Application program, information processing system, and information processing method
The application program enhances security in electronic payment systems by wirelessly communicating with a card's circuit unit to obtain and authenticate information, using one-time codes and write passwords, addressing insufficient security in existing systems.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- PAYPAY CO LTD
- Filing Date
- 2024-11-26
- Publication Date
- 2026-06-05
Smart Images

Figure 2026092455000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to an application program, an information processing system, a server device, and an information processing method.
Background Art
[0002] There is disclosed a server that performs authentication by comparing a card identifier of a card with a card identifier in a database (see, for example, Patent Document 1).
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] In the above technology, the security may not be sufficient.
[0005] The present invention has been made in consideration of such circumstances, and one of the objectives is to provide an application program, an information processing system, a server device, and an information processing method that can improve security more.
Means for Solving the Problems
[0006] One aspect of the present invention is an application program that, when a card used for payment is brought close to a terminal device equipped with a computer, uses the communication unit of the terminal device to wirelessly communicate with the communication unit of a circuit unit including a communication unit and a storage unit that stores information contained in the card, obtains related information related to the card and authentication information used for authenticating the card, transmits the related information and authentication information to a server device to perform the authentication, and determines whether or not to associate the card with the application program based on the authentication result obtained from the server device. [Effects of the Invention]
[0007] According to one aspect of the present invention, it is possible to provide an application program, an information processing system, a server device, and an information processing method that can further improve security. [Brief explanation of the drawing]
[0008] [Figure 1] This diagram shows an example of a configuration for implementing an electronic payment service. [Figure 2] This is a sequence diagram (part 1) illustrating the general flow of electronic payments. [Figure 3] This is a sequence diagram (part 2) illustrating the general flow of electronic payments. [Figure 4] This is a configuration diagram of the payment server 100 according to the embodiment. [Figure 5] This figure shows an example of the contents of user information 172. [Figure 6] This figure shows an example of the contents of merchant / store information 176. [Figure 7] This is a diagram showing the configuration of card server 200. [Figure 8] This figure shows an example of the contents of authentication information 260. [Figure 9] This figure shows an example of a scenario in which authentication processing takes place. [Figure 10] This is a diagram to explain the authentication process. [Figure 11] This is a sequence diagram focusing on the second authentication process. [Figure 12] This is a sequence diagram focusing on the first authentication process. [Figure 13] This figure shows an example of authentication result information 270. [Figure 14] This sequence diagram shows an example of the processing flow for a new one-time code and a new write password. [Figure 15] This is a sequence diagram focusing on the first authentication process. [Figure 16] This is a sequence diagram focusing on the second authentication process. [Figure 17] This is a diagram illustrating the processing of modified examples. [Modes for carrying out the invention]
[0009] The following describes embodiments of the application program, information processing system, server device, information processing method, and information processing device of the present invention with reference to the drawings. Various devices such as the "server" mentioned below, which provide services to users or perform internal analysis, may be implemented by a distributed group of devices, and the operators of each device may be different. Furthermore, the owner of the hardware of the devices (the provider of the cloud server) and the operator that actually operates them may also be different. The application program and the payment server work together to provide an electronic payment service. In the following description, the application program will be referred to as the payment app. The electronic payment service is a service that supports payment for the purchase of goods and services at a store. A store is, for example, a physical store (real store) that exists in the real world, but may also include a virtual store for e-commerce. A virtual store may include one provided by an entity different from the operator of the electronic payment service. In that case, when settling a purchase at a virtual store, the user may be directed to the interface screen of the electronic payment service. In the electronic payment service, a store is treated as belonging to, for example, a merchant (brand), and processing such as payment when a purchase is made at a store is mainly carried out between the user and the merchant. Alternatively, payment and other processing may be conducted between the user and the store.
[0010] [Electronic payment service] FIG. 1 is a diagram showing an example of the configuration of an electronic payment system that realizes an electronic payment service. The electronic payment service is realized centering around a payment server 100. An electronic payment system that realizes an electronic payment service includes, for example, one or more credit cards C, one or more user terminal devices 10, one or more first store terminal devices 50, one or more second store terminal devices 70, a payment server 100, and a card server 200 (server device). These devices communicate with each other via, for example, a network NW. The network NW includes, for example, the Internet, a LAN (Local Area Network), a wireless base station, a provider device, and the like. Some or all of the functional configurations included in the electronic payment system may be distributed among a plurality of devices in an arbitrary form or integrated into an arbitrary device.
[0011] In the present embodiment, it is described that a credit card C is used, but in addition to (or instead of) the credit card C, other electronic payment cards such as a debit card may be targeted.
[0012] [User Terminal Device] The user terminal device 10 is, for example, a portable terminal device such as a smartphone or a tablet terminal. The user terminal device 10 is a computer device having at least an optical reading function, a communication function, a display function, an input reception function, and a program execution function. In the following description, the configurations for realizing these functions are referred to as a camera, a communication device, a touch panel, a CPU (Central Processing Unit), etc., respectively. In the user terminal device 10, the payment application 20 is executed by a processor such as a CPU, and it operates to provide an electronic payment service to the user in cooperation with the payment server 100. The payment application 20 is installed in the user terminal device 10 from, for example, an application store, and controls a camera, a communication device, a touch panel, etc.
[0013] [First Store Terminal Device] The first store terminal device 50 is installed, for example, in a store. The first store terminal device 50 is a computer device having at least a product price acquisition function, an optical reading function, a program execution function, and a communication function. The first store terminal device 50 may include a so-called POS (Point of Sale) device, and the product price acquisition function and optical reading function may be realized by the POS device. The store code image 60 is placed in the store and is a code image such as a QR code (registered trademark) printed on paper or plastic media. The store code image 60 may also be displayed on a display placed in the store (which may be the display of a terminal device such as a smartphone).
[0014] [Second store terminal device] The second store terminal device 70 is used by the operator of the affiliated store. The second store terminal device 70 is a smartphone, tablet, personal computer, etc. The affiliated store interface 72 operates on the second store terminal device 70. The affiliated store interface 72 may be an affiliated store application or a browser. The affiliated store interface 72 accepts coupon settings etc. from the affiliated store operator and transmits them to the payment server 100. The second store terminal device 70, which is a smartphone, has the function of displaying a code image corresponding to a store code image by running the affiliated store application, or reading a code image displayed by the user terminal device 10.
