WO2005062215A1 - Apparatus for financial account information management and method therefor - Google Patents

Apparatus for financial account information management and method therefor Download PDF

Info

Publication number
WO2005062215A1
WO2005062215A1 PCT/IB2004/000236 IB2004000236W WO2005062215A1 WO 2005062215 A1 WO2005062215 A1 WO 2005062215A1 IB 2004000236 W IB2004000236 W IB 2004000236W WO 2005062215 A1 WO2005062215 A1 WO 2005062215A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
account
payee
payer
storing
Prior art date
Application number
PCT/IB2004/000236
Other languages
French (fr)
Inventor
Ho Keung Tse
Original Assignee
Ho Keung Tse
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB0328806A external-priority patent/GB0328806D0/en
Priority claimed from GB0329882A external-priority patent/GB0329882D0/en
Application filed by Ho Keung Tse filed Critical Ho Keung Tse
Publication of WO2005062215A1 publication Critical patent/WO2005062215A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation or account maintenance

Definitions

  • the present invention relates to management of information received from a user for accessing his financial accounts, and particularly, to significantly reduce the risk for handling the confidential information.
  • an internet purchase is made by a user submitting his credit card information including an account number as well as a piece of information for identity authentication such as a password or the like, by means of an internet computer, to a merchant web site server which in turn submits the information to a credit card transaction centre for authentication of user identity and approval of the payment.
  • Transmission of such credit card information in Internet is vulnerable to hacker attack.
  • a merchant web site server would typically store the user credit card information in a secure data storage for the user future purchase use, but still a number of hacker attacks have been made to such secure data storage successfully.
  • FIG.1 is a timing diagram summarizing, a user registration procedure performed by a first embodiment of the present invention.
  • FIG.2 is a timing diagram summarizing, a user sign up procedure for effectuating a transaction. Detailed description of the preferred embodiments A First Embodiment -User Registration
  • a user registration procedure there is provided a user registration procedure.
  • FIG.l which summarizes the procedure, and provides separate time lines 10, 11 and 12 for showing respectively, steps performed by a user internet computer, a merchant web site server and a credit card transaction centre.
  • the merchant web site server receives user credit card information from the user internet computer and submits the same together with an identification code for identifying the merchant web site server itself as well as other information defining a transaction, to a credit card transaction centre, in a confidential manner, which may be by means of a secure communication link, or in an encrypted form.
  • the merchant web site server will erase all copies of the piece of information for identity authentication, of the user credit card information, existing in its digital memory system, for the sake of security.
  • the credit card transaction centre upon receiving those information from the merchant web site server, will authenticate the credit card information and if authentic, will approve the transaction if it meets with other criteria such as within a predetermined credit limit. Otherwise, the transaction will be denied. Further, if the credit card information being authentic, the credit card transaction centre will also store the credit account number into a table specific to the merchant web site in a secure data storage of its own for future reference, with no regard as to whether the transaction being accepted or not. It will also erase all copies of the piece of information for identity authentication in its memory, obtained directly or indirectly from the merchant web site server.
  • the merchant web site server upon receipt of an indication that the credit card information being authentic, from the credit card transaction centre, will also save the credit account number in a table of its own, in a secure data storage. Further, the merchant web site server will provide the user with a service account number and password, as well as saving the same in a location associated with the location storing the user's credit account number. Both locations are in the same above-mentioned table. In this way, the merchant web site server is capable of retrieving a user's credit account number from the table, once knowing his service account number.
