[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN115994760A - Method and device for realizing third party payment service - Google Patents

Method and device for realizing third party payment service Download PDF

Info

Publication number
CN115994760A
CN115994760A CN202310282051.7A CN202310282051A CN115994760A CN 115994760 A CN115994760 A CN 115994760A CN 202310282051 A CN202310282051 A CN 202310282051A CN 115994760 A CN115994760 A CN 115994760A
Authority
CN
China
Prior art keywords
server
merchant
party payment
payment
challenge
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310282051.7A
Other languages
Chinese (zh)
Other versions
CN115994760B (en
Inventor
施尚成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202310282051.7A priority Critical patent/CN115994760B/en
Publication of CN115994760A publication Critical patent/CN115994760A/en
Application granted granted Critical
Publication of CN115994760B publication Critical patent/CN115994760B/en
Priority to PCT/CN2023/137961 priority patent/WO2024193119A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Engineering & Computer Science (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the specification provides a method and a device for realizing a third party payment service. The method implemented in the merchant server comprises: receiving a ordering request sent by a merchant client; obtaining currently available challenge questions; determining answer content corresponding to the currently available challenge questions; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server; generating a payment request carrying the response content; and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server. The embodiment of the specification can improve the security of the third party payment service.

Description

Method and device for realizing third party payment service
Technical Field
One or more embodiments of the present disclosure relate to network information technology, and in particular, to a method and apparatus for implementing a third party payment service.
Background
The third party payment is a network payment mode that a third party payment server with a certain strength and credit guarantee is used as a third party outside the two transaction parties and facilitates the two transaction parties to conduct transactions by being in butt joint with the Unionpay or the Internet.
In a third party payment service, in order to improve security, a mutual trust mechanism of a third party payment server and a merchant relies on an asymmetric encryption algorithm, specifically, a data sender in the third party payment server and the merchant, such as the merchant, needs to sign a service request by using its own private key, such as the merchant needs to sign a payment request by using its own private key, and a receiver, such as a payment service providing platform, should use a public key of the other party to check and sign to authenticate the identity of the two parties. However, the disclosure of the private key often occurs at present, so that the security of the third party payment service is greatly reduced, for example, an attacker steals the private key of the merchant and then acts as a legal merchant server to send a fake service information request (such as a request of transferring money, refund, downloading bill, etc.) to the third party payment server, and finally causes the funds loss and privacy leakage of the merchant and the end user thereof.
Disclosure of Invention
One or more embodiments of the present disclosure describe a method and an apparatus for implementing a third party payment service, which can improve security of the third party payment service.
According to a first aspect, there is provided a method for implementing a third party payment service, where the method is applied to a merchant server, and includes: receiving a ordering request sent by a merchant client;
Obtaining currently available challenge questions;
determining answer content corresponding to the currently available challenge questions; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server;
generating a payment request carrying the response content;
and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server.
Among the challenges that are currently available include:
and determining the challenge question carried in the information which is last sent to the merchant server by the third party payment server as the currently available challenge question.
Wherein after the signed payment request is sent to the third party payment server, further comprising:
receiving a back-end payment notification carrying a challenge question sent by the third party payment server; obtaining the next available challenge question from the backend payment notification;
determining answer content corresponding to the next available challenge questions;
generating a service information request carrying the response content;
and signing the business information request carrying the response content by using the private key of the merchant, and then sending the signed business information request to a third-party payment server.
Wherein the order request is an order request in an n+1th transaction processed by the third party payment server and corresponding to the merchant server; wherein N is a positive integer;
the challenge questions and their corresponding response content include: and the third party payment server processes information in the first N transactions corresponding to the merchant server.
Wherein the challenge problem includes: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
Wherein, in each transaction processed by the third party payment server and corresponding to the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
Correspondingly, the response content corresponding to the challenge question comprises: an IP address used by the merchant server in the second transaction.
