet merchant servers As the number of transactions grows, the payment gateway can be scaled to handle the increased business, and it can be configured to work with specific business processes used by the acquirer/ processor Thus, the payment gateway supports Internet processing utilizing payment processing operations.

The payment gateway provides support for configuπng and installing the Internet payment capability utilizing existing host point-of-sale technology. The payment gateway also provides an intuitive Graphical User Interface (GUI) with support built in to accommodate future payment instruments such as debit cards, electronic checks, electronic cash and micropayments. The payment gateway implements secure transactions using RSA public-key cryptography and the MasterCard /Visa Secure Electronic Transaction (SET) protocol. The gateway also provides full functionality for merchant payment processing including authorization, capture, settlement and reconciliation while providing monitor activity with reporting and tracking of transactions sent over the Internet. Finally, the payment gateway also implements Internet payment procedures that match current processor business models to ensure consistency for merchants. Handling Internet transactions is destined to become a necessary function for every payment processing system Today, merchants often transmit data received over the Internet inefficiently Some fax the information or waste time keying data into a non-Internet system.

Figure 3 depicts an overview of the method of securely supplying payment information to a payment gateway in order to obtain payment authorization. In function block 310, merchant computer system 130 generates a payment authorization request 315 and transmits it to payment gateway computer system 140. In function block 330, payment gateway system 140 processes the payment authorization request, generates a payment authorization response 325 and transmits it to merchant computer system 130. In function block 320, merchant computer system 130 processes payment authorization response 325 and determines whether payment for the goods or services sought to be obtained by the customer has been authorized

Payment Authorization Request Generation

Figure 4 depicts the detailed steps of generating and transmitting a payment authorization request. Figures 5A through 5F depict views of the payment authorization request and its component parts. In function block 410, merchant computer system 130 creates a basic authorization request 510 The basic authorization request is a data area that includes all the information for determining whether a request should be granted or denied. Specifically, it includes such information as the party who is being charged, the amount to be charged, the account number of the account to be charged, and any additional data, such as passwords, needed to validate the charge. This information is either calculated based upon pπor customer merchandise selection, or provided by the customer over the secure link 270 established in the customer-merchant general-purpose secure communication protocol session. Fig 5A depicts a basic authorization request 510.

In function block 420, merchant computer system 130 combines basic authorization request 510, a copy of its encryption public key certificate 515 and a copy of its signature public key certificate 520. Merchant computer system 130 calculates a digital signature 525 for the combined contents of the combined block 530 compπsing basic authorization request 510, the encryption public key certificate 515 and the signature public key certificate 520, εmd appends it to the combination of the combined basic authorization request 510, the encryption pubhc key certificate 515 and the signature public key certificate 520. The merchant computer system calculates digital signature 525 by first calculating a "message digest" based upon the contents of the combined basic authorization request 510, the encryption public key certificate 515 and the signature public key certificate 520. A message digest is the fixed-length result that is generated when a variable length message is fed into a one-way hashing function.

Message digests help venfy that a message has not been altered because alteπng the message would change the digest The message digest is then encrypted using the merchant computer system's 130 digital signature pπvate key, thus forming a digital signature

Figure 5B depicts the combined block 530 formed by function block 420 and containing basic authorization request 510, the encryption public key certificate 515, the signature public key certificate 520, and digital signature 525

In function block 430, merchant computer system 130 generates a random encryption key RK- 0 540, denoted as RK-0 Random encryption key RK-0 540 is a symmetπc encryption key A symmetπc encryption key is a key characterized by the property that a message encrypted with a symmetπc key can be decrypted with that same key This is contrasted with an asymmetπc key pair, such as a public-key/ pπvate-key key pair, where a message encrypted with one key of the key pair may only be decrypted with the other key of the same key pair Figure 5C depicts random encryption key RK-0 540

In function block 440, merchant computer system 130 encrypts combined block 530 using random encryption key RK-0 540 to form encrypted combined block 550 Figure 5D depicts encrypted combined block 550 The encryption state of encrypted combined block 550 is graphically shown by random key lock 555, which indicates that encrypted combined block 550 is encrypted using random key RK-0 540

In function block 450, merchant computer system 130 encrypts random encryption key RK-0 540 using the public key of payment gateway system 140 to form encrypted random key 560 Figure 5E depicts encrypted random key 560 The encryption state of encrypted random key 560 is graphically shown by payment gateway public key lock 565, which indicates that encrypted random key 560 is encrypted using the payment gateway public key

In function block 460, merchant computer system 130 concatenates encrypted combined block 550 and encrypted random key 560 to form merchant authorization request 315 Figure 5F depicts merchant authorization request 315 compπsing encrypted combined block 550 and encrypted random key 560 In function block 470, merchant computer system 130 transmits merchant authorization request 315 to payment gateway system 140 Payment Authorization Request Processing

Figure 6 depicts the detailed steps of processing a payment authorization request and generating and transmitting a payment authorization request response Function blocks 610 through 630 depict the steps of processing a payment authorization request, while function blocks 635 through 685 depict the steps of generating and transmitting a payment authoπzauon request response.

In function block 610, payment gateway computer system 140 applies its pπvate key to encrypted random kev 560 contained within received merchant authorization request 315 thereby decrypting it and obtaining a cleartext version of random key RK-0 540. In function block 615, payment gateway computer system 140 applies random key RK-0 540 to encrypted combined block 550, thereby decrypting it and obtaining a cleartext version of combined block 530. Combined block 530 compπses basic authorization request 510, a copy of merchant computer system's 130 encryption public key certificate 515 and a copy of merchant computer system's 130 signature public key certificate 520, as well as merchant digital signature 525

In function block 620, payment gateway computer system 140 veπfies merchant computer system's 130 encryption public key certificate 515 and merchant computer system's 130 signature public key certificate 520 Payment gateway computer system 140 performs this venfication by making a call to the certification authoπties associated with each certificate. If veπfication of either certificate fails, payment gateway computer system 140 rejects the authorization request

In function block 625, payment gateway computer system 140 validates merchant digital signature 525. Payment gateway computer system 140 performs this validation by calculating a message digest over the contents of the combined hasic authorization request 510, the encryption public key certificate 515 and the signature public key certificate 520 Payment gateway computer system 140 then decrypts digital signature 525 to obtain a copy of the equivalent message digest calculated by merchant computer system 130 in function block 420. If the two message digests are equal, the digital signature 525 is validated. If validation fails, payment gateway computer system 140 rejects the authorization request.

In function block 630, payment gateway computer system 140 determines the financial institution for which authorization is required by inspection of basic authorization request 510. Payment gateway computer system 140 contacts the appropriate financial institution using a secure means, e.g, a direct-diεd modem-to-modem connection, or a proprietary internal network that is not accessible to third parties, and using prior art meεins, obtains a response indicating whether the requested payment is authorized.

Payment Authorization Response Generation

Function blocks 635 through 685 depict the steps of generating and transmitting a payment authorization request response. Figures 7A through 7J depict views of the payment authorization response and its component parts.

In function block 635, payment gateway computer system 140 creates a basic authorization response 710. The basic authorization request is a data area that includes all the information to determine whether a request was granted or denied. Figure 7A depicts basic authorization response 710.

In function block 640, payment gateway computer system 140 combines basic authorization response 710, and a copy of its signature public key certificate 720. Payment computer system 140 calculates a digital signature 725 for the combined contents of the combined block 730 comprising basic authorization response 710 and the signature public key certificate 720, and appends the signature to the combination of the combined basic authorization response 710 and the signature public key certificate 720. The payment gateway computer system calculates digital signature 725 by first calculating a message digest based on the contents of the combined basic authorization response 710 and signature public key certificate 720. The message digest is then encrypted using the merchant computer system's 140 digital signature private key, thus forming a digital signature. Figure 7B depicts the combined block 730 formed in function block 640 and containing basic authorization response 710, the signature public key certificate 720, and digital signature 725.

In function block 645, payment gateway computer system 150 generates a first symmetπc random encryption key 740, denoted as RK- 1. Figure 7C depicts first random encryption key RK- 1 740.

In function block 650, payment gateway computer system 140 encrypts combined block 730 using random encryption key RK- 1 740 to form encrypted combined block 750. Figure 7D depicts encrypted combined block 750. The encryption state of encrypted combined block 750 is graphically shown by random key lock 755, which indicates that encrypted combined block 750 is encrypted using random key RK- 1 740.

In function block 655, payment gateway computer system 140 encrypts random encryption key RK- 1 740 using the public key of merchεmt computer system 130 to form encrypted random key RK 760. Figure 7E depicts encrypted random key RK- 1 760. The encryption state of encrypted random key 760 is graphically shown by merchant public key lock 765, which indicates that encrypted random key 760 is encrypted using the merchant public key

In function block 660, payment gateway computer system 140 generates a random capture token 770 Random capture token 770 is utilized in subsequent payment capture processing to associate the payment capture request with the payment authorization request being processed Figure 7F depicts capture token 775.

In function block 665, payment gateway computer system 140 generates a second symmetπc random encryption key 775, denoted as RK-2. Figure 7G depicts second rεuidom encryption key RK-2 775.

In function block 670, payment gateway computer system 140 encrypts capture token 770 using random encryption key RK-2 770 to form encrypted capture token 780. Figure 7H depicts encrypted capture token 780. The encryption state of encrypted capture token 780 is graphically shown by random key lock 785, which indicates that encrypted capture token 780 is encrypted using random key RK-2 770.

In function block 675, payment gateway computer system 140 encrypts second random encryption key RK-2 775 using its own public key to form encrypted random key RK-2 790. Figure 71 depicts encrypted random key RK-2 790. The encryption state of encrypted random key 790 is graphically shown by payment gateway public key lock 795, which indicates that encrypted random key 790 is encrypted using the payment gateway public key.

In function block 680, payment gateway computer system 140 concatenates encrypted combined block 750, encrypted random key RK-1 760, encrypted capture token 780 and encrypted random key RK-2 790 to form merchant authorization response 325. Figure 7J depicts merchant authorization response 325 comprising encrypted combined block 750, encrypted random key RK-1 760, encrypted capture token 780 and encrypted random key RK- 2 790. In function block 685, payment gateway computer system 140 transmits merchant authorization response 325 to merchant system 130.

Payment Authorization Response Processing

Figure 8 depicts the detailed steps of processing a payment authorization response. In function block 810, merchant computer system 130 applies its private key to encrypted random key

RK-1 760 contained within received merchant authorization response 325, thereby decrypting it and obtaining a cleartext version of random key RK- 1 740. In function block 820, merchant computer system 130 applies random key RK- 1 740 to encrypted combined block 750, thereby decrypting it and obtaining a cleartext version of combined block 730. Combined block 730 comprises basic authorization response 710, a copy of payment gateway computer system's

140 signature public key certificate 720, as well as payment gateway digital signature 725. In function block 830, merchant computer system 130 verifies payment gateway computer system's 140 signature public key certificate 720. Merchant computer system 130 performs this verification by making a call to the certification authority associated with the certificate. If verification of the certificate fails, merchant computer system 130 concludes that the authorization response is counterfeit and treats it though the authorization request had been rejected. In function block 840, merchant computer system 130 validates payment gateway digital signature 725. Merchant computer system 130 performs this validation by calculating a message digest over the contents of the combined basic authorization request 710 and the signature public key certificate 720. Merchant computer system 130 then decrypts digital signature 725 to obtain a copy of the equivalent message digest calculated by payment gateway computer system 140 in function block 640. If the two message digests are equal, the digital signature 725 is validated. If validation fails, concludes that the authorization response is counterfeit and treats it though the authorization request had been rejected

In function block 850, merchant computer system 130 stores encrypted capture token 780 and encrypted random key RK-2 790 for later use in payment capture. In function block 860, merchant computer system 130 processes the customer purchase request in accordance with the authorization response 710. If the authorization response indicates that payment in authorized, merchant computer system 130 fills the requested order. If the authorization response indicates that payment is not authorized, or if merchant computer system 130 determined m function block 830 or 840 that the authorization response is counterfeit , merchant computer system 130 indicates to the customer that the order cannot be filled

Payment Capture

Figure 9 depicts an overview of the method of securely supplying payment capture information to payment gateway 140 in order to obtain payment capture. In function block 910, merchant computer system 130 generates a merchant payment capture request 915 and transmits it to payment gateway computer system 140. In function block 930, payment gateway system 140 processes the payment capture request 915, generates a payment capture response 925 and transmits it to merchant computer system 130. In function block 920, merchant computer system 130 processes payment capture response 925 and veπfies that payment for the goods or services sought to be obtεuned by the customer have been captured.

Payment Capture Request Generation

Figure 10 depicts the detεdled steps of generatmg and transmitting a payment capture request. Figures 11A through 11F depict views of the payment capture request and its component parts. In function block 1010, merchant computer system 130 creates a basic capture request 510. The basic capture request is a data area that includes all the information needed by payment gateway computer system 140 to trigger a transfer of funds to the merchant operating merchant computer system 130.

Specifically, a capture request includes a capture request amount, a capture token, a date, summary information of the purchased items and a Merchant ID (MID) for the particular merchant. Figure 11A depicts basic authorization request 1110.

In function block 1020, merchant computer system 130 combines basic capture request 1110, a copy of its encryption public key certificate 1115 and a copy of its signature public key certificate 1120. Merchant computer system 130 calculates a digital signature 1125 for the combined contents of the combined block 1130 comprising basic capture request 1110, the encryption public key certificate 1115 and the signature public key certificate 1120, and appends it to the combination of the combined basic capture request 1110, the encryption public key certificate 1115 and the signature public key certificate 1120. The merchant computer system calculates digital signature 1125 by first cεdculating a message digest over the contents of the combined basic capture request 1110, the encryption public key certificate 1115 and the signature public key certificate 1120. The message digest is then encrypted using the merchant computer system's 130 digital signature private key, thus forming a digital signature.

Figure 1 IB depicts the combined block 1130 formed by function block 1020 and containing basic capture request 1110, the encryption public key certificate 1115, the signature public key certificate 1120, and digital signature 1125. In function block 1030, merchant computer system 130 generates a random encryption key 1140, denoted as RK-3. Random encryption key RK-3 1140 is a symmetric encryption key. Figure 11C depicts random encryption key RK- 3 1140. In function block 1040, merchant computer system 130 encrypts combined block 1130 using random encryption key RK-3 1140 to form encrypted combined block 1150. Figure 11D depicts encrypted combined block 1150. The encryption state of encrypted combined block 1150 is graphically shown by random key lock 1155, which indicates that encrypted combined block 1150 is encrypted using rεmdom key RK-3 1140. In function block 1050, merchant computer system 130 encrypts rεmdom encryption key RK-3 1140 using the public key of payment gateway system 140 to form encrypted random key 1160 Figure HE depicts encrypted random key 1160. The encryption state of encrypted random key 1160 is graphically shown by payment gateway public key lock 1165, which indicates that encrypted random key RK-3 1160 is encrypted using the payment gateway public key.

In function block 1060, merchant computer system 130 concatenates encrypted combined block 1150, encrypted random key 1160, and the encrypted capture token 780 and encrypted random key RK-2 790 that were stored in function block 850 to form merchεint capture request 915. Figure 11F depicts merchant capture request 915, compπsing encrypted combined block 1150, encrypted random key 1160, encrypted capture token 780 and encrypted random key RK-2 790. In function block 1070, merchant computer system 130 transmits merchant capture request 915 to payment gateway system 140.

Payment Capture Request Processing Figure 12 depicts the detailed steps of processing a payment capture request and generating and transmitting a payment capture request response. Function blocks 1210 through 1245 depict the steps of processing a payment capture request, while function blocks 1250 through 1285 depict the steps of generating and transmitting a payment capture request response. In function block 1210, payment gateway computer system 140 applies its private key to encrypted random key 1160 contained within received merchant capture request 915, thereby decrypting it and obtaining a cleartext version of random key RK-3 1140. In function block 1215, payment gateway computer system 140 applies random key RK-3 1140 to encrypted combined block 1150, thereby decrypting it and obtaining a cleartext version of combined block 1130. Combined block 1130 comprises basic capture request 1110, a copy of merchant computer system's 130 encryption public key certificate 1115 and a copy of merchant computer system's 130 signature public key certificate 1120, as well as merchant digital signature 1125. In function block 1220, payment gateway computer system 140 veπfies merchant computer system's 130 encryption public key certificate 1115 εind merchant computer system's 130 signature pubhc key certificate 1120. Payment gateway computer system 140 performs this veπfication by making a call to the certification authoπues associated with each certificate. If veπfication of either certificate fails, payment gateway computer system 140 rejects the capture request. In function block 1225, payment gateway computer system 140 validates merchant digital signature 1125. Payment gateway computer system 140 performs this validation by calculating a message digest over the contents of the combined basic capture request 1110, the encryption public key certificate 1115 and the signature public key certificate 1120. Payment gateway computer system 140 then decrypts digital signature 1125 to obtain a copy of the equivalent message digest calculated by merchant computer system 130 in function block 1020. If the two message digests are equal, the digital signature 1125 is validated. If validation fails, payment gateway computer system 140 rejects the capture request In function block 1230, payment gateway computer system 140 applies its pπvate key to encrypted rεmdom key RK-2 790 contained within received merchant capture request 915, thereby decrypting it and obtaining a cleartext version of random key RK-2 775 In function block 1235, payment gateway computer system 140 applies random kev RK-2 775 to encrypted capture token 780, thereby decrypting it and obtaining a cleartext version of capture token 770

In function block 1240, payment gateway computer system 140 veπfies that a proper transaction is being transmitted between capture token 780 and capture request 1110. A capture token contains data that the gateway generates at the time of authorization When the authorization is approved, the encrypted capture token is given to the merchant for storage At the time of capture, the merchant returns the capture token to the gateway along with other information required for capture. Upon receipt of the capture token, the gateway compares a message made of the capture request data and the capture token data and transmits this information over a traditional credit/ debit network. If an improperly formatted transaction is detected, payment gateway computer system 140 rejects the capture request In function block 1245, payment gateway computer system 140 determines the financial institution for which capture is requested by inspection of basic capture request 1110. Payment gateway computer system 140 contacts the appropπate financial institution using a secure means, e.g, a direct-dial modem-to-modem connection, or a propnetary internal network that is not accessible to third parties, and using pnor art means, instructs a computer at the financial institution to perform the requested funds transfer after settlement Payment Capture Response Generation

Function blocks 1250 through 1285 depict the steps of generating and transmitting a payment capture request response. Figures 13A through 13F depict views of the payment capture response and its component parts.

In function block 1250, payment gateway computer system 140 creates a basic capture response 710. The basic capture request is a data area that includes all the information to indicate whether a capture request was grεmted or denied. Figure 13A depicts basic authorization request 1310.

In function block 1255, payment gateway computer system 140 combines basic capture response 1310, and a copy of its signature public key certificate 1320. Payment computer system 140 cεdculates a digital signature 1325 for the combined contents of the combined block 1330 comprising basic capture response 1310 and the signature public key certificate 1320, and appends the signature to the combination of the combined basic authorization request 1310 and the signature public key certificate 1320. The payment gateway computer system calculates digital signature 1325 by first calculating a message digest over the contents of the combined basic capture response 1310 and signature public key certificate 720. The message digest is then encrypted using the merchant computer system's 140 digital signature private key, thus forming a digital signature.

Figure 13B depicts the combined block 1330 formed by function block 1255 and containing basic capture request 1310, the signature public key certificate 1320, and digital signature 1325. In function block 1260, payment gateway computer system 140 generates a symmetric random encryption key 1340, denoted as RK-4. Figure 13C depicts random encryption key RK- 4 1340. In function block 1275, payment gateway computer system 140 encrypts combined block 1330 using random encryption key RK-4 1340 to form encrypted combined block 1350. Figure 13D depicts encrypted combined block 1350. The encryption state of encrypted combined block 1350 is graphically shown by random key lock 1355, which indicates that encrypted combined block 1350 is encrypted using random key RK-4 1340. In function block 1275, payment gateway computer system 140 encrypts random encryption key RK-4 1340 using the public key of merchant computer system 130 to form encrypted random key RK-4 1360 Figure 13E depicts encrypted random key RK-4 1360 The encryption state of encrypted random key 1360 is graphically shown by merchant pubhc key lock 1365, which indicates that encrypted random key 1360 is encrypted using the merchant public key In function block 1280, payment gateway computer system 140 concatenates encrypted combined block 1350 and encrypted random key RK-4 1360 to form merchant capture response 925 Figure 13F depicts merchant capture response 925 rompnsing encrypted combined block 1350 and encrypted random key RK-4 1360 In function block 1285, payment gateway computer system 140 transmits merchεuit capttire response 925 to merchant system 130.

Payment Capture Response Processing

Figure 14 depicts the detailed steps of processing a payment capture response In function block 1410, merchant computer system 130 applies its pπvate key to encrypted random key RK-4 1360 contained within received merchant capture response 925, thereby decrypting it and obtaining a cleartext version of random key RK-4 1340 In function block 1420, merchant computer system 130 applies random key RK-4 1340 to encrypted combined block 1350, thereby decrypting it and obtaining a cleartext version of combined block 1330 Combined block 1330 compπses basic capture response 1310, a copy of payment gateway computer system's 140 signature public key certificate 1320, as well as payment gateway digitεd signature 1325 In function block 1430, merchant computer system 130 veπfies payment gateway computer system's 140 signature pubhc key certificate 1320 Merchant computer system 130 performs this veπfication by making a call to the certification authoπtv associated with the certificate If veπfication of the certificate fails, merchant computer system 130 concludes that the capture response is counterfeit and raises an error condition

In function block 1440, merchεmt computer system 130 validates oayment gateway digital signature 1325. Merchant computer system 130 performs this validation by calculating a message digest over the contents of the combined basic authorization request 1310 and the signature public key certificate 1320 Merchant computer system 130 then decrypts digital signature 1325 to obtain a copy of the equivalent message digest calculated by payment gateway computer system 140 in function block 1255. If the two message digests are equal, the digital signature 1325 is validated If validation fails, merchant computer system 130 concludes that the authorization response is counterfeit and raises an error condition In function block 1450, merchant computer system 130 stores capture response for later use in by legacy system accounting programs, e.g to perform reconciliation between the merchant operating merchant computer system 130 and the financial institution from whom payment was requested, thereby completing the transaction The system of the present invention permits immediate deployment of a secure payment technology εirchitecture such as the SET architecture without first establishing a public-key encryption infrastructure for use by consumers It thereby permits immediate use of SET-comphant transaction processing without the need for consumers to migrate to SET-comphant application software.

VIRTUAL POINT OF SALE (vPOS) DETAILS

A Virtuεd Point of Sale (vPOS) Terminal Cartπdge is descπbed in accordance with a preferred embodiment. The vPOS Terminal Cartπdge provides payment functionality similar to what a VeπFone POS terminal ("gray box") provides for a merchant today, allowing a merchant to process payments securely using the Internet It provides full payment functionality for a variety of payment instruments.

Payment Functionality

Figure 15A illustrates a payment processing flow in accordance with a preferred embodiment The payment functionality provided by the vPOS terminal is divided into two mam categoπes- "Merchant-Initiated" 1510 and "Consumer-Initiated" 1500. Some payment transactions require communication with the Acquirer Bank through the Gateway 1530. The normal flow of a transaction is via the vPOS Cartridge API 1512 to the vPOS C++ API 1514 into the payment protocol layer 1516 which is responsible for converting into the appropnate format for transmission to the Gateway for additional processing and forwarding to existing host payment authorization systems Host legacy format refers to an existing authorization system for credit card approval currently utilized with the VenFone Point of Sale (POS) gray terminals. The output from the payment protocol layer 1516 is transmitted to the authorization processing center via the gateway 1530. These transactions are referred to as "Online Transactions" or "Host Payments." The transactions that can be done locεdly by the merchεmt without having to communicate with the Acquirer Bank are referred to as "Local Functions and Transactions " To support different types of payment instruments, the vPOS Terminal payment functionality is categorized as set forth below • Host Payment Functionality: These transactions require communication with the final host, either immediately or at a later stage. For example, an Online Authorization-Only transaction, when initiated, communicates with the host immediately. However, an Off-line Authoπzation-Only transaction is locally authorized by the vPOS terminal without having to communicate with the host, but at a later stage this off-line authorization transaction is sent to the host. Within the Host Payment Functionality some transactions have an associated Payment Instrument, while others do not. These two kinds of transactions are:

• Host Financial Payment Functionality: These transactions have a Payment Instrument (Credit Cεird, Debit Card, E-Cash, E-Check, etc.) associated with them For example, the

"Return" transaction, which is initiated upon returning a merchandise to the merchant

• Host Administrative Payment Functionality: These transactions do not require a payment instrument, and provide either administrative or inquiry functionεϋity Examples of these transactions are "Reconcile" or the "Batch Close." • Local Functions and Transactions: These trεinsactions do not require communicaUon with the host at any stage, and provide essential vPOS terminal administrative functionality An exεimple of this is the vPOS terminal configuration function, which is required to set up the vPOS terminal. .Another example is the "vPOS Batch Review" function, which is required to review the different trεmsactions in the vPOS Batch or the Transaction Log.

Payment Instruments

A preferred embodiment of a vPOS terminal supports vaπous Payment Instruments. A consumer chooses a payment based on personal preferences. Some o^f the Payment Instruments supported include:

• Credit Cεurds • Debit Cards

• Electronic Cash

• Electronic Checks

• Micro- Payments (electronic coin)

• Smart Cards URL Table

The table below enumerates the URLs corresponding to the transactions supported by the vPOS Terminal Cartπdge. Note that the GET method is allowed for all trεmsactions, however, for transactions that either create or modify information on the merchant server, a GET request returns an HTML page from which the transaction is performed via a POST method

Transaction URL POST Access Control

HOST FINANCIAL PAYMENT FUNCTIONALITY auth capture /vPOSt/mi/authcaptur allowed merchant e/ login /password auth capture /vPOSt/ci/authcapture allowed no access control

/ auth only /vPOSt/mi/authonly/ εdlowed merchant login /password auth only /vPOSt/ci/authonly/ allowed no access control adjust /vPOSt/mi/adjust/ allowed merchant login / password forced post /vPOSt/mi/forcedpost/ allowed merchant login /password offline auth /vPOSt/mi/offlmeauth/ allowed merchant login/ password offline auth /vPOSt/ci/offlmeauth/ allowed no access control pre auth /vPOSt/mi/preauth/ allowed merchant login / password pre auth comp /vPOSt/mi/preauthcom allowed merchant

P/ login / password return /vPO St /mi /return allowed merchant login /' password return /vPOSt/ci/return/ allowed no access control void /vPOSt/mι/voιd/ allowed merchant login/ password HOST ADMINISTRATIVE PAYMENT FUNCTIONALITY bεilεmce inquiry /vPOSt/mi/bi/ not allowed merchant login/ password host logon /vPOSt/mi/hostlogon/ allowed merchant login / password parameter /vPOSt/ mi/ parameters not allowed merchant download dnld/ login password reconcile /vPOSt/mi/reconcile/ allowed merchant login / password test host /vPOSt/mi/testhost/ not allowed merchant login / password

LOCAL FUNCTIONS & TRANSACTIONS accum review /vPOSt/mi/accum/revi not allowed merchant ew/ login / password batch review /vPOSt/mi/batch/revie not allowed merchant w/ login / password cdt review /vPOSt/mi/cdt/review/ not allowed merchant login/ password cdt update /vPOSt/mi/cdt/update εdlowed merchεuit

/ login / password cpt review /vPOSt/mi/cpt/review not allowed merchant login / password cpt update /vPOSt/mi/cpt/update allowed merchant

/ login/ password clear accum /vPOSt/accum/clear/ allowed merchant login / password clear batch /vPOSt/mi/batch/clear allowed merchant

/ login/ password hdt review /vPOSt/mi/hdt/review/ not allowed merchant login /password hdt update /vPOSt/mi/hdt/update allowed merchant

/ login /password lock vPOS /vPOSt/mi/lock/ εdlowed merchant login/ password query txn /vPOSt/ci/querytxn/ not allowed no access control query txn /vPOSt/mi/querytxn/ not allowed merchant login/ password tet review /vPOSt/mi/tct/review/ not εdlowed merchant login / password tet update /vPOSt/mi/tct/update/ allowed merchant login /password unlock vPOS /vPOSt/mi/unlock/ allowed merchant login / password

URL Descriptions

This section desenbes the GET εmd POST .arguments that are associated with each transaction URL. It also descπbes the results from the GET and POST methods. For URLs that produce any kind of results, the following fields .are present in the HTML document that is returned by the vPOS Terminal Cartπdge:

txnDate Date of the transaction (mm/dd/yy or dd/mm/yy) txnTime Time of the transaction (hh:mm:ss GMT or hh mm:ss local

merchantld Merchant ID of the merchant using the vPOS terminal terminalld vPOS Terminal Id txnNum Transaction number of the given transaction txnType Type of tiansaction

For URLs that deal with financial transactions, the following fields are present in the HTML document that is returned by the vPOS terminal cartπdge:

txnAmount Transaction amount that is being authorized, forced posted, voided, etc. poNumber Purchase order number authldentNu Authorization ID number for the transaction m retRefNum Retπeval reference number for the given transaction pilnfo Payment instrument information. This vanes for different payment instruments. For exεimple, in the case of credit cards, the credit card number (piAcctNumber) and expiration date (piExpDate) are returned.

Accumulate Review

URL Functionality: This is a local information inquiry function that retπeves the local

(merchant's) transaction totals (accumulators).

GET Arguments: None.

GET Results: Retπeves the trεmsaction totals for the merchant. Currently, the total is returned as an HTML document. The transaction totals currently returned are:

creditAmt Totεd Credit Amount since the last settlement logged in the vPOS terminal creditCnt Total Credit Count since the last settlement logged in the vPOS terminal debitAmt Total Debit Amount since the last settlement logged in the vPOS terminal debitCnt Total Debit Count since the last settlement logged in the vPOS terminal

Note: Accum Review is a local function, as opposed to Balance Inquiry which is done over the Internet with the host.

Adjust

URL Functionality: Corrects the amount of a previously completed trεmsaction. GET Arguments: None GET Results: Because the Adjust transaction modifies data on the merchant server, the POST method should be used Using the GET method returns an HTML form that uses the POST method to perform the transaction. POST Arguments.

pvsTxnNum Previous transaction number txnAdjustedAmou The adjusted transaction amount. Note that the oπginal nt transaction amount is easily retπevable from the previous transaction number

POST Results' On success, pvsTxnNum and txnAdjustedAmount are presented in the HTML document, in addition to the transaction fields descπbed above

Auth Capture

URL Functionality This transaction is a combination of Auth Only (Authorization without capture) and Forced Post transactions GET Arguments. None

GET Results' Because the Auth Capture transaction modifies data on the merchant server side, the POST method should be used. Using the GET method returns an HTML form that uses the POST method to perform the transaction. POST Arguments.

piAcctNumber Payment Instrument account numoer, e.g , Visa credit card number piExpDate Expiration date txnAmt Trεmsaction amount

POST Results: On success, an HTML document that contains the transaction fields descπbed above is returned. On failure, an HTML document that contεuns the reason for the failure of the transaction is returned. The transaction is logged into a vPOS Termmεd transaction log for both instances Auth Only

URL Functionality: Validates the cardholder's account number for a Sale that is performed at a later stage. The transaction does not confirm the sale to the host, and there is no host data capture The vPOS captures this transaction record and later forwards it to confirm the sale m the Forced Post transaction request GET Arguments: None.

GET Results: Because the Auth Only transaction modifies data on the merchant server side, the POST method should be used. Using the GET method returns an HTML form that uses the POST method to perform the transaction. POST Arguments: piAcctNumber Payment Instrument account number, e g , Visa credit card number piExpDate Expiration date txnAmt Transaction amount

POST Results: On success, an HTML document that contains the transaction fields is returned On failure, an HTML document that contains the reason for the failure of the trεmsaction is returned. The trεmsaction is logged into vPOS Terminal transaction log for both instances.