[0015] [Payment Server] The payment server 100 implements electronic payment based on payment information received from the user terminal device 10 or the first store terminal device 50. The first store terminal device 50 may include a POS device and a merchant server, in which case payment information is transmitted from the POS device to the payment server 100 via the merchant server. In the following description, this distinction will not be made, and it will be assumed that payment information is transmitted from the first store terminal device 50.
[0016] Figures 2 and 3 are sequence diagrams illustrating the general flow of electronic payments. There may be two patterns for electronic payments: Pattern 1 and Pattern 2.
[0017] In the case of Pattern 1 shown in Figure 2 (hereinafter referred to as User Scan), the user terminal device 10, with the payment application 20 running, decodes the store code image 60 using its optical reading function (S1). The store code image 60 contains information about the store URL (Uniform Resource Locator). This store URL is an electronic payment service domain to which information that can identify the store has been added, and is associated with the merchant ID and store ID, etc., at the payment server 100 (described later). The payment application 20 sends the first payment information, including the store URL and account ID, to the payment server 100 (S2). The payment server 100 searches for store information (described later) from the merchant ID and store ID corresponding to the store URL, obtains the merchant name and store name information (S3), and sends it to the payment application 20 (S4). The user enters the payment amount into the user terminal device 10 on the screen where the merchant name and store name are displayed (S5). The user terminal device 10 then generates second payment information, including at least the payment amount, and sends it to the payment server 100 (S6). The payment server 100 performs electronic payment based on the received second payment information (S7). The payment server 100 then sends a payment completion notification (information for displaying the payment completion screen) to the payment application 20 (S8), and the payment application 20 displays the payment completion screen (S9). If the store code image 60 is displayed on a display placed in the store, the store code image 60 may include payment amount information as well as the store URL. In this case, the procedure for the user to enter the payment amount is omitted, and the payment amount information is included in the first payment information and sent to the payment server 100. Merchant name and store name information may be included and displayed on the payment completion screen.
[0018] In the case of Pattern 2 shown in Figure 3 (hereinafter referred to as Store Scan), when the payment app 20 is launched, when a payment operation is performed in the payment app 20, when it is time for an automatic update (for example, every minute), and at other times, the payment app 20 sends a request to the payment server 100 to issue a one-time code (S11). The payment server 100 generates a one-time code (S12) and sends it to the payment app 20 (S13). The payment app 20 displays a code image such as a QR code or barcode that was generated based on the one-time code (S14). The user holds the display surface of the user terminal device 10 over the first store terminal device 50 (presents it), and the first store terminal device 50 decodes the code image using its optical reading function and obtains the one-time code, etc. (S15). Then, the first store terminal device 50 generates payment information including the one-time code, payment amount, merchant ID, store ID, etc., and sends it to the payment server 100 (S16). The payment amount information is obtained in advance by barcode scanning or manual input. Based on the received information, the payment server 100 identifies the user corresponding to the one-time code and performs the electronic payment (S17). The payment server 100 then sends a payment completion notification to the payment app 20 (S18), and the payment app 20 displays a payment completion screen (S19).
[0019] Furthermore, electronic payment may be performed using only one of the above patterns. Also, the "account ID" explained in Figure 2 may be other information that can be used as user identification information (for example, a phone number). In addition, the issuance of a one-time code may be omitted during store scanning, and the payment app 20 may display a code image generated based on the user's account ID. In that case, the payment server 100 will identify the user corresponding to the account ID instead of identifying the user corresponding to the one-time code.
[0020] [Payment Server Functional Configuration] Figure 4 is a diagram of the configuration of the payment server 100. The payment server 100 includes, for example, a communication unit 110, a content provision unit 120, a payment processing unit 130, an information management unit 140, and a storage unit 170. Components other than the communication unit 110 and the storage unit 170 are realized, for example, by a hardware processor such as a CPU executing a program (software). Some or all of these components may be realized by hardware (including circuitry) such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), GPU (Graphics Processing Unit), and SOC (System On Chip), or by the cooperation of software and hardware. The program may be stored in advance on a storage device such as an HDD (Hard Disk Drive) or flash memory (a storage device equipped with a non-transient storage medium), or it may be stored on a removable storage medium such as a DVD or CD-ROM (a non-transient storage medium) and installed on the storage device when the storage medium is inserted into the drive device.
[0021] The storage unit 170 can be an HDD, flash memory, RAM (Random Access Memory), etc. The storage unit 170 may also be a NAS (Network Attached Storage) device that the payment server 100 can access via the network. The storage unit 170 stores information such as user information 172, content information 174, merchant / store information 176, and authentication result information 270 (described later). Some of this information may also be stored in the storage unit of the user terminal device 10. Details of each piece of information will be described later.
[0022] The communication unit 110 is a communication interface for connecting to a network NW. The communication unit 110 is, for example, a network interface card.
[0023] The content provider unit 120, for example, has the functionality of a web server and provides information (content) for displaying various screens of the electronic payment service to the user terminal device 10. The content provider unit 120 reads the necessary content from the content information 174 as appropriate and provides it to the user terminal device 10. The user terminal device 10 accepts various inputs from the user while the content is being played by the payment application 20 and transmits the aforementioned payment information to the payment server 100. The above content may also be generated by the payment application 20. In this case, the content provider unit 120 provides the payment application 20 with the information necessary for generating the content.
[0024] The payment processing unit 130 performs payment processing based on payment information transmitted by the user terminal device 10 or the first store terminal device 50. The payment processing unit 130 performs payment processing while referring to the user information 172.
[0025] [User information] Figure 5 shows an example of the contents of User Information 172. User Information 172 is an example of user registration information. User Information 172 includes, for example, user URL, account ID, telephone number, password, as well as information such as email address, user ID, name, address, date of birth, registration date, charge balance, credit payment settings, credit payment limit, credit payment amount, available credit payment amount, payment method settings, bank account, credit card number, charge history information, and payment history information. The user URL is used for money transfer processing between users. When registering for a new electronic payment service, registration of a telephone number and password is mandatory. The account ID is issued to the user by the payment server 100, and the user ID is an ID that the user can set at will (or does not have to set). Similarly, the email address and name, address, and date of birth are also information that the user can set at will (or does not have to set). The registration date is the date the user registered for the electronic payment service (the date the account was created). Hereafter, the user instance (electronic payment account) to which this information is associated will be referred to as an account.