According to a second aspect, there is provided a method for implementing a third party payment service, where the method is applied to a third party payment server, and includes:
receiving a payment request sent by a merchant server;
signature verification is carried out on the payment request by utilizing the public key of the merchant;
after the signature verification is successful, obtaining response content from the payment request;
determining currently available challenge questions corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server;
verifying the response content using the determined challenge questions;
if the answer content verification is successful, the payment process is performed.
Wherein said determining currently available challenge questions corresponding to the answer content comprises:
and determining the challenge question carried in the information which is last sent to the merchant server by the third party payment server as the currently available challenge question corresponding to the response content.
Wherein the payment processing includes: the third party payment server sends a back-end payment notification carrying a challenge question to the merchant server;
After the payment processing, further comprising:
receiving a business information request sent by a merchant server;
signature verification is carried out on the business information request by utilizing the public key of the merchant;
after the signature verification is successful, obtaining response content from the service information request;
and verifying the response content obtained from the service information request by using the challenge question carried in the back-end payment notice, and providing the service requested by the service information request for the merchant server after the response content is verified successfully.
Wherein the payment request is a payment request processed by the third party payment server in an n+1th transaction corresponding to the merchant server; wherein N is a positive integer;
the challenge questions and the corresponding response contents thereof comprise: and the third party payment server processes information in the first N transactions corresponding to the merchant server.
Wherein the challenge problem includes: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
Correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
Wherein, in each transaction processed by the third party payment server and corresponding to the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
correspondingly, the response content corresponding to the challenge question comprises: and the IP address used by the merchant server in the second transaction.
According to a third aspect, there is provided an implementation apparatus of a third party payment service, where the apparatus is applied to a merchant server, and includes: the ordering request receiving module is configured to receive an ordering request sent by a merchant client;
a challenge question determination module configured to obtain a currently available challenge question;
a response content determination module configured to determine response content corresponding to the currently available challenge question; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server;
A payment request processing module configured to generate a payment request carrying the answer content; and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server.
According to a fourth aspect, there is provided an implementation apparatus of a third party payment service, where the apparatus is applied to a third party payment server, including:
the payment request receiving module is configured to receive a payment request sent by a merchant server;
the signature verification module is configured to verify the signature of the payment request by using the public key of the merchant;
the response content acquisition module is configured to acquire response content from the payment request after the signature verification is successful;
a challenge question acquisition module configured to determine a currently available challenge question corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server;
a challenge and response verification module configured to verify the response content using the determined challenge questions;
and the payment processing module is configured to perform payment processing if the challenge and response verification module is successful in verifying the response content.
According to a fifth aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements a method as described in any of the embodiments of the present specification.
The method and the device for realizing the third party payment service provided by the embodiments of the present specification have at least the following beneficial effects after being singly or respectively combined:
1. in the embodiment of the present disclosure, the challenge question and its corresponding response content are shared between the merchant server and the third party payment server, that is, the attacker cannot obtain the challenge question and/or the response content corresponding to the challenge question. Therefore, the embodiment of the specification utilizes the information difference between the attacker and the normal merchant, so that the security of the third-party payment server to the merchant authentication service is enhanced, and the third-party payment service cannot be performed by the counterfeited merchant even if the attacker steals the private key of the merchant, thereby greatly improving the security of the third-party payment service.
2. In the embodiment of the specification, authentication operation is performed on the third party payment service from two different dimensions, one dimension is signature verification based on public and private keys, and the other dimension is verification based on a challenge/response mechanism, so that the security of the third party payment service is greatly improved.
3. In the embodiment of the specification, the challenge question and the response content can be generated by using the information in the historical transaction of the merchant server processed by the third-party payment server, so that the third-party payment server and the merchant server can share the challenge question and the response content, and on the other hand, the attacker can be ensured to hardly or even cannot obtain the challenge question and the response content.
4. In the embodiment of the specification, a pair of challenge questions and response contents are generated by using the mapping relation between the external order number and the internal order number in one transaction, or a pair of challenge questions and response contents are generated by using the dynamic IP address used by the merchant server in one transaction, so that the method and the device are more in line with the characteristics of the three-party payment protocol and are easy for service realization.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a system architecture to which one embodiment of the present description applies.