  • This embodiment further reduce risks by having the credit card transaction centre to receive the user credit account information directly from the user, rather than through the merchant web site server.
  • the merchant web site server will request the user to select a credit card transaction centre from a list and then, according to the user's selection, contact the selected credit card transaction centre which will then send a small program to the user's computer.
  • the small program will open up a sub-window in the user's computer screen and request the user to enter his credit account information. Then, the small program will encrypt and submit the received user credit account information back to the credit card transaction centre.
  • credit card transaction centre will inform the merchant web site server of this fact as well as an account identifying number, which does not necessarily be same as the credit account number and may be a newly generated random number which not being previously used for the same account identifying purpose, and which is to be recorded in the 2 afore-mentioned tables under control of the credit card transaction centre and the merchant web site server respectively.
  • an account identifying number in place of the original credit account number enhances security, while providing the same functionality. And, the merchant web site will allow the registration accordingly.
  • FIG.2 is a timing diagram which summarizes a user sign up procedure for effectuating a transaction and provides separate time lines 13, 14 and 15 for showing respectively, steps performed by a user internet computer, a merchant web site server and a credit card transaction centre.
  • the merchant web site server will retrieve from the above-mentioned table of its own the credit account number which being associated with verified the service account number, in the manner as mentioned above, and submit it together with other necessary information including the merchant web site server's identification code, to the credit card transaction centre for approval of the transaction, in the confidential manner as mentioned above.
  • the credit card transaction centre will verify if the credit account number submitted is existing in the table specific to the merchant web site, and if it does exist, the credit card transaction centre will treat the user identity as authenticated without using the information for identity authentication and approve the transaction if it meets with other criteria such as within a predetermined credit limit.
  • the merchant web site server will treat the user identity as authenticated and provide the user the service as requested, without re-submitting to the credit card transaction centre any information for verification.
  • a user is required to access the credit card transaction centre directly by means of an internet computer, and then submit his credit card information.
  • the credit card transaction centre will provide a list of merchant web sites the user has registered in the past, to the user's computer, for to be displayed thereby.
  • the merchant web site has to inform the credit card transaction center which will record the identity of a merchant web site into the list corresponding to that user.
  • the credit card transaction centre can assume a successful registration is done when it informs a merchant web site that a user credit card information being authentic in the user registration procedure.
  • the credit card transaction centre will itself erase the user credit account number in all the tables specific to those selected merchant web sites in the above-mentioned secure data storage of its own, and further, it will inform the servers of those selected merchant web sites of the fact so that they will erase all service account records as well as the credit account numbers of the user in the above-mentioned tables under their respective control.
  • a debit account rather than a credit account, may be used instead.
  • user credit card information may be submitted to a merchant's computer by means of a dual tone telephone, rather than to the merchant's web site server by means of an internet computer.
  • a transaction may not necessarily be initiated by a user; it may be initiated by a merchant web site server for charging a registered user for monthly service fee or the like.
  • the credit card information may be stored in the user internet computer and submitted to the merchant web site server or credit card transaction centre when internet computer receives a specific command from the user.