[0026] The charge balance is information indicating the balance of electronic money set by the user by sending money to their account in advance. Methods of sending money include sending from an ATM (Automatic Teller Machine) of a designated provider (bank) and sending from a registered bank account. The credit payment setting indicates whether or not the user has completed the settings to enable electronic payments via credit card using the payment app 20, and is set to either "Completed" or "Not Completed". The credit payment limit is the monthly limit for available credit payments, the credit payment amount is the amount already used for credit payments in the current month, and the available credit payment amount is the amount available for credit payments in the current month, calculated by subtracting the credit payment amount from the credit payment limit. While the diagram shows only one credit payment limit, in reality there are also daily limits, and the lower of these may be set as the credit payment limit. Further details on credit payments will be described later. The payment method setting indicates whether the user will use electronic payment with the charge balance or payment by credit card at that time. The bank account and credit card number information, respectively, refers to the bank account or credit card number (account number, card number) to which funds can be deposited into the electronic payment service. The charge history information is a record of when the user has previously sent money to the electronic payment service to increase the charge balance. The payment history information shows the details of each payment made by the user (date and time, store ID of the store where the purchase was made, payment amount, payment method, etc.).
[0027] [Franchise / Store Information] Figure 6 shows an example of the contents of the merchant / store information 176. The merchant / store information 176 includes, for example, a first table 176A in which the merchant ID and store ID are associated with the store URL, a second table 176B in which the merchant name and sales amount (as described above) are associated with the merchant ID, and a third table 176C in which the store name is associated with the store ID. In addition to this information, the merchant / store information 176 may also include information such as the merchant or store category, the store's location, and payment patterns.
[0028] The Information Management Unit 140 acquires information provided by other server devices, terminal devices, and the card server 400. Based on the information acquired from the user terminal device 10 and the second store terminal device 70, the Information Management Unit 140 manages user information 172 and merchant / store information 176. The Information Management Unit 140 performs operations such as adding, editing, and deleting new records for user information 172 and merchant / store information 176.
[0029] [Electronic payment] When the payment processing unit 130 obtains payment information from the user terminal device 10 or the first store terminal device 50, it refers to the user information 172 to obtain the user's "payment method setting". For users whose "payment method setting" is set to "charge balance", the payment processing unit 130 performs electronic payment as follows: For example, the payment processing unit 130 performs electronic payment by decreasing the charge balance, which is managed in association with the user ID, and increasing the value of the merchant's sales proceeds item. For example, the value of the merchant's sales proceeds item is not used as electronic money itself, but rather the amount corresponding to the value of the sales proceeds item is transferred to the bank account in a cycle according to the agreement between the merchant and the electronic payment service.
[0030] The payment processing unit 130 performs electronic payment as follows for users whose "settings information" is set to "credit payment (credit payment using code information)". Credit payment is a payment method that is carried out in cooperation with a credit card company, which is a separate entity from the operator of the electronic payment service. The operator of the electronic payment service acts as the donor and allows electronic payment that does not depend on the charge balance within the credit payment limit. In order to use the credit payment service, it may be required to obtain a credit card provided by the operator of the electronic payment service. The amount used by credit payment is settled in a lump sum for the month on the payment date of the following month, for example, by withdrawal from a bank account. In this case, the payment processing unit 130 performs a provisional settlement by adding the settlement amount to the amount used by credit payment and subtracting the same amount from the available credit payment limit. When the closing date arrives, it processes the payment for the current month to be withdrawn on the payment date of the following month as described above, or requests the operator of the credit card company to perform the said process. If the settlement amount exceeds the available credit payment limit at the time of provisional settlement, an error notification is sent back to the payment app 20.
[0031] [Card Server] Figure 7 is a diagram of the configuration of the card server 200. The card server 200 is, for example, a server device managed by the issuer of credit card C. The card server 200 includes, for example, a communication unit 210, an authentication processing unit 220, and a storage unit 250. The authentication processing unit 220 is implemented, for example, by a hardware processor such as a CPU executing a program (software). Some or all of these components may be implemented by hardware (including circuitry) such as LSIs, ASICs, FPGAs, GPUs, and SOCs, or by the cooperation of software and hardware. The program may be stored in advance in a storage device such as an HDD or flash memory (a storage device with a non-transient storage medium), or it may be stored in a removable storage medium such as a DVD or CD-ROM (a non-transient storage medium) and installed in the storage device when the storage medium is mounted in a drive device.
[0032] The storage unit 250 can be an HDD, flash memory, RAM, etc. The storage unit 250 may also be a NAS device accessible by the card server 200 via a network. The storage unit 250 stores information such as authentication information 260 and authentication result information 270. Some of this information may also be stored in the storage unit of the user terminal device 10. Details of the authentication information 260 will be described later.
[0033] The communication unit 210 is a communication interface for connecting to a network NW. The communication unit 110 is, for example, a network interface card.
[0034] The authentication processing unit 220 performs a first authentication process and a second authentication process (details will be described later). The authentication processing unit 220 may perform either the first authentication process or the second authentication process.
[0035] [Authentication Information] Figure 8 shows an example of the contents of authentication information 260. Authentication information 260 stores, for example, a write password, code information (one-time code), and credit card information in association with each other.
[0036] Credit card information may include, for example, the credit card number and / or the security code. In addition to the above, credit card information may also include the user's name and expiration date. Credit card information is not limited to information that can identify the credit card. Code information is information used for authentication that is stored in the storage unit C4 of credit card C. The write password is the password that the payment application 20 uses to write the code information to the storage unit C4. Authentication information 260 may also include a URL (for example, a one-time URL: one-time Uniform Resource Locator) in addition to this information.
[0037] [overview] This embodiment relates to credit card authentication. Credit card authentication verifies whether the credit card belongs to a user who is authorized to use it.