Fig. 2 is a flowchart of a method for implementing a third party payment service applied to a merchant server in one embodiment of the present description.
Fig. 3 is a flowchart of a method for implementing a third party payment service applied to a third party payment server in one embodiment of the present disclosure.
Fig. 4 is a flow chart of a method of implementing a third party payment service in one embodiment of the present description.
Fig. 5 is a schematic structural diagram of an implementation device of a third party payment service applied to a merchant server according to an embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of an implementation apparatus of a third party payment service applied to a third party payment server in one embodiment of the present disclosure.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
It is first noted that the terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
For ease of understanding the methods provided in this specification, a description of the system architecture to which this specification relates and applies is first provided. As shown in fig. 1, the system architecture mainly includes four network nodes: a merchant client (corresponding to the merchant App in fig. 1), a merchant server, a third party payment platform application (corresponding to the platform App in fig. 1), and a third party payment server.
The method, the device and the system for realizing the third party payment service provided by the embodiment of the specification can be applied to various transaction scenes using the third party payment protocol. For example, business scenario 1: the merchant is a supermarket, and the user needs to pay by using a payment device when shopping in the supermarket, so referring to fig. 1, the merchant App can be a selling application program of the supermarket installed on a sales terminal (i.e., a POS machine), the merchant server can be a server of the supermarket, the platform App can be an application program of the payment device, and the third party payment server can be a server of the payment device. For another example, business scenario 2: the merchant is a merchant registered on the online shopping website, the user purchases the commodity of the merchant on the shopping website and needs to pay by using a payment device, so, referring to fig. 1, the merchant App can be a selling application program of the online shopping website, the merchant server can be a server of the online shopping website, the platform App can be an application program of the payment device, and the third party payment server can be a server of the payment device.
It should be understood that the number of merchant apps, merchant servers, platform apps, and third party payment servers in fig. 1 are merely illustrative. Any number may be selected and deployed as desired for implementation.
In the embodiments of the present disclosure, the processing methods in the merchant server and the third party payment server are mainly modified, and therefore, the following description will be made by using different embodiments.
Fig. 2 is a flowchart of a method for implementing a third party payment service applied to a merchant server in one embodiment of the present description. It will be appreciated that the method may be performed by any apparatus, device, platform, cluster of devices, having computing, processing capabilities. Referring to fig. 2, the method includes:
step 201: the merchant server receives an order request sent by a merchant client.
Step 203: the merchant server gets the challenge question currently available.
Step 205: the merchant server determining answer content corresponding to the currently available challenge questions; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server.
Step 207: the merchant server generates a payment request carrying the response content.
Step 209: the merchant server signs the payment request carrying the response content by using the private key of the merchant, and then sends the signed payment request to the third-party payment server.
Fig. 3 is a flowchart of a method for implementing a third party payment service applied to a third party payment server in one embodiment of the present disclosure. It will be appreciated that the method may be performed by any apparatus, device, platform, cluster of devices, having computing, processing capabilities. Referring to fig. 3, the method includes:
step 301: the third party payment server receives a payment request sent by the merchant server.
Step 303: the third party payment server verifies the signature of the payment request using the merchant's public key.
Step 305: and after the signature verification of the third-party payment server is successful, obtaining response content from the payment request.
Step 307: the third party payment server determines currently available challenge questions corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server.
Step 309: the third party payment server verifies the answer content using the determined challenge questions.
Step 311: and if the third party payment server successfully verifies the response content, performing payment processing.
According to the method of the embodiment of the present disclosure shown in fig. 2 and fig. 3, in the implementation of the third party payment service, the existing three-party payment protocol flow is modified by means of a challenge/response manner, and when the merchant server sends a request to the third party payment server, the request carries response content corresponding to the challenge question sent before the third party payment server, and the challenge question and its corresponding response content are shared only in the merchant server and the third party payment server, that is, an attacker cannot obtain the challenge question and/or the response content corresponding to the challenge question. Therefore, the embodiment of the specification utilizes the information difference between the attacker and the normal merchant, so that the security of the third-party payment server to the merchant authentication service is enhanced, and the third-party payment service cannot be performed by the counterfeited merchant even if the attacker steals the private key of the merchant, thereby greatly improving the security of the third-party payment service.