NOTE: The /vPOSt/ci/authonly/ URL should be used for customer-initiated transactions. /vPOSt/mi/authonly/ should be used for merchε t-imtiated transactions.

Balance Inquiry URL Functionality: Performs an on-line inquiry or the merchant's balance. GET Arguments: None GET Results:

mrchtBlnceA Merchant balance amount for a given merchant. The mt balance amount at any given time is the difference between the credit and debit amount since the last settlement between the merchant and the acquirer Batch Review

URL Functionality: Retπeves all records from the transaction log or the batch.

GET Arguments: None

GET Results: The GET method retπeves the transactions that have been batched in the vPOS terminal for future reconciliation. The batch can be cleared from the vPOS terminal after a manual reconciliation between the acquirer and the vPOS. The batch data is retπeved as a set of records and is formatted as a table in the HTML document. The following fields are present in a typicεil record:

nTransType Transaction type nPurchOrderNo Purchase order number szAcctNum Customer's payment instrument account number szExpDate Customer's payment instrument expiration date szTrans.Amt Transaction amount szTransDate Transaction date szTrε sTime Transaction time szRetπevalRefN u Transaction's retπeval reference number m szAuthld Authorization ID for the trεmsaction szOπgAmt Original transaction amount szBatchNum Batch number for the given transaction nCurrencyType Currency in which the trεmsaction was done

InTransNum Transaction number

CDT Review

URL Functionality: Displays the vPOS terminal configvi ration data corresponding to the Cεird

Definition Table (CDT).

GET Arguments: None

GET Results: The GET method returns a default HTML form that contains the current configuration values. The form can be modified and posted using the /vPOSt/mi/cdt/update/ URL to update the card definition table. Not all fields in the card definition table are editable The following fields are returned in a form to the user:

nHostlndex Index into the Host Definition Table or the Acquirer that maps to this card issuer. szPANLo Low end of the PAN (Pπmary Account Number) range szPANHi High end of the PAN range nMaxPANDigit Maximum number of digits in the PAN for this acquirer.

NMinPANDigit Minimum number of dits in the PAN for the acquirer szCardLabel Card Issuer's name

Transactions Specifies if a particular transaction is allowed for a given

Available bit card range, vector

(Some of these fields are not editable by a merchant, and still need to be determined.)

CDT Update

URL Functionality: Updates the vPOS terminεd configuration data corresponding to the Card

Definition Table (CDT). GET Arguments: None

GET Results: The GET method returns a default HTML form that contains the current configuration values. The form can be filled out εmd posted using the /vPOSt/mi/cdt/ update

URL to update the card definition table.

POST Arguments: (Editable CDT fields need to be decided.) POST Results: (Depends on editable CDT fields, and therefore needs to be decided )

Clear Accumulator

URL Functionality: Zeroes out the accumulator totals currently resident in the vPOS termmal. GET Arguments: None. GET Results: Presents a form that uses the POST method to zero the accumulators. POST Arguments: None. POST Results: Zeroes the accumulators/ transaction totals in the vPOS terminal.

Clear Batch

URL Functionality: Zeroes out the transaction logs currently batched in the vPOS terminal. GET Arguments: None.

GET Results: Presents a form that uses the POST method to clear the batch.

POST Arguments: None.

POST Results: Zeroes the trεmsactions that comprise the batch in the vPOS terminεil.

Forced Post

URL Functionality: Confirms to the host the completion of a sale, and requests for data capture of the transaction. This is used as a follow-up transaction after doing an Authorization (Online or Off-line) trεmsaction. GET Arguments: None. GET Results: Returns the HTML form for performing the Forced Post transaction. POST Arguments:

pvsTxnNum the previous trεmsaction number from an auth only transaction

POST Results: On success, pvsTxnNum is presented in the HTML document. On failure, an HTML document is returned that contains the reason for the failure of the transaction.

HDT Review

URL Functionality: Displays the vPOS terminεd configuration data corresponding to the Host Definition Table (HDT). GET Arguments: None

GET Results: The GET method returns a default HTML form that contains the current configuration values. The form can be modified εmd posted using the /vPOSt/mi/hdt/update URL to update the hosts definition table. Not all fields in the host definition table are editable. The following fields are returned in a form to the user:

szTermld Terminal ID for this vPOS terminεd szMerchld Merchant ID for this vPOS terminal szCurrBatchNu Current batch number existing on the vPOS m szTrεmsNum Reference number for the next transaction in the vPOS transaction log/ batch. This is generated by vPOS and is not editable by the merchant. szTPDU Transport Protocol Data Unit. Required for building the

ISO 8583 packet.

InSTAN System trace number; message number of the next transaction to be transmitted to this acquirer. szNII Network International Number. Required for building the

ISO 8583 packet. szHostName Name for identifying the host. nHostType Host type nNumAdv Number of off-line transactions that can be piggy-backed at the end of an on-line transaction.

Data Capture Specifies for which transactions data capture is Required Bit required. vector:

(Some of these fields are not editable by a merchant and need to be determined.)

HDT Update URL Functionality: Updates the vPOS terminεd configuration data corresponding to the Host Definition Table (HDT). GET Arguments: None GET Results: The GET method returns a default HTML form that contains the current configuration values. The form can be filled out εmd posted to the merchεmt server using the /vPOSt/mi/hdt/update URL to update the host definition table

Unlock vPOS URL Functionality: Local function that starts the vPOS at the start of the day GET Arguments: None

GET Results: Returns an HTML form that uses the POST method to perform this transaction. POST Arguments: None.

POST Results: Resets a Boolean flag on the merchant server that enables transactions to be accepted by the vPOS terminal.

Offline Auth

URL Functionality. This transaction is same as the "Authorization Only" trεmsaction, except that the transaction is locally captured by the vPOS terminal without having to communicate with the host. A Forced Post operation is done as a follow-up operation of this transaction. GET Arguments: None.

GET Results: Because the Offline Auth transaction modifies data on the merchant server side, the POST method should be used. Using the GET method returns an HTML form for using the POST method to perform the transaction. POST Arguments: piAcctNumber Payment Instrument account number, e g., Visa credit card number piExpDate Expiration date txnAmt Transaction amount

POST Results: On success, an HTML document that contains the transaction fields descπbed in Section 4.1 is returned. On failure, an HTML document that contains the reason for the failure of the transaction is returned. The transaction is logged into vPOS terminal transaction log for both instances. Parameter Download

URL Functionality: Downloads the vPOS configuration information from the host and sets up the vPOS in the event of the configuration data being changed. GET Arguments: None GET Results: Retrieves an HTML form that uses the POST method for the parameter download transaction.

POST Arguments: None.

POST Results: Downloads the following parameters from the host and uploads them into the vPOS terminal configuration table. • card /issuer definition table (CDT)

• host/ acquirer definition table (HDT)

• communications parameter table (CPT)

• termmal configuration table (TCT)

The vaπous configuration parameters can be reviewed and modified using the URLs for the desired functionality.

Pre Auth

URL Functionality: Used m lodging and hotel establishments to pre-authoπze a charge that is completed some time in future. GET Arguments: None GET Results: Retrieves the HTML form for posting the pre-authoπzation transaction. POST Arguments:

piAcctNumber Payment Instrument account number, e g , Visa credit card number piExpDate Expiration date

Pre Auth Comp

URL Functionality: Completes a pre-authoπzation transaction. GET Arguments: None GET Results: Retπeves the HTML form for posting the pre-authoπzation completion transaction.

POST Arguments.

pvsTxnNum Previous transaction number from an auth only transaction

POST Results: On success, pvsTxnNum is presented m the HTML document On failure, an HTML document is returned that contains the reason for the failure of the transaction

Reconcile URL Functionality This transaction is done at the end of the day to confirm to the host to start the settlement process for the transactions captured by the host for that particular vPOS batch.

GET Arguments: None

GET Results: Retπeves the HTML form for posting the Reconcile transaction POST Arguments- None.

POST Results: On success, the reconcile function pπnts any discrepancies m the merchant's batch of transactions and totals vis-a-vis the host's batch of transactions in totals. The output format is a combination of the output of the Batch Review and Accum Review transactions.

Return

URL Functionality Credits the return amount electronically to the consumer's account when previously purchased merchandise is returned. The vPOS terminal captures the trεmsaction record for this transaction. GET Arguments: None GET Results: Retneves the HTML form for posting the Retimi transaction POST Arguments.

prevTxnNum Reference to the previous transaction number The previous trεmsaction has access to the following fields

txnAmount Transaction amount piAccountNu Payment instrument account number m piExpDate Payment instrument expiration date

POST Results: On success, pvsTxnNum is presented in the HTML document, in addition to

Test Host

URL Functionality- Checks the presence of the host and also the mtegπty of the link from the vPOS to the host. GET Arguments: None.

GET Results: On success, an HTML document is returned that reports success in connecting to the host. On failure, an HTML document is returned that reports the error encountered in testing the host.

Lock vPOS

URL Functionality: This local function locks or stops the vPOS terminal from accepting any transactions

GET Arguments: None.

GET Results: Returns an HTML form that posts the locking of the vPOS terminεd

POST Arguments: None.

POST Results: On success, εm HTML document is returned that contams the status that vPOS terminεd was successfully. On fεdlure, an HTML document is returned that reports the cause of failure of the operation, e.g., access denied, the vPOS terminal is already locked or is presently processing a transaction, etc.

Void

URL Functionality: Cancels a previously completed draft capture transaction. GET Arguments: None. GET Results: Retπeves an HTML form for posting the Void transaction POST Arguments:

pvsTxnNum Trεmsaction number from a previous Auth Only trεmsaction.

Host Logon

URL Functionality: Administrative transaction used to sign-on the vPOS with the host at the start of the day, and also to download encryption keys for debit trεmsactions. GET Arguments. None

GET Results: Retπeves an HTML form for posting the Host Logon transaction POST Arguments: None.

POST Results: Currently, debit cεird based transactions are not supported. The result is an HTML document indicating the success or failure of the host logon operation.

CPT Review

URL Functionality: Returns the vPOS terminεd configuration data corresponding to the Communications Parεimeter Table (CPT). GET Arguments: None

GET Results: The GET method returns a default HTML form that contains the current configuration values corresponding to the vPOS terminal's communication parameters. The form can be filled out and posted to the merchant server using the /vPOSt/mi/cpt/ update URL to update the communications parameter table. The following fields are returned in a form to the user:

szAcqPriAddress Primary Host address szAcqSecAddress Secondary Host address szActTerAddress Tertiary Host address nRespTimeOut Time-out value (in seconds) before which the vPOS should receive a response from the host CPT Update URL Functionality: Updates the vPOS terminal configuration data corresponding to the Communications Parameter Table (CPT). GET Arguments: None

GET Results. The GET method returns a default HTML form that contams the current configuration values. The form can be modified and posted to update the communication parameter table POST Arguments:

szAcqPπAddress Primary Host address szAcqSecAddress Secondary Host address szActTerAddress Tertiary Host address nRespTimeOut Time-out value (m seconds) before which the vPOS should receive a response from the host

POST Results On success, the HTML document returned by the vPOS contains the values set by the merchant. On failure, the HTML document contains the reason for the failure of the invocation of the URL

TCT Review URL Functionality: Returns the vPOS termmal configuration data corresponding to the

Terminal Configuration Table (TCT)

GET Arguments- None

GET Results: The GET method returns a default HTML form that contains the current configuration values. The form cε be filled out εmd posted using the /vPOSt/mi/tct/update URL to update the terminal configuration table. The following fields εire returned in a form to the user.

szMerchName Merchεmt nεime szSupervisorPwd Supervisor password fvPOSLock 1= vPOS locked, 0 = vPOS unlocked szAuthOnlyPwd Password for initiating auth-only transaction szAuthCaptPwd Password for initiating auth with capture transaction szAdjustPwd Password for adjust transaction szRefundPwd Password for refund transaction szForcedPostPwd Password for forced post transaction szOfflmeAuthPwd Password for offline auth transaction szVoidPwd Password for void transaction szPreAuthPwd Password for pre-authonzation transaction szPreAuthCompP Password for pre-authonzation completion wd

TCT Update URL Functionality Updates the vPOS terminal configuration data corresponding to the Terminal Configuration Table (TCT) GET Arguments: None

GET Results: The GET method returns a default HTML form that contains the current configuration values The form can be filled out and posted using the /vPOSt/mi/tct/update URL to update the terminal configuration table

POST Arguments All arguments in TCT Review functionality are the returned values from the /vPOSt/mi/tct/update the URL

szMerchName Merchant name szSupervisorPwd Supervisor password fvPOSLock 1= vPOS locked, 0 = vPOS unlocked szAuthOnlyPwd Password for initiating auth-only transaction szAuthCaptPwd Password for initiating auth with capture transaction szAdjustPwd Password for adjust transaction szRefundPwd Password for refund transaction szForcedPostPwd Password for forced post transaction szOfflmeAuthPwd Password for offline auth transaction szVoidPwd Password for void transaction szPreAuthPwd Password for pre-authoπzation transaction szPreAuthCompP Password for pre-authoπzation completion wd

POST Results- On success, the POST modifies values of the terminal configuration table parameters. On failure, the HTML document contains the reason for the failure of the transaction.

Query Transactions

URL Functionality: Permits the merchεmt and customer to querv a s ven transaction corresponding to a transaction number. GET Arguments: txnNum Transaction number

GET Results: For a given transaction, the URL returns an HTML document If a transaction refers to an older transaction, the transaction's entire history is made a\aιlable.

URL results

Depending upon the method (GET/ POST) as well as the success or failure of the HTTP request, different documents are returned to the user. The vPOS terminal provides a framework whereby different documents are returned based upon a number of preferences. Currently the language and content-type are supported as preferences

A simple framework is proposed here. Each of the transaction has a set of documents associated with it: form for the payment transaction, GET success, GET failure, POST success, and POST failure

In the directory structure defined below, documents are stored corresponding to the preferences. The top level of the directory structure is the content-tvpe, the next level is language (for NLS support). For example, to create text/ html content m US English & French, the directory structure given below would contεun the HTML documents for each of the trεmsacϋons. The vPOS terminal cartridge has a configuration file that allows the user to specify the content-type as well as the language to be used for a cartridge. The first release of the vPOS terminal cartπdge supports one content-type and language for each server. Data Structures & Functions

Functions

A bπef descπption of the Virtual Point of Sale Terminal cartπdge functions are provided below vPOSTInιt(), vPOSTExecQ and vPOSTShut() are the entry points required for each cartπdge in accordance with a preferred embodiment. The other functions implement some of the key vPOST cartπdge functionality. A source listing of the vPOS code is provided below to further accentuate the detailed disclosure of a preferred embodiment

vPOSTInitO

/* vPOST cartridge Initialization here */ WRBRetumCode vPOSTInιt( void **clιentCtx ){ vPOSTCtx *vPOSTCxp ; /* Allocate memory for the client context */ if (.(vPOSTCxp = (vPOSTCtx *)malloc(sιzeof(vPOSTCtx)») return WRB_ERROR ;

* chentCtx = (void *) vPOSTCxp ; return (WRB_DONE) ;}

vPOSTShut()

WRBRetumCode vPOSTShutf void *WRBCtx, void *chentCtx ){ *WRBCtx ; / * not used */ assert( chentCtx ) ; / * Free the client context allocated in vPOSTInιt() rouune

free( chentCtx ) ,

return (WRB_DONE) ,}

vPOSTExec()

/ * The dπver cartridge routine */ WRBReturnCode vPOSTExec( void *WRBCtx, void *chentCtx ) f vPOSTCtx *vPOSTCxp ; char *uri ; char *txnMethod ; /* HTTP method */ enum evPOSTTxn *txn ; /* vPOST transaction */ char *txnOutFile ; /* Output file from transaction */ char **txnEnv ; /* environment vanables values for transaction */ char *txnContent ; /* transaction's POST data content */

WRBEntry *WRBEntnes ; int numEntπes; vPOSTCxp = (vPOSTCtx *) chentCtx ; /* WRBGetURL gets the URL for the current request */ if (!(uπ = WRBGetURL( WRBCtx ))) return (WRB_ERROR) ; /* WRBGetContentO gets the Query Stnng/ POST data content */ if (!(txnContent = WRBGetContentf WRBCtx ))) { return WRB_ERROR ;

/* WRBGetPεuτserContent() gets the parsed content */ if (WRB_ERROR == WRBGEtParsedContent( WRBCtx, &WRBEntnes, &numEntπes)) { return WRB_ERROR ;

/* WRBGetEnvironmentO gets the HTTP Server Environment * / if (!(txnEnv = WRBGetEnvironment( WRBCtx ))) { return WRB_ERROR ;

)

/* vPOSTGetMethodO gets the method for the current request */ if (! (method = vPOSTGetMethod( txnEnv ))){ return (WRB_ERROR) ,

/* vPOSTGetTxn() g^{ets the} vPOST transaction for the request */ txn = vPOSTGetTxn( uπ ), if (eTxnError == txn) { return (WRB_ERROR) ,

/* vPOSTExecuteTransactionO executes the vPOST transaction */ txnOutFile = vPOSTExecuteTransactιon( WRBCtx, txn, txnMethod, txnEnv, txnContent ) , if (i (txnOutFile)) { return (WRB_ERROR) ,

/* Wnte out the file */ vPOSTWπteFιle( txnOutFile ) , return (WRB_DONE) ,

vPOSTGetTxnQ enum evPOSTTxn vPOSTGetTxn( char *uπ ) i

* The function scans the uπ and extracts the stπng

* corresponding to the trεmsaction and returns it to the

* caller

^*/

1 Transaction Log format

This section descπbes the format of a record for the transaction log for the vPOST cartπdge Field Name Field Description

nTransType Transaction Type nPurchOrderNo Purchase Order Number szAcctNum Payment Instrument Account number szExpDate Payment instrument expiration date s^TrεmsAmt Transaction amount szTransDate Date of transaction (configurable to be mm/dd/yy or dd/mm/yy) szTrεmsTime Time of transaction (configurable to be GMT or local time) szRetπevalRefNum Retπeval reference number szAuthld Authorization ID szOrigAmt Oπginal trεmsaction amount szBatchNum Batch number to which this particular transaction belongs in the vPOST batch nCurrencyType Currency InTransNum Transaction number

In the block diagram shown in Figure 15B, the vPOS provides an interface for transactions which are initiated both by the consumer and the merchant. The merchant initiates a transaction from a Graphical User Interface (GUI) 1550 and all the transactions that are initiated by the consumer are routed by the Merchant WEB Server 1545.

The Authorization/ Data Capture Module 1560 processes the requests originated by the merchant or the consumer and routes them to the Protocol Module 1565. The Protocol Module is responsible for building the payment protocol request packet (e.g., an SSL-encapsulated ISO 8583 packet) 1570 before sending the request to the Gateway 1579. Then, the Gateway 1579 awaits a response from the Protocol Module 1565, and upon receiving the response, the Gateway 1579 parses the data εmd provides unwrapped data to the Authorization/ Data- Capture Module 1560. The Authorization /Data-Capture Module 1560 analyzes the response and up ates the Transaction Log 1580. The Transaction Log 1580 contains information concerning any successfully completed transactions and the accumulators or the transaction totals The vPOS terminal creates and maintains the Transaction Log 1580, and the vPOS Configuration Data 1585 contains information which is used to configure the behavior of the vPOS The entire vPOS functionality is thread-safe and hence using the vPOS in a multi- threaded environment does not require any additional interfacing requirements

Figures 36-48 are vPOS screen displays in accordance with a preferred embodiment.

Payment Functionality As discussed above, the different Payment Functionality provided by the vPOS terminal can be divided into two main categoπes as "Merchant Initiated" and "Consumer Initiated." Some of these transactions require communication with the Gateway and these transactions are referred to as "Online Transactions." The transactions which can be done locally to the merchant without having to communicate are referred to as "Local Functions/Transactions." In order to provide support for many different types of Payment Instruments, the vPOS Payment Functionality have been categorized.

Host payment functionality and transactions require communication with the host either immediately or at a later stage. Each of the host financial payment transactions come to this category and require a Payment Instrument. These transactions can be initiated with different types of Payment Instruments which the vPOS terminal supports.

An authorization without capture transaction is used to validate the card holder's account number for a sale that needs to be performed at a later stage. The transaction does not confirm a sale's completion to the host, and there is no host data capture in this event. The vPOS captures this transaction record and later forwards it to the host to confirm the sale in a forced post transaction request. An authorization without capture transaction can be initiated both by the consumer and the merchant.

A forced post transaction confirms to a host computer that a completion of a sale has been accomplished and requests data capture of the transaction. The forced post transaction is used as a follow-up transaction after doing an authorization (Online or Off-line) transaction The transaction can be initiated only by the merchant

The authorization with post transaction is a combination of authorization without capture and forced post transactions This transaction can be initiated both by the consumer and the merchant

The offline post transaction is identical to the "authorization without capture" transaction, except that the transaction is locally captured by the vPOS without initiating communication with a host A forced post operation is done as a follow-up operation of this transaction This transaction can be initiated by both the consumer and the merchant

The return transaction is used to credit the return amount electronicεdly to the consumer's account when a purchased merchandise is returned The vPOS captures the return transaction record when the merchandise is returned, and this transaction can be initiated only by the merchant

The void transaction cancels a previously completed draft capture transaction The vPOS GUI provides an interface for retπevmg a transaction record required to be voided from the batch and passes it to the Authorization/ Data-Capture module after confirmation The batch record is undated to reflect the voided transaction after getting an approval from the gateway This transaction can be initiated only by the merchant

The pre-authonzation transaction is identical to the authorization without capture transaction, but the consumers' "open-to-buy" amount is reduced by the pre-authoπzation amount An example of this type of transaction is the "check-in" transaction m a hotel environment A check-in transaction sends a pre-authonzation request to the host, so that an amount required for the customers' stay in the hotel is reserved The pre-authoπzation transaction is followed by a pre-authoπzation complete transaction This transaction can be initiated both by the consumer and the merchant The pre-authoπzation compk 2 trεmsaction is done as a follow-up to the pre-authonzation transaction This transaction informs the host of the actual transaction amount The pre- authoπzation complete transaction amount could be more or less than the pre-authonzation amount An example is the "check-out" transaction in a hotel environment The check-out amount can be less than or more than the check-in amount This transaction can only be initiated by a merchant

The adjust transaction is initiated to make a correction to the amount of a previously completed transaction The adjust transaction can be initiated only by the merchant The h administrative transactions do not require any payment instrument The balance inquiry transaction is used for on-line inquiry into the balance of the merchant's account The batch data or the configuration data is not affected by this transaction

The reconciliation or close transaction is processed at the end of the day to start the settleme process for the transactions captured by the host for that particular vPOS

The host log-on transaction is an administrative transaction which is used to synchronize the vPOS with the host at the start of the day and also initiate a fresh batch at the vPOS termina

The parameters download transaction is used to download the vPOS configuration informatio from the host and set-up the vPOS in the event of any change in the configuration data A te transaction is used to detect the presence of a host and the status of a link from the vPOS to the nost

Local transactions or functions are initiated by a merchant and do not require communicatio with the gateway These transactions can only be initiated by a merchant The totals or accumulators review is a local information inquiry function and is used to retπeve the local (merchant's) totals The detail transaction or the batch review function is used to retneve all the records from the transaction log or the batch The clear batch function is used to start a fresh batch This transaction is utilized to electronically reconcile the vPOS with the host an to manually reconcile the vPOS with the host After completing the manual reconciliation processing, the merchant can initiate this transaction to start a fresh batch The clear accumulator function is similar to the clear batch functionality and resets all vPOS terminal accumulators to zero This function is required when the merchant is not able to reconcile the vPOS with the host eiectronicalh

The vPOS unlock or start transaction is a local function used to start the vPOS at the start of the day The vPOS lock or stop function is used to Lock or stop the vPOS from accepting any transactions. The vPOS configuration setup function is used to setup the vPOS configuration data The vPOS configuraαon data is divided into different tables, for example, the Card/ Issuer Definition Table (CDT), the Host/ Acquirer Definition Table (HDT), the Communications Parameters Table (CPT) and the Termmal Configuration Table (TCT) The following sections explεun each of these configuration tables in detail

Host Definition Table (HDT)

The table contains information specific to the acquirer

Field Attributes/ Field Description/ Comments Bytes

Terminal Identifier ANS(20) Termmal ID for this acquirer/ host

Merchant Identifier ANS(20) Merchant ID for this acquirer/host

Cuπ-ent Batch N(6) Batch Number for the batch currently existing Number on the vPOS

Transaction 1(2) Reference Number for next transaction m the Number vPOS transaction log/ batch (vPOS generated)

TPDU AN (10) Transport Protocol Data Unit - Required for building the ISO 8583 packet

STAN U4) Systems Trace Number - Message Number of the transaction to be transmitted next for this acquirer

Nil N(3) Network International Identifier - Required for building the ISO 8583 packet

Host Name or ANS(20) Name for identifying the host, e g , "AMEX-SIN" Label This is only a text stπng and is used for the purpose of identifying the host.

No. of advice 1(2) No. of off-line transactions (advice messages) messages that can be piggy-backed at the end of ε online trεmsaction. If set to zero then piggybacking is disabled.

The following fields specify whether Data Capture Required for a particular transaction for this acquirer.

Field Attributes/ Field Description/ Comments Bytes

Host Protocol Type 1(2) Host Protocol type, e.g., ISO 8583, SET, etc.,

Host Protocol Sub- 1(2) Sub protocol type, e.g., AMEX-IS08583, Type MOSET, etc.,

Auth Only DC Flag Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED

Auth Capture DC Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED Flag

Adjust DC Flag Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED

Refund DC Flag Bit(l bit) 1 - REQUIRED, 0 = NOT REQUIRED

Cash Advance DC Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED Flag

Cash Back DC Flag Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED

Off-line Auth DC Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED Flag

Void DC Flag Bit(l bit) 1 = REQUIRED. 0 = NOT REQUIRED

Pre-Auth DC Flag Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED

Pre-Auth Complete Bit(l bit) 1 = REQUIRED, 0 = NOT REQUIRED DC Flag

Card Definition Table (CDT)

This table contains information which are specific to the card issuer. Field Attributes/ Field Description/Comments Bytes

Host Index 1(2) Index into the HDT or the acquirer which maps to this card issuer.

PAN Low Range N(19) Low end of the PAN range .

PAN High Range N(19) High end of the PAN range.

Minimum PAN 1(2) The minimum number of digits in the PAN for digits this acquirer.

Maximum PAN 1(2) The maximum number of digits in the PAN for digits this acquirer.

Card Label ANS(20) Card Issuer Name for identification, e.g., VISA.

The following fields specify whether a particular transaction is allowed for a card range.

Field Attributes/ Field Description/ Comments Bytes

Auth Only Allowed Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Auth Capture Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED Allowed

Adjust Allowed Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Refund Allowed Bιt(l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Cash Advance Bιt(l bit) 1 = ALLOWED, 0 = NOT ALLOWED Allowed

Cash Back Allowed Bit( l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Off-line Auth Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED Allowed

Void Allowed Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Pre-Auth Allowed Bιt( l bit) 1 = ALLOWED, 0 = NOT ALLOWED

Pre-Auth Complete Bit(l bit) 1 = ALLOWED, 0 = NOT ALLOWED Allowed Communications Parameter Table (CPT)

This table contains communications parameters information specific to an acquirer The HDT and this table have a one-to-one mapping between them

Field Attributes/ Field Description /Comments Bytes

Pπmary Address AN(100) Primary Host Address (Telephone number, IP address, etc )

Secondary Address AN( 100) Secondary Host Address to be used if the Pπmary Address is busy or not available

Tertiary Address AN(100) Tertiary Host Address

Response Time-out 1(2) Time-out value (in seconds) before which the vPOS should receive a response from the host

Terminal Configuration Table (TCT)

This table contams information specific to a particular vPOS terminal

Field Attributes/ Field Description/Comments Bytes

Merchant Name ANS(IOO) Name of the merchant having the vPOS terminal vPOS Lock Flag Bit ( 1 bit) 1 = vPOS Locked, 0 = vPOS Unlocked

Payment Instruments

As discussed above, the vPOS terminal supports different Payment Instruments εmd each of the Payment Functions descπbed above can be initiated by these different Payment Instruments The consumer making a purchase from a merchant provides a choice of payment methods depending upon their personal preference. The Payment Instrument Class Hierarchy which is used by the different vPOS terminal Payment Functions is described below

Message Sequence Diagram Figure 17 shows a typical message flow between the consumer, merchant, vPOS terminεd and the Gateway This section descπbes the different classes listed in the previous section, their data and members, and defines the type of the transaction that is to be performed Processing commences at 1700 when a merchant server receives a sales order and passes it via the vPOS Graphical User Interfece (GUI) 1710 to an authoπzer 1720 for approval and subsequent protocol processing 1730 and ultimately transmission via the gateway 1740 to the network

Class Name :

CVPCLTransaction Data :

Transaction Type (int)

Transaction Date and Time (CPCLDateTime)

Card Definition Table (CVPCL_CDT)

Host Definition Table (CVPCL.HDT) Communications Parameters Table (CVPCL_CPT)

Termmal Configuration Parameters (CVPCL_TCT)

Batch Record (CVPCLBatch)

Accumulator Record (CVPCLAccum) Member Functions : CVPCLTransactιon();

EStatus GetTransType();

EStatus GetTransDateTιme(CPCLDateTιme&),

EStatus SetTransType(const int); virtual EStatus InιtialιzeTrans(TvPOSParamsBlk *) = 0, virtual EStatus ExecuteTrans(TvPOSResultsBlk *) = 0, virtual EStatus ShutDown() = 0;

Host Transaction Class Definitions

This section contains all the host trεmsaction class definitions.

Host Transaction Class (CVPCLHostTrans) This is an abstract base class deπved from the CVPCLTransaction class and is used for deπving transaction classes which need to communicate with the host either immediately or at a later stage.

Class Name :

CVPCLHostTrans Data :

Member Functions : CVPCLHostTrans(),

Financial Transaction Class (CVPCLFinancialTrans)

This is an abstract base class deπved from the CVPCLHostTrans. This class is used to deπve transaction classes which require a payment instrument (e.g., a Credit Card) associated with them to perform the transaction.

Class Name :

CVPCLFinancialTrans Data : Transaction Amount (CVPCLAmt)

Purchase Order Number (char[]])

Trεmsaction Number (chειr[])

Authorization Identification Number (chειr[])

Retπeval Reference Number (char[]) Batch (CVPCLBatch)

Accumulators (CVPCLAccumulators) Member Functions :

CVPCLF ancialTransO ; EStatus GetTransAmt(CVPCLAmt&); EStatus GetPurchOrderNum(char *);

EStatus GetTransRefNum(char *);

EStatus GetRetRefNum(char *); EStatus GetAuthId(char *); EStatus GetCurrencyType(EPCLCurrency *); EStatus SetPurchOrderNum(const chεtr *); EStatus SetTransRefNum(const char *); EStatus SetRetRefNum(const char *); EStatus SetAuthId(const char *); EStatus SetCurrencyType (const char *)

Financial Credit Card Transaction Class (CVPCLFinCCTrans)

This is the base abstract class for the financial host transaction which require a Credit Card payment instrument. This class is derived from the CVPCLFinancialTrans.

Class Name : CVPCLFinCCTrans

Data :

Credit Card Payment Instrument (CPCLCreditCard)

Member Functions : CVPCLFinCCTransO;

Credit Card Authorization Only Transaction Class (CVPCL CCAuthOnly)

This is the class derived from the CVPCLFinCCTrans class and implements the Authorization Only Transaction.

Class Name :

CVPCL_CCAuthOnly Data :

Member Functions :

CVPCL_CCAuthOnly(); EStatus InitializeTrans(TvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *);

EStatus ShutDownTrans();

EStatus FormBatchRecO;

Credit Card Authorization with Capture Transaction Class (CVPCL_CCAuthCapt)

This is the class denved from the CVPCLFinCCTrans class and implements the Authorization with Data Capture Transaction.