[0038] [Credit Card] Credit card C includes a circuit unit C1 as shown in Figure 1. The circuit unit C1 is, for example, an integrated circuit chip (IC chip). The circuit unit C1 includes, for example, a communication unit C2, a control unit C3, and a storage unit C4. The communication unit C2 communicates with the communication unit of the user terminal device 10. As a result, the circuit unit C1 communicates with the payment application 20 to send and receive information. The control unit C3 works in cooperation with, for example, the communication unit C2 and the storage unit C4 to perform communication-related processing, information reading processing, and information writing processing. The storage unit C4 reads stored information and writes information to store information.
[0039] The memory unit C4 stores information related to credit cards, code information, etc. For example, information processing between the circuit unit C1 and the payment application 20 uses a predetermined format (e.g., NDEF: NFC Data Exchange Format). The code information is, for example, a one-time code that changes with each authentication process, as described later, but is not limited to this. This one-time code is written using a write password, as described later. The one-time code is information written in a different area from the EMV area where, for example, the credit card number (credit card identification information) and expiration date are written.
[0040] Credit card information is an example of "related information." Credit card number (credit card identification information) and / or security code are other examples of "related information." Information different from related information (for example, information different from the card number and security code) is authentication information. For example, code information is an example of "authentication information."
[0041] Related information is stored in the first memory area of memory unit C4. Authentication information is stored in a second memory area of memory unit C4, which is different from the first memory area. The first memory area is a basic area designated for storing credit card numbers and other information in credit card payments, such as the EMV area. The second memory area is a different area from the first memory area, and is, for example, an extended area where desired information can be stored. The information stored in the second memory area (code information) is information stored in the second memory area that is not provided to the user.
[0042] [Overview of Authentication Process] The payment app 20 has an electronic payment wallet function that manages multiple electronic payment methods and enables electronic payments using the payment method selected by the user. The payment app 20 may also be an application program that omits the above-described electronic payment function and has the wallet function.
[0043] When a credit card C to be used for payment is brought close to the user terminal device 10, the payment application 20 uses the communication unit of the user terminal device 10 to wirelessly communicate with the communication unit C2 included in the credit card C and the communication unit C2 of the circuit unit C1, which includes the storage unit C4 where the information is stored. The payment application 20 obtains information about the credit card C (related information) and code information used for authenticating the credit card C (authentication information such as a one-time code). The payment application 20 sends the information about the credit card C and the code information (authentication information) to the card server 200 to perform authentication, and based on the authentication result obtained from the card server 200, it determines whether or not to associate the credit card C with the payment application 20.
[0044] The authentication performed by the card server 200 described above may be an authentication process using a one-time code, as described later, or it may be any other authentication process. In the authentication process, it is sufficient that the information stored in the second memory area is used for authentication, and the content of the authentication is not limited.
[0045] When the payment application 20 obtains a positive authentication result from the card server 200, it associates and manages information about credit card C (such as the credit card number and security code) with the payment application 20. This allows credit card C to be managed as an electronic payment method selectable in the payment application 20's wallet function. The payment application 20 then executes the electronic payment using credit card C when the user selects a payment method using credit card C. This enables the user to make electronic payments using credit card C within the wallet function.
[0046] Figure 9 shows an example of a scenario in which authentication processing takes place. When a user brings credit card C close to the user terminal device 10, the payment application 20 works in cooperation with the card server 200, as described later, to perform authentication processing for credit card C. If authentication is successful, the payment application 20 registers credit card C as a credit card C that can be used with the wallet function. The payment application 20 then displays screen IM1 on the display unit of the user terminal device 10, which contains information indicating that credit card C has been registered as a payment method.
[0047] After registration, the user operates the payment app 20 to activate the wallet function and display screen IM2. Screen IM2 displays a list of electronic payment methods registered in the wallet function. When the user selects the registered credit card C from the list, the payment app 20 uses the information about the credit card C it manages to execute the electronic payment. For example, the payment app 20 communicates wirelessly with a terminal device installed in the store to provide information about credit card C and execute the electronic payment.
[0048] When registering credit card C, authentication may begin even before the payment app 20 is launched, as described above. For example, when registering credit card C, authentication may begin after launching the payment app 20 and performing the prescribed operations, or logging into the payment app 20 may be a condition for starting the authentication process.
[0049] The authentication process may also be performed, for example, when the user terminal device 10 is replaced. For example, if the user terminal device 10 is replaced and the wallet function of the payment application 20 is available on this user terminal device 10, the payment application 20 may request the user to re-authenticate. For example, the payment application 20 may notify the user of information indicating that re-authentication is required on the display unit, or information indicating that the user should bring credit card C closer to the user terminal device 10. When the user brings credit card C closer to the user terminal device 10, the payment application 20 may perform the authentication process in cooperation with the card server 200, and if authentication is successful, make credit card C available for use with the wallet function.
[0050] The authentication process may be performed after credit card C has been registered in the wallet function. In addition to the above, the authentication process may also be performed when the service content of credit card C changes. For example, the payment application 20 may perform the above authentication process when it receives notification from the card server 200, with or without the payment server 100, that a change in the service has occurred. A change in the service may be a change in the amount of payment that can be made with credit card C (such as an increase in the upper limit). In this case, the display unit of the user terminal device 10 will show that re-authentication is required, and the user will be requested to bring credit card C closer to the user terminal device 10. For example, it may be performed at predetermined intervals, or it may be performed when the payment application 20 receives an instruction from the card server 200 to perform the authentication process.
[0051] The authentication process may be executed when a pre-set condition is met when using credit card C. The pre-set condition may be, for example, attempting to use credit card C for a predetermined payment (e.g., payment of a predetermined amount or payment at a predetermined store). The pre-set condition may also be that a predetermined use of an electronic payment service occurs, such as charging an electronic payment service using credit card C.
[0052] In addition, in the following processes, the processes that the card server 200 would normally execute may be executed by the payment server 100, and the processes that the payment server 100 would normally execute may be executed by the card server 200. The payment application 20 may also send and receive various information with the card server 200 via the payment server 100.
[0053] [Explanation of Authentication Process] The payment application 20 performs either or both of the following: a first authentication process using a written password, and a second authentication process using a one-time code. Figure 10 is a diagram illustrating the authentication process.