The method shown in fig. 2 and 3 will be described in detail with reference to specific examples.
Step 201 is first performed: the merchant server receives an order request sent by a merchant client.
Here, if a purchase instruction for one commodity is input on the merchant client, the merchant server receives an order request sent from the merchant client.
Step 203 is next performed: the merchant server gets the challenge question currently available.
In one embodiment of the present disclosure, the third party payment server carries a challenge each time it sends a message to the merchant server; the merchant server carries a response content each time a message is sent to the third party payment server. In this way, in a round of interaction from the third party payment server to the merchant server and then from the merchant server to the third party payment server, a pair of interaction of challenge questions and response contents can be completed, so that verification based on a challenge/response mechanism can be realized.
One challenge question corresponds to one answer content. In each round of interaction of the third party payment server with the merchant server, the challenge questions and their corresponding response content typically used in one round of interaction are preferably not the same as the challenge questions and their corresponding response content used in the other round of interaction. Of course, the method of the embodiment of the present specification can be implemented even if the challenge questions and the corresponding response contents of each round of use are the same.
Thus, in this step 203, the merchant server may determine the challenge question carried in the information that the third party payment server last issued to the merchant server as the currently available challenge question, which is referred to as challenge question 1 for ease of description. Wherein the information may be a message or data, etc.
Step 205 is next performed: the merchant server determines response content 1 corresponding to the currently available challenge question 1; the challenge question 1 and its corresponding response content 1 are shared only by the third party payment server and the merchant server.
The specific content of the challenge questions and the specific content of the response are one important factor in security. In the present description embodiment, the content of each challenge question may be specified by a third party payment server with some unpredictability. Typically, an attacker cannot break the merchant server, although he can steal the private key of the merchant, that is, he cannot obtain the context of the merchant in a three-party payment protocol, such as historical transaction information. Thus, in one embodiment of the present disclosure, the third party payment server may trust the historical previous M transactions of the merchant server, in which the third party payment server and the merchant server do not need to perform verification based on the challenge question and the response content, and there may be no challenge/response requirement in the corresponding request and response; but the response sent by the third party payment server to the merchant server in the mth transaction contains 1 challenge question, and the merchant server is required to carry response content corresponding to the challenge question in the next sent request. In each transaction from the (m+1) th transaction, the third party payment server can take relevant information in each historical transaction before the merchant server as a challenge question, and accordingly, response content to the challenge question is relevant information in the historical transaction. M is a positive integer, and the value of M can be set according to the service requirement such as the security level, and the higher the security level is, the smaller the value of M is.
Assuming that the order request in step 201 is an order request in the n+1th transaction of the corresponding merchant server processed by the third party payment server; then challenge question 1 in step 203 and answer content 1 in step 205 may include: information in the first N transactions, such as information in the first transaction, etc., processed by the third party payment server corresponding to the merchant server. Wherein N is a positive integer.
As described above, the specific content of each pair of challenge questions and the specific content of the response may be information in the historical transaction of the merchant server processed by the third party payment server, and the specific implementation may include the following two ways:
the first mode is to use the external order number and the internal order number in one transaction historically as the challenge question and the corresponding response content respectively.
In this one mode, the challenge problem includes: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
Correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
In the three-party payment protocol, for each transaction, the merchant server generates an internal order number, and the third-party payment server generates an external order number, where the two order numbers point to the same transaction and have a mapping relationship. The attacker cannot obtain the two order numbers, but the merchant server and the third party payment server may share the two order numbers, which may be used as a hidden knowledge shared by the third party payment server and the merchant server. Therefore, based on such characteristics, in the first embodiment, the challenge question and the response content are obtained by using the mapping relation existing in the history transaction.
And secondly, obtaining the challenge problem and corresponding response content by utilizing the dynamic IP address used by the merchant server.