Class Name :

CVPCL_CCAuthCapt

Data :

Member Functions :

CVPCL_CCAuthCapt(); EStatus InitializeTrans(TvPOSParamsBlk *);

EStatus ExecuteTrans(TvPOSResultsBlk *); EStatus ShutDownTrans(); EStatus FormBatchRecO;

Credit Card Return Transaction Class (CVPCL_CCReturn)

This is the class derived from the CVPCLFinCCTrans class and implements the Return Transaction.

Class Name : CVPCL_CCReturn

Data :

Member Functions :

CVPCL_CCReturn(); EStatus InitializeTrans(TvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTrans(); EStatus FormBatchRecO;

Credit Card Pre-Authorization Transaction Class (CVPCL-CCPreAuth)

This is the class derived from the CVPCLFinCCTrans class and implements the Pre- Authorization Transaction.

Class Name :

CVPCL-CCPreAuth

Data : Member Functions :

CVPCL_CCPreAuth();

EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTrans(); EStatus FormBatchRecO ;

Credit Card OfT-line Authorization Only Transaction Class (CVPCL_CCOfflineAuth)

This is the class derived from the CVPCLFinCCTrans class and implements the Offline Authorization Class Transaction. Class Name :

CVPCL_CCOfllineAuth Data :

Member Functions : CVPCL_CCOfflineAuth();

EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTrans(); EStatus FormBatchRecO;

Credit Card Adjust Transaction Class (CVPCL.CCAdjust)

This is the class derived from the CVPCLFinCCTrans class and implements the Adjust Transaction. Class Name :

CVPCL_CCAdjust Data :

Member Functions :

CVPCL_CCAdjust();

EStatus InitializeTransfTvPOSParamsBlk *)

EStatus ExecuteTransfTvPOSResultsBlk *);

EStatus ShutDownTransO;

EStatus FormBatchRecO;

Credit Card Void Transaction Class (CVPCL_CCVoid) This is the class derived from the CVPCLFinCCTrεms class and implements the Void Transaction.

Class Name :

CVPCL_CCVoid Data :

Member Functions :

CVPCL_CCVoid();

EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *);

EStatus ShutDownTransO; EStatus FormBatchRecO;

Credit Card Forced Post Transaction Class (CVPCL_CCForcedPost) This is the class derived from the CVPCLFinCCTrans class and implements the Forced Post Trεmsaction. Class Name :

CVPCL_CCForcedPost Data :

Member Functions :

CVPCL_CCForcedPost() ; EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO; EStatus FormBatchRecO ;

Pre-Authorization Complete Transaction Class (CVPCL_CCPreAuthComp)

This is the class denved from the CVPCLFinCCTrans class and implements the Pre- Authoπzation Completion Transaction.

Class Name :

CVPCL_CCPreAuthComp Data :

Member Functions :

CVPCL_CCPreAuthComp() ; EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO; EStatus FormBatchRecO;

Credit Card Balance Inquiry Class (CVPCL_CCBalanceInq)

This class is denved from the CVPCLFinCCTrans class and is used to perform the Merchant Balance Inquiry function.

Class Name :

CVPCL_CCBalanceInq Data :

Member Functions :

CVPCL_CCBalanceInq() ; EStatus InitializeTransfTvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Administrative Host Transaction Class (CVPCLAdminHostTrans) This is an abstract base class derived from the CVPCLHostTrans class and is used to derive the administrative host transaction classes.

Class Name :

CVPCLAdminHostTrans Data :

Member Functions :

CVPCLAdminHostTransO ; int GetHostIndex(); EStatus SetHostlndex (const int);

Reconcile Transaction Class (CVPCLReconcile)

This is the class derived from the CVPCLAdminHostTrans class and implements the Reconcile or Close functionality. Class Name :

CVPCLReconcile Data :

Member Functions : CVPCLReconcileO;

EStatus InitializeTrans(TvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Host Log-on Transaction Class (CVPCLHostLogon)

This is the class derived from the CVPCLAdminHostTrans class and implements the Host Log- on Transaction.

Class Name :

CVPCLHostLogon Data :

Member Functions :

CVPCLHostLogon));

EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO ;

Parameters Download Transaction Class (CVPCLParamsDwnld)

This is the class derived from the CVPCLAdminHostTrans class and implements the Parameters Download (vPOS configuration information from the host) functionality.

Class Name :

CVPCLParamsDwnld Data :

Member Functions :

CVPCLParamsDwnld ;

EStatus InitializeTransfTvPOSParamsBlk *); EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Test Transaction Class (CVPCLTestHost)

This is the class derived from the CVPCLAdminHostTrans class and implements the Test functionality which is used to test the host and the link. Class Name :

CVPCLTestHost Data :

Member Functions :

CVPCLTestHost();

Local Transaction Class Definitions (CVPCLLocalTrans)

This is the abstract base class for all the transactions that are performed locally to the vPOS.

Class Name :

CVPCLLocalTrans Data :

Record Number (int) Host Index (int) Member Functions :

CVPCLocalTransO; int GetRecNumO; int GetHostIndex() EStatus SetRecNum(const int); EStatus SetHostIndex(const int);

Virtual POS Lock/Stop Class (CVPCLvPOSLock)

This class implements the vPOS Lock or the Stop Local functionality. Under the locked state the vPOS does not accept any trεmsaction requests. The class is derived from the CVPCLLocalTrans base class. Class Name : CVPCLvPOSLock Data : Member Functions :

CVPCLvPOSLockO, EStatus InitializeTransfTvPOSParamsBlk *),

EStatus ExecuteTransfTvPOSResultsBlk *), EStatus ShutDownTransO,

Virtual POS UnLock/ Start Class (CVPCLvPOSUnlock) This class implements the vPOS UnLock or the Start Local functionality. The class is deπved from the CVPCLLocalTrans base class

Class Name :

CVPCLvPOSUnLock Data :

Member Functions :

CVPCLvPOSUnlock();

EStatus ShutDownTransO;

Transaction Data Administration Class (CVPCLTransDataAdmin)

This is an abstract base class used to denve the classes which are required to review/ manage the transaction data which includes the batch data and the accumulator data The class is denved from the CVPCLLocalTrans base class.

Class Name :

CVPCLTransDataAdmin Data :

Member Functions :

CVPCLTransDataAdmmO ; Batch Review Class (CVPCLBatchReview)

This class is deπved from the CVPCLTransDataAdmin base class and implements the batch review functionality Class Name :

CVPCLBatchReview Data :

Member Functions : CVPCLBatchReviewO ,

EStatus InitializeTransfTvPOSParamsBlk *), EStatus ExecuteTransfTvPOSResultsBlk *), EStatus ShutDownTransO,

Clear Batch Class (CVPCLClearBatch)

This class is deπved from the CVPCLTransDataAdmin base class and implements the clear batch functionality, which is used to clear the batch in the event of doing a manual reconciliation between the vPOS and the acquirer

Class Name :

CVPCLClearBatch Data : Member Functions :

CVPCLClearBatch(), EStatus InitializeTransfTvPOSParamsBlk *),

EStatus ExecuteTransfTvPOSResultsBlk *), EStatus ShutDownTransO,

Accumulators Review Class (CVPCLAccumReview) This class is denved from the CVPCLTransDataAdmin base class and implements the Accumulators Review functionεihty Class Name : CVPCLAccumReview Data : Member Functions :

CVPCLAccumReviewO; EStatus InitializeTransfTvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Clear Accumulators Class (CVPCLClearAccum) This class is derived from the CVPCLTransDataAdmin base class and implements the Accumulators Clear functionality.

Class Name :

CVPCLClearAccum Data :

Member Functions :

C VPCLClear Accum() ;

vPOS Configuration Data Administration Class (CVPCLConfigDataAdmin)

This is an abstract base class and is used to deπve classes which implement the functionality for managing the vPOS configuration data. The class is derived from the CVPCLLocεdTrans base class.

Class Name :

CVPCLConfigDataAdmin Data : Member Functions :

Acquirer Data or the Host Definition Table Review Class (CVPCL_HDTReview) This class is derived from the CVPCLConfigDataAdmin class and implements the Host Definition Table Review functionality. Class Name :

CVPCL_HDTReview Data : Member Functions :

CVPCL_HDTReview();

EStatus InitializeTransfTvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *

EStatus ShutDownTransO;

Issuer Data or the Card Definition Table Review Class (CVPCL_ CDTReview)

This class is derived from the CVPCLConfigDataAdmin class and implements the Card Definition Table Review functionality. Class Name : CVPCL_CDTReview

Data : Member Functions :

CVPCL_CDTReview() ;

EStatus InitializeTransfTvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Communication Parameters Table Review Class (CVPCL .CPTReview) This class is derived from the CVPCLConfigDataAdmin class and implements the Communications Parameters Table Review functionality.

Class Name :

CVPCL_CPTRe iew Data :

Member Functions : CVPCL_CPTRevιew();

Terminal Configuration Table Review Class fCVPCL-TCTReview) This class is derived from the CVPCLConfigDataAdmin class and implements the Terminal Configuration Table Review functionality.

Class Name :

CVPCL rCTReview Data :

Member Functions : CVPCL_TCTReview() ;

Acquirer Dato or the Host Definition Table Update Class (CVPCL HDTUpdate) This class is derived from the CVPCLConfigDataAdmin class and implements the Host Definition Table Update functionality. Class Name : CVPCLJHDTUpdate

Data : Member Functions :

CVPCL_HDTUpdate();

EStatus ShutDownTransO; Issuer Data or the Card Definition Table Update Class (CVPCL.CDTUpdate)

This class is deπved from the CVPCLConfigDataAdmin class and implements the Card Definition Table Update functionality. Class Name : CVPCL_CDTUpdate

Data : Member Functions :

CVPCL_CDTUpdate() ;

EStatus InitializeTransfTvPOSParamsBlk *), EStatus ExecuteTransfTvPOSResultsBlk *);

EStatus ShutDownTransO;

Communications Parameters Table Update Class (CVPCL_CPTUpdate)

This class is deπved from the CVPCLConfigDataAdmin class and implements the Communications Parameters Table Update functionality

Class Name :

CVPCL_CPTUpdate Data :

Member Functions :

CVPCL_CPTUpdate();

EStatus InitializeTransfTvPOSParamsBlk *), EStatus ExecuteTransfTvPOSResultsBlk *); EStatus ShutDownTransO;

Terminal Configuration Table Update Class (CVPCLJTCTUpdate)

This class is deπved from the CVPCLConfigDataAdmin class and implements the Terminεd Configuration Table Update functionality.

Class Name :

CVPCLJTCTUpdate Data :

Member Functions :

CVPCLJTCTUpdateO;

EStatus InitializeTransfTvPOSParamsBlk *);

EStatus ExecuteTransfTvPOSResultsBlk *);

EStatus ShutDownTransO;

Batch Class (CVPCLBatch)

This class defines the batch record and the operations which are performed on the batch.

Class Name :

CVPCLBatch Data :

Batch Record Structure (TvPOSBatchRec) // Definition of the TvPOSBatchRec is as below, typedef struct _vPOSBatchRec

char szTrεmsAmtj]; char szTransDate[]; char szTransTime(j; char szRetrievalRefNum[]; / / Trε s. Ref. No. sent by the host char szAuthId(]; / / Approval Code sent by the host char szOrigAmt(); / / Original amount for - Adjust char szPurchOrderNumj]; char szBatchNumf]; EPCLTransType TransType; EPCLPmtlnst Pmtlnst; EPCLCurrency CurrencyType; EPCLDecimεds NumDecDigits; unsigned int nTransRef um; // Running Ref. Number gen. by the / /vPOS for every approved txn. unsigned long InSTAN; / / Sys. Trace Number incr. by vPOS / / for every trans, that is trans, to host TPmtlnstData PaylnstData; } TvPOSBatchRec; Member Functions : CVPCLBatchO;

EStatus SetTransType(const EPCLTransType);

EStatus SetRetRefNumfconst char *);

EStatus SetAuthldfconst char *);

EStatus SetPurchOrderNum(const char *); EStatus SetTransRefNum(const long);

EStatus SetTransAmt(const char *);

EStatus SetBatchNum(const char *);

EStatus SetSTAN(const long);

EStatus SetDateMMDDYYYY(const char *); EStatus SetTimeHHMMSS(const char *);

EStatus SetPmtlnstfconst EPCLPmtlnst);

EStatus SetCCAcctNum(const char *);

EStatus SetCCExpDatefconst char *);

EStatus SetOrigAmt(const char *); EStatus GetBatchRecfTvPOSBatchRec *);

EStatus InitBatch();

EStatus OpenBatch(const char *, FILE **, const char *);

EStatus CloseBatch(FILE *);

EStatus AddBatchRec (); / / Adds a record to the batch EStatus GetBatchRec (const long); / / Gets a record from the batch

EStatus UpdateBatchRec (const long); / / Update batch record with NR

EStatus DeleteBatchRec (const long); / / Deletes the batch record

Accumulator Class (CVPCLAccαm) This class defines the Accumulator record and the operations on the accumulators. Class Name :

CVPCLAccum Data :

Credit Amount (char szCreditAmt[AMT_SZ + 1]) Credit Count (int nCreditCnt) Debit Amount (char szDebitAmt(AMT_SZ + 1) Debit Count (int nDebitCnt)

Member Functions : int OpenAccum(int fHandle); int GetAccum (int nAccumType, int *pnAccumCnt, char "pszAccumAmt); int CloseAccumfint fHandle); int CleanAccumO ;

Host Definition Table Class (CVPCLJHDT)

This class defines the Host Definition Table record and the operations on the table. Class Name : CVPCLJHDT

Data :

Host Definition Table Record Structure (TvPOSHDTRec ) The TvPOSHDTRec structure contains the following fields, typedef struct _vPOSHDTRec { char sZTermId[); char szMerchId[]; chεir szBatchNum[]; char szTPDUO; char szNII[]; chεix szHostNειme{); EPCLHostProtType HostProtType; EPCLHostProtSubType HostProtSubType; / / Data Capture Required Flags vPOSBool fAuthOnlyDC; vPOSBool fAuthCaptDC; vPOSBool fForcedPostDC; vPOSBool fAdjustDC, vPOSBool fReturnDC; vPOSBool fOfflineAuthDC; vPOSBool fVoidDC, vPOSBool fPreAuthDC, vPOSBool fPreAuthCompDC, unsigned mt nNumAdv, // Max. No. of piggy-back trans, allowed unsigned mt nTrεmsRef um, unsigned long InSTAN, // Systems Trace Number ) TvPOSHDTRec;

Member Functions :

CVPCL_HDT(),

EStatus CleanHDTO, EStatus LoadHDTRec(const int);

EStatus SaveHDTRec(const int);

EStatus GetNumRecs(mt *);

EStatus GetHDTRecfTvPOSHDTRec *);

EStatus GetTermId(char *), EStatus GetMerchldfchar *),

EStatus GetBatchNumfchar *);

EStatus GetTransRefNum(unsιgned mt *),

EStatus GetTPDU(char *);

EStatus GetNII(char *); EStatus GetHostName(char *),

EStatus GetHostProtType(EPCLHostProtType *);

EStatus GetHostProtSubType(EPCLHostProtSubType *);

EStatus GetNumAdv(unsιgned int *);

EStatus GetSTAN(unsιgned long *); EStatus GetAuthOnlyDC(vPOSBool *);

EStatus GetAuthCaptDC(vPOSBool *);

EStatus GetAdjustDC(vPOSBool *); EStatus GetReturnDC(vPOSBool *);

EStatus GetForcedPostDC(vPOSBool *);

EStatus GetOfflineAuthDC(vPOSBool *);

EStatus GetVoidDC(vPOSBool *); EStatus GetPreAuthDC(vPOSBool *);

EStatus GetPreAuthCompDC(vPOSBool *);

EStatus SetHDTRecfTvPOSHDTRec *);

EStatus SetTermId(const char *);

EStatus SetMerchId(const char *); EStatus SetBatchNum(const char *) ;

EStatus SetTransRefNum(const unsigned int);

EStatus SetTPDU(const char *);

EStatus SetSTAN(const unsigned long);

EStatus SetNII(const char *); EStatus SetHostName(const char *);

EStatus SetHostProtType(const EPCLHostProtType);

EStatus SetHostProtSubType(const EPCLHostProtSubType);

EStatus SetNumAdv(const int);

EStatus SetAuthOnlyDC(const vPOSBool); EStatus SetAuthCaptDC(const vPOSBool);

EStatus SetAdjustDC(const vPOSBool);

EStatus SetRetumDC(const vPOSBool);

EStatus SetForcedPostDC(const vPOSBool);

EStatus SetOfflineAuthDC(const vPOSBool); EStatus SetVoidDC(const vPOSBool);

EStatus SetPreAuthDC(const vPOSBool);

EStatus SetPreAuthCompDC(const vPOSBool);

Card Definition Table Class (CVPCL.CDT) This class defines the Card Definition Table record and the operations on the table. Class Name :

CVPCL CDT Data :

Card Definition Table Record Structure (TvPOSCDTRec ) The TvPOSCDTRec structure contains the following fields, typedef struct _vPOSCDTRec { char szPANLo[]; char szPANHi[]; char szCardLabel[j; int nHostlndex; int nMinPAN Digit; int nMaxPANDigit; / / Transaction Allowed Flags vPOSBool fAuthOnlyAllwd; vPOSBool fAuthCaptAllwd; vPOSBool fForcedPostAllwd; vPOSBool fAdjustAllwd; vPOSBool fReturnAllwd; vPOSBool fOfflineAuthAllwd; vPOSBool fVoidAllwd; vPOSBool fPreAuthAllwd; vPOSBool fPreAuthCompAllwd; ) TvPOSCDTRec;

Member Functions : CVPCL_CDT();

EStatus CleanCDT();

EStatus LoadCDTRec(const int);

EStatus SaveCDTRec(const int);

EStatus GetNumRecsfint *); EStatus GetCDTRecfTvPOSCDTRec *);

EStatus GetPANLofchar *);

EStatus GetPANHi(char *); EStatus GetCardLabel(char *);

EStatus GetCDTHostIndex(int *);

EStatus GetMinPANDigit(int *);

EStatus GetMaxPANDigit(int *); EStatus GetAuthOnlyAllwd(vPOSBool *);

EStatus GetAuthCaptAllwd(vPOSBool *);

EStatus GetAdjustAllwd(vPOSBool *);

EStatus GetReturnAllwd(vPOSBool *);

EStatus GetOfflineAuthAllwd(vPOSBool *); EStatus GetVoidAllwd(vPOSBool *) ;

EStatus GetPreAuthAllwd(vPOSBool *);

EStatus GetPreAuthCompAllwdfvPOSBool *);

EStatus GetForcedPostAllwd(vPOSBool *);

EStatus SetCDTRecfTvPOSCDTRec *); EStatus SetHostIndex(const int);

EStatus SetMinPANDigit(const int);

EStatus SetMaxPANDigitfconst int);

EStatus SetPANLo(const char *);

EStatus SetPANHi(const char *); EStatus SetCardLabel(const char *);

EStatus SetAuthOnlyAllwd(const vPOSBool);

EStatus SetAuthCaptAllwd(const vPOSBool);

EStatus SetAdjustAllwd(const vPOSBool);

EStatus SetReturnAllwd(const vPOSBool); EStatus SetForcedPostAllwd(const vPOSBool);

EStatus SetOfflineAuthAllwd(const vPOSBool);

EStatus SetVoidAUwd(const vPOSBool);

EStatus SetPreAuthAllwd(const vPOSBool); EStatus SetPreAuthCompAllwd(const vPOSBool);

Communications Parameters Table Class (CVPCL.CPT)

This class defines the communications parameters table and the operations on the table. Class Name :

CVPCL_CPT Data : Communications Parameters Table Record Structure (TvPOSCPTRec

The TvPOSCPTRec structure contains the following fields, typedef struct _vPOSCPTRec

I char szAcqPriAddress[]; char szAcqSecAddress[); chεu- szAcqTerAddress[] ;

int nRespTimeOut; J TvPOSCPTRec;

Member Functions :

CVPCL_CPT();

EStatus CleanCPTO;

EStatus LoadCPTRec(const int); EStatus SaveCPTRecfconst int);

EStatus GetNumRecs(ιnt *);

EStatus GetCPTRecfTvPOSCPTRec *);

EStatus GetAcqPriAddress(chειr *);

EStatus GetAcqSecAddress(char *); EStatus GetAcqTerAddressfchar *);

EStatus GetRespTimeOut(int *);

EStatus SetCPTRecfTvPOSCPTRec *);

EStatus SetAcqPriAddress(const char *);

EStatus SetAcqSecAddress(const chεtr *); EStatus SetAcqTerAddress(const chεir *);

EStatus SetRespTimeOut(const int); Terminal Configuration Table Class (CVPCLJTCT)

This class defines the vPOS terminal configuration parameters table and the operations on the table.

Class Name :

CVPCLJTCT Data :

Terminal Configuration Table Record Structure (TvPOSTCTRec ) The TvPOSTCTRec structure contains the following fields, typedef struct _vPOSTCTRec

{ char szMerchNameQ; vPOSBool fvPOSLock; / / vPOS Lock/Unlock Toggle Flag

) TvPOSTCTRec;

Member Functions :

CVPCLjrCTO;

EStatus LoadTCTRecO;

EStatus SaveTCTRecO; EStatus CleanTCTO;

EStatus GetTCTRecfTvPOSTCTRec *);

EStatus GetMerchName(char *);

EStatus GetvPOSLock(vPOSBool *);

EStatus SetMerchNειme(const chair *); EStatus SetvPOSLock(const vPOSBool);

Amount Class (CVPCLAmount)

This class defines the εimount data items and the operations on them.

Class Name :

CVPCLAmount Data : Amount (char[)) Currency Type (EPCLCurrency) Member Functions :

CVPCLAmountO; EStatus Initialize(const CPCLAmount&);

EStatus Initialize(const char *); EStatus Initialize(const long); void operator = (const char *); void operator = (const long); EStatus GetAmount(char *); operator const char * () const; operator const long ();

Payment Instruments Class (CPCLPmtlnst) This section defines the Payment Instrument Class hierarchy. Figure 16 illustrates a transaction class hierarchy in accordance with a preferred embodiment.

Class Name :

CPCLPmtlnst Data :

Payment Instrument Type (EPCLPmtlnst) Member Functions : CPCLPmtlnstO;

EStatus GetPmtInstType(EPCLPmtInst *);

Bank Cards Class (CPCLBankCard) This class is derived from the CPCLPmtlnst class and implements the bank cards class.

Class Name : CPCLBankCard

Data :

Account Number (char( ]) Expiration Date (CPCLDateTime) Index into the CDT table (int) Member Functions :

CPCLBankCardO;

EStatus Initialize();

EStatus SetAcctNum(const char *);

EStatus SetExpDate(const char *);

EStatus GetAcctNum(char *); EStatus GetExpDate(char *);

EStatus ValidateCard(); int GetCDTIndex(); vPOSBool DoLuhnCheck(); vPOSBool DoCardRangingO; EStatus DoValidateExpDateO;

Credit Cards Class (CPCLCreditCard)

This class is derived from the CPCLBankCard class and has the same data and the methods as the CPCLBankCard class. Class Name :

CPCLCreditCard Data :

Member Functions : CPCLCreditCardO;

Debit Cards Class (CPCLDebitCard)

This class is derived from the CVPCLBankCard class and implements the debit card class.

Class Name :

CPCLDebitCard Data : Card Holder Encrypted PIN (char[ ]) Member Functions :

CPCLDebitCardO, EStatus GetEncryptedPIN(char *), EStatus SetEncryptedPIN(char *),

vPOS Class Library Interface and API Definition

This secuon explains the classes which provide the interface to the vPOS class library

Data Structures required for tbe vPOS Interface Class

Transaction Parameters Structure (TvPOSParamsBlk) - This structure is a subset of all the transaction parameters required for the different transactions

typedef struct _vPOSParamsBlk

{ char szTransAmt[], / / Without decimal point.

/ / Left most two digits implied to be decimal digits char szPurchOrderNum(), char szRetRefNum[], char szBatchNum[], char szNewBatchNum[]; chεir szOπgAmt[], char szCPSData[] , chεir szAuthId[], / / Auth Id for offline auth-only trεmsaction int Hostlndex, unsigned int nTransRefNum; vPOSBool fvPOSLock; ECPSDataType eCPSType ; EPCLTransType TransType,

EStatus TransResult, EPCLPmtlnst Pmtlnst; EPCLCurrency CurrencyType; EPCLDecimεds NumDecDigits; EVPCLAccumType AccumType; TPmtlnstData PaylnstData; union _vPOSConfigData

{

TvPOSHDTRec srHDTRec;

TvPOSCDTRec srCDTRec;

TvPOSCPTRec srCPTRec; TvPOSTCTRec srTCTRec ;

) vPOSConfigData; void *Context; // Context from the calling interface

EStatus (*vPOSCallBack)(TvPOSResultsBlk *, void *);

} TvPOSParamsBlk;

Transaction Results Structure (TvPOSResultsBlk) - This structure contains all the fields returned from the host εmd other fields which are required for doing terminal data capture.

typedef struct _vPOSResultsBlk

I char szNewBatchNum[]; int nHostlndex;

EStatus TransResult; TvPOSBatchRec srBatchRec;

TvPOSAccumRec srAccumRec; chεu szCειrdLabel(];

TvPOSHDTRec srHDTRec;

TvPOSCDTRec srCDTRec; TvPOSCPTRec srCPTRec;

TvPOSTCTRec srTCTRec; } TvPOSResultsBlk; The vaπous status codes for the enumeration EStatus are detailed below

vPOS Interface Class (CvPOSInterface) This class provides the interface to the vPOS Transaction Class Library. Class Name :

CvPOSInterface Data :

Member Functions : CvPOSlnterfaceO;

/ / Creates the Transaction Object, takes care // of other initialization and executes the transaction. CVPCLTransaction *pclTransFactory(TvPOSParamsBlk *); EStatus DestroyTrans(CVPCLTransactιon *);

vPOS API Definition

This section explains m the vPOS API which are required for interfacing with the vPOS Class Library. All the different vPOS transactions can be initiated using the API defined m this section.

vPOSInitialize - Initialize vPOS

This API is used to start and initialize the vPOS. The API definition is disclosed below.

API Definition : vPOSBool vPOSInιtιalιze(voιd);

Parameters : None Returns :

TRUE or FALSE indicating whether the function call was a success.

vPOSExecute - Execute a vPOS Transaction

This API is used to execute a particulεir vPOS tr-εmsaction. API Definition : vPOSBool vPOSExecutefTvPOSParamsBlk *, TvPOSResultsBlk *) Parameters :

Pointer to the Parameters Structure (TvPOSParamsBlk) Pointer to the Results Structure (TvPOSResultsBlk)

Returns :

TRUE or FALSE indicating whether the funcuon call was a success.

vPOSShutDown - Shutdown the vPOS This is used to shutdown the vPOS. API Definition : vPOSBool vPOSShutDown(void) Parameters : None Returns :

TRUE or FALSE indicating whether the function call was a success.

vPOS Status Codes

This section detεdls the different status codes (listed under the enumeration EStatus) which the vPOS returns for the different operations performed, enum EStatus

* eSuccess = 0, / / Function cεdl or operation successful eFailure, / / General failure evPOSLocked, / / vPOS locked, transaction not allowed

/ / Transaction related error codes ePmtlnstNotSupported, / / Payment Instrument not supported eTransNotSupported, / / Transaction type not supported eTrε sInitErr, / / Transaction Initialization Failed eAdjustNotAllwd, / / Adjust not εdlowed on this trεmsaction eVoidNotAllwd, / / Void not allowed on this transaction eForcedPostNotAllwd, / / Forced Post not allowed on this trεmsaction ePreAuthCompNotAllwd , // Pre-Auth. not εdlowed on this transaction eAmtErr, / / Error in the amount passed eHDTLoadErr, // Error duπng loading the HDT table eCDTLoadErr, // Error dunng loading the CDT table eCPTLoadErr, // Error during loading the CPT table eTCTLoadErr, // Error duπng loading the TCT table eHDTWriteErr, / / Error duπng wπtmg to the HDT table eCDTWriteErr, / / Error duπng wπting to the CDT table eCPTWriteErr, / / Error duπng wπting to the CPT table eTCTWriteErr, // Error duπng wπting to the TCT table eTCTFieldErr, / / Error handling a TCT table field eLuhnErr, / / Luhn check failed on the account eRangmgErr, / / Card range not found ePANLenErr, / / PAN length error eExpiredCard, / / Card expired elnvalidMonth, / / Invalid month in the expiration date eFileOpenErr, / / General file open error eFileCloseErr, / / General file close error

vPOS Terminal Architecture

Figure 25 is a block diagram of the vPOS Terminal Architecture in accordance with a preferred embodiment. The Internet 2500 provides the communicaUon processing necessary to enable the vPOS Terninal architecture. The terminal interface CGI 2520 communicates via the Internet to provide information to the vPOS OLE Server 2550 which formats information in accordance with the vPOS API DLL 2560 which uses the protocol class DLL 2570 to flesh out the message for delivery to the Gateway Server 2580. The collection of the vPOS OLE Server 2550, vPOS API DLL 2560 and the Protocol Class DLL 2570 make up the vPOS Software Development ToolKit (SDK) which εu-e used to enable vPOS applications for interfacing with an Operator 2540.

vPOS/ GATEWAY Architecture

The architecture of the Virtual Point of Sale (vPOS) and Virtual Gateway (GATEWAY) architecture maintains SET compliance while providing support for additional message types that are not enabled in SET. The architecture includes isolation of cryptographic details in a single module to facilitate single version government approval while maximizing the flexibility of the system for customization and facilitating transfer of updated versions on an acquirer specific basis. Figure 18 is a block diagram of the extended SET architecture m accordance with a preferred embodiment Processing commences at function block 1800 for a consumer- oπginated transaction via the World Wide Web (WWW) or 1810 for a merchant-onginated trεmsaction on the Internet In either case control passes immediately to the WWW server 1820 for the trεmsaction to be appropπately formatted and the appropπate interface page presented, whether the transaction is a store front 1822, shopping cart 1824, pay page 1826, standard terminal administration 1828-1830 transaction, or an extended terminal transaction 1834 If processing requires authentication of the transaction, then control passes through the Virtual Point of Sale (vPOS) Application Programming Interface (API) library 1840 for SET compliant transactions and through the vPOS API extensions library for extensions to the SET protocol Then, at function block 1842, if the transaction is SET compliant, and function block 1864 if the transaction is not SET compliant, a library of protocol stack information is used to conform the message before it is transmitted to a Gateway site for ultimate delivery to a bank host 1874 for authorization

Extended SET messages are processed at the Gateway site on a two track basis with the division cπteπa being SET compliance (which will change over time as more functionality is put into SET) or SET extensions. Set compliant messages are processed via the protocol statck library 1862, while SET extensions are processed via the protocol stack entension library 1864 Then, at function block 1870 the gateway engine processes SET and Host specific code including gateway administration extensions 1872 that bypass the normal processing and flow directly from the merchεmt εmd consumer server 1820 to the atewav administration extensions 1872 to the Gateway Engine 1870

As descπbed above, there are three channels by which messages are exchanged between vPOS 1846 and GATEWAY 1856

1 Standard SET messages The standard SET messages are oπginated by the merchant software either via a pay page 1826 directly controlled by the consumer, or via an operator interface consisting of a set of HTML pages and associated executables launched by the pages (e g pay page 1826 and standard terminal administration 1828-1830 )

Each SET message type (e g. , authorization v capture) transmits a different set of data and each requires a different Protocol Data Unit (PDU) to descπbe its encoding Examples of how Standard SET messages are encoded are given in the SET documentation previously incorporated by reference

2 Extended SET messages

The Extended SET messages are utilized as an "escape mechanism" to implement acquirer- specific messages such as settlement/ reconciliation, employee logon/ logoff, and parameter download The messages are developed as a set of name-value pairs encapsulated in a PKCS-7 wrapper and wrapped in Multipurpose Internet Mail Extensions (MIME), descπbed in a book by N Borenstem & N Freed, "RFC 1521. MIME (Multipurpose Internet Mail Extensions) Part One Mechanisms for Specifying and Descπbmg the Format of Internet Message Bodies" (Sep 1993) The name-value pairs can have arbitrary (8-bit) data, so arbitrary items can be passed through the extended SET channel, including executable programs and Dynamic Load Libranes (DLL)s

Figure 18B illustrates a multipart MIME message with one Extended SET message and one Standard SET authorizing message Mime is utilized as an outer wrapper 1890 to allow an Extended SET message 1891 to be transmitted as a compon of messages embedded in one MIME multipart message In this manner, a standard SET message can be sent with an Extended SET message in one vPOS/GATEWAY communication transaction

Embedding the Extended SET messages in a PKCS-7 wrapper enables the same message authentication to occur as m stεmdard SET messages Thus, for SET-comphant and non-SET- comphεmt messages, the same mechanism may be used to restπct which entities the vPOS or Gateway will trust m anv communications. .An important concept in Extended SET is that all messages, of any tvpe. εu-e sent in a uniform name /value pair format, thus allowing a single Protocol Data Unit to suffice for ε y type of message sent through the Extended SET channel. Since arbitrary data may be sent this way, a mechanism must be provided to preclude the use of the Extended SET channel by parties other thε approved financial institutions. If this is not ensured, then the NSA and the US Department of Commerce will not approve the software for export

SET itself to some degree ensures that this Extended SET channel is used only by financial institutions The protocol stack extension library only processes messages that have been signed by a financial institution SET certificate that is in turn signed by a payment instrument brand certificate (such as Visa or MasterCard) Stronger control over the Extended SET channel can be achieved by further restπctmg processing of messages to those signed (either instead of or in addtion to the financial institution SET certificate) by a second certificate belonging to a third-party agency, either governmental or pπvate (e.g., VeπFone, as manufacturer of the softwεire)

In this way, a particular set of Extended SET messages can be implemented by Bank X, and a different set of messages by Bank Y. If a vPOS has an extended terminal transaction interface as shown in Figure 18A at block 1834 for Bεtnk X, and has been configured to only accept messages from a Gateway with Bank X's certificate, then it will be able to communicate those messages to a Gateway that has the certificate for Bank X, and accepts messages of the types in Bank X's message set The vPOS will not be able to connect to the Bank Y gateway, or to any other system that purports to communicate via Extended SET. This restπction is further secured by utdizing a public key certificate that is "hard wired'' into vPOS, and which is distπbuted only to gateways that use the Extended SET mechanism

Figure 18C is an example flowchεu-t of message processing in accordance with a preferred embodiment. Processing commences at function block 1880 when a message is received by an HTTPS server or other listener and passed to decision block 1883 to determine if the sending vPOS has transmitted an authentic message and if the vPOS is authorized to communicate with this gateway. If the message is not authentic, then the message is logged as an error εmd the error is hεmdled as shown in function block 1889. If the message is authentic, then the message is decrypted at function block 1884 and the PDU parses the message into name / value pairs. Then, based on the message type and the extended SET version information, the remaining message is parsed at function block 1885 and the message is checked for conformance to the appropπate specification as shown at decision block 1887. If the message does not conform, then it is logged and the error handled at function block 1889. If the message conforms to the proper specification in decision block 1887 then the message is translated into the appropπate host format and sent to the host as shown in function block 1888. Thus, when a gateway receives an incoming message from a vPOS and parses the Extended SET portion of the message, a single MIME message can transmit a SET message and /or an Extended Set Message.