[0054] (First authentication process) (0) The first one-time code is written to credit card C (storage unit C4) using the first write password, and information related to credit card C is also stored there. (1) When a credit card C is brought close to the user terminal device 10, the payment application 20 uses the communication unit of the user terminal device 10 to wirelessly communicate with the communication unit C2 included in the credit card C and the circuit unit C1 which includes a storage unit C4 that can write information using a write password (setting password) that has been set when writing information.
[0055] The payment application 20 communicates with credit card C to obtain information about credit card C and sends the obtained information about credit card C to the card server 200. At this time, the first one-time code (code information) obtained along with the information about credit card C may also be sent to the card server 200. The payment application 20 obtains a first write password associated with the information about credit card C from the card server 200. The payment application 20 obtains the first write password from the card server 200.
[0056] (Second authentication process) (2) The payment application 20 obtains the first one-time code (one-time code) stored in the memory unit C4. The payment application 20 sends the obtained first one-time code to the payment server 100 and requests a second authentication process to determine whether the first one-time code matches the one-time code associated with the information of credit card C. The payment server 100 determines whether the one-time code in the user's authentication information 173 matches the first one-time code and performs authentication. In this process, authentication is considered to have been successful.
[0057] (3) After the first and second authentication processes, the payment server 100 issues a second write password and a second one-time code. The payment server 100 manages the second write password and the second one-time code in the authentication information 173, associating them with the user's identification information or information related to credit card C. (4) The payment app 20 uses the issued second write password to write the second one-time code to the memory unit C4 of credit card C. (5) As a result, the second one-time code is written to the memory unit C4 of credit card C in place of the first one-time code. The write password required for writing becomes the second write password.
[0058] As described above, security is enhanced by the execution of the first and second authentication processes. For example, security is improved because the one-time code and the write password are changed with each authentication process.
[0059] If the above authentication is successful, the payment app 20 or card server 200 registers that credit card C is a credit card that can be used with the wallet function. In this case, for example, the payment app 20 or card server 200 manages information about credit card C, such as the number and security code of credit card C, by associating it with the identification information of the user terminal device 10, the payment app 20, or the user's identification information, and further associating it with information indicating that the wallet function is available. The information about credit card C may be information obtained by the payment app 20 from the storage unit C4, information obtained by manual input by the user, or information obtained by imaging credit card C.
[0060] The first and second authentication processes will be explained in detail below. Figure 11 is a sequence diagram focusing on the second authentication process. Figure 12 is a sequence diagram focusing on the first authentication process.
[0061] Figure 11 is a sequence diagram showing an example of the flow of processing (second authentication process) performed by the electronic payment system. The memory unit C4 of credit card C stores a one-time code written using a write password. Assume that the user brings credit card C close to the user terminal device 10 in order to register credit card C with the wallet function.
[0062] The payment application 20 retrieves information about credit card C and a one-time code stored in the storage unit C4 of credit card C (S100), and transmits the retrieved information about credit card C and the one-time code to the card server 200 (S102). Next, the card server 200 retrieves the information about credit card C and the one-time code transmitted by the payment application 20 (S104).
[0063] Next, the card server 200 determines whether the authentication of the one-time code has been successful (S106). For example, the card server 200 determines whether the one-time code associated with the information of credit card C stored in the authentication information 260 matches the acquired one-time code, and if they match, it determines that authentication has been successful. This process is an example of the process in which "the server device refers to the information associated with the related information and the authentication information stored in the storage unit, and authenticates the correspondence between the related information and the authentication information transmitted from the application program." The card server 200 may also notify the payment application 20 of the result of the process.
[0064] If authentication fails, the card server 200 performs a second process (S108). This second process may include, for example, notifying the payment application 20 that authentication failed, or suspending the use of credit card C. The above authentication may also be performed by the payment application 20. In this case, the payment application 20 obtains a one-time code associated with information about credit card C from the card server 200.
[0065] Next, the card server 200 stores the authentication result in its storage unit (S109). For example, the card server 200 stores the information about credit card C in association with the authentication result. This makes it possible to verify the authentication result for each user retrospectively.
[0066] Figure 12 is a sequence diagram showing an example of the flow of processing (first authentication process) performed by the electronic payment system. In Figure 12, the user is holding (tapping) credit card C close to the user terminal device 10, and the credit card C and the payment application 20 are in a state where communication is possible.
[0067] The payment application 20 sends a request to the card server 200 to send a write password along with information about credit card C (S150). Next, the card server 200 receives the information about credit card C and the request for the write password (S152). Next, the card server 200 refers to the authentication information 260 to obtain the write password associated with the information about credit card C and sends the obtained write password to the payment application 20 (S154). The write password may also be held in the user terminal device 10.
[0068] The payment app 20 obtains the transmitted write password (S156). The user taps / brings credit card C close to the user terminal device 10 (S158).
[0069] Next, the payment application 20 verifies the validity of the write password (S160). For example, the payment application 20 checks whether it can write information to the storage unit C4 using the write password (performs an authentication process to determine whether the write password is the set password). Next, the payment application 20 determines whether the validity has been verified (S162). If the validity cannot be verified, the payment application 20 performs the first process (S164). If the payment application 20 has performed the process to verify validity a predetermined number of times but has been unable to verify validity, as the first process, it displays on the display unit of the user terminal device 10 that the authentication of credit card C could not be verified, or notifies the card server 200 that the validity could not be verified. The card server 200 may also suspend the use of credit card C in response to the notification from the payment application 20.
[0070] If legitimacy is confirmed, the payment application 20 notifies the card server 200 of information indicating that legitimacy has been confirmed (S166). Next, the card server 200 stores the authentication result in its memory unit (S167). For example, the card server 200 stores information about credit card C in association with the authentication result. This makes it possible to retrospectively verify the authentication results for each user.
[0071] The card server 200 generates authentication result information 270 that associates information about credit card C with the authentication results, as described above. Figure 13 shows an example of authentication result information 270. Authentication result information 270 is information that shows the result of the first authentication process and the result of the second authentication process for each credit card (information about the credit card).