In the second mode, considering that the merchant server is usually deployed at the cloud, the IP address used by the merchant server is a dynamic value, so that the dynamic IP can be used as a hidden knowledge shared by the third party payment server and the merchant server, that is, the challenge question and the response content are obtained by using the dynamic IP.
Specifically, in the second mode, in each transaction processed by the third party payment server and corresponding to the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
correspondingly, the response content corresponding to the challenge question comprises: and the IP address used by the merchant server in the second transaction.
Next, for steps 207 to 209: and the merchant server generates a payment request carrying the response content 1, signs the payment request carrying the response content 1 by using a private key of the merchant, and then sends the signed payment request to a third party payment server.
The steps 301 to 311 are then performed. Referring to the above description of steps 201 to 209, accordingly, in steps 301 to 311, the challenge question is a challenge question 1, the answer content is an answer content 1, and the specific implementation procedure of step 307 includes: and determining the challenge question 1 carried in the information which is last sent to the merchant server by the third party payment server as a currently available challenge question corresponding to the response content.
In step 311, the payment processing performed by the third party payment server includes: and the third party payment server sends a back-end payment notification carrying the challenge question to the merchant server.
Then, the merchant server receives a back-end payment notification carrying a challenge question sent by the third party payment server; the next available challenge questions are derived from the back-end payment notification, and the merchant server may determine response content corresponding to the next available challenge questions. For example, the next available challenge question (referred to as challenge question 2 for ease of description) may be an external order number in the second transaction generated by the third party payment server, and the response content (referred to as response content 2 for ease of description) corresponding to the next available challenge question may be an internal order number in the second transaction generated by the merchant server.
Next, if the merchant server needs to obtain the corresponding business service from the third party payment server, such as transferring money, refunding, downloading bill, etc., the merchant server performs the following steps: the merchant server generates a service information request carrying response content 2; the merchant server signs the service information request carrying the response content by using the private key of the merchant, and then sends the signed service information request to the third-party payment server.
Accordingly, if the third party payment server receives the service information request, the third party payment server performs the steps of: the third party payment server uses the public key of the merchant to carry out signature verification on the service information request; after the signature verification is successful, obtaining response content 2 from the service information request; and verifying the response content 2 obtained from the service information request by using the challenge question 2 carried in the back-end payment notification, namely verifying whether the response content 2 and the response content are order numbers in the same transaction with a mapping relation, and providing service requested by the service information request for the merchant server after the verification is successful, for example, realizing the services of transferring accounts, refunds, downloading bills and the like to the merchant server.
In the embodiment of the specification, the interactive flow and the processing operation of the challenge/response are newly added in the three-party payment protocol, and can be realized through the back-end SDK (Software Development Kit ) of the third-party payment server, so that the access modification cost to merchants is lower.
The following describes a flowchart of a method for implementing the third party payment service by cooperation of the parties in an embodiment of the present specification through processing performed by cooperation of the parties in the implementation system of the third party payment service shown in fig. 1. Referring to fig. 1 and 4, the method includes:
Step 401: the merchant App sends a request for ordering a transaction to the merchant server. Such as the order request being an order request for the 100 th transaction of the merchant server.
Step 403: aiming at the challenge question 1 carried in the response message sent last time by the third party payment server, the merchant server obtains the response content 1 corresponding to the challenge question 1.
The contents of challenge question 1 carried in the last sent response message are: the external order number in transaction 2 is historic. Then, in step 403, the response content 1 obtained by the merchant server is: the internal order number in transaction 2 is historic.
Step 405: the merchant server generates an internal order number for the transaction and falls into a repository, and carries the resulting response content 1 in the payment request, and signs the payment request using the merchant's private key.
Step 407: and the merchant server sends the signed payment request to the merchant App.
Step 409: and the merchant App sends the received payment request to the platform App.
Step 411: the platform App sends the received payment request to a third party payment server.
Step 413: the third party payment server verifies the signature of the payment request by using the public key of the merchant, and if the signature verification is successful, the response content 1 in the payment request is verified by using the challenge question 1 sent to the merchant server last time.
Step 415: after the answer content 1 is successfully verified, the third party payment server sends a front-end payment notification to the platform App.