An export license for the encryption can be obtained on a case-by-case basis, and since there will be potentially millions of vPOS's, it is desireable to obtain a commodities juπsdiction for the vPOS, to enable a single version of the vPOS (rather than one version for each bank) to be supported by the vPOS architecture The architecture descπbed here ensures that the single version of vPOS, no matter how it is configured with extended terminal transaction interfaces, cannot be used to communicate any data other than that contained in the extended SET messages that have been approved for export by the US government to be used exclusively for a specific bank.

Figure 18D is an example of a simple message between vPOS and Gateway using the Extended SET channel enabling an employee to sign on, or "logon" to a given terminal in accordance with the subject invention. The message must contain the employee s logon ID, a password to be verified by the bank host computer, and the date and time as shown at 1894.

While the contents of the message are shown without encryption in Figure 18D, it should be noted that the information (including the logon password) are SET encrypted mside the PKCS-7 wrapper 1894. Certain fields may be designated as mandatory for an Extended SET message, to allow the Gateway or vPOS to decide how to handle the message For the sake of claπty, in this message 1894, only two fields, "messagetype" and "ESETverston , are mεmdatory. These fields inform the Gateway that this message is of type "logon, and that the vPOS is using version " 1.0A" of the ESET message formats defined for the Gatewav In this embodiment, the length indicator "[5]" is used to distinguish the length (m bytes) of the field of type 'messagetype' in the message In this way, there are no special end-of-data characters, and therefore arbitrary data need not have any escaped" characters

It should be noted that using escaped characters will work equally well Total message integπty is assured by the digitad signatures in the PKCS-7 wrapper This does not, however, preclude the use of other checksumming schemes for additional pinpointing of transmission or encoding errors The messagetype εmd ESETversion name /value pairs facilitate Gateway look up of what name/value pairs are expected in the 'logon message Some name/value pairs may be mandatory, and others may be optional

Figure 18E is an example of a simple message between vPOS and Gateway using the Extended SET channel enabling an employee to sign on, or 'logon to a given terminal in accordance with the subject invention. In response to the logon request message from a vPOS, the Gateway may respond with a logon accepted ' message 1894, as depicted in Figure 18E, which vPOS, upon receipt and authentication, then uses to unlock the terminal for that user

Figure 49 shows how the vPOS authenticates an incoming response to a request in accordance with a preferred embodiment Processing commences at function block 4930 when a message is received by the HTTPS, SET server, or other listener that oπgmated the request to which this reponse corresponds The message is passed to decision block 4940 to determine if the sending Gateway has transmitted an authentic message and if the gateway is authorized to communicate with this vPOS If the message is not authentic, then the message is logged as an error or possible attack and the error is handled as shown in function block 4970. If the message is authentic, then the message is decrypted at function block 4950 and the PDU parses the message into name/value pairs Then, based on the message type εmd the extended SET version information, the remaining message is parsed at funchon block 4960 and the message is checked for conformance to the appropπate specification as shown at decision block 4980. If the message does not conform, then it is logged and the error handled at function block 4970. If the message conforms to the proper specification in decision block 4980 then the message is translated into a standardized argument stnng to be passed to the appropπate executable or code entry point in the vPOS, as shown in function block 4990. Thus, when a vPOS receives an incoming message from a Gateway and parses the Extended SET portion of the message, the message may cause vPOS to execute a program that takes action or queries the user to take action.

3. Gatewav-intitiated messages Since all SET messages between a merchant and an acquirer are currently merchant-initiated (as specified in the SET documentation), there must be a separate mechanism for initiating a message from a gateway, for example to request the upload of management information base (MIB) data, or to download new parameters. This is accomplished by requiring the gateway to send a message to the merchant via a MIME-encapsulated PKCS-7 conformant message contεdning name-value pairs to the merchant server directly, rather than to the SET module. This channel is shown in Figure 18A at block 1860.

The message is verified for origination from the acquirer, and is utilized to either initialize, a merchant action, such as to update the merchant's administration page (for example by blinking a message saying, "PLEASE RE-INITIALIZE YOUR TERMINAL"), or by initiating a request/ response message pair originating from the merchant (for example, "HERE ARE THE CONTENTS OF MY MIB"). This is achieved by calling one of the extended terminal transaction interfaces (Figure 18A at 1834), which in turn initiates a SET or Extended SET transaction.

Gateway Customization via the Extended SET Channel

Gateway customization in extended SET is extremely powerful and a novel concept for vPOS processing. Each vPOS contains one or more "serial numbers" unique to each copy of the software (a serial number may be embedded in the software, or may be a component of a public key certificate used in the software). Once a merchant has selected an acquirer and obtained the appropriate certificates, the vPOS can be customized utilizing the communication link and messages containing customization applications.

A bank distributes vPOS via different sεdes channels. The first is direct from a bank to an existing merchant with whom the bank already has an existing relationship. In this case, a version of vPOS already customized for a bank is sent to the merchεmt, either directly by a bank, or through a third-party distributor or service bureau. T e customizations may involve modification or replacement of, for example, a store front 1822, shopping cεirt 1824, pay page 1826, standard terminal administration transaction interface 1828-1830 or an extended terminal transaction interface 1834. This is a standard model of distribution of software that is customized for small target market segments.

The more interesting case, and the one that concerns the novel use of the Extended SET channel, is where the potential merchant acquires, through some non-bank channel, a "generic" vPOS which has not yet been customized to interact with a specific bank. This vPOS can communicate with a "test gateway", which the merchant may use to experiment with the various features of vPOS and to test the integration of the vPOS into a totεd online storefront.

In order to actually transact business over the Internet, the merchant must first obtain a merchant ID from the merchant bank with which he signs an acquiring agreement. For online payment processing, the merchant must also obtain an appropriate set of digital credentials in the form of public key certificates and possibly additional passwords, depending on the financial institution. Once these credentials are obtained, the merchant is ready to customize the already-obtained vPOS to communicate with a merchant bank's gateway.

Using the built-in "serial number" certificate and the Test Gateway public key certificate (which is "hard-wired" into the vPOS sofware), it is possible to securely download a particular bank's customization applications to a specific copy of the vPOS software . Once the vPOS is appropriately configured, the last stage of customization download is to configure the vPOS so that it only responds to a public key certificate of the merchant's acquirer. This process is illustrated here in the context of a merchant who obtains a vPOS that talks to the VeriFone test gateway, and desires to customize the vPOS to interact with a gateway at a bank.

The merchant has purchased a vPOS from a non-bank channel. The version communicates with the VeriFone Test Gateway. The merchant uses the gateway to learn about using vPOS, and to test the integration of his storefront system with his payment system. The merchεmt εdso obtains certificates for payment processing from a bank, the merchant bank of choise for the merchant. The merchant is now ready to customize vPOS to talk to the bank gateway. The flowchart for the merchant interaction with the Test Gateway is shown in Figure 50. The merchant begins at function block 5000, where the newly-obtained merchant SET certificates are installed in the vPOS. The merchant then directs the vPOS to connect to the VeπFone Test Gateway, by selecting this option from the vPOS terminal administration home page 5005 The choice of this option invokes an extended terminal admin page from the default set of such pages supplied with the geneπc version of vPOS This program guides the customization process

The merchant, interacting with the extended terminal admin page, navigates to the list of gateways which is maintained by the Test Gateway, and selects the bank to connect by selecting from the list of bεmks, at function block 5015 Duπng this process, the merchant's public key certificates are uploaded to the Test Gateway, and checked (at decision block 5025) to veπfy that the certificates have been signed by the bank to customize the bank for the vPOS If the certificates do not match, the merchant is advised of the situation in function block 5028, and must select a different bank. If the certificates are not valid SET certificates as detected at decision block 5020, the merchεmt is advised at function block 5028, and the session terminates If the certificates are valid and match the selected bank, customization continues at function block 5030

The extended terminal administration progrεun in vPOS receives a list of the customizations from the Test Gateway that must be performed to speciεdize the vPOS for a specific bank Some of these customizations are mandatory, while others are optional In function block 5030, the vPOS advises the merchant of the customizations, prompting for any choices that must be made by the merchεmt The merchant's actions at this point dπve decision block 5035, in which the vPOS either returns itself to the "geneπc" state and terminates the interaction, or begins the configuration of the vPOS, depending on the merchant's confirmation of the request to begin the configuration.

If the merchεmt has authorized the changes, control is passed to function block 5040 where, the POS storesthe certificates of any gateways that it will allow mture configuration changes to be initiated from in its database This may be only a specific bank, such as a bank and the Test Gateway, or other combinations. If only a single, non-Test, bank-owned, gateway is allowed to download changes, the vPOS is no longer customizable for any other bank Then, a new copy would be purchased by the merchant to have it customized for another bank If the Test Gateway is still allowed to customize the vPOS, the merchant could switch to another merchant bank and have the current vPOS updated to work with the new bank.

In funcuon block 5050, the customizations are downloaded to the vPOS The downloads compπse a set of HTML pages and a set of executable programs or scπpts that read data from the merchant, perform vεmous functions, and present data to the merchant. In general, the customizations downloaded may augment or replace m part or in whole any and all of function blocks 1822, 1824, 1826, 1828, 1830, or 1834 in Figure 18A. At a minimum, the terminal "home page" will be replaced so that it points to the new functionality At this point, the customization of the vPOS has been completed, and the merchant may now begin sending payment requests to the merchant bank or processor through the vPOS

Thread Safe vPOS - TID Allocation Physical terminals process a single transaction at a time since clerks are usually only able to process one transaction at a time. Web Servers can process many transactions at a time, so payment requests can often occur simultaneously Thus, the vPOS Software must have support for multi-tasking and provide support for multiple threads to be active at the same time in the same system as well as the same process. This requirement is relatively straight forward. However, the authorizing banks require that all transaction requests include a

Terminal ID (TID), εmd, for many banks, no single TID may be active in any two transaction requests that overlap in time Thus, the vPOS requires dynamic allocation of TIDs to requestmg threads

One way of providmg for multiple TID's is to assign a "base" TID, and either an "extension" (a set of extra digits appended to the base), or an increment (a number which is added to the base to obtain the complete TID). While such a solution can be used for the majoπty of banks and processors, not all banks/ processors can accomodate this solution. One exεunple is First Data Corporation. For its ENVOY protocol, the termmεd ID must use the Luhn check as recited in an ISO ransrk, which adds a checksum digit to the the terminεd ID to reduce chεmces of fraud or of mistyped information. Thus, to be general enough to handle all bank /processor situations, a pool of TID's is used. The TID's stored in the pool need not be a sequential set of numbers; in fact they can be alpha/ special/ numeπc combinations, and the TID's need have no relation to one another. In a preferred embodiment, a TID is represented as a token in a pool that can be associated with a particular transaction.

To provide for this requirement, the vPOS provides a TID pool in tabular form in a database management system (DBMS). This table has two colums: TID NAME & Allocation date/time. If the TID date is null, then the TID is not in use and may be assigned. A date/ time field is utilized to εdlow TID allocations to expire. TID requests εire made utilizing a SQL query on the TID Pool to find the first null or expired date/ time, which is replaced with the current date/time and the TID name returned.

REMOTE vPOS

The unique εirchtitecture of the Cardholder 120, Merchant 130 and Gateway 140, as shown in Figure IB, provides communication capability between the modules utilizing the Internet to support linkages 150 and 170. Since the Internet is so pervasive, and access is available from virtually any computer, utilizing the Internet as the communication backbone for connecting the cardholder, merchant and access to the authorizing bank through a gateway allows the merchant vPOS software to be remotely located from the merchant's premises. For example, the cεudholder could pay for goods from any computer system attached to the Internet at any location in the world. Similarly, the merchant vPOS system could be located at a central host site where merchant vPOS systems for various merchεmts all resided on a single host with their separate access points to the Internet. The merchant could utilize εmy other computer attached to the Internet utilizing a SSL or SET protocol to query the remote vPOS system and obtain capture information, payment administration information, inventory control information, audit information and process customer satisfaction information. Thus, without having to incur the overhead of maintaining sufficient computer processing power to support the vPOS softwεire, a merchant can obtain the information necessary to run a business smoothly and avoid hiring IS personnel to maintain the vPOS system.

vPOS Multi-Merchant Processing Multiple merchant processing refers to the ability of a plurality of merchants to process their individual vPOS transactions securely on a single computer. The architecture relies on each payment page obtaining the merchant name in a hidden field on the payment page. The vPOS engine receives tl. ^• merchant name with a particular transaction and synchronizes the processing utilizing a Set Merchant method. This command causes the vPOS API to look up a unique registry tree based on the merchant name. This process causes the vPOS engine to engage the appropπate configuration to process the transaction at hand utilizing a Registry Tree A registry tree contains Card Definition Tables (CDT)s, Acquirer Definition Tables (ADT)s, Merchant Definition Tables (MDT)s, Protocol Configuration Tables (PCT)s, etc. The CDTs point to specific ADTs since each supported card can be supplied by a distinct acquirer. This is one form of split connection. Each of the ADTs in turn point to PCTs, and some acquirers can support multiple parallel gateways A merchant's name refers to a unique database in the database management system which contains for example, TIDs.

So, for example, to fully qualify a particular merchant in a multi-merchant system, the Acquirer Definition Table is queπed to ascertain the particular Gateway (VFITest), then if Bεmk of Amenca requires veπfication of network communication information, the particular CardDT is accessed with for example VISA The particular merchant will service VISA transactions utilizing a particular acquirer. The particular piece of merchandise will also be detailed in a data base Finally, the merchant Configurations wil 1 also be stored in the database to facilitate E-mail and name lookup

vPOS CLIENT The interaction between the vPOS and a client commences when a pay page solicits parameters of a transaction. Then, the parameters are validated to be sure the payment instrument, for example, cardnumber is not null Then, a transaction object is created, eg. AUTHONLY, and the object is initialized and stuffed with parameters of the transaction, eg. ao.setpan(accnum), and the object is executed This execution invokes the vPOS engine. The vPOS engine further validates the parameters based on the particular merchant's configuration. For exεimple, some merchans do not accept Ameπcan Express Cεirds, but will take Visa, and all merchants check the expiration date of the card. Assuming a valid and acceptable card has been tendered, then a TID is assigned (expiπng, existing TIDs) or block a new TID from the TID Pool This generates a STAN, XID, RRPID unique tag and creates an initial record in the transaction database which is flagged as before gateway processing in case the transaction crashes and must be backed out. Then the protocol parameters are identified in the registry based on card type, εmd a particulεu" acquirer identified. Then, a protocol object is created and executed to extract results from the protocol object and the before gateway "bit" is flipped to again flag the location of the transaction in the process as it is submitted to the Gateway

The results received back from the Gateway are placed into a transaction object with is reported back to the pay page and ultimatey back to the pay page user

vPOS Merchant Pay Customization

A novel feature of the vPOS software provides payment page customization based on a merchant's preferences This feature automatically lists cards that are accepted by a particular merchant based on the active terminal configuration Each approved card for a particular merchant is linked to the display via an URL that provides a pointer to the credit card information supported by the merchant. Each card has an entry in a data structure referred to as the Card Definition Table (CDT)

A preferred embodiment of the vPOS merchant pay customization software in accordance with a preferred embodiment is provided in Figure 19 which illustrates the logic utilizing a flowchart, and a listing of the source code below Processing commences at terminal 1900 and immediately flows to function block 1910 where an index vaπable is mitiεdized for stepping through each of the accepted payment instruments for the merchant's page Then, at function block 1930, a URL key is obtained associated with the current merchant pay page and index value. The URL key is a registry key name that points to a picture of a credit card that the merchant has associated with the pay page and which the merchant accepts as payment. At output block 1940 the card image associated with the URL key is obtained εmd displayed on the termmal The CDT entry is obtained at function block 1950 utilizing the URL key. The CDT is utilized for stoπng information associated with each card Then, at decision block 1960, a test is performed to determine if the last payment method card has been processed and displayed on the merchant display If not, then the index is incremented at function block 1920 and the loop reiterated to process the next card at function block 1930 If all the cards have been processed, then control is returned to the merchεmt program for processing the transaction at terminal 1970. Figures 20 A through 20H are block diagrams and flowcharts setting forth the detailed logic of thread processing in accordance with a preferred embodiment Figure 20A illustrates a pπor art approach to POS processing utilized in most grocery stores and department stores today POS Terminal 2001 accepts transactions provided to it one at a time by customers 2000 For each transaction, POS Terminal 2001 builds a transaction request 2002 and transmit it to acquiring bank 2004 over communications link 2003

Figure 20B is a data structure 2002 representing a POS transaction request in accordance with a preferred embodiment The data structure 2002 includes a TID field 2005, which identifies the physical terminal from which the transaction originates In addition to the TID field, the data structure also includes other data 2006 necessary to process a transaction This data includes such fields as a transaction type, a transaction amount, a currency type (such as U S dollars), credit card account number, credit card expiration date, etc

Figure 20C illustrates a vPOS architecture with account requests being processed by a single acquiring bank vPOS 2007 processes a plurality of customers 2000 concurrently For each such customer 2000, vPOS 2007 builds a data structure 2010, representing the transaction to be performed for that customer Each data structure 2010 contains a unique "virtual terminal" ID vPOS 2007 selects a virtual terminal ID using database 2008 For each data structure 2010, vPOS 2007 initiates communication with acquiring bank 2004 using communication link 2003

Figure 20D is a data structure 2010 representing a vPOS transaction request in accordance with a preferred embodiment The data structure 2010 includes a TID field 2012, which identifies a virtual terminal ID associated with a particular transaction In addition to the TID field 2012, the data structure also includes other data 2006 necessary to process a transaction This data includes such fields as a transaction type, a transaction amount, a currency type (such as U S dollars), credit card account number, credit card expiration date, etc Figure 20E illustrates a TID allocation database 2008 in accordance with a preferred embodiment Database 2008 includes a TID allocation table 2011 TID allocation table 2011 includes a plurality of rows, one for each TID used by each acquiring bank One such row 2013 is illustrated in detail Row 2013 includes a good/service order (GSO) identifier 2014. which identifies the order being transmitted, a TID field 2015, which identifies a terminal ID that may be used with a particular acquiring bank, and an acquiring bank field 2016. which identifies the acquiring bank for which the TID is valid In addition, row 2013 may optionally include other fields 2017 that may be used in conjunction ith the order processing A null GSO value indicates that the 1 ID/Acquirer combination is not currently in use

Figures 20F through 20H are flowcharts of the detailed logic used to perform virtual terminal ID allocation Figure 20F illustrates the main line operation of virtual TID allocation In step 2020, execution begins In step 2021, a skeletal transaction request structure is prepared In step 2022, the main line routine obtains a virtual TID for inclusion within the transaction request structure, as will be more fully disclosed with reference to Figure 20G, below In step 2023, the routine verifies that a TID was obtained. If the TID was not obtained, for example, if more transactions are currently being processed than there are TIDs, then execution continues to step 2024 In step 2024. the transaction request is put on a queue for future processing In step 2025, the routme waits for a transaction process to end. which would free up a TID in use At that point, control resumes from step 2022, and the routine again attempts to obtain a TID

If the TID was successfully obtained in step 2023, control proceeds to step 2026 In step 2026, the routme submits the transaction to the acquiring bank. In step 2027, the transaction ii orocessed In step 2028, the routine makes a database call to free up the TID that was used in the transaction In siep 2029 transaction processing ends Figure 20G depicts in detail the process of obtaining a TID from the database. Execution begins in step 2040. In step 2041. the routine constructs a database call to reserve a TID for processing, for example, by constructing an SQL statement to retrieve a TID row from the database In step 2042, the routine executes the database call that was constructed in step 2041. In step 2043, the routine constructs a second database c.»ll to extract the TID from the row that was reserved in step 2042. In step 2044, the database call constructed in step 2043 is executed to obtain the TID. ln step 2045, a return code is checked to verify whether the TID was successfully obtained If the TID was successfully obtained, control proceeds to step 2046, which returns to the calling program. If, however the TID was not obtained, control proceeds to step 2047 In step 2047, the routine checks to see whether an excessive number of retries have already been attempted. If there have been an excessive number of retries, control proceeds to step 2048, which exits with an error indication. If there has not been an excessive number of retries, control proceeds once again to step 2043 to retry the extraction operation.

Figure 20H depicts the operation of releasing a TID that had been used in a prior transaction. Execution begins in step 2060. In step 2062, the routine constructs a database call to update the row for the selected TID so that the value for the good and service order is null, thereby indicating that the selected TID is not associated with any good or service order, and is therefore free for reuse. In step 2064, the routine executes the SQL statements constructed in step 2062. thereby releasing the TID for use in future transactions. In step 2069, the routine returns to the calling program.

A source code listing for the transaction request processing is provided below m accordance with a preferred embodiment.

#mclude "rr.h" #ifndef _NT #defιne _NT extern void _setenvp(); #endif

/////////////////////////////////////////////////////////////// // AcquireBillHtml

// On Pay page, output form entries to acquire billing information

/////////////////////////////////////////////////////////////// EStatus AcquireBillHtml(CWSINT& clWSINT, int nTot, CProf& cIProfile, EPCLCurrency eCurrency) { //Current time time_t tNow; //figure out current year for Credit card expiry struct tm *tmNow; char szYear[DB_YEAR_SZ + 1]; char szAmount[FORMATTED_CURRENCY + 1];

time(&tNow); tmNow = localtime(&tNow); strftime(&szYear[0], (size_t)DB_YEAR_SZ + 1, "%Y", tmNow); //needs extra 1 for null int nYear = atoi(szYear); /*<TH>Payment Type</TH>\n<TD><INPUT SIZE = 20 NAME=b_instrument VALUE=\"" \ << cIProfile. m_b_instrument << "\"></TD>" \ « ^»*/ clWSINT « "<CENTER><TABLE BORDER=0><CAPTION ALIGN = TOP><B>Bill To</B>< / CAPTION> \n "; clWSINT « "<TR ALIGN=LEFT><TH>Account Number</TH><TD COLSPAN = 5><INPUT

SIZE = 56 MAXLENGTH = "

« ACCT_NUM_SZ « " NAME=b_card> </TD></T >\π"; clWSINT « "<TR ALIGN=LEFT><TH>Name on Card</TH><TD><INPUT SIZE= 20 MAXLENGTH= " « NAME_SZ << " NAME=b_name VALUE=\"" « cIProfile. m_b_name

« "\"> </TD><TH>Expiration</TH^χTD>Month <SELECT NAME = b_expire_month><OPTION> 01 \n <OPTION> 02 \n" « "<OPTION> 03 \n <OPTION> 04\n<OPTION> 05\n<OPTION> 06\n<OPTION> 07\n<OPTION> 08\n<OPTION> 09\n" <<

^• <OPTION> 10\n<OPTION> l l \n<OPTION> 12 \n</SELECT> Year <SELECT NAME = b_expιre_year><OPTION>" << nYear << "<OPTION>" << nYear + 1 « "<OPTION>" « nYear + 2 « "<OPTION>^" « nYear

+ 3 « "<OPTION>" << nYear + 4 «

"</SELECT^χ/TD></TR>\n", / /<TH>Expιres</TH><TD>Month <INPUT SIZE=3 NAME=b_expιre_month> Year <INPUT SIZE=5 NAME=b_expιre_year>< /TD>< /TR> \n" ; clWSINT « "<TR ALIGN=LEFT><TH>Address Line 1 </TH><TD COLSPAN=5><INPUT

SIZE=56 MAXLENGTH= " « ADDR_SZ

<< " NAME=b_addrl VALUE=\"" « clProfile.m_b_addrl « " \" > </TD></TR> \n \ clWSINT « "<TR ALIGN=LEFT><TH>Address Line 2</TH><TD COLSPAN=5><INPUT SIZE=56 MAXLENGTH= " « ADDR_SZ « " NAME=b_addr2 VALUE=\"" « cIProfile m_b_addr2 « " \"> </TD></TR> \n , clWSINT « "<TR ALIGN=LEFT^χTH>Cιty</TH^χTD><INPUT MAXLENGTH= " « CITY_SZ « " NAME=b_cιty VALUE=\""

« clProfιle.m_b_cιty « " \"> </TD>" « "<TH>State/Provιnce</TH><TD><INPUT MAXLENGTH= " « STATE_SZ « " NAME=b_state VALUE-V" « cIProfile. m_b_state « "\"> </TD></TR>\n" , clWSINT « "<TR ALIGN=LEFT^χTH>Country</THχTD><INPUT MAXLENGTH= " « COUNTRY_SZ

<< " NAME=b_country VALUE=\ "" << cIProfile. m_b_country << "\"> </TD><TH>Zιp/ Postal Code</TH><TD><INPUT MAXLENGTH= " « ZIP_SZ « " NAME=b_zιp VALUE=\'"' « clProfile.m_b_zιp « " \">

</TD^χ /TR>\n"; clWSINT « "<TR ALIGN=LEFT><TH>Email</TH><TDxINPUT MAXLENGTH= " « BEMAIL_SZ « " NAME=b_emaιl VALUE=\""

« clProfιle.m_b_emaιl « "\"> </TD>" « "<TH>Phone</TH><TD><INPUT Mi\XLENGTH= " « BPHONE_NUM_SZ

<< " NAME=b_phone VALUE=\"" « cIProfile. m_b_phone « " \"> </TDx /TR>\n"; clWSINT « "</TABLE^χ/CENTER^χP>\n";

//NPW« " NAME=b_addrl> </TD>" « "<TH>Payment Instrument</TH>\n<TD><SELECT NAME =b_instrument>"; //hack from ini (bug) which pay instruments supported

//NPW clWSINT « "<OPTION> Credit Card\n" « "<OPTION> Debit Card\n</SELECT^χ/TD></TR>\n";

CurrFormat(nTot, eCurrency, szAmount); clWSINT « "<CENTER><FONT SIZE=5>Total = " << szAmount « "</FONT></CENTER>"; return (eSuccess);

/////////////////////////////////////////////////////////////// / / PayButtonsHtml

/ / Output buttons on pay page: return to shop, pay, pay window, / / modify order

/////////////////////////////////////////////////////////////// void PayButtonsHtml(CWSINT& clWSINT, char* pszShopUrl, CRRReg& clReg) {

char *pszHomeUrl = clWSINT. LookUp("home_url"); char *pszModifyUrl = clWSINT.LookUp("modify_url"); char *pszSoftUrl = clWSINT.LookUp("soft_url");

if (IpszHomeUrl) pszHomeUrl = pszShopUrl; //Home Page

//if (.pszModifyUrl) pszModifyUrl = pszShopUrl; //Shopping Cart typically

clWSINT « "<CENTER><H4>By pressing the Pay! button I agree to pay the above total amount<br> according to the card issuer agreement<H4></CENTER>\n"; clWSINT « "<CENTER>\n<A HREF = " « pszShopUrl « > <IMG SRC=' « clReg.m_szReturnShop « " BORDER = 0></A>\n"; #ifdef SC clWSINT << ^"<INPUT TYPE = IMAGE NAME = gso SRC = " « clReg.m_szModifyOrder « " BORDER = 0>\n"; #else if (pszModifyUrl) clWSINT « "<A HREF = " « pszModifyUrl « "> <IMG SRC=" « clReg.m_szModifyOrder << " BORDER = 0></A>\n"; #endif clWSINT « "<INPUT TYPE = HIDDEN NAME = home_url VALUE = " « pszHomeUrl « ">\n" « "<INPUT TYPE = IMAGE NAME = vPOS SRC = " « clReg.m_szPay << " BORDER =

0>\n"

« "<INPUT TYPE = HIDDEN NAME = shop_url VALUE = " « pszShopUrl « ">\n" « "<INPUT TYPE = HIDDEN NAME = store VALUE = " « clWSINT.LookUp( store") <^ ">\n"; //Can't be NULL or error previously if (pszSoftUrl) clWSINT << "<INPUT TYPE = HIDDEN NAME = soft_.url VALUE = " « pszSoftUrl << ">\n"; clWSINT << "</CENTER>\n";

} /////////////////////////////////////////////////////////////// // DisplayPayPage / / Outputs billing form, buttons, and static gso

/////////////////////////////////////////////////////////////// EStatus DisplayPayPage(CWSINT& clWSINT, CRRReg& clReg, int nError) {

