
Method and System for Securing Electronic Payment Systems in Retail Stores

IP.com Disclosure Number: IPCOM000123860D
Original Publication Date: 1999-Jun-01
Included in the Prior Art Database: 2005-Apr-05
Document File: 5 page(s) / 183K

Publishing Venue

IBM

Related People

Prorock, T: AUTHOR

Abstract

Disclosed is a new method for securing EPS (Electronic Payment Systems) transactions in a retail store system. Conventional methods of securing EPS transaction data rely heavily on encryption. This encrypted data (e.g. credit card and PIN numbers) sent over a local area network is subject to data capture and open to possible decryption. The disclosed invention provides additional security to retail store systems by ensuring that the data contained in an EPS transaction is only received by the authorized file server attached to the store local area network. The disclosed solution prevents outside workstations connected to the store LAN from viewing/capturing packets containing the EPS information.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 36% of the total text.

Method and System for Securing Electronic Payment Systems in Retail
Stores

   Disclosed is a new method for securing EPS (Electronic
Payment Systems) transactions in a retail store system.  Conventional
methods of securing EPS transaction data rely heavily on
encryption.  This encrypted data (e.g. credit card and PIN numbers)
sent over a local area network is subject to data capture and open to
possible decryption.  The disclosed invention provides additional
security to retail store systems by ensuring that the data contained
in an EPS transaction is only received by the authorized file server
attached to the store local area network.  The disclosed solution
prevents outside workstations connected to the store LAN from
viewing/capturing packets containing the EPS information.  Simply
stated, the solution involves a network hub that contains packet
detection logic and station detection logic associated with each hub
port.  This logic is then used to determine which end stations will
be allowed to view packets containing EPS data.
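
   The hub behaviour described above, as an added illustration that is
not part of the original disclosure: a toy Python model in which each
port records the station attached to it and EPS frames are repeated
only to ports whose station is authorized.  The frame fields, the "EPS"
marker, the addresses and the fail-closed handling of silent ports are
assumptions, since the abbreviated text does not give the detection
rules.

```python
from dataclasses import dataclass, field
from typing import Optional

SERVER = "02:00:00:00:00:01"    # constructed address: authorized file server
TERMINAL = "02:00:00:00:00:10"  # constructed address: point-of-sale terminal
OTHER = "02:00:00:00:00:99"     # constructed address: unrelated workstation

@dataclass
class Frame:
    src: str
    dst: str
    proto: str       # assumption: frames carry a field that marks EPS traffic
    payload: bytes

@dataclass
class Port:
    station: Optional[str] = None              # set by station detection
    seen: list = field(default_factory=list)   # frames repeated to this port

class FilteringHub:
    def __init__(self, n_ports, authorized):
        self.ports = [Port() for _ in range(n_ports)]
        self.authorized = set(authorized)

    def send(self, in_port, frame):
        # Station detection: remember which address transmits on this port.
        self.ports[in_port].station = frame.src
        is_eps = frame.proto == "EPS"          # packet detection (assumed rule)
        for i, port in enumerate(self.ports):
            if i == in_port:
                continue
            # Fail closed: unknown or unauthorized stations never see EPS data.
            if is_eps and port.station not in self.authorized:
                continue
            port.seen.append(frame)

def demo():
    hub = FilteringHub(n_ports=4, authorized=[SERVER])
    # Ports: 0 terminal, 1 server, 2 workstation, 3 silent capture device.
    hub.send(1, Frame(SERVER, TERMINAL, "STORE", b"price update"))
    hub.send(2, Frame(OTHER, SERVER, "STORE", b"inventory query"))
    hub.send(0, Frame(TERMINAL, SERVER, "EPS", b"account#, PIN block, amount"))
    return [[f.proto for f in p.seen] for p in hub.ports]

if __name__ == "__main__":
    print(demo())
```

   Ordinary store traffic still reaches every port, while the EPS frame
is delivered only to the port on which the authorized server was
detected.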

   A problem exists today in many supermarket/retail store
applications in that valuable consumer information (e.g. credit card
information) is transmitted in the clear across the store LAN (Local
Area Network) during EPS (Electronic Payment Systems) transactions.

   The problem with this information being in the clear is
that Sniffers, or even PC programs, can capture and analyze the EPS
data contained in the packets that flow over the store local area
network.

   In a typical store system design, information from each
EPS transaction must be packaged in a message and sent along
communication lines to the EPS Server, which is an application that
runs on the Store Active File Server.  The EPS Server communicates
with the EPS host to authorize the transaction.  Data contained in
the transaction message includes this and other data:
  o  header info: date, time, merchant id, terminal id,
     operator id, and sequence #
  o  payment method
  o  transaction type
  o  account # and expiration date
  o  encrypted PIN block
  o  purchase amount
  o  total amount (includes cash back)

   Even the encrypted PINs in the above message could be
captured and fairly easily decrypted, resulting in fraudulent use of
the consumer's credit card.  This is evidenced by an Associated Press
article appearing in the 12/30/98 issue of USA Today, which reads:
"Last week, two industry groups -- the Internet Architecture Board and
the Internet Engineering Steering Group -- estimated that after an
initial purchase of equipment, hackers could break a 64 bit encrypted
message in less than a day for roughly $2,500 per message."

   Clearly, a more secure solution where the customer's
personal information is protected is desirable.

   Disclosed is a solution that results in a secure method to
transmit customers' EPS information and prevents outside
workstations connected to the store LAN from view...