Step 417: the third party payment server carries the challenge question 2 for the next time and the external order number corresponding to the transaction in the back-end payment notice, signs the back-end payment notice by using the private key of the third party payment server, and then sends the back-end payment notice to the merchant server.
Step 419: and the merchant server performs signature verification on the back-end payment notice by using the public key of the third-party payment server, changes the state of the order after verification is successful, and stores the external order number and the challenge question 2.
Step 421: the platform App returns a front-end payment notification to the merchant App.
Step 423: the merchant App sends a query order status request to the merchant server.
Step 425: the merchant server returns status information of the order to the merchant App.
Step 427: when the merchant server needs a service, the merchant server generates a service information request for requesting the service, carries response content 2 corresponding to the challenge question 2 sent last time by the third party payment server in the service information request, and signs the service information request by using a private key of the merchant.
Step 429: and the merchant server sends the signed service information request to a third-party payment server.
Step 431: and the third party payment server performs signature verification on the received service information request by using the public key corresponding to the merchant, and after verification is successful, the third party payment server verifies the response content 2 carried in the service information request by using the challenge question 2 sent last time.
Step 433: after the answer content 2 is successfully verified, the third party payment server sends a business response to the merchant server, the business response provides the requested business service to the merchant server, and the business response carries the challenge question 3 for the next time.
In one embodiment of the present disclosure, there is provided an apparatus for implementing a third party payment service, where the apparatus is applied to a merchant server, referring to fig. 5, the apparatus includes:
an order request receiving module 501 configured to receive an order request sent by a merchant client;
a challenge question determination module 502 configured to obtain a currently available challenge question;
a answer content determination module 503 configured to determine answer content corresponding to the currently available challenge questions; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server;
A payment request processing module 504 configured to generate a payment request carrying the answer content; and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server.
In one embodiment of the present specification apparatus shown in fig. 5, the challenge question determination module 502 is configured to determine a challenge question carried in information last sent by the third party payment server to the merchant server as the currently available challenge question.
In one embodiment of the apparatus of the present specification shown in fig. 5, it may further include: a business service request module (not shown in fig. 5);
a business service request module configured to perform:
receiving a back-end payment notification carrying the next challenge question sent by the third-party payment server; obtaining the next available challenge question from the backend payment notification;
determining answer content corresponding to the next available challenge questions;
generating a service information request carrying the response content;
and signing the business information request carrying the response content by using the private key of the merchant, and then sending the signed business information request to a third-party payment server.
An embodiment of the present disclosure proposes an implementation apparatus for a third party payment service, where the apparatus is applied to a third party payment server, see fig. 6, and the apparatus includes:
a payment request receiving module 601 configured to receive a payment request sent from a merchant server;
a signature verification module 602 configured to verify the payment request with a public key of the merchant;
a response content acquisition module 603 configured to obtain response content from the payment request after the signature verification is successful;
a challenge question obtaining module 604 configured to determine a currently available challenge question corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server;
a challenge and response verification module 605 configured to verify the response content using the determined challenge questions;
the payment processing module 606 is configured to perform payment processing by the payment processing module 606 if the challenge and response verification module 605 verifies the response content successfully.
In the embodiment of the present description apparatus shown in fig. 6, the challenge question obtaining module 604 is configured to determine a challenge question carried in the information that the third party payment server last issued to the merchant server as a currently available challenge question corresponding to the answer content.
In the embodiment of the apparatus of the present specification shown in fig. 6, further comprising: a service providing module (not shown in fig. 6);
the payment processing module 606 is configured to send back-end payment notifications carrying the next challenge questions to the merchant server;
the service providing module is configured to perform:
receiving a business information request sent by a merchant server;
signature verification is carried out on the business information request by utilizing the public key of the merchant;
after the signature verification is successful, obtaining response content from the service information request;
and verifying the response content obtained from the service information request by using the challenge question carried in the back-end payment notice, and providing the service requested by the service information request for the merchant server after the verification is successful.