EStatus eStat; char szFileLine[BUFFER_SZ + 1); char *psiTag, *pszRefererUrl, *pszShopUrl, *pszExePath, "pszServerName; time_t tNow; int nTagExist = FALSE;

HKEY hCardsKey; / /To enumerate cards long retCode; mt nNoCards,

DWORD dwtype, dwlen,

HKEY hCardKey, char szCardBuf[MAX_PATH + 1), szCardPιc[MAX_PATH + 1],

#ιfdef _SC

CPOLBk clBkGso, #else char *pszTxn, *pszGsoNum, *pszGsoOpaque, *pszTot; #endιf

/ /Shipping headers If come from gso page and cookies are not set, set CProf *pProfile, pProfϊle = new CProf(), if ( ' pProfile) return (eRRNewFailed) ; eStat = pProfile->Imt(clWSINT), if (eStat '= eSuccess) return (eStat), / /Init failed

#ιfdef _SC /*No session cookie for the pay page. This means the user will either use a long term cookie or type in their info each time*/ clWSINT « "Set-Cookie: profile= ' « pProfιle->GetCookιeLιne() « ", path=/ \n ', /* if (clWSINT.LookUpC'Server Name")) clWSINT << , domain = ' « clWSINT LookUpf'Server Name") << , \n ',*/ #endιf

#ιfdef _SC

/ /Shipping filled m? if C(pProfile->m_s_name[0] && pProfile->m_s_addrl [0] && pProfile->m_s_city[0] && pProfile->m_s_state[0) && pProfϊle->m_s_zιp[0] && pProfile->m_s_country[0] && pProfile->m_s_ship[0])) eStat = DιsplayGsoPage(clWSINT, clReg, ERROR_DISPLAY); / /bug, return correct^' _'' return eStat;

}

//Creates shopping basket from CGI /Cookies eStat = clBkGso.Inιt(clWSINT, *pProfιle, clReg), if (eStat != eSuccess) return (eStat); / /eRRBasketCreateError

//Cookies then other headers clBkGso.ToCookιes(clWSINT, REGULAR),

#endιf

/ /clWSINT « "Pragma no-cache\n"; clWSINT « "Content-type: text/html\n\n" ;

/ /Where to position the page if all information is filled in, here if (.nError) {clWSINT « "<A

/ /Output HTML lfstream lfPay; ifPay.open(clReg.m_szPayTemplate, ιos::m | ios::nocreate); if (ifPay.faιl()) return (eRRCantOpenPayTemplate); / /couldn't read pay template file

/ /HTML Template while (ifPay) { ifPay gethne(szFιleLιne, BUFFER_SZ); if (!(pszTag = strst zFileLine, DYNAMIC _TAG))) clWSINT « szFileLme « " \n ", else { nTagExist = TRUE;

//Null the tag, Output the beginning of the line, / /make the dynamic basket call, output the rest of the line if (strlen(szFileLιne) == strlen(DYNAMIC_TAG)) psztfagfO] = NULL, else { pszTag{0] = (char) NULL; pszTag += strlen(DYNAMIC_TAG) + 1 , / /was 9

} clWSINT « szFileLine;

/ /Dynamic call pszRefererUrl = clWSINT.LookUp("Referer"), if (IpszRefererUrl) return (eRRNoRefererUrl), pszExePath = clWSINT.LookUp("Executable Path"); if (! pszExePath) return (eRRNoExePath) ; pszServerName = clWSINT.LookUpfServer Name ), if (.pszServerName) return (eRRNoServerName); clWSINT << "<FORM METHOD = POST ACTION = http' , if (clReg.m_nUseSSL) clWSINT « "s"; clWSINT << "./ /" << pszServerName << pszExePath << "#jump>",

/ *clWSINT « "<FORM METHOD = POST ACTION = " « pszExePath

/ / Setting Long Cookies clWSINT << "<CENTER>If you wish to have billing and shippmg defaults set in your browser, check this box "

« "<INPUT TYPE = CHECKBOX NAME=long_cookies>< / CENTER> \n" ;

/ /Fill it in message if (nError) { clWSINT « "<A

clWSINT « "<CENTER><H4>You must fill in <I>all</I> of the billing information except for <I>address line 2</I> and <I>emaιl</I> </ H4></CENTER>";

} / /GsoNum #ifdef _SC time(&tNow); / /For multithreading, append instantiation number clWSINT « "<TABLE ALIGN=RIGHT><TR^χTH>Order Number< /TH><TD>' << tNow « "</TD^χ/TR^χ/TABLE><BR CLEAR=ALL> \n<INPUT

TYPE=HIDDEN NAME=b_gso_num VALUE = « tNow « -> \ n "; #else

/ /Pay page API: transaction type, GSO #, gso opaque pszGsoNum = clWSINT. LookUp( 'b_gso_num"); if (pszGsoNum) clWSINT « "<TABLE ALIGN=RIGHT><TR> TH>Order Number< /TH><TD>'' << pszGsoNum

« "</TDx /TR^χ/TABLE><BR CLEAR=ALL \n INPUT TYPE=HIDDEN NAME=b_gso_num VALUE = " « pszGsoNum « ">\n"; else { time(δstNow); / /For multithreading, append instantiation number clWSINT « "<TABLE ALIGN=RIGHT><TR><TH>Order Number</TH><TD>" << tNow

« "</TD^χ/TR^χ/TABLE><BR CLEAR=ALL>\n<INPUT TYPE=HIDDEN NAME=b_gso_num VALUE = " « tNow « "> \n";

}

/ /Some pay page only specifics: transaction to execute, gso opaque pszTxn = clWSINT.LookUpC'transaction' j; if (pszTjcn) clWSINT « "<INPUT TYPE=HIDDE!; A- E=transaction VALUE =

" « psiTxn << "> \n ";

pszGsoOpaque = clWSINT. LookUpf gso_oρaque"); if (pszGsoOpaque) clWSINT « <INPUT TYPE=HIDDEN NAME=gso_opaque VALUE =

\"" << pszGsoOpaque << " \">\n"; #endif #ιfdef _SC

/ /Bill to information & Payment Instrument eStat = AcquιreBιllHtml(clWSINT, clBkGso GetTotQ, *pProfιle, (EPCLCurrency) clReg.m_eDefaultCurrency); #else

/ / Pay Page alone requires a total pszTot = clWSINT. LookUpC total"); if (IpszTot) return (eRRNoPayTotal); eStat = AcquιreBillHtml(clWSINT, atoι(pszTot), *pProfιle, (EPCLCurrency) clReg.m_eDefaultCurrency), clWSINT << '<INPUT TYPE=HIDDEN NAME=total VALUE = « pszTot << "> \n ', #endιf if (eStat != eSuccess) return (eStat); / /error from db^? within

AcquireBillHtml clWSINT « "<P>\n";

/ / Output Buttons on Form pszShopUrl = clWSINT. LookUpf'shop.url"); if (IpszShopUrl)

PayButtonsHtml(clWSINT, pszRefererUrl, clReg); else

PayButtonsHtml(clWSINT, pszShopUrl, clReg);

/ / Registry Card LookUp clWSINT « "<CENTER><TABLE CELLSPACING = 5><TR><TH>Cards

Accepted. </TH>",

RegOpenKeyEx(clReg.m_hStoreKey, "API\ \CDT", 0, KEY_READ, SthCardsKey), dwlen = sιzeof(mt);

RegQueryValueExfhCardsKey, "NoOfRows ", 0, &dwtype, (LPBYTE)&nNoCards, δεdwlen); for (int i = 0; i < nNoCards; i++) {

RegEnumKey(hCardsKey, i, szCardBuf, MAX_PATH + 1);

RegOpenKeyEx(hCardsKey, szCardBuf, 0, KEY_READ, &hCardKey); dwlen = MAX_PATH + 1 ; retCode = RegQueryValueEx(hCardKey, "CardPicture ", 0, &dwtype, (LPBYTE)szCardPic, &dwlen); if (retCode != ERROR_SUCCESS) return eRRRegistrvFailure; clWSINT « "<TD><IMG SRC = " << szCardPic << "></TD> ";

RegCloseKey (hCardKey) ;

RegClo seKey (h Card sKey ) ; clWSINT « "</TRx/TABLE^χ/CENTER> "; clWSINT « "</FORM> \n<HR>\n ";

#ifdef SC

//Output static HTML Table clBkGso.ToHtml(clWSINT, NOEDIT); //Output static Shipping information StaticShipHtml(clWSINT, *pProfile); / /Also NO_EDIT clWSINT « "<HR>\n";

#else

//Pay page alone takes and passes through a gso if (pszGsoOpaque) clWSINT « pszGsoOpaque < " \n";

#endif

//Rest of Line from template file if (pszTag) clWSINT « pszTag;

if (nTagExist != TRUE) retum(eRRNoDynamicTag) , else return (eSuccess);

//////////////////////////////// //Receipt Page

////////////////////////////////////////////////////////////////////////////// ////////////////#ifdef_SC /////////////////////////////////////////////////////////////// // StaticShipHtml

// On Pay page, output Static table of shipping information // based on cookies set in pπor page

/////////////////////////////////////////////////////////////// void StatιcShιpHtml(CWSINT& clWSINT, CProf cIProfile) { clWSINT « "<CENTER><TABLE CELLSPACING=10><CAPTION ALIGN = TOP><B>Ship To<B></CAPTION>\n"; clWSINT « "<TRxTH ALIGN=LEFT>Name</TH><TD>" « cIProfile. m_s_name « "</TD>" << "<TH ALIGN=LEFT>Address Line 1</TH><TD>" « clPτofιle.m_s_addrl «

"</TD></TR>\n"; clWSINT « "<TR><TH ALIGN=LEFT>Address Line 2</TH><TD>" « cIProfile. m_s_addr2 << "</TD>" <<

"<TH ALIGN=LEFT>Cιty</TH><TD>" « clProfile.m_s_cιty « "</TD></TR>\n"; clWSINT « "<TR><TH ALIGN=LEFT>State/Provιnce</TΗ^χTD>" « clProfιle.m_s_state

« "</TD>" <<

"<TH ALIGN=LEFT>Zιp/ Postal Code</TH><TD>" « cIProfile. m_s_zιp « "</TD></TR>\n"; clWSINT « "<TR><TH ALIGN=LEFT>Country</TH><TD> << clProfιle.m_s_country « "</TD>" «

"<TH ALIGN=LEFT>Shιppιng Method</TH><TD>" << cIProfile. m_s_shιp « "</TD></TR>\n"; clWSINT « "</TABLE^χ/ CENTER><P>";

#endif

nun III i iiiiiui III 11 ii n i mi ii /inn mi mi ii/;/// run 11

II StaticBillHtml

11 O Receipt page, output static table of billing information i ui i III in mu n ii III i mi ui 11 mi i nil i um i mi nuiui u void StaticBillHtml(CWSINT& clWSINT, CProf cIProfile) j

/ *<TH>Payment Type</TH> \n<TD>" « clProfιle.m_b_instrument

« "</TD>*/ clWSINT « "<CENTER><TABLE CELLSPACING= 10><CAPTION ALIGN = TOP><B>Bill To<B></CAPTION>\n"; clWSINT « "<TR ALIGN=LEFT><TH>Account Number</TH><TD COLSPAN=3>" « cIProfile. m_b_card « "</TD></TR>\n"; clWSINT « "<TR ALIGN=LEFT^χTH>Name on Card</TH><TD>" « clProfιle.m_b_name << "</TD><TD><B>Expιres:</B><I>Month</I> " << cIProfile. m_b_e?φire_month <<

" <I>Year</I> " << cIProfile. m_b_ejφire_year << "</TD></TR>\n"; clWSINT « "<TR ALIGN=LEFT><TH>Address Line 1</TH><TD COLSPAN=3>" « cIProfile. m_b_addrl << "</TD></TR> \n"; clWSINT « "<TR ALIGN=LEFT><TH>Address Line 2</TH><TD COLSPAN=3>" « clProfιle.m_b_addr2 « "</TD></TR>\n"; clWSINT « "<TR ALIGN=LEFT><TH>City</TH><TD>" « cIProfile. m_b_city « "</TD>"

« "<TH>State/Province</TH><TD>" * «- clProfile.ro_b_state << "</TD></TR> \n ' ; clWSINT << "<TR ALIGN=LEFT^χTH>Country^/TH><TD>" << clProfιle.m_b_country << "</TD><TH>Zip/Postal Code</TH><TD>" << cIProfile. m_b_zip « "</TD></TR> \n"; clWSINT « "<TR ALIGN=LEFT><TH>Email</TH><.TD « cIProfile. m_b_email « "</TD>" « "<TH>Phone</TH><TD>" « cIProfile. m_b_phone « "</TD></TR> \n"; clWSINT « "</TABLE></CENTER><P>\n";

/ ///////////////////////////////////////////// ///////////////// / /vPOSReceipt //Generates a receipt from the return block and profile info.

#ifdef vPOS_OLE #ifdef _SC void vPOSReceipt(CWSINT& clWSINT, /* CVPCLFinCCTrans */ CVPCL_01eCCAuthOnly *pTxn, CProf& cIProfile, CRRReg& clReg, CPOLBk& cIBkGso) j #else void vPOSReceipt(CWSINT& clWSINT, /* CVPCLFinCCTrans */ CVPCL_01eCCAuthOnly *pTxn, CProfβt cIProfile, CRRReg& clReg) { #endif #else

#ifdef _SC void vPOSReceipt(CWSINT& clWSINT, CVPCLFinCCTrans *pTxn, CProf& cIProfile, CRRReg& clReg, CPOLBk& cIBkGso) { #else void vPOSReceipt(CWSINT& clWSINT, CVPCLFinCCTrans *pTxn, CProf& cIProfile, CRRReg& clReg) { #endif #endif

/ / Set Long cookies (if applicable) struct tm *tmNow; char szDate[32]; / /what is the max date? in this format/ bug time_t tNow; time(&tNow); tNow += clReg.m_nProfileLife * 86400;/ /ini constant for length of cookie stay tmNow = localtime(fittNow); strftιme(szDate, (sιze_t)31 , "%a, %d-%b-%y %H:%M:%S GMT", tmNow); ιf (clWSINT.LookUp("long_cookies")) clWSINT << "Set-Cookie: cust_profιle=" « cIProfile. GetCookιeLιne() << ";

<< szDate << "; path=/ \n"; / /Profile cookies

#ιfdef _SC / /Shopping cart sets local cookies on receipt clWSINT << "Set-Cookie: profιle=" << cIProfile. GetCookιeLιne() << " ; expires¹ << szDate << '; path=/ \n"; / /Profile cookies #endιf

/*clWSINT « "; domain = « clWSINT.LookUpfServer Name ) << " ;\n";*/

#ιfdef _SC / / Delete shopping basket clBkGso.ToCookιes(clWSINT, EXPIRE); #endιf clWSINT << "Pragma: no-cache\n"; clWSINT << "Content-type: text/html\n\n"; clWSINT « "<HTML><BODY " « clReg.m_szBackgroundStπng « "> \n"; clWSINT « "<A NAME=jumpχ/A>\n"; clWSINT « "<CENTER><IMG SRC=" « clReg.m_szReceιptBanner « ">< /CENTER> \n clWSINT << "<CENTER><H2>Thιs is your receipt. Please save it using the <I>Save As</I> option from the <I>Fιle Menu</I> in your browser</H2></CENTER>";

/ /vPOS Return Block char szGso(PURCH_ORDER_NUM_SZ + 1]; char szTransAmt[AMT_SZ + 1); char szDιsplayTransAmt[FORMATTED_CURRENCY + 1); / / Extra point for decimal enum EPCLCurrency eCurr;/ / = (EPCLCurrency) clReg.m_eDefaultCurrency; enum EPCLDecimals eDec;/ / = eTwoDecDigits; char szTιme[TRANS_TIME_SZ + lj; char szPan[ACCT_NUM_SZ + 1]; char szExpDate[EXP_DATE_SZ + 1]; char szRetRefNum[RET_REF_NUM_SZ + 1); pTxn->GetRespTransAmt(szTransAmt, AMT_SZ + 1 , &eCurr, &eDec); pTxn->GetPurchOrderNum(szGso, PURCH_ORDER_NUM_SZ + 1); pTxn->GetRespTransDate(szDate, TRANS_DATE_SZ + 1); pTjcn->GetRespTransTime(szTime, TRANS_TIME_SZ + 1); pTxn->GetRetRefNum(szRetRefNum, RET_REF_NUM_SZ + 1 ); pTxn->GetPAN(szPan, ACCT_NUM_SZ + 1); pTxn->GetExpDate(szExpDate, EXP_DATE_SZ+1);

clWSINT «"<CENTER^χTABLE BORDER=0 CELLSPACING= 10><CAPTION><B>" « clReg. m_szShopName

<< " - Order Number</B> - " << szGso « "</CAPTION> \n<TR ALIGN=LEFT><TH>Time</TH><TD>" « szTime[0]

<< szTime[l] << ":" << szTime[2] << szTime[3] << ":" << &szTime[4] << "</TD><TH>Date</TH><TD>"

« szDate[0] « szDate[l] « "/" « szDate[2] << szDate[3] « "/" << &szDate[4] << "</TD></TR>" « "<TR ALIGN=LEFT><TH>Account Number</TH><TD COLSPAN=3><B>" « szPan « "</B^χ/TD></TD>"

« "<TR ALIGN=LEFT><TH>Authorization Code</TH><TD>" << "No Auth?" « "</TD><TH>Reference Number</TH><TD>" << szRetRefNum << ^•</TD></TR>" « "</TABLE></ CENTER>";

eCurr, szDisplayTransAmt); clWSINT « "<CENTER><FONT SIZE=5>Total = " << szDisplayTransAmt « "</FONT></CENTER^χHR>\n";

/ /transtype, time, date, acct #, expire, vPOS id, transaction r/pe, auth code, ref#, amount / / Soft goods fulfillment char 'pszSoftUrl = clWSINT. LookUp("soft_url"); if (pszSoftUrl) clWSINT « pszSoftUrl « "<HR>";

#ifdef _SC

/ /Static Gso, placeholder crap until do LnGrp clBkGso.ToHtml(clWSINT, NOEDIT); clWSINT « "<HR>"; / /Static Billing

StaticBillHtml(clWSINT, cIProfile); clWSINT << "<HR>" ;

/ / Static Shipping

StaticShipHtml(clWSINT, cIProfile); clWSINT « "<HR>";

#else

/ / Static passed gso if it exists char *pszGso = clWSINT.LookUp('^*gso_opaque"); if (pszGso) clWSINT « pszGso; //Static Billing

StaticBillHtml(clWSINT, cIProfile); clWSINT « "<HR>";

#endif / /Merchant Signature Block (if/ when applicable)

//Buttons char *pszHomeUrl = clWSINT.LookUp("home_url ^'l, char *pszShopUrl = clWSINT.LookUp("shop_url"); clWSINT « "<CENTER> \n<A HREF = " « pszShopUrl

<< "> <IMG SRC=" « clReg.m_szReturnShop « " BORDER = 0></A>\n"

« "<A HREF = " « pszHomeUrl « "> <IMG SRC=" « clReg.m_szHome « " BORDER 0></A> \n"

« " </CENTER><HR>\n";

/ /Acquirer Banner char szPANLo[ACCT_NUM_SZ + lj, szPANHi[ACCT_NUM_SZ - 1 ], szBufJMAX_PATH + 1]; char szTruncPAN(ACCT_NUM_SZ+ l] ;

HKEY hCardsKey, hCardKey;

DWORD dwtype, dwlen; int nNoCards, nPANLen; long retCode;

RegOpenKeyEx(clReg.m_hStoreKey, "API\ \CDT", 0, KEY_READ, &hCardsKey); dwlen = sizeof(int);

RegQueryValueEx(hCardsKey, "NoOfRows", 0, &dwtype, (LPBYTEJ&nNoCards, δsdwlen); for (int i = 0; i < nNoCards; i++) {

RegEnumKey(hCardsKey, i, szBuf, MAX_PATH + 1);

RegOpenKeyEx(hCardsKey, szBuf, 0, KEY_READ, &hCardKey); dwlen = ACCT_NUM_SZ + 1 ; retCode = RegQueryVaiueEx(hCardKey, "PANLo", 0, &dwtype, (LPBYTE)szPANLo,

&dwlen); if (retCode != ERROR.SUCCESS) return; dwlen = ACCT_NUM_SZ + 1; retCode = RegQueryValueEx(hCardKey, "PANHi" , 0, &dwtype, (LPBYTE)szPANHi,

&dwlen); if (retCode != ERRORJSUCCESS) return; nPANLen = strlen(szPANLo) ; stmcpy(s^TruncPAN, szPan, nPANLen); s^TruncPAN[nPANLenl = '\0' ; if((atoi(s^TruncPAN) >= atoi(szPANLo) ) && (atoi(s.zTruncPAN) <= atoi(szPANHi))) { char szAcquirer[MAX_PATH + 1], szAcquirerBanner(MAX_PATH + 1); szAcquirer[0] = NULL; szAcquirerBanner(O) = NULL;

HKEY hAcquirersKey, hAcquirerKey; int nNoAcquirers = 0; dwlen = MAX_PATH + 1 ,

RegQueryValueExfhCardKey, "Acquirer', 0, δsdwtype, (LPBYTE)szAcquιrer, &dwlen);

RegOpenKeyEx(clReg.m_hStoreKey, "API\ \ADT", 0, KEY_READ, &hAcquιrersKey); dwlen = sιzeof(ιnt); retCode = RegQueryValueEx(hAcquιrersKey, "NoOfRows", 0, &dwtype, (LPBYTEJ&nNoAcq rers, &dwlen), for (int j = 0; j < nNoAcquirers; j++) ( retCode = RegEnumKey(hAcquιrersKey, j, szBuf, MAX_PATH + 1),

/ /Get jth Acquirer subkey in szbuf if (retCode '= ERROR_SUCCESS) break, if (!strcmp(szBuf, szAcquirer)) {

RegOpenKeyEx(hAcquιrersKey, szBuf, 0, KEY_READ, δεhAcquirerKey); dwlen = MAX_PATH + 1, retCode = RegQueryValueEx(hAcquιrerKey, "AcquirerBanner", 0, &dwtype, (LPBYTE)szAcquιrerBanner, &dwlen); if (retCode != ERROR_SUCCESS) break; clWSINT « "<CENTER><IMG SRC=" « szAcquirerBanner

« "></CENTER>\n ';

RegCloseKey (hAcquirerKey) ; break;

I )

RegCloseKey (hAcquirersKey) ; break;

} RegCloseKey(hCardKey) ; (

RegCloseKey(hCardsKey); clWSINT « "</HTML>"; II vPOSPay

/ / Create a PO object and invoke the vPOS

EStatus vPOSPay(CWSINT& clWSINT, CRRReg& clReg) {

EStatus eStat;

EPCLTransType eTxn; char *psiTxn = clWSINT.LookUpftransaction"), char szBuf]MAX_CGI_VAR + 1); //used for cgi variable tstore and for number later #ιfdef _SC

CPOLBk cIBkGso; //GSO data structure #else

/ /Total for transaction char *pszTotal = clWSINT.LookUp("total"); if (IpszTotal) return(eRRNoPayTotal);

#endιf

/ / Profile object CProf *pProfile, pProfile = new CProf(); if (! pProfile) return (eRRNewFailed); eStat = pProfιle->Inιt(clWSINT); if (eStat != eSuccess) return (eStat);

/ /Check billing information if (! (pProfile- >m_b_name[0] && pProfile- >m_b_addrl[0] && pProfile->m_b_cιty[0] && pProfile- >m_b_state[0] && pProfile->m_b_zip[0] && pProfile- >m_b_country[Oj && pProfile->m_b_phone[0] && pProfile->m_b_card[0] && pProf le->m_b_expire_month[0] && pProfile- >m_b_expire_ ear[0])) j eStat = Display PayPage(clWSINT, clReg, TRUE); return eStat;

//Payment transaction for a credit card #ifdef vPOS_OLE

CVPCL_01eCCAuthOnly *pTxn; #else

CVPCLFinCCTrans *pTxn; #endif

if (pszTxn) { eTxn = eNumTransTypes; if (!strcmp("authonly",

eTjcn = eTrεmsAuthOnly; /* if (!strcmp("authcapture", pszTjcn)) eTjcn = eTransAuthCapture; if (!strcmp("offlineauth", psiTxn)) eTxn = eTransOfflineAuth;*/

1 else eTxn = clReg.m_eDefaultAuthTrans;

/ / Create Transaction object switch (eTjcn) { case eTransAuthOnly:

#ifdef vPOS_OLE pTxn = new CVPCL_01eCCAuthOnly(); #else pTxn = new CVPCL_CCAuthOnly(); #endif if (IpTxn) return eFailure; / / Transaction Init Failure break; default: return eRRIllegalTransaction;

//Transaction Initialize char *pszMerchant = clWSINT. LookUpf store"); spπntf(szBuf, "MerchName="); strncat(szBuf, pszMerchant, (MAX_CGI_VAR- 10)); / /The 10 is for MerchName=

/ / Connect to the OLE Automation Server

#ifdef vPOS_OLE eStat = pTxn->CreateDispatch() ; if (eSuccess != eStat) { return e Failure ; }

#endif

eStat = pTxn->InitTrans(szBuf); if (eStat != eSuccess) return eFailure; / /eRRTxnlnitFailed

/ /GSO Number char* b_gso_num = clWSINT. LookUp("b_gso_num"); if (!b_gso_num) return (eRRNoGsoNum);

/ /Compose Gso object / /CPOLPO clPO(&b_gso_num);

/ /Creates shopping basket from CGI/ Cookies. This information is borrowed by

/ /Line Group class. For each item in the basket, put it in the PO object. We use a member function

/ /That others using the library cannot use because they may not have a basket object at their disposal.

/ /Those others must use the Set methods directly / /Then get prices from database. If prices differ, error code

#ifdef _SC eStat = clBkGso.Init(clWSINT, *pProfile, clReg); if (eStat != eSuccess) return (eStat); / / eStat = clPO.InitFromBk(clBkGso); if (eStat != eSuccess) return (eStat);

#endif

/ / set all stuff from profile object

/ / set custcookie

/ / set cust id / / set personal message

/ /Pay Page standalone. Call an integrator function, execute vPOS stuff, call an ending function.

/ /The calls before and after are for the integrator to reconcile his database with the vPOS.

/ /GSO VERIFICATION suggestions

/ / Check to see if this purchase order exists in the database & if it is linked properly with this price

/ / Insert GSO and line items into db with before vPOS TJO status / /eStat = GsoVerify(b_gso_num, pszTotal); / /For integrator to fill in.

/ /if (eStat != eSuccess) return eStat; / /Failed lookup check

#ifdef _SC int nTot; /* nTot = clBkGso.GetTot() * 100; if (((clBkGso.GetTotO * 100) - nTot) >= .5) ++nTot; spπntf(szBuf, "%.2f , nTot/ 100.0) , / /Transaction Amount, hack to get past 2 digits*/ / /erase szBuf below. Lose precision by flooring this integer, need to define round up/down spπntf(szBuf, "%d", (ιnt)clBkGso.GetTot()); pTjm->SetReqTransAmt(szBuf, (EPCLCurrency) clReg.m_eDefaultCurrency, eTwoDecDigits); #else

/ /Amount

NumClean(pszTotal) ; pTxn->SetReqTransAmt(pszTotal, (EPCLCurrency) clReg m_eDefaultCurrency, eTwoDecDigits); #endιf

/ /GSO Num pTxn->SetPurchOrderNum(b_gso_num); / /Retry Counter pTxn->SetRRPid(l), / /The first time a transaction is executed this must be set to 1

/ /AVS Data if (clReg.m_nAVS) { char avs_zιp[ZIP_SZ + lj; strncpy(avs_zιp, ρProfile->m_b_zip, ZIP_SZ); avs_zip[ZIP_SZ] = NULL; NumClean(avs_zip) ; pTxn->SetAVSData(avs_zιp);

} pTjcn->SetBName(pProfile->m_b_name); pTxn->SetBStreetAddressl(pProfile->m_b_addrl), pTxn- > SetBStreetAddress2 (pProfile->m_b_addr2) ; pTxn- > SetBCity (pProfile-> m_b_cit ) ; pTxn- > SetBStateProvmce(pProfile->m_b_state) ; pTjcn->SetBZipPostalCode(pProfile->m_b_zip); / /Insert as is zip into db pTjcn->SetBCountry(pProfile->m_b_country); pTxn- > SetBEMail(pProfile- >m_b_email) ; pTxn->SetBDayTimePhone(pProfile->m_b_phone);

/ / Cεird Number and expiry date NumClean(pProfile- >m_b_card) ; char szDate[DB_MONTH_SZ + DB_YEAR_SZ + 1]; strncpy (szDate, pProfile->m_b_expire_month, DB_MONTH_SZ); szDate[DB_MONTH_SZ] = NULL; strncat(szDate, pProfile- >m_b_e:xpire_year, DB_YEAR_SZ); pTxn->SetPAN(pProfιle->m_b_card); pTxn->SetExpDate(szDate);

//Execute Transaction eStat = pTjcn->ExecuteTrans(); if (eStat != eSuccess) return eStat; / /DB or Internal Error of some kind

/ /Transaction Shutdown eStat = pTjm-> ShutDownTransO; if (eStat != eSuccess) return eFailure; / /eRRTxnShutFailed

/ / Gso after for integrator to fill in

/ /Gso_reconcile(success or failure, gso_number);

/ /Delete cookies GSO. Set shipping/ billing cookies. Send receipt - member function of PO object. #ifdef _SC vPOSReceipt(clWSINT, pTxn, *pProfile, clReg, cIBkGso); //This should be PO object #else vPOSReceipt(clWSINT, pTxn, *pProfιle, clReg); / /Use Get Methods for Receipt #endif #ifdef vPOS_OLE

/ / Disconnect from the server pTjcn->ReleaseDispatch() ; #endιf return (eSuccess),

Default Gateway Configuration

The vPOS is initially shipped enabled to connect to a default gateway Λ th a single instance of a gateway defined that accesses a predefined site for testing of an installation before bringing it online in a production mode The test installation contacts and converses with an actual gateway that simulates live transactions. After the installation checks out utilizing a set of test transactions, the test gateway downloads the pre-checked customizations to the installation so that it can switch over to the production acquirer This download processing is enabled in extensions to SET

Internet Transaction Gateway Payment methods that issue cards for conducting business utilize four major entities These entities are the issuer, consumer, merchant and the acquirer. The issuing bank that provides the consumer with a credit card are usually not the same bank as the acquiring bank that serves the merchant When the consumer utilizes a credit card to pay for a purchase, the merchant swipes the card through the POS terminal which makes a connection to the merchant's acquirer via the telephone network and transmits an authorization request with data read from the magnetic stripe The acquirer's host processor, depending on the card number, will either perform local processing or switch the request to the correct issuing bank's host processor through the interchange network In a few seconds, the authorization response is returned to the originating POS indicating either an approval or a rejection

The Internet is a viable infrastructure for electronic commerce. Ubiquitous browser software for the World Wide Web provides around-the-clock access to a large Dase of information content provided by Web servers Utilizing a preferred embodiment, consumers using browsers can shop at virtual stores and malls presented as Web pages managed by the merchants' servers Consumers can make purchases and pay for them using credit cards or other digital payment instruments in a secure manner For such Internet-based payments to be authorized, a "gateway" is necessary at the back end to channel transactions to legacy processors and interchange networks.

Figure 21 is a detailed diagram of a multithreaded gateway engine in accordance with a preferred embodiment. Processing commences when a TCP transaction 2100 is received by a HTTPS Server 2102 and parsed to an appropπate Web Adaptor 2104 which posts an encrypted set transaction to the multithreaded gateway engine 2110. The encrypted SET request is received at a decryptor 2120, decrypted into a standard SET transaction and authenticated for converting by the forward converter 2124. Inside the forward converter 2124, decides if the request is an original request, and honest retry attempt or a replay attack. The converted transaction is passed to the socket multiplexor 2130 to communicate via an existing communication link 2140 to a host computer. A secuπty logger 2150 is also utilized for passing secuπty records back via a database server 2160 to a database administration application 2190. A transaction logger 2155 also utilizes the database server 2160 to capture transaction logs in a database 2180. Other system administration tasks 2195 include a web server administration task 2190 which logs web hits m a log 2170.