[0072] For example, if the second authentication process is successful and the first authentication process fails, it is possible that the IC chip on credit card C has been forged. For example, it is possible that the one-time code for credit card C has been illegally obtained, and a forged IC chip with this one-time code written to it is being used. As described above, by storing the results of the first and second authentication processes, the legitimacy of credit card C can be managed.
[0073] The card server 200 determines whether the card (credit card C) used by the user is counterfeit based on the authentication result information 270. For example, the card server 200 generates authentication result information 270 that associates the results of the first authentication process and the second authentication process with information about credit card C (or user identification information), and determines whether it is counterfeit by referring to the generated authentication result information 270. If the card server 200 determines that it is counterfeit, it may notify the terminal device of the credit card administrator of an alert. For example, the card server 200 may generate a blacklist by referring to the authentication result information 270. For example, a credit card for which the second authentication process in the authentication result information 270 is successful but the first authentication process fails may be blacklisted as a counterfeit credit card C. In this way, the card server 200 can perform blacklist management using the authentication process and the results of the authentication process.
[0074] Figure 14 is a sequence diagram showing an example of the processing flow for a new one-time code and a new write password. In the sequence diagram of Figure 12, after authentication is successful, the card server 200 issues a new one-time code and a new write password, and sends the issued new one-time code and new write password to the payment application 20 (S180).
[0075] The payment application 20 obtains the new one-time code and new write password transmitted in S180, and uses the new write password to write the new one-time code to the storage unit C4 for storage (S182). At this time, the payment application 20 may, if necessary, control the storage unit C4 to a writable state using the write password obtained in S156 of Figure 12, and write the new one-time code using the new write password. If it is not necessary to use the write password obtained in S156 of Figure 12, the payment application 20 writes the new one-time code to the storage unit C using the new write password. Through this process, the storage unit C4 of the credit card C stores the new one-time code (S184). The issuance of the new one-time code or write password described above may be performed by the payment application 20. The payment application 20 may obtain the new one-time code or write password from the card server 200, or it may generate it itself. This one-time code and write password are also shared with the card server 200.
[0076] Next, the payment application 20 determines whether the process of writing a new one-time code was successful (S186). If the process is unsuccessful, the payment application 20 executes a third process (S188). The third process is, for example, the payment application 20 displaying on the display unit of the user terminal device 10 that authentication of credit card C could not be confirmed, or notifying the card server 200 that the process was unsuccessful. The card server 200 may also suspend the use of credit card C in response to the notification from the payment application 20.
[0077] If the process is successful, the payment application 20 sends information to the card server 200 indicating that the process was successful (S190). Next, the card server 200 receives the information indicating that the process was successful, executes the fourth process, and notifies the payment application 20 that the authentication process is complete (S192). The fourth process is the process in which the card server 200 registers a new one-time code and a new write password in the authentication information 260. The card server 200 may overwrite the one-time code and write password registered in the authentication information 260 with a new one-time code and a new write password, or it may register the new one-time code and a new write password as the one-time code and a new write password to be used in the future. The new one-time code and a new write password may be registered in the authentication information 260 after the process of S180 described above. This new one-time code and a new write password are information that will be used in the next authentication process after the said authentication process.
[0078] Furthermore, the fourth process may include a process in which the card server 200 confirms or confirms that both (or one) of the first and second authentication processes have been completed, and that the authentication process for credit card C has been completed.
[0079] When the payment application 20 receives notification from the card server 200 that the authentication process has been completed, it displays information indicating that the authentication process has been completed on the display unit of the user terminal device 10 (S194). For example, information indicating that the credit card C has been registered in the wallet function is displayed. This completes one routine of the authentication process, and in the next authentication process, the newly registered one-time code and new write password are used to execute the first and second authentication processes.
[0080] As described above, electronic payment systems can improve security by performing either or both of the first and second authentication processes.
[0081] [Variations in the order of processing] The second authentication process may be executed after the first authentication process. Figure 15 is a sequence diagram centered on the first authentication process, and Figure 16 is a sequence diagram centered on the second authentication process.
[0082] [Sequence Diagram (1)] Figure 15 is a sequence diagram showing an example of the flow of processing (first authentication process) performed by the electronic payment system. The memory unit C4 of credit card C stores a one-time code written using a write password. Assume that the user brings credit card C close to the user terminal device 10 in order to register credit card C with the wallet function. At this time, information about credit card C (and the one-time code) is acquired by the payment application 20.
[0083] The payment application 20 sends a request to the card server 200 to send a write password along with information about credit card C (S150). A one-time code may also be sent at this time. Next, the card server 200 receives the information about credit card C and the request for the write password (S152). Next, the card server 200 refers to the authentication information 260 to obtain the write password associated with the information about credit card C and sends the obtained write password to the payment application 20 (S154). The write password may be stored in the user terminal device 10.
[0084] The payment app 20 obtains the transmitted write password (S156). The user taps / brings credit card C close to the user terminal device 10 (S158).
[0085] Next, the payment application 20 verifies the validity of the write password (S160). For example, the payment application 20 checks whether it can write information to the storage unit C4 using the write password. Next, the payment application 20 determines whether or not the validity has been verified (S162). If the validity cannot be verified, the payment application 20 executes the first process (S164). If the payment application 20 has performed the process of verifying validity a predetermined number of times but has not been able to verify the validity, as the first process, it displays on the display unit of the user terminal device 10 that the authentication of credit card C could not be verified, or notifies the card server 200 that the validity could not be verified. The card server 200 may also suspend the use of credit card C in response to the notification from the payment application 20.
[0086] If legitimacy is confirmed, the payment application 20 notifies the card server 200 of information indicating that legitimacy has been confirmed (S166). This process may be omitted. In this case, the card server 200 may recognize that legitimacy has been confirmed when the one-time code described in Figure 16 is transmitted. The process in S167 may also be performed as described above.
[0087] Figure 16 is a sequence diagram showing another example of the flow of processing (second authentication process) performed by the electronic payment system. In Figure 16, the user has tapped credit card C on the user terminal device 10, and credit card C and the payment application 20 are in a state where they can communicate.