In one embodiment of the apparatus of the present specification shown in fig. 5 and 6, the order request is an order request in an n+1th transaction corresponding to the merchant server, which is processed by the third party payment server; wherein N is a positive integer;
the challenge questions and the corresponding response contents thereof comprise: and the third party payment server processes information in the first N transactions corresponding to the merchant server.
In one embodiment of the apparatus of the present specification shown in fig. 5 and 6, the challenge problem includes: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
In one embodiment of the apparatus of the present specification shown in fig. 5 and 6, in each transaction processed by the third party payment server and corresponding to the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
correspondingly, the response content corresponding to the challenge question comprises: and the IP address used by the merchant server in the second transaction.
An embodiment of the present specification provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of the embodiments of the specification.
An embodiment of the present specification provides a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, performs a method of any of the embodiments of the present specification.
It should be understood that the structures illustrated in the embodiments of the present specification do not constitute a particular limitation on the apparatus of the embodiments of the present specification. In other embodiments of the specification, the apparatus may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, a pendant, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (15)

1. The method for realizing the third party payment service is applied to a merchant server and comprises the following steps: receiving a ordering request sent by a merchant client;
obtaining currently available challenge questions;
determining answer content corresponding to the currently available challenge questions; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server;
Generating a payment request carrying the response content;
and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server.
2. The method of claim 1, wherein the obtaining the currently available challenge questions comprises:
and determining the challenge question carried in the information which is last sent to the merchant server by the third party payment server as the currently available challenge question.
3. The method of claim 1, wherein after the sending the signed payment request to a third party payment server, further comprising:
receiving a back-end payment notification carrying a challenge question sent by the third party payment server; obtaining the next available challenge question from the backend payment notification;
determining answer content corresponding to the next available challenge questions;
generating a service information request carrying the response content;
and signing the business information request carrying the response content by using the private key of the merchant, and then sending the signed business information request to a third-party payment server.
4. A method according to any one of claims 1 to 3, wherein the order request is an order request in an n+1th transaction corresponding to the merchant server, processed by the third party payment server; wherein N is a positive integer;
The challenge questions and their corresponding response content include: and the third party payment server processes information in the first N transactions corresponding to the merchant server.
5. The method of claim 4, wherein the challenge question comprises: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
6. The method of claim 4, wherein the IP address used by the merchant server is a dynamic IP address in each transaction processed by the third party payment server corresponding to the merchant server;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
Correspondingly, the response content corresponding to the challenge question comprises: an IP address used by the merchant server in the second transaction.
7. The method for realizing the third party payment service is applied to a third party payment server and comprises the following steps:
receiving a payment request sent by a merchant server;
signature verification is carried out on the payment request by utilizing the public key of the merchant;
after the signature verification is successful, obtaining response content from the payment request;
determining currently available challenge questions corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server;
verifying the response content using the determined challenge questions;
if the answer content verification is successful, the payment process is performed.
8. The method of claim 7, wherein the determining currently available challenge questions corresponding to the answer content comprises:
and determining the challenge question carried in the information which is last sent to the merchant server by the third party payment server as the currently available challenge question corresponding to the response content.
9. The method of claim 7, wherein the conducting payment processing comprises: the third party payment server sends a back-end payment notification carrying a challenge question to the merchant server;
After the payment processing, further comprising:
receiving a business information request sent by a merchant server;
signature verification is carried out on the business information request by utilizing the public key of the merchant;
after the signature verification is successful, obtaining response content from the service information request;
and verifying the response content obtained from the service information request by using the challenge question carried in the back-end payment notice, and providing the service requested by the service information request for the merchant server after the response content is verified successfully.
10. The method of any of claims 7 to 9, wherein the payment request is a payment request processed by the third party payment server in an n+1th transaction corresponding to the merchant server; wherein N is a positive integer;
the challenge questions and the corresponding response contents thereof comprise: and the third party payment server processes information in the first N transactions corresponding to the merchant server.
11. The method of claim 10, wherein the challenge question comprises: an external order number for the first transaction; wherein the first transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server; the external order number is an order number generated by the third party payment server for the first transaction;
Correspondingly, the response content corresponding to the challenge question comprises: an internal order number for the first transaction; wherein the internal order number is an order number generated by the merchant server for the first transaction.