Figure 22 is a flow diagram in accordance with a preferred embodiment. Processing flows from customers 2200 that are paying for products over the Internet or other communication medium utilizing HTTPS or other protocols to one or more merchants 2210, 2220 or 2230 to a gateway 2240 which directs transactions to a particular host processor 2250 for authorization processing in accordance with the present invention.

Internet Payment Authorization

The Gateway is a secure computer system that mediates transactions between the merchants' servers and a payment processor. The Gateway supports secure communications between merchants using the Internet on one side, and a processor using standard secure financial networks on the other side. Between the two interfaces, the Gateway maintains a detailed log of all transactions, whether in-progress, completed, or failed. The Gateway accepts transactions from merchants and converts them into legacy compatible formats before forwarding them to the host processor Responses from the host, after the reverse conversions, will be returned to the oπgmating merchants

The Gateway performs many functions, including

• Receives encrypted credit card transactions from the merchants via the Internet • Unwraps and decrypts transactions

• Authenticates digital signatures of transactions based on certificates

• Supports all transaction types and card types

• Accepts concurrent transactions from each of the merchant servers

• Converts transaction data to legacy formats, forwards the mapped requests (in the clear) to a payment processor over existing communication links

• Converts transaction responses, correlates them with the oπginal requests, and sends the mapped responses back to the merchants

• Provides logging, monitoπng, reporting, and system administration

Figure 23 illustrates a Gateway's 2330 role in a network in accordance with a preferred embodiment The Gateway 2330 stπctly conforms to all SET stipulations regarding certificate management, PKCS signed data encapsulation, PKCS encrypted data encapsulation, ASN 1 representation, DER encoding, MIME encapsulation, and message sequencing A merchant server 2300 communicates via the Internet 2310 using the SET protocol 2320 through a gateway server 2330 using a network interface processor 2340 to communicate to a legacy network 2360 in, for example the X 25 protocol 2350 The iegacv host 2370 ultimately receives and processes the transaction from the merchant server 2300 without modification to its code.

Internet Communication Protocols

As discussed above, the TCP/IP protocol suite is utilized at the transport level At the application level, in compliance with SET, all requests arπve at the Gateway in MIME encapsulated HTTP format. Similarly, all responses from the Gateway to the merchant servers will be transferred in HTTP The HTTP protocol stipulates that a request-response pair will go through the same TCP connection and that the oπgmator, in this case a merchant server, will establish a connection to send the request and will take down the connection when it has received the response.

Host Payment Protocols

Message conversions performed by the Gateway will be significantly more than format transliterations: per-protocol differences in data elements and message semantics must be considered carefully. Some of the transaction types that are supported are listed below.

Transaction Types

Credit card sale with capture

Credit card sale without capture

Credit card sale with capture including AVS (MasterCard and VISA)

Credit card sale without capture including AVS (MasterCard and VISA)

Credit card return (Credit)

Credit card post authorization (Force Post)

Credit card post authorization (Force Post) with partial reversal support, enhanced authorization data, and AVS result code (VISA)

Credit card sale with capture - Void

Credit card return (Credit) - Void

Totals request (for balancing)

Host Communications Protocols A virtual, private network between the Gateway and the host processor is established to expedite host communication. In addition, two Network Interface Processors (NIP)s - a "near end" NIP that interfaces to the Gateway and a "far end" NIP that interfaces to the host. The NIPs will handle virtual connections between themselves. The far-end NIP will take care of specific communication details. The near-end NIP is an IP-addressable device that converts between TCP messages and packets. It is installed on a public network 2330, which is a LAN outside the corporate firewall The Gateway, on the secure public network 2330, utilizes TCP/ IP 2320 to communicate with the near-end NIP

GATEWAY FEATURES

Because the Gateway must sustain reliable operations and enable graceful evolution, it is designed with some important attπbutes, including Secum , Availability, Performance, Scalability, and Manageability

Security

Channel Secuntu

At the application level, SET provides signed and encrypted data encapsulanons of payment information portions of the transaction messages Transport-level encryption of the entire message packet is required for additional secuπty The HTTPS protocol - 1 e HTTP over SSL 3 0 - is utilized between the merchants and the Gateway The virtual connections between the near-end NIP and the host are part of a pπvate network The termination will occur outside the firewall Data between the Gateway and the host is sent m the clear with no encryption In this network configuration, a transaction between a merchant's vPOS and the host will cross the firewall four times SET request from vPOS to Gateway, legacy request from Gateway to NIP, LEGACY response from NIP back to Gateway, and SET response from Gateway back to vPOS

Certificate Management Payment Protocol Certificates

The Gateway uses certificates to authenticate the two parties involved in each MOSET transaction Through a Certificate Authoπty, one certificate is issued lor the Gateway and one certificate for each of the merchant servers

Secure Channel Certificates SSL will require separate certificates for the Gateway and the merchants Availability

Site redundancy and location redundancy allows the Gateway to sustain service through virtually instantaneous recovery from internal failures or external disasters that cause physical damages to the system. Minimum-outage recovery is possible with redundant configurations of important components.

Site Redundancy

The Gateway supports connections to a proprietary bank network and supports mirrored disk arrays.

Location Redundancy The Gateway architecture supports location redundancy where a secondary remote system is connected to the primary system via dedicated WAN links for software-driven database duplication.

Scalability

The Gateway software architecture, the choice of third-party software components, and the selection of hardware platforms enable the system to gracefully adapt and evolve to take on new demands in different dimensions.

The Gateway resides on an HP 9000 that is housed in a standard 19" EIA rack.

Gateway Hardware Configuration

Server Hardware Description

K-Class SMP Server - Model K420 - Standard Configuration

120 MHz PA-RISC 7200 CPU

128 MB ECC RAM

Built-in I/O includes Fast/ Wide /Differential SCSI-2, EtherTwist 802.3 LAN, AUI, RS-232C Connectors, Centronics Parallel Port, and Internal Modem 650 MB CD-ROM Dπve

HP-UX 10. 10 Operating System (with two-user license)

4 HP-PB Slots

Additions

SCSI-2 Disk Controller to support disk mirroring over dual SCSI-2 buses

2 GB Internal SCSI-2 Disk Drive, 20MB/ s transfer rate, not mirrored for systems software and swap space

4 GB External High-Availability Disk Arrays for databases - total of 4 x 2 MB modules required

4 GB DAT dπve with data compression

HP-PB Slot Expansion Option provides 4 additional HP-PB slots for peripheral controllers

FDDI interface cards (each card uses 2 HP-PB slots)

Option for eight-user license for HP-UX

Cryptographic Hardware

The encrypuon and decryption algorithms used in processing SET/ SSL messages require significant computational power. A "security processor" is deployed with the Gateway to boost the performance of cryptographic algorithms. The processor is a networked peripheral device to the HP 9000 server. It provides cryptographic services suitable for SET/ SSL processing, and its services are accessible via calls to software libraries running on HP-UX. Figure 24 is a block diagram of the Gateway in accordance with a preferred embodiment.

Gateway Architecture Operating System Software

The Gateway runs under the HP-UX Version 10.10 operating system and is upgraded to support future significant system releases. HP-UX 10.10 conforms to major standards, including: • X/Open UNIX 95 (conforming with the Single UNIX Specification, SPEC 1 170)

• X/Open Portability Guide Issue 4 Base Profile (XPG4) OSF AES

• IEEE POSIX 1003.1 and 1003.2

• AT&T System V Interface Definition (SVID3 base and kernel extensions subset) Level 1 API support • UC Berkeley Software Distribution 4.3 (BSD 4.3) including such features as job control, fast file system, symbolic links, long file names, and the C shell

• System V.4 File System Directory Layout

This compliance with various software standards assures that while a preferred embodiment of the invention is disclosed in association with a best mode of practicing the invention other similar software and hardware environments can be readily substituted without undue experimentation.

Relational Database Management System (RDBMS) Software

The Gateway uses Oracle7 Server version 7.3 as the RDMBS and will be upgraded to use future significant system releases. The multi-threaded, multi-server architecture of Oracle7 provides applications with scalability to high-volume transaction workloads. When deployed with the HP 9000 K-Class platform, Oracle7 performs a symmetrically parallel database operation across all available processors. In addition, Oracle7 includes options for creating high- availability systems:

• The Oracle7 Parallel Server option extends the reliability of applications by transparently harnessing the power of clustered computers in a single logical processing complex that can tolerate individual machine failures.

• Oracle7 Symmetric Replication provides high data availability. Data can be replicated from the primary system to one or more alternative sites. HTTP Server

The Gateway utilizes Netscape's Enterpnse Server 2 0 as the HTTP server The server is designed for large-scale Internet commerce deployment, Enterpnse Server 2.0 achieves performance and reliability with such features as optimized caching, SMP support, enhanced memory management, and SNMP-based performance momtoπng Efficient process management features minimize system load and increase server reliability Secuπty features are provided using the SSL 3.0 protocol

Protocol Stacks

Internet and LAN - The TCP/IP protocol stack will be provided aa part of the HP-UX operating system

Other Application-Level Protocols

Application-level protocols enable client-server interoperability. Each of the following protocols are transported using TCP or UDP

• HTML. HTML will be used to define screens for Gateway system administration. • HTTP. The HTTP layer is part of Enterpnse Server 2.0 The server is administered with a Web browser.

• SQL*Net. The Gateway's Oracle7 database can be accessed by administration clients using SQL*Net Administration software can establish database connectivity to retπeve data for generating transaction reports • SNMP. Enterpnse Server 2.0 can be monitored using SNMP. The Gateway utilizes SNMP for remote system management.

Transaction Performance Monitoring and Measurement

• The "hits" performance indicators are available from the Web server Statistics can be generated at any time to highlight the load pattern or to pinpoint the time when the server was most active. • Gateway statistics about transaction requests (by transaction type) and transaction results (e.g., success, failed due to host, failed due to authentication, etc.) can be determined at any time for a particular time interval by generating a report.

The Gateway is upgradeable to interoperate with a real-time event monitoπng system such as OpenVision's Performance Manager.

Basic Request/Response Mappings

The following table shows the basic request/ response mapping between the SET protocol and the LEGACY protocol.

SET LEGACY Request/Response

Request / Response Pair and Transaction Code

Pair

AuthReq, AuthRes LEG/CTR (05)

AuthRevReq, AuthRevRes LEG/CTR (99)

CapReq, CapRes LEG/CTR (42 or 44)

CapRevReq, CapRevRes LEG/CTR (41)

CredReq, CredRes LEG/CTR (40)

CredRevReq, CredRevRes LEG/CTR (90)

BalReq, BalRes CTA/CTL (48)

Detailed Message Field Mappings

The following sections map the fields in LEGACY messages To fields in SET messages. The names of the SET fields are the names used in the SET ASN.1 specification. The full scope of the SET fields is listed in order to remove any ambiguity (but does not necessarily reflect actual naming conventions in source code).

LEGACY - Authorization Request Record (LEG)

LEGACY - Authorization Place in SET request to get LEGACY request data Request Record

41 - CC Capture Void CapRevReq received

42 - CC Capture Post (non CapReq received (if CapReq . RespData . AVSResult is AVS) blank)

44 - CC Capture Post (AVS) CapReq received (if CapReq . RespData . AVSResult is non- blank)

I 76 - CC Authorization This transaction code will not be used.

¹ Reversal

(k) Alphabetic Card Issuer computed at Gateway from PAN Code

05 - CC Authorization AuthReq . PI . PANData . PAN Request

40 - CC Capture Credit CredReq . RespData . CapToken . TokenOpaque . PAN

41 - CC Capture Void CapRevReq . RespData . CapToken . TokenOpaque PAN

42 - CC Capture Post (non CapReq . RespData . CapToken . TokenOpaque . PAN AVS)

44 - CC Capture Post (AVS) CapReq . RespData . CapToken . TokenOpaque . PAN

76 - CC Authorization This transaction code will not be used. Reversal

(1) Authorization Amount

05 - CC Authorization AuthReq . AuthReqAmt Request

40 - CC Capture Credit CredReq . CredReqAmt (could be different thεui CapToken)

41 - CC Capture Void CapRevReq . CapRevAmt

42 - CC Capture Post (non CapReq . CapReqAmt AVS) LEGACY - Authorization Place in SET request to get LEGACY request data Request Record

44 - CC Capture Post (AVS) CapReq . CapReqAmt

76 - CC Authorization This transaction code will not be used. Reversal

(m) Cash Back Amount hard-coded to "00000000" (EBCDIC)

(n) Card or Driver's License Data

! 05 - CC Authorization i

■ Request AuthReq . PI . PANData . PAN

Account Number AuthReq . PI . PANData . CardExpiration Expiry Date

40 - CC Capture Credit Account Number CredReq . RespData . CapToken . TokenOpaque . PI . Expiry Date PAN

CredReq . RespData . CapToken . TokenOpaque . PI .

CardExp

41 - CC Capture Void Account Number CapRevReq . RespData . CapToken . TokenOpaque . PI Expiry Date PAN

CapRevReq . RespData . CapToken TokenOpaque. PI

CardExp

42/44 - CC Capture Post (non AVS or AVS) CapReq . RespData . CapToken . TokenOpaque . PI

Account Number PAN Expiry Date CapReq . RespData . CapToken . TokenOpaque . PI

CardExp

76 - CC Authorization This transaction code will not be used. Reversal

(o) Additional Data LEGACY - Authorization Place in SET request to get LEGACY request data Request Record

05 - CC Authorization Request i AuthReq . AVSData . ZIPCode (if VISA Card) blank (if

ZIP Code j non VISA Card)

40 ■ CC Capture Credit BANK Reference CredReq . RespData . LogReflD Number

41 - CC Capture Void BANK Reference CapRevReq . RespData . LogReflD Number

42 - CC Capture Post Authorization Code CapReq . RespData . AuthCode

44 - CC Capture Post AVS (p) CPS ACI Flag CapReq . RespData . CapToken . TokenOpaque . (q) CPS Transaction CPSAciFlag

ID CapReq . RespData . CapToken . TokenOpaque .

(r) CPS Validation CPSTransId

Code CapReq . RespData . CapToken . TokenOpaque .

(s) Visa Response CPSValCode

Code CapReq . RespData . CapToken . TokenOpaque

(t) Merchant Category VisaRespCode

Code CapReq . RespData . CapToken . TokenOpaque

(u) Entry Mode MerchantCatCode (v) Original CapReq . RespData . CapToken . TokenOpaque

Authorization Amount EntryMode

(w) AVS Result Code CapReq . RespData CapToken . AuthAmt (x) Authorization CapReq . RespData AVSResult

Code CapReq . RespData AuthCode

76 - CC Authorization This trεmsaction code will not be used. Reversal LEGACY - Authorization Request Response (CTR)

The field Settlement Date is returned by the host in a LEGACY Authorization Request Response (when a transaction is force posted).

This Settlement Date field contains the day that a posted transaction will be settled between the Merchant and the Acquiring Bank. Since a bank desires that this date be made available to the Merchant for the purposes of financial record keeping this field must be returned to vPOS.

LEGACY - Authorization Place in SET response to put LEGACY data Request Response returned from host

(a) Host Processing Address echoed by host, not included in SET response

(b) Record Type echoed by host, not included in SET response

(c) Control echoed by host, not included in SET response

(d) Settlement Date i echoed by host

(e) Sequence Number echoed by host, not included in SET response

(f) Original Sequence Number echoed by host, not included in SET response

(g) Account Indicator not included in SET response

(h) Device ID - part 1 echoed by host, not included in SET response

(i) Device ID - part 2 echoed by host, included in SET response in a location to be determined by the Payment Protocols Team. The vεdue echoed is the terminal-id as delivered in the SET request.

(j) Action Code The Action code returned in the LEGACY response will be combined with the Error Code (if present) εuid trεuislated to a canonical list of error codes. See section 0 for exactly where this canonical error code will be returned for each transaction type.

(k) Transaction Code echoed by host, not included in SET response LEGACY - Authorization Place in SET response to put LEGACY data Request Response returned from host

(1) Authorization Amount

05 - CC Authorization Request AuthResPayload . AuthAmt (if Salesind = False) SaleResPayload . CapAmt (if Salesind = True)

40 ■ CC Capture Credit CredRes . CredResSeq . CredResItem . CredActualAmt

41 - CC Capture Void CapRevRes . CapRevSeq . CapRevResItem ! CaptureAmt

42 - CC Capture Post (non CapRes . CapRevSeq . CapResItem AVS) CapResultPayload . CapAmt

44 - CC Capture Post (AVS) CapRes . CapRevSeq . CapResItem . CapResultPayload . CapAmt

76 - CC Authorization This transaction code will not be used. Reversal

(m) Authorization Code

05 - CC Authorization Request AuthResorSale . RespData . AuthCode (if

SalesInd=False)

AuthResorSale . RespData . AuthCode (if

SalesInd=True)

(n) AVS Result Code 1 AuthResorSale . RespData . AVSResult

(o) Reference Number AuthResorSale . RespData . LOGRefld

AVS Result Dato only received if transcode = 05 and VISA and 1 approved but not captured

(p) CPS ACI Flag AuthResorSεde . RespData . CapToken . TokenOpaque . CPSAciFlag

| (q) CPS Transaction Id AuthResorSale . RespData . CapToken . LEGACY - Authorization Place in SET response to put LEGACY data Request Response returned from host

: TokenOpaque . CPSTransId

(r) CPS Validation Code AuthResorSale . RespData . CapToken TokenOpaque . CPSValCode

(s) Visa Response Code i AuthResorSale . RespData . CapToken ¹ TokenOpaque . VisaRespCode

(t) Merchant Category Code . AuthResorSale . RespData . CapToken

• TokenOpaque . MerchantCatCode

(u) Entry Mode , AuthResorSale . RespData . CapToken ! TokenOpaque . EntryMode

Error Code Location in SET response messages

The following table shows the explicit SET field in which the canonical error code will be returned in SET response messages

SET Response Location of Canonical Error Code Message

AuthRes AuthResorSale RespData . RespCode (if

Salesind = False) AuthResorSale RespData RespCode (if

Salesind = True)

AuthRevRes AuthRev will not be supported by the Gateway

CapRes CapRes . CapResSeq . CapResItem . CapCode

CapRevRes CapRevRes CapRevResSeq . DraftCaptureStatus

CredRes CredRes . CredResSeq CredResItem CredCode

CredRevRes CredRev will not be supported by the Gateway

BalRes CapRes CapResSeq . CapResItem CapCode

Error Code Values in SET response messages

The following table itemizes the proposed mapping of LEGACY specific action codes and error code pεurs to the canonical error codes that will be sent m the SET J esponse messages. The canonical error response code values and descnptions were taKen directly from "ISO 8583 1987 section 4 3.8 Table 7". VeriFone Proprietary SET Extensions

The SET protocol cunently has no provisions to support "Balance Inquiry" requests. Balance Inquiry requests are used by the Merchant to query its Acquiring Bank as to various totals for the current days or past days transaction totals.

The following two sections detail a proposed mapping between the LEGACY protocol and two new VeriFone proprietary SET extensions: Ballnq (Balance Inquiry) and BalRes (Balance Response). The Ballnq request is used by vPOS to query the Gateway as to the transaction totals and BalRes is the response sent by the Gateway to vPOS.

LEGACY - Administrative Inquiry Record (CTA)

LEGACY - Administrative Inquiry Place in SET request to get LEGACY request Record data

(a) Host Processing Address name-value pair

(b) Record Type name-value pair

(c) Control name-value pair

(d) Merchant Number name-value pair

(e) Device ID - part 1 name-value pair

(f) Device ID - part 2 nεune-value pair

(g) Date and Time of Inquiry name-value pair

(h) Sequence Number name-value pair

(i) Transaction Code name-value pair

(j) Feedback Level name-value pair

10 - Totals online and offline for the

Merchant

20 - Totals online and offline for the

Chain LEGACY - Administrative Inquiry Place in SET request to get LEGACY request Record data

(k) Feedback Day name-value pair

0 - Today

1 - Yesterday

2 - Two Days Back

3 - Three Days Back j (I) Feedback Type name-value pair

00 - All combined Visa and ! MasterCard Sales j 10 - MasterCard Net Totals i 20 - Visa Net Totals

40 - Discover Totals

50 - Amex Totals

(m) Feedback ID name-value pair

Level 10: 7 Digit Merchεint Level 20: 5 Digit Chain

LEGACY - Administrative Response Record (CTL)

LEGACY - Administrative Response Place in SET response to put LEGACY data Record returned from host

(a) Host Processing Address name-value pair

(b) Record Type j nεune-value pair

(c) Control ι name-value pair

(d) Settlement Date 1 nεune-value pair LEGACY - Administrative Response Place in SET response to put LEGACY data Record returned from host

(e) Sequence Number nεime-value pair

(f) Device ID - part 1 I nεune-value pair

(g) Device ID - part 2 name-value pair

(h) Action Code (0,D or E) name-value pair

(i) Transaction Code name-value pair

Additional Data name-value pair

(j) Eπor Code

(k) Total Item Count

(1) Total Sales Amount (Credit Card)

(m) Totals Sales Item Count

(n) Total Credits Amount (Credit Card)

(o) Total Credits Item Count (Credit Card)

Gateway Analysis for SET Message Handling

This section tackles general design considerations of the Gateway software and is not limited to LEGACY (unless specifically mentioned). The complete functional behavior of the Gateway will be described in a separate document.

Replay Attack Handling

A replay attack at the Gateway is a request where either: a) the request is stale; the request was received "too late" with respect to the reqdate in the request. This window is specified by a configurable Gateway policy. b) the request is not stale but the exact rrpid (Request/ Response Pair Id) has already been seen before in a request and still logged in the Gateway database. The <xid, mid, rrpid> tuple will be the primary key that determine whether a request had already been received. This will allow the possibility of the same rrpid to be generated from the same merchant but for a xid and also allow the same rrpid to be generated by a totally different merchant

New Attempt vs. Retry Attempt

It is possible that messages sent between the vPOS and Gateway may be lost in transit This could happen either because of hardware/ software problems in the Internet or for hardware /software reasons local to the Gateway or Merchant System The question is then "How does a Gateway recognize an honest retry attempt from an initiator^?" First a little background into the nature of a SET request All SET requests have the following fields. xid merchant's transaction id mid merchant id (contained in certificate) tid terminal id (from Merchant System) rrpid request response pair id reqdate request date (from Merchant System) reqdata request specific data

Let the following tuple represent a genenc SET request-

<xιd, mid, tid, rrpid, reqdate, reqdata>

The merchant establishes the xid duπng the shopping phase with the consumer. The same xid is used for both the AuthReq and the CapReq and subsequent CreditReq requests. Using the sεune xid for many requests makes it impossible for the Gateway to distinguish between repeated transactions vs. new transactions

For example, how could a Gateway possibly determine whether two valid CredReq requests were to be interpreted as two individual credits or a retrv of a single request.

request 1 <xidι, midm, tidt, rrpidi, reqdate ι_f reqdataι> (perhaps a CredReq for $ 10.00) request 2 <xidι, midm, tidt, rrpida, reqdatea, reqdαtαι> (perhaps a new CredReq for $10 00)

could also be interpreted as.. request 1 <xidι, midm, tidt, rrpidi, reqdate ι, reqdataι> (perhaps a CredReq for $10.00) request 2 <xidι, midm, tidt, rrpida, reqdatea, reqdαtαi > (perhaps a retry of above)

The reqdates are different in both cases because the date is generated along with the rrpid to thwart replay attacks In this example the Gateway will not be able to determine whether the second CreditReq should be performed or whether it is simply a retry to request 1 with rrpidi The Gateway must know whether or not to apply a new credit or to debver a response that it may already have from the host (it may have came too late for the first attempt or have been lost on the way to vPOS). If no response was logged from the host for request 1, the Gateway could repeat its ong al request to the host when receiving request 2 In a sense, the Gateway will act as an intelligent request/ esponse cache

The Gateway splits the rrpid number space into two pεuts One main part that will remain the same for the sεune request across all its retry attempts and a smaller portion to indicate the number of retry attempts. Then,

rrpidRetryCount ≡ rrpid MOD MAXRETRIES (0 for initial request, >0 for a retry)

NOTE : The initial rrpids generated by vPOS software are equal to 0 MOD MAXRETRIES and in subsequent retnes the lower order digits εire incremented by one for each retry attempt. This requires extra stored in the vPOS apphcation. The vPOS software must persistently store the rrpid used (which contains the retry count of the transaction) so that repeated attempts will follow the correct semantics

In general the Gateway will support the following logic [assuming the second request is fresh and not a replay attack). If two requests, request 1 :<xidι, midm, tidt, rrpidi, reqdate ι, reqdataι> request 2 : <xidι, midm, tidt, rrpida, reqdatea, reqdαtαι> are received at ti and t₂ (where t₂>tι) and,

[rrpidi - (rrpidi MOD MAXRETRIES)) ≡ {rrpida - {rrpida MOD MAXRETRIES)) then the Gateway will interpret the second request as a retry request But if,

{rrpidi - {rrpidi MOD 100)) ≠ {rrpida - (rrpida MOD MAXRETRIES)) then the Gateway will interpret the second request as a new request

In addition to being able to distinguish between a retry and a new request, the proposed rrpid scheme can be used to determine how many vPOS requests got lost in the Internet This is a useful value-added service for system mεmagement

Robustness and Error Handling Issues There are several robustness issues that need to addressed. The basic flow is that vPOS sends a request to the Gateway, the Gateway logs the SET key fields from the incoming attempt in the database The Gateway then generates a host request which it logs completely in the database The host handles the request and generates a response that is directed towards the Gateway which, when received is logged completely in the Gateway database Finally the Gateway generates an SET response to vPOS, the contents of which is not logged in the database

If the Gateway has not received the request or receives the request but is not able to log the request in the database it is easily handled by a vPOS retry attempt This recovery action needs no further discussion. In general, if the vPOS does not receive a reply to a request it has sent to the Gateway it must retry persistently until a response is received. All retry attempts from vPOS for the same request must have the same base portion of the rrpid but a different value m the retry counter

The Gateway must handle replay attacks as outlined previously in this document If the Gateway receives a request that it has already received from vPOS there could be several possible dispositions a) the request had already been handled completely with the host and a host response is in the Gateway database. In this case the Gateway can simply translate the host response to a SET response εmd send it to vPOS b) the request had been sent to the host before (as determined by a database field) but a response from the host is not on file. In this case the Gateway must retry the host request

If the vPOS times-out for any reason, it must retry later using an rrpid that indicates a retry attempt. If the Gateway receives a late-response (after vPOS has given up) it simply logs it in the database for that retry attempt (if no retry attempt for the transaction is still outstanding at the host) There is a glare situation where the oπginal response could arnve so late that it could be confused with the response from a currently outstanding retry attempt with the host This situation is logged and the first response not sent back to vPOS

A response from the host indicating a successful transaction may get lost on the way back to the Gateway or not be able to be logged m persistent storage m the Gateway In either case vPOS is in a situation where the retry request when received by the host may result in a response from the host indicating that the request is a duplicate. The vPOS software must be able to handle this. In the LEGACY case when a duplicate post is received by the host the second one automatically causes the first one to void and the second transaction fails too In this case vPOS should retry the transaction under a new rrpid. If the trεuisaction goes through end-to-end all effects of the previous transactions will not matter

TokenOpaque Contents

The Gateway requires information captured at the time of an AuthReq that must be repeated to the host at the time of the associated CapReq The mechanism of choice (built into SET) for this is enabled utilizing this data in the TokenOpaque token of the CapToken which is sent in an AuthRes This CapToken is stored at the Merchant system and represented to the Gateway at the time of the CapReq. The format of an TokenOpaque is an OrtetStnng. The following general format (not specific to LEGACY) is proposed for captunng this information

Field Name Field Data Type Explanation/ Example

VersionName char(8) e.g. "LEGACY" VersionRevision char(8) e.g " 1 0" (generally <major, mιnor>)

PILength integer length of PI data

PI unsigned char(PILength) strongly encrypted

HostS pec DataLengt integer length of host specific data h

HostSpecData unsigned host specific data char(HostSpecDataLength)

Host Specific Data (LEGACY-onlv)

For "LEGACY" version " 1.0", it is proposed that newhne seperated "name[length]=value" pairs be used to store the host specific data A null character will terminate the host specific data The following host specific data (name value pairs) will need to be included.

BrandID

CPSACIFlag

CPSTransactionld

CPSValidationCode

VisaResponseCode

MerchantCategoryCode

EntryMode

NOTE PI contεuns PAN and ExpiryDate

Proposal for AVS Data Encoding

The "Address Verification" data element for the "Address veπncation Service" (AVS) is defined in SET as an IA5Stnng. Each host may require different αata to be sent to use the AVS feature The Gateway will need to be able to extract the information from this to mter-work with the legacy systems. A well-defined format for this data is required, an IASStrmg blob is insufficient

The following data structure is utilized to deliver the AVS data \ StreetAddress 1=800 El Ca ino Real\n

StreetAddress2=Suιte 400 \n

Cιty=Menlo Park\n

StateProvιnce=CA\n

Country=USA\n

PostOfficeBox=\n

ZipPostalCode=94025 \n

\n

An empty line indicates the end of AVSData

The detailed information that is available for the Address Veπfication Service depends on the

Payment Window that captures the data from the consumer

AVS Data (LEGACY-onlyl

For "LEGACY" version " 1 0" only the ZipPostalCode nεune value pair is required The Gateway will only use the first 5 characters of this value.

Transaction Replay Attacks The processing of Internet-based payment transactions is a coordinated interaction between the Internet Transaction Gateway and the vPOS servers that is based on the following pπnciples. A vPOS terminal, as the initiator of the payment transaction, is responsible for the round-tπp logical closure of the transaction. vPOS will retry a transaction that has been initiated with the Gateway but where the response for the request was never received from the Gateway. A vPOS terminal selects — out of a pre-assigned range — aTerminαZ-/d that is to be used by the

Gateway in a request to the host processor. This data element must be transported from the vPOS to the Gateway along with the payment-related information. The Terminal-Ids must be unique among the concunent vPOS instances on a vPOS server system However, the Terminal-Ids have no history For example, a subsequent Force Post transaction need not use the same Terminal-Id as the oπgmεd Authorization transaction. The vPOS will be responsible for making sure that only one request is outstanding for the same <Merchant-id, Terminal- id> data elements from a vPOS server system. The Gateway does not know that a response was successfully received by vPOS. This means that the vPOS must be responsible for initiating any retry attempts. The Gateway never initiates a retry attempt with the host processor without an explicit retry request from vPOS. The Gateway when asked to retry a request with the host, performs a relational database look-up and delivers a response that has already been received from the host processor but was previously missed by vPOS. This behavior of the Gateway is also known as the "transaction response cache." The Gateway will need to know that a vPOS request is a retry of something already sent. The prior request may or may not have been received. A solution for determining the difference between a retry attempt and a new request was described earlier in this document. vPOS must understand the "canonical" error codes that it will receive via the Gateway and be able to initiate the proper recovery action and /or generate the appropriate user-interface dialog.

Certificate Processing

Merchεmts require a mechanism for verifying legitimate cardholders is of valid, branded bankcard account numbers. A preferred embodiment utilizes technology to link a cardholder to a specific bankcard account number and reduce the incidence of fraud and thereby the overall cost of payment processing. Processing includes a mechanism that allows cardholder confirmation that a merchant has a relationship with a financial institution allowing it to accept bankcard payments. Cardholders must also be provided with a way to identify merchants they can securely conduct electronic commerce. Merchant authentication is ensured by the use of digital signatures and merchant certificates.