[0088] The payment application 20 retrieves the one-time code stored in the memory unit C4 of the credit card C (S100) and sends the retrieved one-time code to the card server 200 (S102). Next, the card server 200 retrieves the one-time code sent by the payment application 20 (S104). At this time, information about the credit card C or other identification information is attached to the one-time code and sent in association with it. The other identification information is information to identify that the one-time code corresponds to the request information in S150 of Figure 15. Also, if a one-time code has been sent in S150 of Figure 15, the processing in S100-S104 may be omitted.
[0089] Next, the card server 200 determines whether the one-time code authentication is successful (S106). The card server 200 determines, for example, whether the one-time code associated with the information about credit card C stored in the authentication information 260 matches the acquired one-time code, and if they match, determines that authentication is successful. If authentication fails, the card server 200 performs a second process (S108). The second process may, for example, notify the payment application 20 that authentication has failed or suspend the use of credit card C. The above authentication may also be performed by the payment application 20. In this case, the payment application 20 obtains a one-time code associated with the information about credit card C.
[0090] If authentication is successful, the card server 200 issues a new one-time code and a new write password, and sends the issued new one-time code and new write password to the payment application 20 (S180).
[0091] The payment application 20 obtains the new one-time code and new write password transmitted in S180, and uses the new write password to write the new one-time code to the storage unit C4 for storage (S182). At this time, the payment application 20 may, if necessary, control the storage unit C4 to a writable state using the write password obtained in S156 of Figure 15, and write the new one-time code using the new write password. If it is not necessary to use the write password obtained in S156 of Figure 15, the payment application 20 writes the new one-time code to the storage unit C using the new write password. Through this process, the storage unit C4 of the credit card C stores the new one-time code (S184). The issuance of the new one-time code or write password described above may be performed by the payment application 20. The payment application 20 may obtain the new one-time code or write password from the card server 200, or it may obtain it itself.
[0092] Next, the payment application 20 determines whether the process of writing a new one-time code was successful (S186). If the process is unsuccessful, the payment application 20 executes a third process (S188). The third process is, for example, the payment application 20 displaying on the display unit of the user terminal device 10 that authentication of credit card C could not be confirmed, or notifying the card server 200 that the process was unsuccessful. The card server 200 may also suspend the use of credit card C in response to the notification from the payment application 20.
[0093] If the process is successful, the payment application 20 sends information to the card server 200 indicating that the process was successful (S190). Next, the card server 200 receives the information indicating that the process was successful, executes the fourth process, and notifies the payment application 20 that the authentication process is complete (S192). The fourth process is the process in which the card server 200 registers a new one-time code and a new write password in the authentication information 260. The card server 200 may overwrite the one-time code and write password registered in the authentication information 260 with a new one-time code and a new write password, or it may register the new one-time code and new write password as the one-time code and new write password to be used in the future. The new one-time code and new write password may be registered in the authentication information 260 after the process of S160 described above. This new one-time code and new write password are information to be used in the next authentication process after the said authentication process.
[0094] Furthermore, the fourth process may include a process in which the card server 200 confirms or confirms that both (or one) of the first and second authentication processes have been completed, and that the authentication process for credit card C has been completed.
[0095] When the payment application 20 receives notification from the card server 200 that the authentication process has been completed, it displays information indicating that the authentication process has been completed on the display unit of the user terminal device 10 (S194). For example, information indicating that credit card C has been registered in the wallet function is displayed. This completes one routine of the authentication process, and in the next authentication process, the newly registered one-time code and new write password are used to execute the first and second authentication processes.
[0096] Furthermore, in the first and second authentication processes described above, the processes performed by the payment application 20 may be performed by the card server 200, and the processes performed by the card server 200 may be performed by the payment application 20. For example, as mentioned above, the verification of the validity of the write password may be performed by the card server 200. For example, the determination of the one-time code match and the issuance of a new one-time code and a new write password may be performed by the payment application 20. In addition, some or all of the authentication information 260 may be held in the user terminal device 10.
[0097] For example, when a card to be used for payment is brought close to the user terminal device 10, the payment application 20 uses the communication unit of the user terminal device 10 to wirelessly communicate with the communication unit of the card and the communication unit of the circuit unit including the storage unit where the information is stored, and obtains related information and authentication information associated with the card. The payment application 20 may refer to the information stored in the storage unit of the user terminal device 10 that associates the related information and the authentication information, authenticate the correspondence between the obtained related information and the authentication information, and determine whether or not to associate the card with the application program based on the result of the authentication.
[0098] Either the first or second authentication process described above may be omitted. For example, the second authentication process may be omitted, and the first authentication process may be executed. In this case, the process of determining whether the one-time code matches or issuing a new one-time code is omitted.
[0099] As described above, electronic payment systems can improve security by performing either or both of the first and second authentication processes.
[0100] [Differentiation] In addition to the one-time code, the memory unit C4 of credit card C may also store a URL (for example, a one-time URL: one-time Uniform Resource Locator).
[0101] Figure 17 is a diagram illustrating the processing of a modified example. (0#) Credit card C (storage unit C4) stores information about credit card C, and also has a first one-time URL and a first one-time code written to it using a first write password. When credit card C is tapped on the user terminal device 10, the user terminal device 10 reads the first one-time URL and accesses the destination of the first one-time URL. For example, the user terminal device 10 may access the card server 200, or it may access the payment application 20 as in this process.
[0102] (0##) The user terminal device 10, for example, reads the first one-time URL, launches the payment application 20 installed on the user terminal device 10, and displays the specified interface screen. If the user is not logged into the payment application 20, the payment application 20 displays a login screen on the display unit and prompts the user to log in. If the user is already logged in, the payment application 20 executes the first authentication process and the second authentication process.
[0103] The first authentication process in (1) and the second authentication process in (2) are the same as the process shown in Figure 10 above.
[0104] (3#) After the first and second authentication processes, the card server 200 issues a second write password, a second one-time URL, and a second one-time code. The card server 200 manages the second one-time URL, the second write password, and the second one-time code in the authentication information 260, associating them with information about credit card C. (4#) The payment application 20 uses the issued second write password to write the second one-time URL and second one-time code to the memory unit C4 of credit card C. (5) As a result, the memory unit C4 of credit card C will be filled with the second one-time code and the second one-time URL instead of the first one-time code and the first one-time URL.