Abstract

An apparatus for handling financial account information, comprising a merchant web site server and a transaction centre, and a method therefor. The merchant web site server submits an internet customer's information for accessing a financial account including a password or the like, to the transaction centre. Once the transaction centre determined the financial account information as authentic, it will store the financial account number in a table and approve any future transaction requests from the merchant web site server, having the financial account number therein but without the password or the like.

Description

Apparatus for Financial Account information Management and Method therefor
Field of the invention
The present invention relates to management of information received from a user for accessing his financial accounts, and particularly, to significantly reduce the risk for handling the confidential information.
Background of the invention
Conventionally, an internet purchase is made by a user submitting his credit card information including an account number as well as a piece of information for identity authentication such as a password or the like, by means of an internet computer, to a merchant web site server which in turn submits the information to a credit card transaction centre for authentication of user identity and approval of the payment. Transmission of such credit card information in Internet is vulnerable to hacker attack. In order to reduce risk and unnecessary hassle of repeated entry of the credit card information by a user, a merchant web site server would typically store the user credit card information in a secure data storage for the user future purchase use, but still a number of hacker attacks have been made to such secure data storage successfully. As such credit card information, unlike handwritten signatures or the like, capable of being repeatedly used, those hackers have caused very significant damages to the web merchants concerned and their customers. Further, those credit card information have in many circumstances become a means solely for user identity authentication purpose, for accessing a service which being restricted to a group of users, such as eBay bidding service, where no payment is required. Such merchant web site servers are perceived as high risk and many Internet surfers refrain from using their services or make purchases for worrying their credit card information being stolen. It is therefore an object of the present invention to provide an apparatus for reducing risk of transmission of such credit card information in Internet, by reducing the number of such transmissions to those that are absolutely necessary, and a method therefor. It is therefore another object of the present invention to provide an apparatus for reducing risk of storage of such credit card information in a merchant web site server, by eliminating the necessity of storing the information for identity authentication, and a method therefor.
Brief Description of the Drawings
FIG.1 is a timing diagram summarizing, a user registration procedure performed by a first embodiment of the present invention.
FIG.2 is a timing diagram summarizing, a user sign up procedure for effectuating a transaction. Detailed description of the preferred embodiments A First Embodiment -User Registration
According to a first embodiment of the present invention, there is provided a user registration procedure. Refer to FIG.l, which summarizes the procedure, and provides separate time lines 10, 11 and 12 for showing respectively, steps performed by a user internet computer, a merchant web site server and a credit card transaction centre. In the procedure, the merchant web site server receives user credit card information from the user internet computer and submits the same together with an identification code for identifying the merchant web site server itself as well as other information defining a transaction, to a credit card transaction centre, in a confidential manner, which may be by means of a secure communication link, or in an encrypted form. Then, the merchant web site server will erase all copies of the piece of information for identity authentication, of the user credit card information, existing in its digital memory system, for the sake of security. Note that a copy of the credit card account number is maintained; details will be discussed herein below. The credit card transaction centre, upon receiving those information from the merchant web site server, will authenticate the credit card information and if authentic, will approve the transaction if it meets with other criteria such as within a predetermined credit limit. Otherwise, the transaction will be denied. Further, if the credit card information being authentic, the credit card transaction centre will also store the credit account number into a table specific to the merchant web site in a secure data storage of its own for future reference, with no regard as to whether the transaction being accepted or not. It will also erase all copies of the piece of information for identity authentication in its memory, obtained directly or indirectly from the merchant web site server. On the other hand, the merchant web site server, upon receipt of an indication that the credit card information being authentic, from the credit card transaction centre, will also save the credit account number in a table of its own, in a secure data storage. Further, the merchant web site server will provide the user with a service account number and password, as well as saving the same in a location associated with the location storing the user's credit account number. Both locations are in the same above-mentioned table. In this way, the merchant web site server is capable of retrieving a user's credit account number from the table, once knowing his service account number.
A Second Embodiment