In a prefened embodiment, a holder of a payment instrument (cardholder) surfs the web (Internet) for required items. This is typically accomplished by using a browser to view on-line catεdog information on the merchant's World Wide Web page. However, order numbers cεm be selected from paper catεdogs or a CD-ROM and entered manually into the system. This method allows a cardholder to select the items to be purchased either automatically or manually. Then, the cardholder is presented with an order form containing the list of items, their prices, and totals. The totals could include shipping, handling and taxes for example. The order form is delivered electronically from the merchant's server or created on the cεirdholder's computer by electronic shopping softwεue. An alternative embodiment supports a negotiation for goods by presenting frequent shopper identification and information about a competitor's prices. Once the price of goods sold εmd the means of payment has been selected, the merchant submits a completed order and the means for payment. The order and payment instructions are digitally signed by cardholders who possess certificates. The merchant then requests payment authorization from the cardholder's financial institution. Then, the merchant sends confirmation of the order, and eventually ships the goods or performs the requested services from the order. The merchant also requests payment from the cardholder's financial institution.

Figure IC is a block diagram of a payment processing system in accordance with a prefened embodiment. The Certificate Issuance at the Bank Web Site 162 resides at the bank web site 182. It is utilized for issuing SET complaint / X.5O0 certificates to consumers. The implementation of this system may vary from one bank to another. However, the system gathers consumer's personal information, and after processing the information, the system issues a certificate along with a payment instrument to the consumer.

The Single Account Wallet 160 at the bank web site 182 represents the MIME message that is created by the Certificate Issuance system. This MIME message contains a VeriFone wallet. The VeriFone wallet contains a single payment instrument and the certificate associated with it. For security reasons, the private key is not included in the wallet. The has to specify a private key before using the instrument for payment. When the consumer is issued the certificate, this MIME message is sent to the browser. The browser launches the Certificate Installation application 174, 144 which is defined as a helper application in the browser. The Certificate Installation application 174, 144 reads the MIME message and install the wallet into the wallet database 158.

Various helper applications 198, 172, 174, 176 are provided to make the consumer's shopping experience easy and efficient including the following helper applications. The Paywindow helper application 188 is utilized by the consumer to authorize the payment to the merchant, to administer their wallets, to review their previously completed payment transactions and to perform housekeeping activities on the wallets. This application is defined as a 'helper' application on the consumer's desktop The browser launches this application when the merchant system sends a MIME message requesting payment.

The PayWmdow Setup Helper application 172 is used by the consumer to install helper applications and other modules from the web site onto the consumer desktop When a consumer attempts to install an application for a first time, the consumer does not have a helper application on the desktop Thus, the first time installation of an application requires a consumer to perform two steps First the user must download the system package to their desktop and then the user must run setup to decompress and install the system. Thereafter, whenever the consumer gets a new release of system software, the browser launches this helper application which in turn installs the appropπate other system modules

The Certificate Installation Helper Application 174 is utilized to install a wallet that is issued by a bank When the bank's certificate issuance web system sends the MIME message containing the VeπFone wεdlet, the browser launches this apphcation This application queπes a consumer to determine if the payment instrument contained in the wallet is to be copied to an existing wεdlet or to be kept in the new wallet This application then installs the payment instrument and the certificate into the wallet database 158

The Certificate Issuance CGI scnpts 162 and the Single Account Wallet 160 at the Bank Web Site 182 is processed as descπbed in the native system The Certificate Installation Applet of the Bank Web Site 182 is utilized by the Certificate Issuance CGI scnpts 162 system to deliver a consumer's certificate to the consumer's desktop.

Figure 26 is an architecture block diagram in accordance with a preferred embodiment of the subject invention. Processing commences at function block 2600 where the Graphical User Interface (GUI) part of the application is mitiεdized. The GUI application 2600 provides the consumer with support for ordenng and making payments duπng the shopping process. There are also GUI components provided for wallet creation; importing, certificate and payment method creation and maintenance; and for transaction register review and reporting The screen designs, εmd their associated logic, for the helper applications and applets are individually discussed in detail below The Certificate Manager 2604 manages the automatic downloading of a consumer's certificate from a bank, validation of a consumer's and a merchant's certificates and automatic requisition of certificate renewal

The Payment Manager 2606 coordinates and completes the payment request that is received from the merchant system. The payment request is received via a MIME message in the native code implementation or via an applet m the Java implementation The payment request received contains the final GSO, Ship-To name, merchant certificate, merchant URL, coupons and the payment amount. The manager 2606 then communicates with the payment related GUI component to interact with the consumer to authorize and complete the payment transaction The manager is also responsible for determining the payment protocol based on the consumer's payment instrument and the merchant's preferred payment protocol

The manager 2606 includes a well defined Application Programming Interface (API) which enables OEMs to interface with the payment manager 2606 to make payments to specific HTTP sites The detailed logic associated with the payment manager 2606 is presented in Figure 27

The payment manager 2606 enforces standard operations in the payment process. For example the receipt and the transaction record can automatically be transfened to the Wallet file once the payment is completed The payment manager architecture m accordance with a prefened embodiment is presented in Figure 27. A user interfaces with the payment manager 2730 via a user interface 2700 that responds to and sends a vaπety of transactions 2710, 2708, 2706, 2704 and 2702 The transactions include obtaining the next record, payment record, receipt, acceptance of the payment instrument and GSO components. In turn, the payment manager 2730 sends transactions 2714 and receipts 2720 to the wallet manager 2722 and receives payment instruments, certificates and pnvate keys from the wallet manager 2722

The payment manager 2730 also sends and receives transactions to the protocol manager 2770 including a merchant's payment message 2760, a consumer certificate and PK handle 2750, a merchant URL 2742, a payment 2740, a signed receipt 2734 εmd a GSO, Selected Payment Protocol and Selected Payment Instrument 2732. The payment manager 2730 also accepts mput from the payment applet or MIME message from the merchant as shown at function block 2780. One aspect of the payment processing is a Consumer Payments Class Library (CPCL) 2770 which encapsulates the payment protocols into a single API. By encapsulating the payment protocols, applications are insulated from protocol vanations A SET Protocol provides an implementation of the client-side component of the Secure Electronic Transaction (SET) Protocol. A complete implementation of the client-side component of the CyberCash micro-payment protocol is also provided.

The Wallet Manager 2722 provides a standard interface to the wallet. It defines the wallet database structures εmd the payment instrument data structures, controls the access to the wallet and provides concurrency checking if more than one application attempts to open the same wallet. The interface to the wallet manager 2722 is published to allow OEMs to interface with the wallet manager and access the wallet database. The wallet manager consists of the following sub-components:

Wallet Access. This component provides an interface to read and wπte wallet information.

Transaction Manager. This component provides an interface to read and wπte transaction corresponding to a wallet into the wallet database.

Payment Instrument Manager. This component manager provides a common interface to the specific payment instrument access components.

Credit Card Access, Debit Card Access, Check Access. These components deal with a specific payment instrument.

A Data Manager provides storage and retneval of geneπc data items and database records. It is assumed that data fields, index fields or entire data records can be marked as encrypted and the encryption process is largely automated. The data manager has no specific knowledge of database records appropriate to different payment methods This layer is separated out so as to reduce changes required when new payment methods are introduced. However RSA key pairs and certificates might be considered as "simple" data types. This component also provides an abstraction which supports wallet files on computer disk or contεuned m smart cards. The Open Data Base Connectivity (ODBC) /Java Data Base Connectivity (JDBC) component provides Data Base Connectivity where formal database components are required. An embodiment of the Smart Card Wallet allows wallet data to be stored and /or secured by a cryptographic token.

A prefened embodiment includes a single file or directory of files comprising a "wallet" which contains personal information and information about multiple payment methods with the prefened implementation. These payment methods ( Visa cards, debit cards, smart cards, micro-payments etc. ) also contain information such as account numbers, certificates, key pairs, expiration dates etc. The wallet is envisaged to also contain all the receipts and transaction records pertaining to every payment made using the wallet. A Cryptographic API component provides a standard interface for RSA and related cryptographic software or hardware. This support includes encryption, signature, and key generation. Choice of key exchange algorithm, symmetric encryption algorithm, and signature algorithm should all be configurable. A base class stipulates generic behavior, derived classes handle various semantic options (e.g. softwεire based cryptography versus hardware based cryptography.)

The Cryptographic Software portion provides RSA and DES support. This may be provided utilizing the SUN, RSA or Microsoft system components depending on the implementation selected for a particular customer. Cryptographic Hardware creates a lower level API which can underpin the Cryptography API and be utilized to replace Cryptography Softwεire with an off the shelf cryptography engine. The message sequence charts describe the flow of messages /data between the consumer, the browser and/or the various major components of the Semeru system. The major components of the system are the Merchant system which includes the vPOS, the PayWindow, and the Payment Gateway. The merchant system allows a consumer to shop, accept the payment transactions sent by the PayWindow application, and send payment transactions to the acquiring bank. The Consumer Payments Class Library (CPCL) module is a layer within the application which sends the payment transactions, securely, from the consumer to the merchant.

Figure 28 is a Consumer Payment Message Sequence Diagram in accordance with a preferred embodiment of the invention. The diagram presents the flow of messages between the consumer, the browser, the merchant system, the PayWindow application, and CPCL This message flow descnbes the payment process from the time an order is completed and the consumer elects to pay, to the time the payment is approved and the receipt is returned to the consumer The difference between the Native implementation and Java implementation of the PayWindow application is in the delivery of the order information to the PayWindow Once the order information is received by the PayWindow, the flow of messages/data is the same for both implementations. In the case of the Native implementation, the order information is delivered via a MIME message. This MIME message is sent to the PavWmdow by the browser via a document file. In the Java implementation, the order information is delivered to the PayWindow by an applet. The merchant system sends an applet with the order information to the browser which in turn delivers the order to the PayWindow Once the order is received, the PayWindow interacts with the consumer and the Protocol modules for the completion of the payment process

Enters Order and Clicks Calculate Order 2820

This message represent the consumer order entry and the clicking of the 'Calculate Order' button. The consumer's shopping experience is all condensed into this one message flow for the purpose of highlighting the payment process The actual implementation of the shopping process vanes, however, the purpose does not, which is the creation of the order. Order 2830

This message represents the order information which is sent by the browser to the merchant

Payment Applet with GSO. PPPs, AIs, merchant certificate and URL 2840 On receipt of the order, the merchant system calculates the payment amount This message represents the HTML page which is sent by the merchant system detailing the payment amount along with the Java payment applet which contains the GSO. PPPs, AIs, merchant certificate and URL.

Run Payment Applet 2845

The Java enabled browser runs the Payment applet. The applet displays a button called "Pay" for the consumer to click. This is embedded m the HTML page delivered by the merchεmt Clicks Pav 2850

This message represents the clicking of the Pay button on the browser by the consumer after confirming the payment amount.

GSO. PPPs. AIs, merchant certificate and URL 2860

This message represents the GSO, PPPs, AIs, merchant certificate and the merchant URL carried by the Java applet. The Java applet now delivers these to the PayWindow application.

Merchant certificate 2862

This message represents the merchant's certificate which is sent to the CPCL module for checking the validity of the merchant.

Merchant's validity 2864 The CPCL modules examines the merchant's certificate and send this message to the PayWindow indicating whether or not the merchant is a valid merchant.

Wallet, Payment Instruments 2866

This message represents the wallets and payment instruments that is displayed to the consumer. Not all payment instruments from a wallet is shown to the consumer. Only the ones accepted by the merchant is shown.

Payment Instrument 2868

This message represents the payment instrument selected by the consumer. This message is created in the current design when the user double clicks on the payment image in the "Select Payment Method" Window.

GSO 2870

This indicates that the GSO is displayed to the consumer in the "Make Payment Authorization" screen.

Authorization of Payment 2872 This message represents the authorization of the payment by the consumer. The consumer authorizes the payment by clicking the 'Accept' button on the "Payment Authorization" screen

Decide Payment Protocol 2874 Once the consumer authorizes the payment, the payment protocol is decided by PayWindow based on the merchant's Payment Protocol Preferences and the consumer selected payment instrument

Payment Authorization 2875 These messages represent the merchant's URL, the GSO, payment protocol (PP) to use, account number, certificate and the private key handle (PK) associated with the payment instrument which is sent to the protocol module

GSO with Payment Authorization 2876 This message represents the payment instructions which is sent by the protocol module to the Merchant system. The GSO, PI, consumer certificate and PK is packaged based on the payment protocol

Signed Receipt 2878 This message represents the digitally signed transaction receipt received by the protocol module from the merchant.

Save Receipt with hash value 2880

The digitally signed transaction receipt is saved by the PayWindow for future reference.

Payment Successful 2882

This indicates that the transaction receipt and the payment successful' have been displayed to the consumer.

Certificate Processing

A payment instrument must be certified by a "certificate issuing authoπty" before it can be used on a computer network. In the case of credit card payments, the issuer may be one of the cεird issuing banks, but it might also be a merchant (eg SEARS), a transaction aquiπng bank or an association such as VISA or Mastercard

Payment instrument information is stored m the consumer's wallet The certificate which authorizes the payment instrument will be stored along with that data in a secured database The process of acquiπng a certificate is descπbed below A certificate can be delivered to a consumer in a preconfigured wallet The consumer receives a wallet which contains the certificate together with the necessary details associated with a payment instrument including a payment instrument bitmap which is authorized by a certificate issuing authoπty or the agencies represented by the issuing authoπty

Obtaining a certificate

A consumer will deliver or cause to be delivered information to a certificate issuing authonty Figure 29 is an illustration of a certificate issuance form m accordance with a preferred embodiment A user may fill out the form on-line, on paper and mail it in, or get his bank or credit card company to deliver it The consumer delivered data will usually contain a public key belonging to a secuπty key pair generated by consumer software This information will normally be mailed to the consumer's address and actuated by a telephone call from the consumer The certificate authonty takes this information and uses it to validate that he is indeed entitled to use the payment method This processing normally takes a few days to accomplish. Information will normally be exchanged with the organization issuing the payment method in the physical space if there is one, and with credit agencies The certificate information is loaded into the consumer's software to enable payment processing to proceed online

ln some cases the consumer will be able to select details about a payment mstument holder (wεdlet) he desires to own This may be the icon representing a holder, the access password or other information After creating the certificate, the issuing authoπty can use information received m the certificate application to create a custom payment instrument holder ready to use. This payment instrument holder will contain the following information. Payment instrument information including card number 2900 and expiration date 2902 Personal information including name 2904, address 2906, social secunty number 2908 and date of birth 2910

The associated certificate ( eg X509 standard ), an associated public key or in some cases pubhc /pπvate key pair ( eg RSA), and an approved bitmap representing the payment instrument are provided to the requesting consumer Figure 30 illustrates a certificate issuance response in accordance with a prefened embodiment An approved bitmap for a VISA card is shown at 3000. Also a default payment holder 3010 and a default payment holder name are provided with the certificate issuance. After the consumer aquires the payment instrument holder 3010, the payment instrument holder is immediately visible to him in his collection of payment instrument holders Figure 31 illustrates a collection of payment instrument holders m accordε ce with a prefened embodiment The predefined payment instrument holder 3100 is the same JOHN's WALLET that was predefined based on defaults by the certificate issuance form Figure 32 illustrates the default payment instrument bitmap 3200 associated with the predefined payment instrument holder 3210 resulting from the consumer filling in and obtaining approval for a VISA card

Figure 33 illustrates a selected payment instrument with a fill in the blanks for the cardholder in accordance with a prefened embodiment Next time the payment instrument holder is opened in a payment context the certificate issuing authorty s approved instrument bitmap can be used to select the payment instrument and utilize it to make purchases Figure 34 illustrates a coffee purchase utilizing the newly defined VISA card in accordance with a prefened embodiment of the invention

Figure 35 is a flowchart of conditional authorization of payment in accordance with a preferred embodiment Processing commences at 3500 where the program ini ializes the connection betweeen the cardholder and the merchant for the purposes of shopping. After the cardholder completes shopping, a new SSL connection is established which provides authenticating information to the merchant. At this point the merchant is able to execute payment functionality (based on SSL or SET) conditionally, based upon the quality and character of the digital signature and the certificate used to validate said signature. Then, at function block 3510, the cardholder selects the payment instrument for the particular transaction Payment instruments could include VISA, MASTERCARD, AMERICAN EXPRESS, CHECK, SMARTCARD or DEBIT CARDS The payment method is then submitted to the merchant at function block 3520 The merchant then initializes the SET connection to the acqumng bank at function block 3530 if the connection is not already established. Then, at function block 3540, the certificate is submitted to the merchant from the acquiπng bank. The certificate includes a public key portion and a pnvate key used as an lrrebutable digitεd signature to authenticate the parties to the transaction The certificate also includes information on the level of credit nsk which allows a merchant to conditionally decide on the authorization or rejection of credit under a particular payment instrument based on their nsk level and the merchant's personal comfort level with the ability of the cardholder to pay. This processing has not previously been possible because the information returned from the authorizing bank did not include a level of credit nsk a cardholder posed, it only contained credit rejected or approved

A detailed descnption of the gateway internals is presented below in accordance with a prefened embodiment.

Gw ClearSetRequestHandler

Figure 51 depicts a flow diagram for the GatewayClearSetRequestHandler routine Execution begins m Step 5105 In Step 5110 an SET analysis routine is called to analyze the SET request, as will be more fully disclosed below Step 5110 sets a status flag indicating the next stage to be performed by the Gateway In Step 5120 the Gateway checks to see whether the status is set to indicate that a response should be provided to the user If so, execution proceeds to Step 5190, which ends the request handling routine and returns control to a calling routine, which then provides a response to the user Otherwise execution proceeds to Step 5130 In Step 5130, the Gateway checks to see if the status is set to indicate that forward translation is required Forward translation is necessary to translate an outgoing message into a format that can be understood by the host computer. If forward translation is indicated, execution proceeds to Step 5135. In Step 5135, the outgoing message is forwarded translated, as more fully disclosed below with respect to Figure 53. If no forward translation is indicated, for example, if an already-translated transaction is bemg retned, execution proceeds to Step 5140 In Step 5140, the Gateway checks to see if the next step is communication to the host If so, the Gateway proceeds to Step 5145, and initiates host communication as will be more fully discussed below with respect to Figure 54 If not, execution proceeds to Step 5150. In Step 5150, the Gateway checks to see whether reverse translation is indicated Reverse translation translates a response from a host into a format useable by the calling routine If reverse translation is indicated, execution proceeds to Step 5155, and the reverse translation is performed, as will be more fully discussed below with respect to Figure 55. In any case, after either forward translation in Step 5135, host communication in Step 5145, or reverse translation in Step 5155, control returns to Step 5120 for further processing As will be more fully disclosed below, the forward translation, host communication, and reverse translation routines manipulate status indicators to prevent the occurrence of an infinite loop

The Gw_ClearSetRequestHandler routine as depicted in Fig. 51 may be implemented using the following C++ code:

mt Gw_CleειrSetRequestHεmdler(CPCLRequest*pRequest)

! gwAction action; char fatalError;

CPCLCCRequest *pVehιcle = (CPCLCCRequest*) pRequest, CGW_Engιne *setTrans = (CGW_Engιne *) pVehicle-

>GetContext();

action = setTrans->AnalyzeSetRequest(pVehιcle,&fatalError);

while ( (actιon!=GW_PROCEED_TO_RESPOND)&& (IfatalEnor) ) { switch (action) { case GW_PROCEED_TO_FWD_XLAT: action = setTrans->TranslateForward(pVehιcle), break;

case GW_PROCEED_WITH_HOST_COMMS. action = setTrans->DoHostCommunιcation(pVehιcle); breεik;

case GW_PROCEED_TO_REV_XLAT: action = setTrans->TranslateReverse(pVehιcle); break;

case GW_PROCEED_TO_RESPOND: default: break;

/ / Response should be built, return up the protocol / / stack so that it will encode εmd then crypt our response. if (fatalEnor) {

/ / Set an error code for the protocol stack. pVehicle->SetError(eEInvalidRequest); retum(O);

} else { return) 1);

AnalyzeSetRequest

Figures 52A εmd 52B describe the AnalyzeSetRequest routme. This routine is by Step 5110 as illustrated in Figure 51. Execution begins in Step 5200. ln Step 5205 the various fields in the SET record are obtained, as will be more fully disclosed below with respect to Figures 56A and 56B. In Step 5210 the Gateway checks the retry count. A retry count is zero indicates that the request being analyzed is a new request, and control proceeds to Step 5212, indicating a new request. If the retry account is non-zero, this means that the request is a retry of a prior request, and control proceeds to Step 5214 where a retry is indicated. Following either step 5212 or 5214, execution proceeds to Step 5215 In Step 5215 the Gateway checks to see whether the request represents a ' stale request," as will be more fully descnbed below with respect to Figure 57. In Step 5220, the Gateway tests the result of the stale check from Step 5215 If the request is stale it is marked as stale in Step 5222

Otherwise the record is marked as not stale in Step 5224 Following either Step 5222 or Step 5224, control proceeds to Step 5230 In Step 5230 a message representing the SET request is inserted into the database for tracking purposes, εmd control proceeds to Step 5240

In Step 5240 the Gateway checks to see if the request had been marked stale m Step 5222 If so, it proceeds to Step 5242, exiting with an error condition. In Step 5245 the Gateway attempts to retneve from the database a message corresponding to the current SET request, as will be fully disclosed below with respect to Figure 59. Step 5260 checks to see whether the message was successfully retπeved from the database If the message was not found in the database, this indicates that the SET request represents a new message, and control proceeds to Step 5270. In Step 5270 a new message representing the SET request is added to the database, as is more fully disclosed below with respect to Figure 60. Because this is a new request, it must be processed from the beginning, including forward translation. Therefore, after the new message is added in Step 5270, control proceeds to Step 5275 In step 5275, where a status flag is set indicating that the next step to be performed for this message is for translation If the message was found in Step 5260, this indicates that the request represents a request that is already in progress. Therefore, control proceeds to Step 5280 to update the database with current information representing the request status The update process is descnbed m further detεul with respect to Figure 61, below Following Step 5280, control proceeds to Step 5282. In Step 5282 the Gateway checks to see the disposition in which the SET request was left as a result of partial processing This is done, for exεunple, by lntenogating fields in the database record that indicate the steps that have already been performed for this request In Step 5283, based upon this status information, the Gateway indicates the next stage of processing to be performed, either forward translation, reverse translation, or communication with the host After this status has been set, whether for a new request in Step 5275, or for an already-existing request in Step 5283, control proceeds to Step 5290, which exits the AnalyzeSetRequest routine, returning control to Step 5110 in Figure 51 The AnalyzeSetRequest routine as depicted in Figs. 52A and 52B may be implemented using the following C++ code:

gwAction CGW_Engine::AnalyzeSetRequest(CPCLCCRequest* pVehicle, char

*fatalError)

! gwAction action; gwDBRC dbrc; gwRC re; int retryCount; char staleMsgFlag;

"fatalError = _FALSE; / / Default to "all is OK"

/ / Extract the key SET fields that are required. The key / / SET fields contain the primary key elements of the "setmsg" / / table. if ( (rc=GetSetKeyFields(_PVehicle))!= GW_SUCCESS) { switch(rc) { case GW_NOT_SUPPORTED:

BuildSetErrorResponse(pVehicle,ISO_RESP_FUNC_NOT_SUPP); break; default: BuildSetErrorResponse(pVehicle4SO_._RESP_SYS_MALFUNC); breε c; I

*fatalError=_TRUE; / / Only place we return this! return (GW_PROCEED_TO_RESPOND);

else

/ / Set this so that the front-end will be able to tell / / whether enough information was denved from the request / / in order to do update the setmsg" log m_haveKeyFιelds = 1 ,

/ / If the count of SET messages with current xid εmd npidbase is / / non-zero then the message is an honest retry otherwise it / / is a new request if ( (dbrc=Gwdb_GetSetMsgRetryCount(&retryCount)^= GWDB_SUCCESS) { if (retryCount == 0) m_setRequestClass= GW_SREQCL_NEW_REQUEST, else m_setRequestClass = GW_SREQCL_HONEST_RETRY,

} else f

BuιldSetErrorResponse(pVehιcle,ISO_RESP_SYS_MALFUNC), GW_LogError( LOG.ERR, "Gwdb_GetSetMsgRetryCount() %d , dbrc), return (GW_PROCEED_TO_RESPOND),

!

/ / Check whether the message is stale If it is, we still

/ / insert it into the database shortly but we will not process

/ / it

Gwdb_IsSetMsgStale(&staleMsgFlag), if (staleMsgFlag == _TRUE) m_setRequestDιsposιtion= GW_SREQDI_STALE, else m_setRequestDιsposιtιon= GW_SREQDI_OK, // Not stale

/ / Log the "SET message" in the database. If the insert fails

/ / then we must have a replay attack' dbrc = GwdbJnsertSetMsgQ, switch (dbrc) ( case GWDB_SUCCESS: break; case GWDB_DUPLICATE_ON NSERT:

BuildSetEnorResponse(pVehicle,ISO_RESP_SECURlTY_VIOLATION); dbrc = Gwdb_InsertReplayAttack(); if (dbrc != GWDB_SUCCESS) {

GW_LogError( LOG_ERR, "Gwdb_InsertReplayAttack(): %d", dbrc); } return (GW_PROCEED_TO_RESPOND); break; default:

BuildSetEnorResponse(pVehicle,ISO_RESP_SYS_MALFUNC); GW_LogEnor( LOG_ERR, "Gwdb_lnsertSetMsg() : %d" , dbrc); return (GW_PROCEED_TO_RESPOND); break;

/ / If the message is stale do no more. if (m_setRequestDisposition== GW_SREQDI_STALE) {

BuildSetEnorResponse(pVehicle,ISO_RESP_SECURITY_VIOLATION); return (GW_PROCEED_TO_RESPOND);

1

/ / If we reach this far in this function then:

/ / i) the request is new or an honest retry AND

/ / ii) the request is not stεde AND

/ / iii) a setmsg record has been added for this request.

/ / If there is already a "host message" then update the key / / with the new retry count. If there was not a "host message" / / then insert one. dbrc = Gwdb_GetHostMsg();

switch (dbrc) } case GWDB_SUCCESS: dbrc = Gwdb_UpdateHostMsgKeys(); break; case GWDB_ROW_NOT_FOUND: dbrc = Gwdb_InsertHostMsg(); if (dbrc ! = G WDB_SUCCESS) {

BuildSetErrorResponse(pVehicle,ISO_RESP_SYS_MALFUNC); } return(GW_PROCEED_TO_FWD_XLAT); break; default:

BuildSetErrorResponse(pVehicle,ISO_RESP_SYS_MALFUNC); GW_LogError( LOG_ERR, Gwdb_GetHostMsg() : %d", dbrc); return (GW_PROCEED_TO_RESPOND); break; )

if (dbrc != GWDB.SUCCESS) {

BuildSetErrorResponse(pVehicle,ISO_RESP_SYS_MALFUNC); GW_LogError( LOG_ERR, "Gwdb_UpdateHostMsgKeys(): %d", dbrc); return (GW_PROCEED_TO_RESPOND);

/ / If this request is an honest retry then determine if we / / can "short circuit" a) the forwεird trε slation, b) the / / communications to the host or c) the reverse translation

/ / all of which will save time, if (m_setRequestClass== GW_SREQCL_HONEST_RETRY)i switch (m_hostResponseDisposition){ case GW_HRESDI_UNKNOWN: action = GW_PROCEED_TO_FWD_X.LAT; break;

case GW_HRESDI_RECEIVED_OK: action = GW_PROCEED_TO_REV_XLAT; break;

case GW_HRESDI_REV_XLAT_FAILED: action = GW_PROCEED_TO_REV_XLAT; breεik;

case GW_HRESDI_RECEIVE_FA1LED: case GW_HRESDI_TIMEOUT: action = GW_PROCEED_WITH_HOST_COMMS; break;

default: break;

return (action) ;

TranslateForward

Figure 53 depicts the execution of the TranslateForward routine, which is called by Step 5135 in Figure 51. Execution begins at Step 5310. In Step 5320. the Gateway forwεird- trεmslates the request to prepare it for transmission to the host. Forward translation consists of packaging the fields in the request into a format that is understandable by the legacy system at the financial institution. The exact format of the translated request will vary from institution to institution. However, in general, the format will consist of a fixed length record with predetermmed fields, using a standard character set such as ASCII or EBCDIC. In Step 5330, the Gateway checks to see whether the translation was successfully performed. If not control proceeds to Step 5340, which returns an error condition. If the translation was successful, control proceeds to Step 5350. In Step 5350, the Gateway sets a status flag to indicate that the next stage to be performed for this SET request is to proceed to host communication. This will be used in the next iteration of the Gw_ClearSetRequestHandler routine as depicted in Figure 51. After the status is set in Step 5350. the translate forwarα routine returns control in Step 5360.

The TrεmslateForwεird routine as depicted in Figure 51 may be implemented using the following C++ code:

gwAction CGW_Engme: :TranslateForward(CPCLCCReques)*pVehιcle)

I I gwRC re; gwDBRC dbrc;

re = HM_TranslateForward(m_hostSpecificMessagepVehicle),

if (re == GW_SUCCESS) { return (GW_PROCEED_WITH_HOST_COMMS);

m_hostRequestDisposιtιon= GW_HREQDI_FWD_XLAT_FAILED. BuιldSetEnorResponse(pVehιcle,ISO_RESP_FORMAT_ERR);

dbrc = Gwdb_UpdateHostMsgRequestDisp(); if (dbrc != GWDB_SUCCESS) {

GW_LogError( LOG_ERR, "Gwdb_UpdateHostMsgRequestDisp(): %d" dbrc);

return (GW_PROCEED_TO_RESPOND); DoHostCommunication

Figure 54 depicts the step of host communication, as shown in Step 5145 in Figure 51 Execution begins in Step 5400 In Step 5405 the Gateway obtains from the request object the stnng representing the request text In Step 5410 it obtains the sequence number for the request In Step 5415 the Gateway determines the current time, in order to record the time at which the request is made. In Step 5420 the Gateway sends the request to the host and waits for a response from the host When a response is received, execution continues in Step 5425 In Step 5425, the Gateway again checks the current time, thereby determining the time at which a response was received In Step 5430, the Gateway checks to see whether the communication was successfully performed If a communication was not successful, the Gateway records that an enor occuned in Step 5432 If the communication was successful, the Gateway, in Step 5435, indicates that the request was successfully sent and responded to In Step 5437, the Gateway sets the response stnng based upon the response received in Step 5420 In Step 5439 the Gateway sets a status to indicate that reverse translation of the received response is required Regardless of whether the communication was successful or unsuccessful, execution continues to Step 5450 In Step 5450, the database is updated with status information from the host communication. In Step 5490, control is returned to the calling routine

The DoHostCommunication routine as depicted in Fig 54 may be implemented using the following C++ code

gwAction CGW_Engme DoHostCommunιcatιon(CPCLCCReques pVehicle)

{ gwHMRC hmrc, gwDBRC dbrc, gwAction action = GW_PROCEED_TO_RESPOND,

unsigned char hostRequestMessage[HOSTREQ_SZ+ 1], mt hostRequestLength= 0, unsigned char hostResponseMessage[HOSTREQ_SZ+ l], int hostResponseLength = 0;

long sequenceNo;

HM_GetRequestStnng(m_hostSpecificMessage,&hostRequestMessage[0], δshostRequestLength);

HM_GetSequenceNo( m_hostSpecιficMessage , &sequenceNo ) ,

tιme( &m_hostRequestTιme),

hmrc = SendToHostAndWaιt(

&hostRequestMessage[0),hostRequestLength, &hostResponseMessage[0]₍&hostResponseLength),

tιme( &m_hostResponseTιme);

swιtch(hmrc) { case GWHM_SUCCESS: m_hostRequestDιsposιtιon= GW_HREQDI_SENT_OK, m_hostResponseDιsposιtιon= GW_HRESDI RECE,.VED_OK, HM_SetResponseStnng(m_hostSpeciucMessage, ttt.hostResponseMessage[0], hostResponseLength),

action = GW_PROCEED_TO_REV_XLAT, break;

case GWHM_SEND_FAILED. m_hostRequestDιsposιtιon= GW_HREQD SEND_FAlLED; m_hostResponseDisposition= GW_HRESDI_UNKNOWN; break;

case GWHM_RCV_FAILED: m_hostRequestDisposition= GW_HREQDI_SENT_OK; m_hostResponseDisposition= GW_HRESDI_RECEIVE_FAILED; break;

case GWHM_RCV_TIMEOUT: m_hostRequestDisposition= GW_HREQDI_SENT_OK: m_hostResponseDisposition= GW_HRESDI_TIMEOUT; break;

default: break;

} if (hmrc != GWHM_SUCCESS) {

BuildSetErrorResponse(pVehicle,ISO_RESPJSSUERJNOP);

} dbrc = Gwdb_UpdateHostMsgAllInfo(sequenceNo,

6shostRequestMessage[0],hostRequestLength, &hostResponseMessage[0],hostResponseLength); if (dbrc != GWDB_SUCCESS) {

BuildSetErrorResponse(pVehicle,ISO_RESP_SYS_MALFUNC); GW_LogError( LOG_ERR, "Gwdb_UpdateHostMsgAlllnfo(): %d", dbrc);

! return (action);

TranslateReverse

Figure 55 depicts the operation of the TranslateReverse routine, as executed in Step 5155 in Figure 51. Execution begins at Step 5500. In Step 5510 the Gateway reverse-translates the response received from the legacy system host. Reverse translation consists of extracting data from the data records received from the legacy system, and placing them in objects so that they are useable by the Gateway. In Step 5520, the Gateway checks to veπfy that translation was successful. If translation was successful control proceeds to Step 5530, where a status flag is set indicating a successful translation If translation was not successful, control proceeds to Step 5540, in which the Status Flag is set to indicate an unsuccessful translation Regardless of whether translation was successful or unsuccessful, execution proceeds to Step 5550. In Step 5550, a status flag is set to indicate that the next stage for the request is to provide a response from the Gateway. This step is always executed, because regardless of whether the translation or any other aspect of the transaction was successful, a response indicating either success or failure must be returned by the Gateway Control then proceeds to Step 5590, in which the TranslateReverse routme returns control to the calling routine in Figure 51. It will be seen that the TranslateForward routine in Figure 53, the DoHostCommunication routine depicted in Figure 54, and the TranslateReverse routine depicted in Figure 55, each alter the status of the request. As a result as the loop depicted in Figure 51 executes a particular request will proceed through all three stages and finally to exit in Step 5190.