[0105] The above example explains the use of a write password in the first authentication process. However, instead of (or in addition to) the write password, a read password for reading information stored in the memory unit C4 may be used, or any other password set for the circuit unit C may be used. If a read password is used, the first authentication process may be deemed successful if either or both of the credit card information and the one-time code can be read. If the above information cannot be read, the second authentication process cannot be performed. Therefore, the second authentication process is executed only when the first authentication process is successful (when the information can be read).
[0106] In the above process, it may be a condition that the user is logged in to and using the payment application 20, or even if this condition is not met, if the user is logged in, the user information registered with the payment server 100 may be provided to the card server 200, and the card server 200 may use the user information for authentication. For example, it may be determined whether the user's name matches the name registered with the payment server 100 and the name registered with the card server 200.
[0107] Furthermore, although the above example describes the use of a payment application 20 for an electronic payment service for authentication processing, the application program is not limited to the payment application 20, and other application programs may also perform the processing of this embodiment.
[0108] According to the embodiments described above, when a card used for payment is brought close to a terminal device equipped with the computer, the computer uses the communication unit of the terminal device to wirelessly communicate with the communication unit of the circuit unit including the communication unit and the storage unit where the information is stored, to obtain related information related to the card and authentication information used for authenticating the card, transmits the related information and authentication information to a server device to perform the authentication, and determines whether or not to associate the card with an application program based on the authentication result obtained from the server device, thereby improving security.
[0109] Although embodiments for carrying out the present invention have been described above using examples, the present invention is not limited in any way to these embodiments, and various modifications and substitutions can be made without departing from the spirit of the present invention. [Explanation of Symbols]
[0110] 10. User terminal device 20 Payment Apps 100 Payment Servers 120 Content Provision Department 130 Payment Processing Unit 140 Information Management Department 200 card servers 220 Authentication Processing Unit 260 Authentication Information 270 Authentication Result Information
Claims
1. On the computer, When a card used for payment is brought close to a terminal device equipped with the computer, the communication unit of the terminal device is used to wirelessly communicate with the communication unit included in the card and the communication unit of the circuit unit including the storage unit where the information is stored. The system obtains related information associated with the card and authentication information used to authenticate the card. The server device is instructed to transmit the relevant information and the authentication information to perform the authentication, and based on the authentication result obtained from the server device, it is instructed to determine whether or not to associate the card with the application program. Application program.
2. The aforementioned related information is either or both of the card number and the card's security code. The aforementioned authentication information is different from the card number and security code. The application program according to claim 1.
3. The aforementioned related information is information stored in the first storage area of the storage unit, The authentication information is information stored in a second storage area different from the first storage area of the storage unit. The application program according to claim 1.
4. The aforementioned application program manages multiple electronic payment methods and enables electronic payments using the payment method selected by the user. To the aforementioned computer, When a positive authentication result is obtained from the server device, the relevant information of the card is associated with the application program and managed accordingly. When the user selects a payment method using the card and makes an electronic payment, the electronic payment is executed using the relevant information. An application program according to any one of claims 1 to 3.
5. The aforementioned card is either a credit card or a debit card. An application program according to any one of claims 1 to 3.
6. The server device is a server device that manages the card, The aforementioned related information and authentication information are transmitted to the server device via a service server that provides services in cooperation with the application program, or without going through the service server. The application program according to claim 5.
7. The memory unit of the circuit can write information using a set password that is configured when writing information. On the computer, The server device is made to obtain a write password associated with the relevant information. An authentication process is executed to determine whether the aforementioned write password is the configured password. Based on the authentication result obtained from the server device and the result of the authentication process for the write password, the system determines whether or not to associate the card with the application program. An application program according to any one of claims 1 to 3.
8. The application program described in claim 1, The server device comprises, The server device refers to the information stored in the memory unit, which associates the related information with the authentication information, authenticates the correspondence between the related information and the authentication information transmitted from the application program, and transmits the authentication result to the application program. Information processing system.
9. On the computer, When a card used for payment is brought close to a terminal device equipped with the computer, the communication unit of the terminal device is used to wirelessly communicate with the communication unit included in the card and the communication unit of the circuit unit including the storage unit where the information is stored. The system obtains related information associated with the card and authentication information used to authenticate the card. The system references the information that associates the related information stored in the memory unit with the authentication information, and authenticates the correspondence between the acquired related information and the authentication information. Based on the authentication result, determine whether or not to associate the card with the application program. Application program.
10. When an application program is brought close to a terminal device equipped with the computer, it uses the communication unit of the terminal device to wirelessly communicate with the communication unit included in the card and the communication unit of the circuit unit including the storage unit where the information is stored, and obtains related information and authentication information associated with the card from the application program. The system refers to the information stored in the memory unit that associates the related information with the authentication information, authenticates the correspondence between the related information and the authentication information transmitted from the application program, and transmits the authentication result to the application program. Server device.
11. Computers When a card used for payment is brought close to a terminal device equipped with the computer, the communication unit of the terminal device is used to wirelessly communicate with the communication unit included in the card and the communication unit of the circuit unit including the storage unit where the information is stored. The system obtains related information associated with the card and authentication information used to authenticate the card. The server device is instructed to transmit the relevant information and the authentication information to perform the authentication, and based on the authentication result obtained from the server device, it is instructed to determine whether or not to associate the card with the application program. Information processing methods.
12. Computers When a card used for payment is brought close to a terminal device equipped with the computer, the communication unit of the terminal device is used to wirelessly communicate with the communication unit included in the card and the communication unit of the circuit unit including the storage unit where the information is stored. The system acquires related information associated with the card and authentication information used to authenticate the card. The system references the information that associates the related information stored in the memory unit with the authentication information, and authenticates the correspondence between the acquired related information and the authentication information. Based on the authentication result, it is determined whether or not to associate the card with the application program. Information processing methods.
13. Computers When an application program is brought close to a terminal device equipped with the computer, it uses the communication unit of the terminal device to wirelessly communicate with the communication unit of the card and the communication unit of the circuit unit including the storage unit where the information is stored, and retrieves the relevant information related to the card and the card itself from the application program. The system refers to the information stored in the memory unit that associates the related information with the authentication information, authenticates the correspondence between the related information and the authentication information transmitted from the application program, and transmits the authentication result to the application program. Information processing methods.