This embodiment further reduce risks by having the credit card transaction centre to receive the user credit account information directly from the user, rather than through the merchant web site server. Specifically, when a user visits the merchant web site by means of an internet computer and desires to make a registration for a service account and password, the merchant web site server will request the user to select a credit card transaction centre from a list and then, according to the user's selection, contact the selected credit card transaction centre which will then send a small program to the user's computer. The small program will open up a sub-window in the user's computer screen and request the user to enter his credit account information. Then, the small program will encrypt and submit the received user credit account information back to the credit card transaction centre. If the credit card information being determined by the credit card transaction centre as authentic, credit card transaction centre will inform the merchant web site server of this fact as well as an account identifying number, which does not necessarily be same as the credit account number and may be a newly generated random number which not being previously used for the same account identifying purpose, and which is to be recorded in the 2 afore-mentioned tables under control of the credit card transaction centre and the merchant web site server respectively. Using an account identifying number in place of the original credit account number enhances security, while providing the same functionality. And, the merchant web site will allow the registration accordingly.
User Sign Up
After the user registration procedure, if the same user visits the merchant web site again by means of an internet computer and desires to make a purchase, the user will have to do the sign up procedure. FIG.2 is a timing diagram which summarizes a user sign up procedure for effectuating a transaction and provides separate time lines 13, 14 and 15 for showing respectively, steps performed by a user internet computer, a merchant web site server and a credit card transaction centre. In the procedure, the user has to enter his service account number and password and, if the service account number and password being verified by the merchant web site server as valid, the merchant web site server will retrieve from the above-mentioned table of its own the credit account number which being associated with verified the service account number, in the manner as mentioned above, and submit it together with other necessary information including the merchant web site server's identification code, to the credit card transaction centre for approval of the transaction, in the confidential manner as mentioned above. The credit card transaction centre, will verify if the credit account number submitted is existing in the table specific to the merchant web site, and if it does exist, the credit card transaction centre will treat the user identity as authenticated without using the information for identity authentication and approve the transaction if it meets with other criteria such as within a predetermined credit limit. On the other hand, if the same user visits the merchant web site again and desires to use a service which requires identity authentication but for which no payment is necessary, the user will also have to enter the service account number and password and, if the service account number and password being verified by the merchant web site server as valid, the merchant web site server will treat the user identity as authenticated and provide the user the service as requested, without re-submitting to the credit card transaction centre any information for verification.
De-registration
A user is required to access the credit card transaction centre directly by means of an internet computer, and then submit his credit card information. After authenticating the submitted credit card information as valid, the credit card transaction centre will provide a list of merchant web sites the user has registered in the past, to the user's computer, for to be displayed thereby. To establish such a list, every time a merchant web site does a successful user registration with a user, the merchant web site has to inform the credit card transaction center which will record the identity of a merchant web site into the list corresponding to that user. Basically, the credit card transaction centre can assume a successful registration is done when it informs a merchant web site that a user credit card information being authentic in the user registration procedure. The user will be prompted to make a selection of which merchant web sites he desires to do de-registration. Then the credit card transaction centre will itself erase the user credit account number in all the tables specific to those selected merchant web sites in the above-mentioned secure data storage of its own, and further, it will inform the servers of those selected merchant web sites of the fact so that they will erase all service account records as well as the credit account numbers of the user in the above-mentioned tables under their respective control.
Other Alternatives
In the above embodiments, a debit account, rather than a credit account, may be used instead. Further, user credit card information may be submitted to a merchant's computer by means of a dual tone telephone, rather than to the merchant's web site server by means of an internet computer. Still further, a transaction may not necessarily be initiated by a user; it may be initiated by a merchant web site server for charging a registered user for monthly service fee or the like. Even still further, the credit card information may be stored in the user internet computer and submitted to the merchant web site server or credit card transaction centre when internet computer receives a specific command from the user. It should be noted that the above embodiments are given by way of example only, and it will be obvious to those skilled in the art that various changes and modifications may be made without departing from the spirit of the present invention.