The TranslateReverse routine as depicted in Figure 55 may be implemented using the following C++ code: gwAction CGW_Engιne: :TranslateReverse(CPCLCCRequesf pVehicle) { gwRC re; gwDBRC dbrc; re = HM_TranslateReverse(m_hostSpecιficMessage pVehicle), if (re == GW_SUCCESS) { / / Success; we have a normal PDU to send back to VPOS!

/ / If there is any problem further to this (eg. PCL/ASN libs) / / that the frond-end is responsible tor calling the method / / LogSetErrorResponse()on this engine instance m_setResponseClass= GW_SRESCL_APP_NORMAL_PDU, m_setResponseDιsposιtιon= GW_SRESDI_ SENT_OK;

HM_GetResponseCode(m_hostSpecιficMessagem_setResponseCode); else { m_hostResponseDιsposition= GW_HRESDI_REV_XLAT_FAILED; BuildSetEnorResponse(pVehicle,ISO_RESP_INVALID_RESPONSE);

dbrc = Gwdb_UpdateHostMsgResponseDisp(); if (dbrc != GWDB_SUCCESS) {

GW_LogError( LOG_ERR, "Gwdb_UpdateHostMsgResponseDιsp(): %d", dbrc);

}

/ / Whether there was a translation enor or not we need to respond, return (GW_PROCEED_TO_RESPOND);

GetSetKeyFields

Figures 56A and 56B describe the GetSetKeyFields routine. This routine is cεdled by Step 5205 as illustrated in Figure 52A. Execution begins in Step 5600. In Step 5610, the Gateway interrogates the request object to determine the request type. In Step 5620, the Gateway determines whether the request type is for authorization only. If the request type is not for authorization only, execution proceeds to Step 5625. In Step 5625, the Gateway checks to see whether the request type is for a sale. If the request type is neither for authorization only nor for a sale, execution proceeds to Step 5630. In Step 5360, the Gateway indicates that the request type is not a supported request, and proceeds to Step 5635, where it returns to the caller.

If the request type is either for authorization only or ior a sale, execution proceeds with Step 5640. In step 5640, the Gateway initializes a container object to represent the request. In Step 5650, the Gateway extracts the [transaction identifier?] (XID) for the transaction. In Step 5652, the Gateway extracts the merchant identifier (MID) for the trεmsaction. In Step 5654, the Gateway extracts the [what is the RRPID?] (RRPID) and the terminal identifier (TID) for the request. In Step 5656, the Gateway extracts the retry count associated with the current request. In Step 5660, a message data area is initialized with the extracted contents The message area can then be used for further processing by the called rouune. In Step 5690, the GetSetKeyFields routine returns control to the caller.

The GetSetKeyFields as depicted in Figures 56A and 56B may be implemented using the following C++ code: gwRC CGW_Engme::GetSetKeyFields(CPCLCCRequesfpVehιcle)

{ gwRC transRc = GW_SUCCESS, unsigned mt got;

char s_RrpιdTιd[2*XID_SZ]; unsigned long rrpid, unsigned long tidOffset; m_setKeyFields.reqType= pVehιcle->GetRequestType(), swιtch(m_setKeyFields. reqType){ case CPCLRequest::CCAuthOnly: case CPCLRequest::CCSale:

! / / Initial cast to correct subclass.

CASN AuthonzationRequestDataContamei* s_req =

((CPCLCCAuthOnlyRequest*)pVehιcle)->GetRequestContaιner()- >get_data() - > get_data() ;

s_req->get_transactιon_id()->get_x_id()-> get_value( (unsigned chεir *) &m_setKeyFields.xιd,XID_SZ, &got);

#ιfdefJUNE_3RD strncpy(m_setKeyFields. mid ,"42581 " , MID_SZ) ; #else

/ / TODO: get code from Deepak for pulling MID out of s_req! stmcpy(m_setKeyFields.mid,"42581", MID_SZ); //bah! #endif

//

// NOTE: We have agreed with VPOS team that the RRPID field / / will contain the following:

/ /

/ / <rrpid> <space> <tid> <null>

/ /

/ / where <rrpid> is a string representing the rrpid value / / and <tid> is a string representing the tid vεdue. // / /

memset(s_RrpidTid, ' \0', sizeof(s_RrpidTid) );

s_req->get_AuthorizationRequestData_extensions()-> get_auth_req_res_pair_id()-> get_vεdue( (unsigned char *) &s_RrpidTid, sizeof(s_RrpidTid),&got);

/ / get rrpid εmd offset to the tid. sscanf(s_RrpidTid,"%d %n", &rrpid, &tidOffset);

/ / rrpidBase and retryCount m_setKey Fields. retryCount= rrpid % 100; m_setKeyFields.rrpidBase= rrpid - m_setKey Fields. retryCount;

/ / tid strncpy(m_setKeyFields.tid,(s_RιpidTid+tidOffset),TID.SZ);

/ / reqDate

GW_GetTimeFromASNTime(βε(m_setKeyFields.merchantTime), s_req->get_authorization_request. date(| ; break;

case CPCLRequest::CCAuthReversal: // == Void case CPCLRequest::CCCreditReversal: case CPCLRequest::CCCapture: case CPCLRequest::CCCredit: // == Refund ! Return case CPCLRequest::CCCaptureReversal: / / == Void // case eBallnquiry:

transRc = GW_NOT_SUPPORTED; break;

default: transRc = GW_NOT_SUPPORTED; breεik;

/ / Initialize the host message will with the key fields "in the clear"! if (m_hostSpecificMessage== NULL) { transRc = GW.FAILED;

I else ( HM_Initialize(m_hostSpecificMessage,&m_setKeyFields);

return (transRc);

Gwdb IsSetMsgStale

Figure 57 depicts the GwdbJsSetMsgStεde routine. This routine is called by Step 5215 as illustrated in Figure 52A. Execution begins in Step 5700. In Step 5710, the Gateway checks to see whether this is the first time the GwdbJsSetMsgStale has been called for this request If this is the first time, Steps 5715 through 5730 are performed; otherwise those steps are skipped. In Step 5715, a field representing the message life is initialized to a predetermined duration The message life is a field that will be used to determine how long the message representing the transaction will remain valid. The use of the message life field prevents a transaction that is effectively lost due to extensive processing delays from being processed. In Step 5720, the Gateway checks to see if the value of the message life is equal to zero If the message life is equal to zero, a default value, i.e , 300 seconds or 5 minutes, is assigned to the message life in Step 5725. In Step 5730, an indicator for this request is set to indicate that first time processing has already been performed for this request This flag is the same flag interrogated in Step 5710, and is used to prevent successive reinitialization of the message life field

In Step 5740, the Gateway checks to see whether the merchant's time stamp, plus the value of the message life, is less than the time of the request. If so, then the request is considered stale, and is marked stale in Step 5750. If not, the request is not stale, and is marked not stale in Step 5755 Following either of Step 5750 or 5755, the GwdbJsSetMsgStale exits in Step 5790. The GwdbJsSetMsgStale routine as depicted in Figure 57 may be implemented using the following C++ code: void CGW_Engιne::GwdbJsSetMsgStale(chaι*staleFlag)

{ static char gotStaleDuration=0; static long setMsgLife; static char *funcName = "GwdbJsSetMsgStale ' , / / Only get this once per process lifetime if (gotStaleDuration== 0) { FILE *fp; char duratιon[INI Jvl AXLNSZ+ 1 ] , if ( (fp=OpenIniFile())!= NULL) { setMsgLife = 0;

(void) ιnιGetParameter(fp,"GATEWAYADMIN' , SetMsgLife", duration), setMsgLife = atol(duratιon), / / could return 0, handled later (void) CloselnιFιle(fp),

} if (setMsgLife == 0) { setMsgLife = 5 * 60; / / Default to 5 minutes;

} gotStaleDuration = 1 ;

I / / If the message has expired its lifetime if ( (m_setKeyFields.merchantTιme+setMsgLιfe)< m_setRequestTιme)

"staleFlag = _TRUE; / / request is stale, else

"staleFlag = J^ALSE, / / honour request, it is not stale return, )

Gwdb InsertSetMsg

Figure 58 depicts the GwdbJnsertSetMsg routine. This routine is called from Step 5230 as illustrated in Figure 52A. Execution begins in 5800. In Step 5810, the routine invokes a database insert function by, for example, executing an SQL INSERT commεmd. In Step 5820, the database return code is obtained in order to be used as a return code from the GwbdJnsertSetMsg routine. In Step 5830, a database commit function is performed, thereby instructing the database engine to commit the database changes to a permanent recording, I e , by wπting the information to the file, and/ or by journalizing the change made by INSERT function. In Step 5890, the routine returns control to the calling program.

The GwdbJnsertSetMsg as depicted m Figure 58 may be implemented using the following C++ code: gwDBRC CGW JSngine. GwdbJnsertSetMsg()

EXEC SQL BEGIN DECLARE SECTION;

// Key char *h_xid = &(m_setKeyFields.xid[0]); long h_rrpidBase = m_setKeyFields.rrρidBase; int h_retryCount = m_setKeyFields.retryCount;

/ / Columns to insert into. char *h_mid = &(m_setKeyFields.mid[0]); char *h_tid = &(m_setKeyFields.tid[0]); char h_merchantTime[26]; int h_requestType = (int) m_ setKeyFields.reqType; char h_requestTime[26]; int h_requestClass = (int) m_setRequestClass; int h_requestDisposition = (int) m_setRequestDisρosιtion; char h_responseTime[26]; int h responseClass = (int) m_setRequestClass; int h_responseDisposition = (int) m_setResponseDιsposιtion; char *h_responseCode = m_setResponseCode;

EXEC SQL END DECLARE SECTION; static char *funcName = "GwdbJnsertSetMsg"; gwDBRC dbrc; GWJvlakeDateString(h_merchantTime-&(m_setKeyFields.merchaπtTime)); GW JvlakeDateString(h_requestTime,&m_setRequestTime) ;

GWJvIakeDateString(h_responseTime,&m_setResponseTime); EXEC SQL INSERT INTO setmsg

( xid, rrpidbase, retrycount. mid, tid, merchεmttime, requesttype, requesttime, requestclass, requestdisposition, responsetime, responseclass, responsedisposιtιon,responsecode

) VALUES :h_xιd, :h_rrpidBase, :h_retryCount, :h_mιd, :h_tιd,

TOJDATE(:h_merchantTιme,'DY MON DD HH24:MI:SS YYYY ),

:h_requestType,

TOJDATE(:h_requestTime, DY MON DD HH24:MI:SS YYYY ),

:h_requestClass, :h_requestDisposιtιon,

TOJDATE(:h_responseTιme,'DY MON DD HH24.M SS YYYY ),

:h_responseClass, :h_responseDisposition,:h_ responseCode

dbrc = DbJiCrror(funcName); (void) Db_Commιt(funcNειme); return (dbrc);

Gwbd GetHostMsg

Figure 59 depicts the Gwbd_GetHostMsg routine. This routine is called by Step 5245 as shown m Figure 52B. Execution begins m Step 5900. In Step 5910, the routine invokes a database select function by, for example, executing an SQL SELECT commεmd. In Step 5920, the database return code is obtained in order to be used as a return code from the

GwbdJnsertSetMsg routine. In Step 5930, the Gateway checks to see whether the database retrieve operation was successfully performed. If so, execution proceeds to Step 5935. In Step 5935, the Gateway sets a number of status vaπables from the values retπeved from the database records. This includes the time the request was made, the time a response was received, the contents of the request string, the contents of the response string, εmd a sequence number for this request. In Step 5940, a commit operation is performed. [What is the point of a commit operation following a retπeval, as opposed to an insert or an update?] In Step 5900, control returns to the calling progrεim.

The Gwdb_GetHostMsg as depicted in Figure 59 may be implemented using the following C++ code: gwDBRC CGWJ£ngιne::GwdbJ3etHostMsg() struct tm requestTimeTM; struct tm responseTimeTM; EXEC SQL BEGIN DECLARE SECTION; // Key. char *h_xid = &(m_setKeyFields.xid[0]); long h_rrpidBase = m_setKeyFields.rrpidBase;

// Indicator Variables. short h_requestStringInd; short h_responseStringInd;

/ / Columns to retreive. long h_sequenceNo = 0; int *h_reqYear = &requestTimeTM.tm_yeειr; int *h_reqMonth = &requestTimeTM.tm_mon; int *h_reqDay = &requestTimeTM.tm_mday; int *h_reqHour = &requestTimeTM.tmJιour; int *h_reqMinute = &requestTimeTM.tm_min; int *h_reqSecond = &requestTimeTM.tm_sec; int *h_requestDisposition = (int *) osmJiostRequestDisposition; VARCH AR h_requestString[ 128] ; int *h_resYeεu = &responseTimeTM.tm_yeειr; int *h_resMonth = &responseTimeTM.tm_mon; int *h_resDay = &responseTimeTM.tm_mday; int *h_resHour = &responseTimeTM.tmJ our; int *h_resMinute = &responseTimeTM.tm_min; int *h_resSecond = &responseTimeTM.tm_scc; int *h_responseDisposition = (int *) fomJiostResponseDisposition;

VARCHAR h_responseString[ 128] ; EXEC SQL END DECLARE SECTION; static char *funcName = "Gwdb_GetHostMsg"; gwDBRC dbrc;

/ / Set the "tm" structures to null. Set tm sdst to - 1 so that the / / mktimeQ function will determine if whether Daylight Savings Time / / is active. memset(&requestTimeTM,'\0', sιzeof(tm) ), requestTιmeTM.tm_ιsdst=- 1 , memset(&responseTimeTM,'\0', sιzeof(tm)), responseTιmeTM.tm_ιsdst=- 1 ,

EXEC SQL SELECT sequenceno, TOJWMBER(TOJ3HAR(requesttime,'YYYY))-1900, // see man mktime'

TOJ UMBER(TO_CHAR(requesttιme,'MM'))-l, //see man mktime"

TOJ UMBER(TO_CHAR(requesttιme,'DD)), TOJJUMBER( TO_CHAR(requesttime,^H24^•)),

TOJ^UMBER(TO HAR(requesttιme,'Mr)), TOJUMBER(TO ZHAR(requesttιme,'SS')), requestdisposition, requeststπng,

TOJ^UMBER(TO_CHAR(respons*ιme,'YYYY'))-1900, // see "man mktime" TOJUMBER(TC CHAR(responsetιme,'MM'))-l, // see "man mktime"

TO_NUMBER(TO_CHAR(responsetime,'DD')), TOJMUMBER(TOJ3HAR(responsetιme,HH24')), TOJMUMBER(TO HAR(responsetιme,'Mr)), TOJWMBERfTC CHARfresponsetime/SS')), responsedisposition.responsestnng

INTO : h_sequenceNo, h_reqYear, :h_reqMonth, .h_reqDay, :h_reqHour, :h_reqMmute. :h_reqSecond, h_requestDιsposιtιon,:h_requestStπng:h_requestStπngInd, .h_resYeειr, :h_resMonth, :h_resDay, :h_resHour, .h_resMinute, h_resSecond, h_responseDιsposιtιon,:h_responseStπng:h_responseStnngInd FROM hostmsg WHERE xid = :h_xid AND rrpidbase = :h_rrpidBase; dbrc = DbJ5nor(funcNειme); if (dbrc == GWDB.SUCCESS) { if (h_requestStnngInd== - 1) h_requestString.len=0; if (h_responseStringInd== - 1) h_responseString.len=0; mJiostRequestTime = mktime( &requestTimeTM ); m JiostResponseTime = mktime ( flsresponseTimeTM ) ;

HMJ3etRequestString(mJ ostSpecificMessage, h_requestString.arr, h_requestString.len) ; HMJ3etResponseString(mJιostSpecificMessage, h_responseString.arr, h_responseString. len) ; HM J3etSequenceNo( m JiostSpecificMessage, h_sequenceNo) ;

} (void) DbJ ommit(funcNειme); return (dbrc);

Gwdb InsertHostMsg Figure 60 depicts the GwdbJnsertHostMsg routine. This routme is called by Step 5270 as illustrated in Figure 52B. Execution begins in Step 6000. in Step 6010, the routine invokes a database insert function by, for example, executing an SQL INSERT command. In Step 6020, the database return code is obtained in order to be used as a return code from the GwbdJnsertSetMsg routine, in Step 6040, a commit operation is performed. In Step 6090, the routine returns control to the calling program.

The GwdbJnsertHostMsg as depicted in Figure 60 may be implemented using the following C++ code: gwDBRC CGWJΪngιne::GwdbJnsertHostMsg()

{

EXEC SQL BEGIN DECLARE SECTION; // Key. char *h_xid = &(m_setKeyFields.xιd[0]); long h_rrpidBase = m_setKeyFields.rrpidBase; int h_retryCount = m_setKeyFteIds.retryCount;

/ / Columns to insert into. long h_sequenceNo = 0; char h_requestTime[26]; int h_requestDisposition = (int) mJiostRequestDisposition; char h_responseTime[26]; int h_responseDisposition = (int) mJiostResponseDisposition;

EXEC SQL END DECLARE SECTION; static char *funcName = "GwdbJnsertHostMsg"; gwDBRC dbrc;

GWJvIεd eDateString(h_requestTime,&mJιostRequestTime); GWJvIakeDateString(h_responseTime,&mJιostResponseTime); EXEC SQL INSERT INTO hostmsg ( xid, npidbase, retrycount, sequenceno, requesttime, requestdisposition, responsetime, responsedisposition

) VALUES

( :h_xid, :h_npidBase, :h_retryCount,

:h_sequenceNo, TOJDATE(:h_requestTime,'DY MON DD HH24:MI:SS YYYY'), . h_requestDιsposιtion,

TOJ ATE(:h_responseTιme,'DY MON DD HH24.M SS YYYY'),

: h_responseDιsposιtion

dbrc = DbJϊnor(funcName); (void) Db_Commιt(funcNεune); return (dbrc),

GwdbJJpdateSetMsgResponselnfo

Figure 61 depicts a flow diagram for the GwdbJJpdateSetMsgResponselnfo routine Execution begins at Step 6100. In Step 6110, the routine invokes a database update function by, for example, executing an SQL UPDATE command. In Step 6120, the database return code is obtained in order to be used as a return code from the GwbdJJpdateSetMsgResponselnfo routine in Step 6190, the routine returns control to the calling program.

The GwdbJJpdateSetMsgResponselnfo as depicted in Figure 61 may be implemented using the following C++ code: gwDBRC CGW_Engιne: :Gwdb JJpdateSetMsgResponselnfoQ >

EXEC SQL BEGIN DECLARE SECTION; // Key. char *h_xιd = &(m_setKeyFields.xid[0]); long h_rrpιdBase = m_setKeyFιelds.rrpιdBase; mt h_retryCount = m_setKeyFιelds. retryCount;

/ / Columns to update, char h_responseTιme[26]; int h_responseClass = ( t) m_setResponseClass, int h_responseDisposition = (int) m_setResponseDιsposιtion; char *h_responseCode = m_setResponseCode;

EXEC SQL END DECLARE SECTION; static char *funcName = "GwdbJJpdateSetMsgResponselnfo '; gwDBRC dbrc;

GWJvIakeDateString(h_responseTime,&m_setResponseTime); EXEC SQL UPDATE setmsg SET responsetime = TO J-)ATE(:h_responseTime,'DY MON DD HH24:MI:SS YYYY'), responseclass = :h_responseClass, responsedisposition = :h_responseDisposιtion, responsecode = :h_responseCode WHERE xid = :h_xid AND rrpidbase = :h_rτpidBaseAND retrycount = :h_retry Count; dbrc = DbJ£rror(funcNειme); (void) DbJ ommit(funcName); return (dbrc);

Figure 62 is the main administration display for the Gateway in accordance with a preferred embodiment. A set of menu selections are presented at 6200 which will be described in more detεdl for each display. Figure 63 is a configuration panel in accordance with a preferred embodiment. The configuration panel provides access to management information for configunng a gateway management information database. The Merchant Identifier (Mid) 6310 is a thirty chεiracter, εdphanumeric field that uniquely defines a merchant. The Merchant Name 6320 is a fifty character, alphanumeric field, the Edit 6330 and Delete field 6340 are hyperlinks to detailed panels for modifying information in the management information database. Figure 64 is a host communication display for facilitating communication between the gateway and the acquirer payment host. The IP Address Field 6410 contεdns the Internet Protocol address for communicating via TCP/IP to the Internet. The TCP logical port field 6430 uniquely identifies the port for accessing the Internet, εmd the SAVE field 6430 invokes storing of the host communication information in the database. Figure 65 is a Services display in accordance with a preferred embodiment. This display initiates portions of the Gateway such as the host mulitplixer 2130 of Figure 21. Figure 66 is a graphical representation of the gateway transaction database in accordance with a prefened embodiment Each of the fields represents a portion of the internet database schema m accordance with a preferred embodiment

In today's environment value is transferred from one smart card to another smart card by inserting cards one at a time into a personal computer, or a pair of personal computers connected by a dedicated line. A value transfer protocol is employed to transfer the value as descπbed on the Modex Purse Functionality training mateπal. The transactions are performed face-to-face with trusted hardware utilizing a secure, dedicated communication link. VeπFone Inc. , a leading global provider of secure payment solutions supports Mondex smart cards just as Visa, MasterCard or other credit cards are supported This suppon enables VenFone to offer hardware and software for "electronic cash" payment VeπFone s family of smart card system products allows retail merchant and consumer Mondex smart cards to interface and to facilitate digital cash payments for all goods and services cunently purchased with coins and currency

Mondex is a smart card-based electronic cash payment system being introduced by banks around the world. Because the lcroprocessors contained on the Mondex smart cards can communicate securely with one another, cash-equivalent value can be stored in the cards, enabling consumers to purchase goods at retail stores and on the Internet. However, if the smart cards are utilized on the Internet without otherwise secunng the trεmsaction, interception and fraudulent transactions are possible.

Solutions in accordance with a preferred embodiment enable merchants to add Mondex chip card capability to their existing applications. In addition to supporting the Mondex electronic cash system, VeriFone chip card payment solutions are available for processing smart card-based stored-value, credit and debit progrεuns of other pavment associations Meeting high international secuπty standards, the system features an integrated dual track reader that can run both magnetic stπpe and smart card-based applications Additionally, the optional graphics display supports a vanety of icons, logos and various non-Roman character sets such as Arabic, Cyπlhc, Chinese and Japanese. Recently, the Internet was proposed as a communication medium connecting personal computers with specialized reader hardware similar to the Verifone hardware descπbed above. However, the Internet is not a secure communication medium and value transfer was not secured. Thus, a solution was necessary to shore up the Internet with secure value transfer processing to facilitate smart card processing over the Internet. In addition, support was required to ensure that no third party could hijack a value transfer transaction. This would occur if someone diverted the transaction before it even started. In the prior art face-to-face solution, both parties can confirm the other party's identity. However, the Internet separates the parties with miles of wire.

Figure 67 is a block diagram of a secure method for transfernng value from one smart card to another in accordance with a prefened embodiment of the invention. Devices 6700 and 6790 are personal computers with chip card readers such as the Mondex purse described m the Mondex system documentation. Digital certificates 6740 and 6730 are utilized in conjunction with digital signatures to ensure that both parties are who they say they are. In addition, a secure transport protocol 6750, such as SHTTP or SSL as described above is utilized to ensure the information flowing over the Internet 6710 is secure. Digitεd certificates εmd digitεd signatures positively identify the parties and establish a secure communication link before beginning a transaction. Identity information could even be displayed before beginning the trεuisaction to provide further security. Optionεdly, the display could indicate that a hierarchy was broken and present a suspicion factor to the user. Then, if a user demands confirmation before recommencmg the transaction with the identified party, security would be mεuntεdned. The authenticating actions that the parties perform m addition to the exchange of digital certificates and signatures could also entail the exchange of pεirεuneters of the transfer. For exεunple, how much money should be exchanged, what currency, the terms of the transfer such as interest, how long payments would last. Then, the chip card could begin its diεdog with the corresponding chip card along the line of established procedures to exchεmge value.

While vaπous embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth εmd scope of a prefened embodiment should not be limited by any of the above described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims

What is claimed is

1 A method for initiating secure communication between a first computer εmd a second computer connected to a network for authenticating and transfemng value from a first smart card to a second smart card, compπsing the steps of

(a) establishing a communication link between said first computer and said second computer via said network,

(b) identifying a cryptographic procedure for utilization by said first computer and said second computer;

(c) transmitting cryptographically secure authenticating information, from said second computer to said first computer using the communication link and said cryptographic procedure,

(d) receiving said cryptographically secure authenticating information at said first computer using the communication link and processing the authentication information utilizing the cryptographic procedure to authenticate said second smart card and said first smart card,

(e) reading said first smart card at the first computer,

(f) reading said second smart cεurd at the second computer; and

(g) transfemng value from said first smart cεird at the first computer to said second smart card at the second computer utilizing the network εmd sεud cryptographic procedure

2 The method as recited in claim 1 , including the step of utilizing the Internet for transmitting information between said first computer and said second computer

3. The method as recited in claim 1 , including the step of transmitting information from the second computer to a third computer for authorizing or denying credit in payment processing.

4 The method as recited in claim 1 , wherein the encrypted payment information conforms to a Secure Sockets Layer protocol

A method for initiating secure communication between a first computer and a second computer connected to a network for authenticating and transferring value from a first smart card attached to said first computer to a second smart card attached to a second computer, compπsing the steps of

(a) obtεumng authentication information for use in said secure transfer of value between a first smart cεird and a second smart card,

(b) establishing a communication between said first computer and said second computer via said network,

(c) repackaging said authentication information to comply with a secure protocol,

(d) reading a first smart card at the first computer,

(e) reading a second smart card at the second computer, and

(0 transfemng value from said first smart card on the first computer to said second smart card on said second computer over said network utilizing said secure protocol

6 The method as recited in claim 5, including

(d) transmitting encrypted payment information from said first computer to said second computer,

(e) receiving sεud encrypted payment information at said second computer and decrypting the payment information utilizing the decryption procedure, and

(0 performing further payment processing on said decrypted information

7 The method as recited in claim 5, wherein said authentication information is obtained via a telephone, fax machine or electronic mεul

8 The method as recited m clεum 5, wherein a digital signature is utilized to authenticate payment processing

9 The method as recited in claim 7, wherein said client information is obtained via a secure general purpose protocol

10. The method as recited m clεum 5, further compπses reversing previous value transfer transactions

1 1. Apparatus for initiating secure communication between a first computer and a second computer under the control of software with an attached display and an input device coupled to a network for authenticating and transfemng value from a first smart card to a second smart card, compnsing:

(a) means for establishing a communication link between said first computer and said second computer via said network;

(b) means for identifying an encryption procedure and a decryption procedure utilized by said first computer εmd sεud second computer,

(c) means coupled to the means for establishing a communication link for transmitting encrypted authentication information, from sa d second computer to said first computer using the communication link;

(d) meεms for receiving said encrypted authentication information at said first computer using the communication link and decrypting the authentication information utilizing the decryption procedure to authenticate said second smart card and said first smart card,

(e) means for reading the first smart cεird at the first computer;

(f) means for reading the second smart card at the second computer, and

(g) means for transferring value from said first smart card at said first computer to said second smart card at said second computer over the network.

12. The apparatus as recited in claim 11, wherein the network is an Internet

13. The apparatus as recited in claim 12, including means for transmitting from the second computer system to a third computer system for authorizing or denying credit m the payment processing.

14 An apparatus for initiating secure communication between a first and a second computer connected to a network for receiving and transmitting payment information, compnsmg-

(a) communication hardware utilized by a client to communicate information for use m said secure communication between a first and a second computer,

(b) a computer under the control of software which establishes secure communication between said first and said second computer via said network

(c) a computer under the control of software which repackages said payment mformation to comply with a third party secure protocol for further payment processing,

(d) means for reading a first smart card at the first computer;

(e) means for reading a second smart card at the second computer; and

⁽0 means for transferring value from said first smart card at the first computer to said second smart card at the second computer utilizing the network

15. A computer program embodied on a computer-readable medium in a first computer under the control of softwεire with an attached display and an mput device connected to a network for receiving and transmitting network mformation, compπsing

(a) a code segment for establishing a communication between a first computer and a second computer via sεud network;

(b) a code segment for identifying εm encryption procedure εmd a decryption procedure utilized by sεud first computer and said second computer;

(c) a code segment for transmitting encrypted authentication information from said second computer to said first computer,

(d) a code segment for receiving said encrypted a benticanon information at said first computer and decrypting the authentication information utilizing the decryption procedure;

(e) a code segment for reading a first smart card at said first computer;

(f) a code segment for reading a second smart card at said seconα computer; and

(g) a code segment for transferring value from said first smart card at said first computer to said second smart card at said second computer utilizing said network.

16. A computer program embodied on a computer- readable medium for authenticating and transfemng value from a first smart card attached to a first computer connected by network to a second smart card attached to a second computer connected by a network for receiving and transmitting network information, comprising' (a) a code segment for communicating secure information between said first and said second computer; (b) a code segment for establishing secure communication between said first and said second computer via said network; (c) a code segment for reading a first smart card attached to said first computer; (e) a code segment for reading a second smart card attached to said second computer; and (f) a code segment for transfemng value from said first smart card attached to said first computer through said secure communication between said first computer and said second computer via said network to said second smart card attached to said second computer.