Patent abstract:

Publication number: ES2643420T9
Application number: ES04290614T
Filing date: 2004-03-05
Publication date: 2019-04-15
Inventors: Grégoire Mardinian; Gérard Compain
Applicant: Ingenico Group SA
Main IPC class:
Description:

[0001] Secure payment terminal
[0002] The invention concerns payment systems, and more particularly payment terminals.
[0003] Payment systems generally comprise tills or cash registers. These are now usually associated with payment terminals, which allow payment by bank card to be secured. There are also payment terminals used independently of any cash register. Certain terminals have one or more card readers, a display such as an LCD screen and a keyboard (or "pin-pad" in English) that allow the user to enter and validate a personal identification code. Other terminals do not have a keyboard, the personal identification code being entered on a separate peripheral. As an example, the company Ingenico sells a fixed terminal under the "Elite 510" brand, consisting of a first housing with a printer, a screen, a card reader and a keyboard, and a second housing attached to the first and presenting a keyboard, a screen and an optional card reader. The second housing can be used by the client to enter his personal identification code. The Ingenico company also markets a portable terminal under the "Elite 730" brand, with a printer, a card reader, a keyboard and a screen. The terminal communicates by infrared link with its base.
[0004] For more details on the structure and operation of such terminals, see the "Manuel de Paiement Electronique" of the bank card grouping.
[0005] Payment terminals are subject to security requirements intended to prevent fraud, as specified in the VISA SPED specifications. These requirements concern the physical design of the terminals. In addition, insofar as the terminals can accept non-proprietary applications, the requirements also concern the design of the applications executed in these terminals. In particular, it is important to check that an application installed in the terminal after its delivery by the manufacturer cannot, through a message displayed on the terminal screen, prompt the user to enter his personal identification code on the keyboard and then collect this code.
[0006] Figure 1 shows a schematic view of the UNICAPT 16 architecture (registered trademark) used by the company Ingenico in payment terminals, such as the aforementioned Elite 510 and Elite 730 terminals. Figure 1 shows the secure part 2 of the terminal, which is attached to the display 6, the card reader 4 and the keyboard 8. This secure part 2 is implemented, for example, by a secure component of the type marketed under the reference DS5002 by the company DALLAS. An unsecured component 10 is connected to the secure part 2 of the terminal by a link 16 using the I2C protocol. This unsecured component 10 allows applications, represented schematically at 12 in Figure 1, to be downloaded into a memory 14 of component 10. An unsafe application 12 cannot directly access the display and the keyboard. In other words, an unsafe application is not allowed to address the display directly or to collect directly from the keyboard information entered by the user. Any access by the unsafe application 12 to the display 4 and to the keyboard 6 goes through the secure part 2 of the terminal. More specifically, one solution consists of authorizing the unsecured application 12 to show information on the display 4, but locking the keyboard keys while such information is displayed; in this way, even if the unsafe application invites the user to enter their personal identification code on the keyboard, the code entered by the user will not be transmitted to the application. This solution guarantees the required security. However, it does not allow an application to collect data entered on the keyboard by the user.
[0007] Another solution is to sign the displays. Displays are authorized, for example by the owner of the terminal. The secure part of the terminal may allow an unsecured application to use the keyboard when the secure part verifies that the display sent to the screen is an authorized display carrying a signature. This solution increases application development time: any modification of an unsecured application requires obtaining new signatures for its displays. This solution is described in US-A-5493613 or in US-A-6226749.
[0008] There is therefore a need for a payment terminal, which satisfies the security requirements, but which nevertheless allows for simple implementation and application execution.
[0009] The invention therefore proposes, in one embodiment, a payment terminal, which has a keyboard, a display and a card reader, a first software adapted to control the keyboard, the display and the card reader, a second software adapted to access the keyboard and the display through the first software, the first software being adapted to restrict the access of the second software to the keyboard or the display as soon as a card is received in the card reader.
[0010] It can also be provided that the terminal has one or more of the following characteristics:
[0011] - the first software is adapted to restrict the access of the second software to the keyboard and to the display as soon as a card is received in the card reader;
[0012] - the first software is adapted to restrict the access of the second software to the keyboard or to the display as soon as a card containing a given application is received in the card reader;
[0013] - the first software is adapted to restrict the access of the second software to the keyboard or to the display as soon as a given application of the card is selected by the terminal;
[0014] - the terminal has an unsafe state in which the second software freely accesses the keyboard and the display;
[0015] - the terminal goes into the unsafe state at the expiration of a duration following receipt of a card in the reader;
- the terminal goes into the unsafe state when a card is removed from the reader;
[0016] - the terminal goes into unsafe state when the first software recognizes the introduction of a personal identification code on the keyboard;
[0017] - the keypad has a validation key and the terminal goes to the non-secure state when the validation key is activated;
[0018] - In the non-secure state, the second software freely accesses the card reader.
[0019] The invention further proposes a method of operating a payment terminal that has a keyboard, a display and a card reader, a first software adapted to control the keyboard, the display and the card reader, and a second software adapted to access the keyboard and the display through the first software; the method comprises a step of restriction by the first software of the access of the second software to the keyboard or to the display as soon as a card is received in the card reader.
[0020] The method may comprise a step of reading the card received in the reader, the first software restricting the access of the second software to the keyboard or to the display when a given application is read on the card.
[0021] The method may further comprise a step of selecting an application of the card by the terminal, the first software restricting the access of the second software to the keyboard or to the display when a given application is selected by the terminal.
[0022] The method may also comprise a step of releasing the access of the second software to the keyboard and to the display.
[0023] Other features and advantages of the invention will become apparent on reading the detailed description that follows of the embodiments of the invention, given only by way of example and referring to the drawings, which show:
[0024] - figure 1, a schematic view of the architecture of a terminal of the state of the art;
[0025] - figure 2, a schematic view of the logical architecture of a terminal according to the invention;
[0026] - figure 3, a diagram of state of the terminal of figure 2.
[0027] The invention proposes a payment terminal which operates in a safe mode and in an unsecured mode. The terminal features secure software that governs the terminal's keyboard, display and card reader. It also has unsecured software that accesses the keyboard and the display through the first software. In the secure mode, the secure software restricts access by the unsecured software to the keyboard or display. The terminal goes into safe mode as soon as a card is received in the reader. Thus, the terminal is safe, but it also allows the execution of secure applications.
[0028] Figure 2 shows a schematic view of the logical architecture of a terminal according to the invention. The figure shows the keyboard controller 20, the display controller 22 and the reader controller 24. The software executed in the terminal comprises secure software, represented at 26 in Figure 2; it is typically the software originally installed by the terminal manufacturer. The secure software 26 drives the different controllers, as represented in Figure 2 by solid lines joining the secure software 26 and the controllers 20, 22 and 24. Figure 2 is a representation of the software architecture and, strictly speaking, the software drives the controllers 20, 22 and 24. By abuse of language, it is also said that the software drives the screen, the display or the keyboard, although there is a software interface in between, namely the corresponding controller.
[0029] The software executed in the terminal also comprises unsecured software, represented at 28 in Figure 2. It can be, for example, software downloaded by the user of the terminal. The unsafe software drives the keyboard and display controllers 20 and 22 through the secure software 26, as represented in Figure 2 by dashed lines that join the unsafe software 28 to the controllers 20 and 22 through the secure software 26.
[0030] The terminal has at least two operating modes, as represented by the state diagram of Figure 3. In a secure mode 30, the secure software 26 restricts access of the unsecured software to the keyboard controller 20, to the display controller 22 or to both. The restriction depends on the desired level of security: messages may be allowed on the display while keyboard entry is blocked; display may also be prevented while keyboard entry is authorized. Finally, it is possible to prevent any unsecured software from accessing the keyboard and the display. In an application with a personal identification code, it may be sufficient to block the unsecured software's access to the keyboard to prevent this software from collecting a code entered by a user; it is also possible to prevent the access of the unsecured software to the screen in order to avoid any invitation to the user to enter his code.
[0031] The terminal has a second operating mode 32, referred to as unsecured. In this unsafe mode, the unsafe software 28 freely addresses the keyboard controller 20 and the display controller 22. This allows an application to address the display and keyboard freely, without particular limitations on the development of the application. The development of the application or its modification can therefore be carried out more simply than in the state of the art.
[0032] The terminal goes from unsafe mode to safe mode as soon as a card is received in the reader, as represented by arrow 34 in figure 2. In the case of a memory card reader, the passage from unsafe mode to safe mode can be triggered by the detection of the presence of a card in the reader; the switch from unsafe mode to safe mode can also take place as soon as the memory card reading protocol has recognized a valid card. In the case of a magnetic track reader, the passage from the unsafe mode to the safe mode can take place as soon as a track is read by the reader. If the terminal has several card readers, of different types or of the same type, the passage from the unsafe mode to the secure mode can take place as soon as a card is read in one of the readers.
[0033] The transition from the unsafe mode to the secure mode can also take place when a card containing at least one specific application is read in the reader.
[0034] Thus, the first secure software 26 is adapted to restrict the access of the second unsecured software 28 to the keyboard or to the display according to the type of card inserted in the card reader or according to the type of application selected on the card. The cards can in fact contain several different applications that the terminal can select. By application is meant software or directories stored on the card, such as software (directories) of debit, credit or loyalty type, directories, etc.
[0035] Thus, if a card containing a banking application is inserted in the card reader, the first software can restrict the access of the second software to the keyboard and to the display. If a card simply contains a customer loyalty application, the first software can restrict only keyboard access and allow display. The card reading protocol reads the memory of the card inserted in the card reader and can identify the type of application contained in the card. This reading is interpreted by the first software, which then adapts accordingly the restriction of access of the second software to the keyboard or to the display. The restriction can also be adapted only after the selection by the terminal of one of the applications of the card. Switching to secure mode when a card is received in the reader guarantees security: an unsecured application cannot invite the cardholder to enter their personal identification code when the card is in the terminal, or collect this code. To the extent that users know that the personal identification code should only be entered on the keyboard when the card is in the reader, the payment terminal is secure.
[0036] The passage from safe mode 30 to unsafe mode 32 can be effected in different ways. In the example of figure 3, arrow 36 represents the passage when the card is removed from the reader. This solution is especially suited to memory card readers. It ensures that as long as the card is in the reader, the terminal remains in safe mode. It can also be provided that the terminal goes into secure mode after recognition by the secure software of a personal identification code. In this case, the security rests on the hypothesis that the user does not enter his personal identification code twice in a row. It can also be provided that the keyboard has a validation key and that the terminal goes into unsafe mode after validation from the keyboard; in this case, the security rests on the hypothesis that any entry of the personal identification code is followed by a validation from the keyboard. This is equivalent to switching from safe mode to unsafe mode upon an action on a given keyboard key. The switch to unsafe mode could also take place when a key sequence (and not just a single key) is activated on the keyboard. The switch to unsecured mode could also take place at the expiration of a duration (fixed or programmable) after passing to secure mode; this leaves the secure software time to collect the personal identification code. More generally, the passage from safe mode to unsafe mode depends on the desired level of security and the hypotheses about the behavior of the cardholder.
[0037] On power-up, the terminal can be started in one or the other of the modes. In particular, it can start in safe mode and go to unsafe mode if it is found that the reader does not contain a card. This solution avoids possible problems in case of starting with a card inserted in the reader.
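The state diagram of Figure 3 and the access gate of paragraphs [0030] to [0037], as an added C example that is not part of the patent text or of any Ingenico code. All type and function names are hypothetical; only card insertion, card removal and the validation-key exit are modelled, and fully restricting an unidentified card is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names throughout: this models the description, not real firmware. */
enum mode { MODE_SECURE, MODE_UNSECURED };
enum card_app { APP_NONE, APP_LOYALTY, APP_BANKING };
enum event { EV_CARD_INSERTED, EV_CARD_REMOVED, EV_VALIDATE_KEY };
enum resource { RES_KEYBOARD = 1, RES_DISPLAY = 2 };

struct terminal {
    enum mode mode;
    unsigned blocked;        /* resources denied to the unsecured software */
    bool exit_on_validate;   /* optional exit policy described in [0036] */
};

/* Restriction chosen from the application read on the card ([0035]). */
static unsigned restriction_for(enum card_app app)
{
    if (app == APP_LOYALTY)
        return RES_KEYBOARD;               /* display stays available */
    return RES_KEYBOARD | RES_DISPLAY;     /* banking or unidentified: deny both */
}

/* Power-up ([0037]): start secure, relax only if the reader is empty. */
void terminal_boot(struct terminal *t, bool card_in_reader, bool exit_on_validate)
{
    t->mode = MODE_SECURE;
    t->blocked = RES_KEYBOARD | RES_DISPLAY;
    t->exit_on_validate = exit_on_validate;
    if (!card_in_reader) {
        t->mode = MODE_UNSECURED;
        t->blocked = 0;
    }
}

/* Transitions driven by the secure software 26. */
void terminal_event(struct terminal *t, enum event ev, enum card_app app)
{
    switch (ev) {
    case EV_CARD_INSERTED:                 /* arrow 34: unsafe -> safe */
        t->mode = MODE_SECURE;
        t->blocked = restriction_for(app);
        break;
    case EV_CARD_REMOVED:                  /* arrow 36: safe -> unsafe */
        t->mode = MODE_UNSECURED;
        t->blocked = 0;
        break;
    case EV_VALIDATE_KEY:                  /* honoured only if configured */
        if (t->mode == MODE_SECURE && t->exit_on_validate) {
            t->mode = MODE_UNSECURED;
            t->blocked = 0;
        }
        break;
    }
}

/* Every keyboard or display request from unsecured software 28 passes here. */
bool unsecured_may_access(const struct terminal *t, enum resource r)
{
    return t->mode == MODE_UNSECURED || (t->blocked & (unsigned)r) == 0;
}

int main(void)
{
    struct terminal t;

    terminal_boot(&t, false, false);
    printf("idle: keyboard=%d display=%d\n",
           unsecured_may_access(&t, RES_KEYBOARD),
           unsecured_may_access(&t, RES_DISPLAY));

    terminal_event(&t, EV_CARD_INSERTED, APP_LOYALTY);
    printf("loyalty card: keyboard=%d display=%d\n",
           unsecured_may_access(&t, RES_KEYBOARD),
           unsecured_may_access(&t, RES_DISPLAY));

    terminal_event(&t, EV_CARD_INSERTED, APP_BANKING);
    printf("banking card: keyboard=%d display=%d\n",
           unsecured_may_access(&t, RES_KEYBOARD),
           unsecured_may_access(&t, RES_DISPLAY));
    return 0;
}
```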
[0038] The terminal of Figures 2 and 3 allows great freedom in the design, development or modification of non-proprietary or non-secure applications. However, it ensures a high level of security.
[0039] From the hardware point of view, the terminal of Figures 2 and 3 can be realized in any way. A hardware architecture similar to that of Figure 1 can be used, but any other hardware architecture is possible. The security of the terminal can be based solely on software solutions, described in Figure 2, or also on a combination of software and hardware means.
[0040] Naturally, the present invention is not limited to the embodiments described by way of example; thus, more states than those shown in figure 3 can be provided. It can also be provided that the change of state of the terminal is effected in another way than that represented in figure 3. Thus, the terminal could pass back to the unsafe mode after reading a card and after having identified that the card is not a protected card; this solution allows the terminal to be used for reading and writing on cards managed by unsecured software 28 and not necessarily recognized by secure software. It can be envisaged, especially in this case, that unsafe software can also drive reader control 24 in unsafe mode.
[0041] As in the state of the art, display signature solutions can also be provided. In other words, the restriction put into practice by secure software is not necessarily a total prohibition as in the example, but can be based on a signature or authorization mechanism.
[0042] List of references
[0043] 2 safe part
[0044] 4 viewer
[0045] 6 card reader
[0046] 8 keyboard
[0047] 10 unsafe component
[0048] 12 application
[0049] 14 memory of the unsafe component
16 connection
[0050] 20 keyboard control
[0051] 22 display control
[0052] 24 reader control
[0053] 26 secure software
[0054] 28 unsafe software
[0055] 30 safe mode
[0056] 32 unsafe mode
[0057] 34 card reading
[0058] 36 card withdrawal
Claims:
Claims (12)
[1]
1. A payment terminal, which has a keyboard (20), a display (22) and a card reader (24), a first software (26) adapted to control the keyboard (20), the display (22) and the card reader (24), a second software (28) adapted to access the keyboard (20) and the display (22) through the first software, said terminal having at least the following two states:
• an unsafe state in which the second software freely accesses the keyboard and the display;
• a secure state in which the access of the second software to the keyboard or to the display is prohibited or subjected to an authorization mechanism by the first software;
and said terminal being characterized in that it implements means for detecting the presence of a card in said card reader, said detection of the presence of a card in said card reader passing said terminal from said unsafe state to the aforementioned secure state.
[2]
2. The terminal of claim 1, characterized in that, in said secure state, the access of the second software to the keyboard or to the display is prohibited or subjected to an authorization mechanism by the first software when a given application is identified in the memory of the card detected in the card reader.
[3]
3. The terminal of claim 2, characterized in that, in said secure state, the access of the second software to the keyboard or to the display is prohibited or subjected to an authorization mechanism by the first software when said given application identified in the said memory of said card detected in the card reader is selected by the terminal.
[4]
4. The terminal of claim 1, characterized in that the terminal goes into the unsafe state at the expiration of a duration after said detection of the presence of said card in the reader.
[5]
5. The terminal of claim 1, characterized in that the terminal goes into the non-secure state when said card is removed from the reader.
[6]
6. The terminal of claim 1, characterized in that the terminal goes into the non-secure state when the first software recognizes the introduction on the keypad of a personal identification code.
[7]
7. The terminal of claim 1, characterized in that the keyboard has a validation key and that the terminal goes to the non-secure state when the validation key is activated.
[8]
8. The terminal of claim 1, characterized in that in the non-secure state, the second software freely accesses the card reader.
[9]
9. A method of operating a payment terminal that has a keyboard (20), a display (22) and a card reader (24), a first software (26) adapted to control the keyboard (20), the display (22) and the card reader (24), a second software (28) adapted to access the keyboard (20) and the display (22) through the first software, the first software making it possible to restrict the access of the second software to the keyboard or the display in a secure state, characterized in that the method comprises:
• a step of detecting the presence of a card in the card reader, said detection of the presence of a card in the card reader passing said terminal from an unsafe state to said secure state.
[10]
10. The method of claim 9, characterized in that it comprises a step of reading the memory of the card detected in the reader and in that the aforementioned step of prohibition or submission to an authorization mechanism by the first software of the access of the second software to the keyboard or to the display is put into practice when a given application is identified in said memory of the card.
[11]
11. The method of claim 10, characterized in that it comprises a step of selecting an application of the card by the terminal and in that the aforementioned step of prohibition or submission to an authorization mechanism by the first software of the access of the second software to the keyboard or to the display is put into practice when said given application identified in said memory of the card is selected by the terminal.
[12]
12. The method of one of claims 9 to 11, characterized in that it comprises a step of free access of the second software to the keyboard and to the display.
Similar technologies:
Publication number | Publication date | Title
ES2643420T3|2017-11-22|Secure payment terminal
ES2502341T3|2014-10-03|Secure payment system in a wireless communications network
US6669100B1|2003-12-30|Serviceable tamper resistant PIN entry apparatus
ES2403039T3|2013-05-13|System and method of code identification
US6957338B1|2005-10-18|Individual authentication system performing authentication in multiple steps
ES2844348T3|2021-07-21|Smart card with means of verification
ES2432503T3|2013-12-03|Procedure and execution control device for internal functions and protected applications integrated in microcircuit cards for mobile terminals
US6273335B1|2001-08-14|System and method for locking and unlocking an application in a smart card
EP2368205B1|2013-03-13|Method for using a captcha challenge to protect a removable mobile flash memory storage device
JP4409056B2|2010-02-03|LSI, LSI mounted electronic device, debugging method, LSI debugging device
JPH0734215B2|1995-04-12|IC card
KR100914905B1|2009-08-31|Smart Card Having Function of One Time Password Generation and Electronic Banking System Using That
ES2393220T3|2012-12-19|Method and system for increasing security in the development of electronic signatures by means of a chip card
US7246375B1|2007-07-17|Method for managing a secure terminal
WO2007033100A1|2007-03-22|Secure credit card and method and apparatus for utilizing the same
ES2699731T3|2019-02-12|Method and system for games
ES2707504T3|2019-04-03|Device for processing data from a contactless smart card, procedure and corresponding computer program
ES2336543T3|2010-04-14|DATA PROCESSING WITH A KEY.
ES2673187T3|2018-06-20|Non-authentic card detection procedure with microprocessor, microprocessor card, card reader terminal and corresponding programs
US7886967B2|2011-02-15|Apparatus and method of entering an authorization code into a chip card terminal
JP2007072777A|2007-03-22|Transaction system
ES2231516T3|2005-05-16|SECURITY OF ACCESS BY SECRET CODE TO A DATA PROCESSING MEDIA.
ES2688838T3|2018-11-07|Procedure of self-detection of an attempt to hack a corresponding electronic payment card, card, terminal and program
KR100232086B1|1999-12-01|A secure memory card
JP2006012104A|2006-01-12|Authentication system
Patent family:
Publication number | Publication date
ES2643420T3|2017-11-22|
FR2852717B1|2005-06-03|
EP1460593B1|2017-07-12|
EP1460593B9|2019-03-06|
EP1460593A1|2004-09-22|
PL1460593T3|2018-01-31|
FR2852717A1|2004-09-24|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Title

CA2078020C|1992-09-11|2000-12-12|Rodney G. Denno|Combination pin pad and terminal|
WO1997005551A1|1995-07-31|1997-02-13|Verifone, Inc.|Method and apparatus for operating resources under control of a security module or other secure processor|
US7171560B2|1998-06-22|2007-01-30|Semtek Solutions, Inc.|Method and apparatus for securing and authenticating encoded data and documents containing such data|
US7543151B2|1996-02-15|2009-06-02|Semtek Innovative Solutions Corporation|Method and apparatus for securing and authenticating encoded data and documents containing such data|
US7309012B2|2004-09-07|2007-12-18|Semtek Innovative Solutions, Inc.|Secure magnetic stripe reader for handheld computing and method of using same|
US7506812B2|2004-09-07|2009-03-24|Semtek Innovative Solutions Corporation|Transparently securing data for transmission on financial networks|
US8769275B2|2006-10-17|2014-07-01|Verifone, Inc.|Batch settlement transactions system and method|
US9123042B2|2006-10-17|2015-09-01|Verifone, Inc.|Pin block replacement|
US8355982B2|2007-08-16|2013-01-15|Verifone, Inc.|Metrics systems and methods for token transactions|
EP2201475B1|2007-10-10|2020-07-29|Gilbarco Inc.|System and method for controlling secure and non-secure content at dispenser or retail device|
US9361617B2|2008-06-17|2016-06-07|Verifone, Inc.|Variable-length cipher system and method|
US8144940B2|2008-08-07|2012-03-27|Clay Von Mueller|System and method for authentication of data|
US8251283B1|2009-05-08|2012-08-28|Oberon Labs, LLC|Token authentication using spatial characteristics|
FR2955683B1|2010-01-25|2012-08-17|Ingenico Sa|PORTABLE ELECTRONIC PAYMENT TERMINAL SUITABLE FOR EXECUTING UNCERTIFIED PROGRAMS|
US8605044B2|2010-02-12|2013-12-10|Maxim Integrated Products, Inc.|Trusted display based on display device emulation|
EP2775421B1|2013-03-05|2019-07-03|Wincor Nixdorf International GmbH|Trusted terminal platform|
FR3038422B1|2015-07-03|2017-07-28|Ingenico Group|SECURING A VALIDATION OF A CHARACTER SEQUENCE, METHOD, DEVICE AND CORRESPONDING COMPUTER PROGRAM PRODUCT|
Legal status:
Priority:
Application number | Filing date | Title
FR0303297|2003-03-18|
FR0303297A|FR2852717B1|2003-03-18|2003-03-18|SECURE PAYMENT TERMINAL|