Claims

1. A method for handling financial account information, comprising the steps of : causing by a payee apparatus, an authentication apparatus to obtain directly or indirectly first information for accessing a financial account, from a payer ; determining by said authentication apparatus, authenticity of said first information ; if said first information being determined as authentic, storing by said payee apparatus and said authentication apparatus, second information for identifying said financial account into two different storing means under their respective control ; thereafter retrieving from said storing means under said payee apparatus control, by said payee apparatus, said second information ; submitting by said payee apparatus, a transaction request to said authentication apparatus, together with said second information retrieved ; using by said authentication apparatus, said second information retrieved being existing in said storing means under said authentication apparatus control as a precondition for approving said request, without using said first information .
2. A method as claimed by claim 1, wherein said payer being a person.
3. A method as claimed by claim 1, wherein said payer being an internet computer.
4. Apparatus for handling financial account information, comprising : a first payee system, comprising : means for receiving first information for accessing an account, from a first payer ; means for submitting said first information to an authentication system ; means for receiving from said an authentication system, an indication as to authenticity of said first information ; means for storing second information for identifying said financial account, if said first information being indicated as authentic ; means for providing a service account identifier to said first payer or be under control thereof, if said first information being indicated as authentic and for associating said second information with said service account ; thereafter means for receiving from a payer, say, second payer, said service account identifier ; means for retrieving from said storing means, second information associated with the service account as identified by said service account identifier received ; means for creating a transaction request initiated by said second payer, and including said retrieved second information in said transaction request ; means for submitting said transaction request to said authentication system; said authentication system, comprising : means for authenticating said first information, basing on third information specific to said first payer ; means for storing said second information for identifying said account, if said first information being authentic ; means for receiving said transaction request ; means for using said retrieved second information in said transaction request being existing in said storing means of said authentication system as a precondition for approving said request, without using said first information .
5. Apparatus for handling financial account information as claimed in claim 4, wherein said apparatus comprising a plurality of payee systems, said first payee system being one of said plurality of payee systems each comprising a means for storing said second information ; said authentication system further comprising : means for receiving fourth information for accessing an account through an internet computer from a user ; means for authenticating said fourth information, basing on said third information specific to said first payer ; means for using said fourth information being authentic as a precondition for causing said computer to display a list of payee systems ; means for receiving a selection of at least one from said list, from said user ; means for requesting said at least one selected payee system to invalidate said second information in said storing means of said at least one selected payee system .
6. Apparatus for handling financial account information, comprising : means for causing an authentication system to obtain directly or indirectly, first information for accessing a financial account, from a payer ; means for receiving from said authentication system an indication as to authenticity of said first information ; means for storing second information for identifying said financial account, if said first information being indicated as authentic ; means for generating a transaction request, comprising ; means for retrieving said second information from said storing means ; means for submitting said transaction request to said authentication system, including said second information retrieved therein ; wherein said transaction request containing no said first information.
7. An apparatus as claimed by claim 6, wherein said first information including a password for accessing a credit account and said second information being the account number of said credit account.
8. An apparatus as claimed by claim 6, wherein said second information being a newly generated random number.
9. Apparatus for handling financial account information, comprising : means for receiving a signal from a payee system and being responsive to said signal for obtaining directly or indirectly, first information for accessing a financial account, from a payer ; means for authenticating said first information ; means for storing second information for identifying said account, if said first information being authentic ; means for approving a transaction request, comprising : means for receiving said transaction request from said payee system ; means for extracting from said transaction request, a third information; means for verifying said third information being consistent with said stored second information ; means for using a positive result of said verification as a precondition for generating a signal indicating approval of said transaction.
PCT/IB2004/000236 2003-12-12 2004-02-02 Apparatus for financial account information management and method therefor WO2005062215A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0328806.5 2003-12-12
GB0328806A GB0328806D0 (en) 2003-12-12 2003-12-12 Apparatus for account info management and method therefor
GB0329882.5 2003-12-24
GB0329882A GB0329882D0 (en) 2003-12-24 2003-12-24 Apparatus for account information management and method therefor

Publications (1)

Publication Number Publication Date
WO2005062215A1 true WO2005062215A1 (en) 2005-07-07

Family

ID=34712698

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2004/000236 WO2005062215A1 (en) 2003-12-12 2004-02-02 Apparatus for financial account information management and method therefor

Country Status (1)

Country Link
WO (1) WO2005062215A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5988497A (en) * 1996-05-30 1999-11-23 Mci Communications Corporation Method for authenticating credit transactions to prevent fraudulent charges
US6047268A (en) * 1997-11-04 2000-04-04 A.T.&T. Corporation Method and apparatus for billing for transactions conducted over the internet

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5988497A (en) * 1996-05-30 1999-11-23 Mci Communications Corporation Method for authenticating credit transactions to prevent fraudulent charges
US6047268A (en) * 1997-11-04 2000-04-04 A.T.&T. Corporation Method and apparatus for billing for transactions conducted over the internet

Similar Documents

Publication Publication Date Title
US9123044B2 (en) Generation systems and methods for transaction identifiers having biometric keys associated therewith
US7933835B2 (en) Secure money transfer systems and methods using biometric keys associated therewith
CA2878813C (en) System and method for verifying a financial instrument
RU2438172C2 (en) Method and system for performing two-factor authentication in mail order and telephone order transactions
US20060173776A1 (en) A Method of Authentication
US20120290482A1 (en) System and method for identity verification and management
US20020032663A1 (en) Apparatus and method for performing secure network transactions
CN109218298A (en) A kind of application data access method and system
AU2001271968A1 (en) System and method for verifying a financial instrument
KR20190107601A (en) Method and system for the generation of user-initiated federated identities
KR20010087564A (en) User authentification system and the method using personal mobile device
GB2476054A (en) Voice authentication of bill payment transactions
WO2005062215A1 (en) Apparatus for financial account information management and method therefor
JP2002024534A (en) Contents selling intermediation system, contents selling intermediary server and contents selling intermediation method
WO2000046724A1 (en) Method for authorizing access to a secure online financial transaction system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase