FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(See section 10, rule 13)
“SYSTEM AND METHOD OF COMMUNICATION
BETWEEN MULTIPLE ENTITIES TO ENABLE ONE TAP
TRANSACTION”
PAYU PAYMENTS PRIVATE LIMITED, PayU
Payments Private Limited., Unit NO: 701 (P), A-Wing, Eureka
Towers, Building No: 7, Mind Space, Malad (W), Mumbai –
400 064, India
The following specification particularly describes the invention and the manner in which
it is to be performed.
FIELD OF THE INVENTION:
[0001] The present invention relates to system and method for faster and safer online
transactions. More particularly, the present invention relates to system and method for
communication between one or more entities comprising first server, third party server, card
issuing authentication server and user device for performing one tap transaction.
BACKGROUND OF THE INVENTION:
[0002] Massive improvements in internet technology in the last decade have changed the
paradigm of human lives in various aspects such as net-banking, online shopping, payment of
utility bills etc., making people more and more dependent on such services to fulfill their
daily needs. In particular, to do an online transaction to avail any of the above services a user
may have to provide his debit/credit card details such as card number, expiry date etc., to a
merchant, through a secured connection. Said details from the merchant are passed to a server of
a secured payment gateway, for authorization. The payment gateway then passes these details to
an authorization party, which may be your bank, for authorization. The authorization party upon
verifying such details may then send authorization response to the server of the payment
gateway, which then sends the authorization to the merchant for completing the transaction.
[0003] In conventional technologies the user may have to enter the card parameters every
time he/she performs a transaction. That means if a user avails online services provided by
various vendors, he/she has to repeat the above steps on every transaction, which is a time-consuming
process. An alternative solution to the above problem may be saving the card
parameters of the user at the payment gateway server or merchant server, such that they may be
used in all future transactions, without re-entering. However, although this process looks harmless, it
involves a lot of risk as the card details of the user always reside with the other party.
[0004] Thus, in order to mitigate such risk and make the process faster, there exists a need
of a system and method that not only eradicates the need of entering card details for each
transaction, but also save the card parameters with a third party in a secured manner, for all
future transactions.
SUMMARY OF THE INVENTION:
[0005] In an aspect, the present invention relates to a method for communication
between one or more entities comprising first server, third party server, card issuing
authentication server and user device for performing one tap transaction. The method includes
receiving, by the first server, card data of a user from the user device, said card data comprising
credentials which are to be stored and at least one credential which is not to be stored.
Encrypting, by the first server, the credentials which are to be stored using a first key, wherein
the first key is generated by and stored in a hardware security unit and then storing, by the first
server, said encrypted credentials in a secure database. The method of present invention further
includes encrypting, by the first server, at least one credential which is not to be stored into a
cipher text, using a second key, wherein the second key is generated by and stored in the
hardware security unit. Splitting, by the first server, said cipher text into first and second strings
of variable lengths. Once the splitting is completed, storing, by the first server, exactly one of
the two strings obtained in the previous step, in the secure database and transmitting, by the first
server, the other of the two strings to the third-party server for storage. Said method may further
include receiving, by the first server, the stored string from the third-party server, in response to
a request to proceed with payment being received from the user device. Combining, by the first
server, the two strings in the right order into a single string and decrypting, by the first server,
said single string using the second key to retrieve the credentials not to be stored. Said method
then moves to the next step of receiving, by the user device, one time password from the card
issuing authentication server, in response to the authentication request of the credentials of the
user by the card issuing authentication server and automatically updating, by the user device,
said one time password into the card issuing authentication server to complete the authentication
request.
[0006] In another aspect of the present invention, the first server relates to a server of a
payment gateway, the third-party server relates to a server of a merchant and the card issuing
authentication server relates to a bank.
[0007] In yet another aspect, the card credentials which are to be stored include name of
the user, primary account number (PAN), expiry date and the at least one card credential which
is not to be stored includes card verification value (CVV).
[0008] In still another aspect, the method includes performing authentication of the
credentials by the card issuing authentication server, prior to encryption.
[0009] In yet another aspect, the step of performing authentication prior to encryption
comprises transmitting, by the first server, the credentials to the card issuing authentication server,
verifying, by the card issuing authentication server, credentials received from the first server and
sending, by the card issuing authentication server, the one time password to the user device. Said
method further includes receiving, by the card issuing authentication server, the same one time
password back from the user device and sending, by the card issuing authentication server, a
message to the first server indicating the authentication being positive or negative, wherein the
encryption is performed by the first server if the message indicates the authentication is positive.
[0010] In still another aspect, the encrypted credentials stored at the first server are
associated with a unique label for the user.
[0011] In yet another aspect, the present invention relates to a system for communication
between one or more entities comprising first server, third party server, card issuing
authentication server and user device for performing one tap transaction, the system comprising
said first server that further comprises a hardware security unit, a secure database and a receiver
configured to receive card data of a user from the user device, said card data comprising
credentials which are to be stored and at least one credential which is not to be stored. Said
system further includes a processing engine operatively coupled to the receiver such that the
processing engine is configured to encrypt the credentials, which are to be stored using a first
key, wherein the first key is generated by and stored in the hardware security unit and store the
encrypted credentials in the secure database which is operatively coupled with the processing
engine. Encrypt the at least one credential, which is not to be stored into a ciphertext, using a
second key, wherein the second key is generated by and stored in the hardware security unit.
The processing engine is also configured to split said ciphertext into first and second strings of
variable lengths and store exactly one of the two strings obtained from above, in the secure
database. The system further includes a transmitter which is operatively coupled to the
processing engine and is configured to transmit the other string to the third-party server for
storage. Said processing engine is further configured to receive the stored string from the third-party
server, in response to a request to proceed with payment being received from the user device
and combine the two strings in the right order into a single string. Said processing engine is also
configured to decrypt said single string using the second key to retrieve the credentials not to be
stored. The user device which is in communication with the card issuing authentication server
and the first server, includes a receiver configured to receive one time password from the card
issuing authentication server, in response to authentication request of the credentials of the user
by the card issuing authentication server and a processor configured to automatically update, said
one time password into the card issuing authentication server to complete the authentication of
the transaction.
[0012] In still another aspect, the card issuing authentication server is configured to
perform authentication of the credentials, prior to encryption.
[0013] In yet another aspect, the transmitter at the first server, is configured to transmit
the credentials to the card issuing authentication server and the card issuing authentication server
is further configured to verify credentials received from the first server, send the one time
password to the user device, receive the same one time password back from the user device; and
in response send a message to the first server indicating the authentication being positive or
negative, wherein, if the message indicates the authentication being positive, the encryption is
performed by the first server.
[0014] In still another aspect, the present invention relates to system for communication
between one or more entities comprising first server, third party server, card issuing
authentication server and user device for performing one tap transaction. Said system
comprising the first server which further includes a receiver unit configured to receive card data
of a user from the user device, said card data comprising credentials which are to be stored and at
least one credential which is not to be stored, an encoder unit configured to encrypt the
credentials, which are to be stored using a first key, wherein the first key is generated by and
stored in a hardware security unit. A secure database configured to store the credentials
encrypted using the first key. Said encoder unit is further configured to encrypt the at least one
credential, which is not to be stored into a ciphertext, using a second key, wherein the second key
is generated by and stored in the hardware security unit. Said system further includes a splitter
unit configured to split said ciphertext, into first and second strings of variable lengths and store
exactly one of the two strings obtained from the above in the secure database. The system also
includes a transmitter unit that is configured to transmit the other string to the third-party server
for storage, wherein the receiving unit is configured to receive the second string from the third-party
server, in response to a request to proceed with payment being received from the user device.
It further includes a combining unit configured to combine, the two strings in the right order into
a single string and a decoder unit configured to decrypt, said single string using the second key to
retrieve the credentials not to be stored. The user device which is in communication with the
card issuing authentication server and the first server includes a receiver configured to receive
one time password from the card issuing authentication server, in response to authentication
request of the credentials of the user received by the card issuing authentication server and a
processor configured to automatically update, said one time password into the card issuing
authentication server to complete the transaction.
OBJECTS OF THE INVENTION:
[0015] The main object of the present invention is to provide a system and method for
facilitating one tap on-line transactions.
[0016] Yet another object of the present invention is to provide a system and method for
encrypting and splitting the credential which is not to be stored into two parts, using a key.
[0017] Still another object of the present invention is to provide a system and method for
sharing one part of encrypted credential which is not to be stored with the third-party server and
other being stored with the first server.
[0018] Yet another object of the present invention is to retrieve, at the first server, the
encrypted part stored with the third-party server and combine the two parts and decrypt them for
all future transactions.
[0019] Still another object of the present invention is to provide a system that auto
updates the OTP received from the card authentication server back to said server, to complete the
transaction.
BRIEF DESCRIPTION OF DRAWINGS:
[0020] The features of the present invention are set forth with particularity in the
appended claims. The invention itself, together with further features and attended advantages,
will become apparent from consideration of the following detailed description, taken in
conjunction with the accompanying drawings. One or more embodiments of the present
invention are now described, by way of example only, with reference to the accompanied
drawings wherein like reference numerals represent like elements and in which:
[0021] Fig. 1a describes a system for achieving one tap transaction, by way of block
diagram, according to various embodiments.
[0022] Figure 1b describes another embodiment of system of figure 1a, illustrating
multiple entities connected to each other, according to various embodiments.
[0023] Fig. 2 describes in detail the system of figure 1, by way of block diagram,
according to various embodiments.
[0024] Fig. 3 describes method steps for performing one tap transaction, in accordance
with elements disclosed in figures 1 & 2, by way of a flow chart, according to various
embodiments.
[0025] Fig. 4 describes details of method steps carried out in figure 3, by way of flow
chart, according to various embodiments.
[0026] Fig. 5 describes an alternative embodiment of system for performing one tap
transaction, by way of block diagram, according to various embodiments.
DETAILED DESCRIPTION OF DRAWINGS:
[0027] While the invention is susceptible to various modifications and alternative forms,
specific embodiment thereof has been shown by way of example in the drawings and will be
described in detail below. It should be understood, however that it is not intended to limit the
invention to the particular forms disclosed, but on the contrary, the invention is to cover all
modifications, equivalents, and alternative falling within the spirit and the scope of the invention
as defined by the appended claims.
[0028] Before describing in detail embodiments it may be observed that the novelty and
inventive step that are in accordance with the present invention reside in encryption and storage
of the card credential(s) which is not to be stored at one location and retrieving the same to
enable one tap transaction, the drawings are showing only those specific details that are pertinent
to understanding the embodiments of the present invention so as not to obscure the disclosure
with details that will be readily apparent to those of ordinary skill in the art having benefit of the
description herein.
[0029] The terms “comprises”, “comprising”, or any other variations thereof, are
intended to cover a non-exclusive inclusion, such that a setup, device that comprises a list of
components does not include only those components but may include other components not
expressly listed or inherent to such setup or device. In other words, one or more elements in a
system or apparatus preceded by “comprises… a” does not, without more constraints, preclude
the existence of other elements or additional elements in the system or apparatus.
[0030] Turning to figure 1a, one preferred embodiment of the invention is shown. The
embodiment discloses a system 100 for performing one tap transaction, wherein said system 100
comprises a first server 102 which may be in communication with a user device 108, a third-party
server 104 and a card issuing authentication server 106, through web presence using
internet. Similarly, figure 1b describes another alternative embodiment of system 100, wherein
the first server 102 may communicate with the plurality of the user device 108a-108n, the third-party
server 104a-104n and the card issuing authentication server 106a-106n, through web
presence. Coming back to figure 1a, the first server 102 of the system 100 is configured to
receive “cardholder data” from the user device 108, wherein said cardholder data include
credentials which are to be stored and at least one credential which is not to be stored. In an
embodiment, the credentials which are to be stored include name of the user, primary account
number (PAN), expiry date and at least one card credential which is not to be stored includes card
verification value (CVV). In the present disclosure, the term "cardholder data" is to be given a
wide meaning and includes any payment credentials that belong to a consumer, irrespective of
the form of the payment credentials or the type of account or system against which the consumer
transacts using those payment credentials.
[0031] The set of credentials received by the first server 102 are then processed, wherein
processing of card credentials include encrypting the credentials and storing some part of the
encrypted credentials within the first server 102 and some part of the encrypted credential with
the third-party server 104, which is explained in detail in figure 2. The system 100 further
includes the card issuing authentication server 106 which is configured to receive the card
credentials provided to the first server 102, prior to encryption, wherein the card issuing
authentication server 106 is configured to test and confirm the authenticity of card credentials
thus received. Further, the card issuing authentication server 106 may communicate with the
user device to provide a one-time password (OTP) for an ongoing transaction. In an embodiment
of the present disclosure, the first server 102 may be a payment gateway server, the third-party
server 104 may be a merchant server and the card issuing authentication server 106 may be bank
server. Thus, those skilled in the art would appreciate that the above terms may be used
interchangeably in the present disclosure. Further, detailed embodiments of figure 1a and 1b
may be understood by referring to the disclosure of figure 2 as discussed below.
[0032] Figure 2 describes a system 200 which is a comprehensive embodiment of figure
1a and 1b. System 200 includes a remotely accessible third-party server 202 which may host an
e-commerce website (not shown). Said third-party server 202 is accessible to a user device 204
through web presence, wherein said user device 204 may include at least one of a laptop or
desktop computers, mobile phones, tablet computers, or the like devices which are in possession
of a user (not shown). In a preferred embodiment, the e-commerce website hosted by the third-party
server 202 may be an electronically accessible portal through which the merchant offers
goods or services for sale to the consumers, for example an online bookstore, media store,
hardware store, general retail store, facility for downloading software, or any other e-commerce
site through which the user can shop. System 200 further includes a first server 206 which is
connected to the third-party server 202 again through web presence using internet. The
connection between the first server 206, which is a payment gateway server and the third-party
server 202 that is the merchant server may also be by means of an application programming
interface (API) (not shown). Those skilled in the art will appreciate that in order to have an
active relationship between the first server 206 and the third-party server 202, the third-party
server 202 is required to have previously registered or signed up with the first server 206. The
system 200 further describes a card issuing authentication server 208 which is connected to the
first server 206 and the user device 204 through web presence.
[0033] System 200 further illustrates techniques of communication between the first
server 206, the third-party server 202, the card issuing authentication server 208 and the user
device 204 so as to execute one tap transaction. As shown in figure 200, the first server 206
includes a receiver 210 that is configured to receive cardholder data of a user (not shown) from
the user device 204, wherein the cardholder data include credentials which are to be stored and at
least one credential which is not to be stored completely with the first server 206. Said server
206 further includes a processing engine 212 operatively coupled to said receiver 210, wherein
the processing engine 212 is configured to encrypt the credentials which are to be stored, using a
first key (not shown), wherein the first key is an AES-256 bit encryption key that is generated by
and stored in a hardware security unit 214 of the first server 206. The processing engine 212
then stores the encrypted credentials in a secure database 218 of the first server 206. In an
embodiment, the secure database 218 may be placed inside or outside the first server 206. In
another embodiment, the first server 206 is configured to share the card credentials with the card
issuing authentication server 208, prior to encryption. Specifically, a transmitter 216 of the first
server 206 transmits the card credentials to the card issuing authentication server 208 for
verification, as soon as it receives the same from the user device 204. The card issuing
authentication server 208 verifies the same and provides an intimation to the first server 206 and
the user device 204 in appropriate manner. The detailed process of the above discussed
verification which is performed prior to encryption, is illustrated later in the disclosure with
reference to other figures.
[0034] Coming back to the figure 2, once the above encrypted credentials are stored in
the first server 206, the processing engine 212 encrypts the at least one credential which is not to
be stored into a cipher text using a second key, wherein the second key is also an AES-256 bit
encryption key that is generated by and stored in the hardware security unit 214 of the first server
206. However, for a person with ordinary skills, it is explicitly disclosed that first key and the
second key are completely different from each other. Said processing engine 212 is further
configured to split the above obtained cipher text into first and second strings of variable length.
One of the said strings is stored in the secure database 218 of the first server 206 with the help of
the processing engine 212, wherein the other part of the string is transmitted to the third-party
server 202, via the transmitter 216 of the first server 206, for storage. In this manner the card
credential which is not supposed to be stored at any single location is safely encrypted and is
stored at two distinct locations with utmost safety.
[0035] To complete any transaction, the processing engine 212 of the first server 206 is
configured to receive the string stored with the third-party server 202. Processing engine 212 is
configured to do so whenever it receives a request to proceed with payment from the user device
204. On successful retrieval of second string, the processing engine 212 combines the two strings
together in the correct order. In an embodiment, whenever the processing engine 212 receives a
request to proceed with payment from the user device 204, it smartly retrieves the first string
stored at the secure database 218 and the second string stored with third-party server 202 and
combines the two in correct order. The single string thus obtained is then decrypted by the
processing engine 212 using second key. Specifically, in an embodiment, the processing engine
212 is designed such that it may take a decision as to which key to be used, based on the type of
data. System 200 further illustrates that user device 204 may get in communication with the card
issuing authentication server 208 and third-party server 202 whenever required through web
presence using internet, wherein the first server 206 may be connected to the user device 204 via
third-party server 202. The user device 204 includes a receiver 220, which may be configured to
receive one-time password (OTP) from the card issuing authentication server 208, whenever
connection with it is established while making a transaction through the third-party server 202.
In particular, as discussed before the OTP may be received by the user device 204 in response to
authentication request of the card credentials of the user by the card issuing authentication server
208. The user device 204 further includes a processor 222 that may be configured to
automatically update the received OTP back to the card issuing authentication server 208, using
a transmitter 224, to complete any transaction.
[0036] Figure 3 describes detailed flow chart 300 that illustrates an embodiment of
present invention for performing one tap transaction, carried out using any of the systems
disclosed in figures 1-2 and 5. At step 302, the first server 206, receives card data of a user from
the user device 204, wherein the card data comprises credentials which are to be stored with first
server 206 and at least one credential which is not to be stored at any single location. In an
exemplary embodiment, the first server 206 may receive the cardholder data, in this case the
consumer's PAN, expiry date and CVV, either directly from the user device 204 in the case
where the user device 204 is communicating with the third-party server 202 through a secure
website hosted by the third-party server 202, or alternatively from the third-party server 202 by
means of the API in the case where the consumer enters the cardholder data on the website
hosted by the third-party server 202.
[0037] At step 304, the first server 206 may encrypt at least one of the credentials which
are to be stored with the first server 206. Said encryption is performed using a first key that resides
in the hardware security unit 214 of the first server 206. In an example, to perform encryption of
said credentials, the credentials are moved inside the hardware security unit 214. Once the
encryption is completed, the processing engine 212 pulls out the encrypted credentials from the
hardware security unit 214, wherein the first key still resides there. In step 306, the processing
engine 212 of the first server 206, stores the encrypted credentials in the secure database 218 of
the first server 206, for future reference. In an embodiment, said database 218 may be placed
inside the first server 206 or placed outside the first server 206 and may be remotely connected
to the first server 206. In step 308, the first server 206 encrypts at least one credential which is
not to be stored at any single location. Specifically, the credential which is not to be stored includes
“CVV” data of the user card. In an aspect of the present invention, the credential that is not to be
stored is encrypted by the processing engine 212 of the first server 206, into a cipher text by
using the second key. Similar to encryption performed in step 304, here also the data to be
encrypted is moved into the hardware security unit 214 where it is encrypted using the second
key. The encrypted cipher text is then pulled out of the hardware security unit 214 by the
processing engine 212.
[0038] In step 310, the processing engine 212 of the first server 206 splits the above
obtained cipher text into two strings of variable lengths. At step 312, the processing engine 212
of the first server 206 selects one of said strings randomly and stores the selected string in the
secure database 218 of the first server 206. However, in step 314 the first server 206 transmits
the other string to the third-party server 202, using the processing engine 212. It may be noticed
that the process performed in steps 308-314 not only securely saves the data i.e. CVV at distinct
locations but also enhances security by encrypting and storing it at distinct locations. In step 316,
the first server 206 retrieves the string stored with the third-party server 202, in response to
receiving a request to proceed with payment, from the user device 204. Needless to say,
whenever a request to proceed to payment is transmitted from the user device 204 to the first
server 206, the first server 206 sends a message to the third-party server 202 for sharing the
string stored with it. Once the first server 206 is in possession of both the strings, in step 318,
the processing engine 212 combines the two strings in the correct order to retrieve the original
string. Now, in step 320, said string is decrypted using the second key. In an example, to
perform this decryption, the processing engine 212 is configured to transmit the combined string
into the hardware security unit 214 where the second key is used to decrypt the said string.
Specifically, in an example the processing engine 212 is so configured that it can identify the key
required for decryption of data, based on the type of data.
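The handling of the credential which is not to be stored in steps 308 to 320, as an added Python illustration that is not part of the specification. Assumptions: `HsmStandIn`, `enroll`, `recover`, the `local_is_prefix` order flag and the two dictionaries standing for the secure database 218 and the third-party server 202 are hypothetical names, and because Python's standard library has no AES, an HMAC-SHA256 keystream with an integrity tag is swapped in for the AES-256 second key.

```python
import hashlib
import hmac
import secrets


class HsmStandIn:
    """Stand-in for the hardware security unit 214: keys are generated and kept inside.

    Assumption: the specification names AES-256 keys; an HMAC-SHA256 keystream
    with an HMAC tag is swapped in here because the standard library has no AES."""

    def __init__(self):
        # The first key (stored credentials) and the second key (CVV) are distinct.
        self._keys = {"first": secrets.token_bytes(32), "second": secrets.token_bytes(32)}

    def _subkey(self, key_name, purpose):
        return hmac.new(self._keys[key_name], purpose, hashlib.sha256).digest()

    def _keystream(self, key, nonce, length):
        blocks = (length + 31) // 32
        stream = b"".join(
            hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(blocks)
        )
        return stream[:length]

    def encrypt(self, key_name, plaintext):
        nonce = secrets.token_bytes(16)
        stream = self._keystream(self._subkey(key_name, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(self._subkey(key_name, b"mac"), nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, key_name, blob):
        if len(blob) < 48:
            raise ValueError("cipher text too short")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._subkey(key_name, b"mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("cipher text failed integrity check")
        stream = self._keystream(self._subkey(key_name, b"enc"), nonce, len(body))
        return bytes(c ^ s for c, s in zip(body, stream))


def split_ciphertext(cipher_text):
    """Step 310: cut at a random offset, so both strings are non-empty and vary in length."""
    cut = 1 + secrets.randbelow(len(cipher_text) - 1)
    return cipher_text[:cut], cipher_text[cut:]


def enroll(hsm, label, cvv, secure_db, third_party):
    cipher_text = hsm.encrypt("second", cvv.encode())   # step 308
    first, second = split_ciphertext(cipher_text)       # step 310
    keep_first = secrets.randbelow(2) == 0              # step 312: random selection
    local, remote = (first, second) if keep_first else (second, first)
    # Assumption: the order is remembered with a flag beside the locally kept string.
    secure_db[label] = {"part": local, "local_is_prefix": keep_first}
    third_party[label] = remote                         # step 314


def recover(hsm, label, secure_db, third_party):
    record = secure_db[label]
    remote = third_party[label]                         # step 316
    if record["local_is_prefix"]:                       # step 318: right order
        combined = record["part"] + remote
    else:
        combined = remote + record["part"]
    return hsm.decrypt("second", combined).decode()     # step 320


def demo():
    """Round trip with a constructed label and CVV, then the wrong-order failure mode."""
    hsm, secure_db, third_party = HsmStandIn(), {}, {}
    enroll(hsm, "LBL-0001", "123", secure_db, third_party)
    recovered = recover(hsm, "LBL-0001", secure_db, third_party)
    # Joining the two strings in the wrong order must not yield a decryptable string.
    secure_db["LBL-0001"]["local_is_prefix"] = not secure_db["LBL-0001"]["local_is_prefix"]
    try:
        recover(hsm, "LBL-0001", secure_db, third_party)
        wrong_order_rejected = False
    except ValueError:
        wrong_order_rejected = True
    return recovered, wrong_order_rejected


if __name__ == "__main__":
    print(demo())
```

Each stored string is only a fragment of the cipher text, so confidentiality still rests on the second key staying inside the hardware security unit.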
[0039] In step 322, the user device 204 receives a one-time password (OTP) from the
card issuing authentication server 208. The user device 204 receives the one-time password
(OTP) from the card issuing authentication server 208 in response to the authentication request
of the credentials of the user by the card issuing authentication server 208. The process of
transaction is completed in step 324, in which the user device 204 updates the above received
OTP into the card issuing authentication server 208 to confirm the authenticity and complete the
transaction. In one aspect of the present invention, the cardholder data i.e. the credentials are
authenticated by the card issuing authentication server 208, prior to encryption. The detailed
process of authenticating the card credentials prior to encryption is described in detail in figure 4,
discussed later in this disclosure. The foregoing description has been presented for the purpose
of illustration and it is not intended to be exhaustive or to limit the invention to the precise forms
disclosed in above figures. Persons skilled in the relevant art can appreciate that many
modifications and variations are possible in light of the above disclosure. In particular, as
discussed before, figure 2 illustrates one embodiment of the present invention, however other
exemplary embodiments as discussed in figure 5 are possible. Figure 5 teaches that the method
steps of figure 3 may be performed by other elements/units such as a receiver unit, encoder unit,
splitter unit, transmitter unit, combining unit, decoder unit etc. Hence, the method steps of figure
3 should not only be limited to the elements disclosed in figure 2 of the specification. In one or
more examples, the elements/units discussed in figure 2 and 5 may be implemented in the form
of a hardware, software or a combination thereof. Also, the processing unit discussed in the
present disclosure may be a specially designed processor, microprocessor or an ASIC configured
to carry out the method step of the present invention.
[0040] Figure 4, explains the method steps 400 of authentication of card credentials
performed by the card issuing authentication server 208, prior to encryption. In step 402, the
transmitter 216 of the first server 206 sends the card credentials to the card issuing authentication
server 208, immediately after receiving the same from the user device 204. The method by
which the first server 206 receives card credentials has already been explained in figure 3 and
thus need not be repeated. In step 404, card issuing authentication server 208 verifies the card
credentials thus received. In response to verification, the card issuing authentication server 208
sends a one-time password (OTP) to the user device 204, in step 406. In step 408, the user device
204 sends back the received OTP to the third-party server 202, which confirms the authenticity
of the user. Once the authenticity of the user, or in a way the card credentials of the user, is achieved,
in step 410, the card issuing authentication server 208 sends a message to the first server 206
confirming whether the authentication was positive or negative. In an exemplary embodiment,
the authentication message from the card issuing authentication server 208 is sent to the first
server 206 in both the cases whether the authentication is testified as positive or negative. Thus,
the first server 206 encrypts the card credentials only if the received message indicates
authentication being positive. In another embodiment of the present invention, if the
authentication is verified to be positive and, in response, the card credentials are encrypted, the
first server 206 creates a unique label for the user which is associated with his/her card
credentials. The unique label thus created may be a numeric or alphanumeric code that is unique
for each set of cardholder data. In addition, this label is created for a user when he/she creates an
account for any third-party server 202 for the first time. For every subsequent
transaction, the user is not required to enter all the card credentials; instead, he/she may enter the
label provided to him/her. Therefore, for all subsequent transactions the user only needs to enter
the label given to him/her, wherein, based on the unique label, the first server 206 identifies the
card credentials of said user and performs one or more of the steps of figure 3 to complete a
transaction.
[0041] Figure 5 discloses another embodiment of a first server 500 that can
communicate with the other servers and devices illustrated in figure 2. Figure 5 shows that
the first server 500 includes a receiver unit 502 configured to receive card data of a user of the
user device 204. Said card data comprises credentials which may be stored and at least one
credential which is not to be stored at a single location. Once the first server 206 is in
possession of the card credentials, the step of authentication (as discussed in detail in figure 4),
prior to encryption, may be performed. The first server 500 further includes an encoder unit 504
configured to encrypt the credentials which are to be stored, using the first key, wherein the first
key is generated by and stored in a hardware security unit 506. A secure database 508 is then
used to store the credentials encrypted using the first key. Said encoder unit 504 is further
configured to encrypt the at least one credential which is not to be stored into a cipher text, using
the second key. The second key is also generated by and stored in the hardware security unit
506. A splitter unit 510 present in the first server 500 splits said cipher text into first and second
strings of variable lengths and stores one of the two strings thus obtained in the secure
database 508 of the first server 500. The first server 500 uses a
transmitter unit 512 to transmit the other string to the third-party server 202 for storage, wherein
the receiving unit 502 is also configured to receive the second string from the third-party server
202, in response to a request to proceed with payment being received from the user device 204.
[0042] Now, when the first server 500 has received the string stored with the third-party
server 202, a combining unit 514 is used to combine the two strings in the right order into a
single string. Further, a decoder unit 516 of the first server may be used to decrypt the
single string thus obtained, using the second key, to retrieve the credentials not to be stored.
After the decryption of the encrypted data is performed, the user device 204 receives a one time
password from the card issuing authentication server 208, in response to an authentication request
for the credentials of the user received by the card issuing authentication server. Said user device
204 then performs the final step of the process to enable a successful transaction by automatically
updating said one time password into the card issuing authentication server 208.
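The split, store and recombine flow of paragraphs [0041] and [0042], as an added Python sketch that is not part of the specification. `SoftHsm`, its HMAC-based stand-in cipher (used so the block runs with the standard library only), the function names and the sample label and CVV are assumptions; the integrity check on recombination goes beyond what the text states and is included so that a wrong-order or altered string is rejected rather than decrypted.

```python
import hashlib, hmac, secrets

class SoftHsm:
    """Software stand-in (assumption) for the hardware security unit holding the second key."""
    def __init__(self):
        self._key = secrets.token_bytes(32)          # generated here, never returned to callers

    def _prf(self, label, data):
        return hmac.new(self._key, label + data, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # HMAC-SHA256 in counter mode: demo stand-in for an AEAD such as AES-GCM.
        blocks = (len(data) + 31) // 32
        stream = b"".join(self._prf(b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(16)
        body = self._xor_stream(nonce, plaintext)
        return nonce + body + self._prf(b"mac", nonce + body)   # encrypt-then-MAC

    def decrypt(self, blob):
        if len(blob) < 48:
            raise ValueError("ciphertext too short")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._prf(b"mac", nonce + body)):
            raise ValueError("recombined ciphertext failed integrity check")
        return self._xor_stream(nonce, body)

def split_ciphertext(blob):
    """Split at a random offset so both strings are non-empty and of variable length."""
    cut = 1 + secrets.randbelow(len(blob) - 1)
    return blob[:cut], blob[cut:]

def enroll(hsm, label, cvv, gateway_db, merchant_db):
    """Encrypt the not-to-be-stored credential and keep one string at each party."""
    gateway_db[label], merchant_db[label] = split_ciphertext(hsm.encrypt(cvv.encode()))

def recover(hsm, label, gateway_db, merchant_string):
    """Combine gateway string + merchant string, in that order, then decrypt."""
    return hsm.decrypt(gateway_db[label] + merchant_string).decode()

if __name__ == "__main__":
    hsm, gateway_db, merchant_db = SoftHsm(), {}, {}
    enroll(hsm, "LBL-0001", "123", gateway_db, merchant_db)      # constructed sample values
    print(recover(hsm, "LBL-0001", gateway_db, merchant_db["LBL-0001"]))
```

Neither stored string decrypts on its own, but the confidentiality of the credential rests on the second key staying inside the hardware security unit, not on the split itself.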
[0043] Although the present invention has been described in considerable detail with
reference to figures and certain preferred embodiments thereof, other versions are possible.
Therefore, the spirit and scope of the present invention should not be limited to the description of
the preferred versions contained herein.
We claim:
1. A method for communication between one or more entities comprising first server, third party
server, card issuing authentication server and user device for performing one tap transaction, the
method comprising:
receiving, by the first server, card data of a user from the user device, said card data
comprising credentials which are to be stored and at least one credential which is not to be
stored;
encrypting, by the first server, the credentials which are to be stored using a first key,
wherein the first key is generated by and stored in a hardware security unit;
storing, by the first server, said encrypted credentials in a secure database;
encrypting, by the first server, at least one credential which is not to be stored into a
ciphertext, using a second key, wherein the second key is generated by and stored in the
hardware security unit,
splitting, by the first server, said ciphertext into first and second strings of variable
lengths;
storing, by the first server, exactly one of the two strings obtained in the previous step, in
the secure database;
transmitting, by the first server, the other of the two strings to the third-party server for
storage;
receiving, by the first server, the stored string from the third-party server, in response to a
request to proceed with payment being received from the user device;
combining, by the first server, the two strings in the right order into a single string;
decrypting, by the first server, said single string using the second key to retrieve the
credentials not to be stored;
receiving, by the user device, one time password from the card issuing authentication
server, in response to the authentication request of the credentials of the user by the card issuing
authentication server; and
automatically updating, by the user device, said one time password into the card issuing
authentication server to complete the authentication request.
2. The method as claimed in claim 1, wherein the first server relates to a server of a
payment gateway, the third-party server relates to a server of a merchant and the card issuing
authentication server relates to a bank.
3. The method as claimed in claim 1, wherein the card credentials which are to be stored
include name of the user, primary account number (PAN), expiry date and the at least one card
credential which is not to be stored includes card verification value (CVV).
4. The method as claimed in claim 1, further comprising:
performing authentication of the credentials by the card issuing authentication server, prior to
encryption.
5. The method as claimed in claim 4, wherein the step of performing authentication prior to
encryption, comprises:
transmitting, by the first server, the credentials to the card issuing authentication server;
verifying, by the card issuing authentication server, credentials received from the first
server; and
sending, by the card issuing authentication server, the onetime password to the user
device;
receiving, by the card issuing authentication server, the same one time password back
from the user device;
sending, by the card issuing authentication server, a message to the first server indicating
the authentication being positive or negative,
wherein the encryption is performed by the first server if the message indicates the
authentication is positive.
6. The method as claimed in claim 1, wherein the encrypted credentials stored at the first
server are associated with a unique label for the user.
7. A system for communication between one or more entities comprising first server, third
party server, card issuing authentication server and user device for performing one tap
transaction, the system comprising:
said first server comprising:
a hardware security unit;
a secure database;
a receiver configured to receive card data of a user from the user device,
said card data comprising credentials which are to be stored and at least one credential
which is not to be stored;
a processing engine operatively coupled to the receiver and configured to:
encrypt the credentials, which are to be stored using a first key,
wherein the first key is generated by and stored in the hardware security
unit;
store the encrypted credentials in the secure database which is
operatively coupled with the processing engine;
encrypt the at least one credential, which is not to be stored into a
ciphertext, using a second key, wherein the second key is generated by and stored in the
hardware security unit;
split said ciphertext into first and second strings of variable
lengths;
store exactly one of the two strings obtained from above, in the
secure database; and
a transmitter operatively coupled to the processing engine and configured
to:
transmit the other string to the third-party server for storage, wherein the
processing engine is further configured to:
receive the stored string from the third-party server, in response to
a request to proceed with payment being received from the user device;
combine the two strings in the right order into a single string; and
decrypt said single string using the second key to retrieve the
credentials not to be stored;
said user device in communication with the card issuing authentication server and
the first server, the user device comprising:
a receiver configured to receive one time password from the card issuing
authentication server, in response to authentication request of the credentials of the user
by the card issuing authentication server; and
a processor in the user device configured to automatically update, said one
time password into the card issuing authentication server to complete the authentication of the
transaction.
8. The system as claimed in claim 7, wherein the first server relates to a server of a payment
gateway, the third-party server relates to a server of a merchant and the card issuing
authentication server relates to a bank server.
9. The system as claimed in claim 7, wherein the card credentials which are to be stored
include name of the user, primary account number (PAN), expiry date and the at least one card
credential which is not to be stored includes card verification value (CVV).
10. The system as claimed in claim 7, wherein the card issuing authentication server is
configured to perform authentication of the credentials, prior to encryption.
11. The system as claimed in claim 10, wherein the transmitter at the first server, is
configured to transmit the credentials to the card issuing authentication server; and
the card issuing authentication server, is configured to:
verify credentials received from the first server;
send, the onetime password to the user device;
receive, the same one time password back from the user device; and
in response send a message to the first server indicating the authentication being
positive or negative,
wherein, if the message indicates the authentication being positive, the encryption
is performed by the first server.
12. The system as claimed in claim 7, wherein the encrypted credentials stored at the first
server are associated with a unique label for the user.
13. A system for communication between one or more entities comprising first server, third
party server, card issuing authentication server and user device for performing one tap
transaction, the system comprising:
said first server comprising:
a receiver unit configured to receive card data of a user from the user
device, said card data comprising credentials which are to be stored and at least one credential
which is not to be stored;
an encoder unit configured to encrypt the credentials, which are to be
stored using a first key, wherein the first key is generated by and stored in a hardware security
unit;
a secure database configured to store the credentials encrypted using the
first key;
the encoder unit is further configured to encrypt the at least one credential,
which is not to be stored, into a ciphertext, using a second key, wherein the second key is
generated by and stored in the hardware security unit;
a splitter unit configured to split said ciphertext, into first and second
strings of variable lengths, and store exactly one of the two strings obtained from the above in
the secure database; and
a transmitter unit configured to transmit the other string to the third-party
server for storage;
the receiving unit configured to receive the second string from the third-party
server, in response to a request to proceed with payment being received from the user device;
a combining unit configured to combine, the two strings in the right order
into a single string; and
a decoder unit configured to decrypt, said single string using the second
key to retrieve the credentials not to be stored;
said user device in communication with the card issuing authentication server and
the first server, the user device comprising:
a receiver configured to receive one time password from the card issuing
authentication server, in response to authentication request of the credentials of the user received
by the card issuing authentication server; and
a processor configured to automatically update, said one time password
into the card issuing authentication server to complete the transaction.