12. The method of claim 10, wherein in each transaction processed by the third party payment server corresponding to the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge problems include: a question of an IP address used by the merchant server in a second transaction; wherein the second transaction is one of the first N transactions processed by the third party payment server and corresponding to the merchant server;
correspondingly, the response content corresponding to the challenge question comprises: and the IP address used by the merchant server in the second transaction.
13. The device for realizing the third party payment service is applied to a merchant server and comprises the following components: the ordering request receiving module is configured to receive an ordering request sent by a merchant client;
a challenge question determination module configured to obtain a currently available challenge question;
a response content determination module configured to determine response content corresponding to the currently available challenge question; the challenge questions and the corresponding response contents are shared by the third party payment server and the merchant server;
A payment request processing module configured to generate a payment request carrying the answer content; and signing the payment request carrying the response content by using the private key of the merchant, and then sending the signed payment request to a third-party payment server.
14. The device for realizing the third party payment service is applied to a third party payment server and comprises the following components:
the payment request receiving module is configured to receive a payment request sent by a merchant server;
the signature verification module is configured to verify the signature of the payment request by using the public key of the merchant;
the response content acquisition module is configured to acquire response content from the payment request after the signature verification is successful;
a challenge question acquisition module configured to determine a currently available challenge question corresponding to the answer content; the challenge question and the response content corresponding to the challenge question are only shared by the third party payment server and the merchant server;
a challenge and response verification module configured to verify the response content using the determined challenge questions;
and the payment processing module is configured to perform payment processing if the challenge and response verification module is successful in verifying the response content.
15. A computing device comprising a memory having executable code stored therein and a processor, which when executing the executable code, implements the method of any of claims 1-12.
CN202310282051.7A 2023-03-20 2023-03-20 Method and device for realizing third party payment service Active CN115994760B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310282051.7A CN115994760B (en) 2023-03-20 2023-03-20 Method and device for realizing third party payment service
PCT/CN2023/137961 WO2024193119A1 (en) 2023-03-20 2023-12-11 Implementation method and device for third-party payment service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310282051.7A CN115994760B (en) 2023-03-20 2023-03-20 Method and device for realizing third party payment service

Publications (2)

Publication Number Publication Date
CN115994760A true CN115994760A (en) 2023-04-21
CN115994760B CN115994760B (en) 2023-08-25

Family

ID=85993701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310282051.7A Active CN115994760B (en) 2023-03-20 2023-03-20 Method and device for realizing third party payment service

Country Status (2)

Country Link
CN (1) CN115994760B (en)
WO (1) WO2024193119A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024193119A1 (en) * 2023-03-20 2024-09-26 支付宝(杭州)信息技术有限公司 Implementation method and device for third-party payment service

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050256806A1 (en) * 2004-05-12 2005-11-17 Alan Tien Method and system to facilitate securely processing a payment for an online transaction
US20080222049A1 (en) * 2007-02-05 2008-09-11 First Data Corporation Digital Signature Authentication
WO2009002980A2 (en) * 2007-06-25 2008-12-31 Visa U.S.A. Inc. Cardless challenge systems and methods
CN103020825A (en) * 2012-12-05 2013-04-03 福建省派活园科技信息有限公司 Safety payment authentication method based on software client
US20140279522A1 (en) * 2013-03-15 2014-09-18 Mastercard International Incorporated Means of authenticating a consumer using demand deposit account data
US20150161366A1 (en) * 2013-12-09 2015-06-11 Mastercard International Incorporated Methods and systems for leveraging transaction data to dynamically authenticate a user
CN104767613A (en) * 2014-01-02 2015-07-08 腾讯科技(深圳)有限公司 Signature verification method, device and system
US20160140547A1 (en) * 2012-02-28 2016-05-19 Google Inc. System and method for providing transaction verification
US20190139039A1 (en) * 2016-04-05 2019-05-09 Samsung Electronics Co., Ltd. Electronic payment method and electronic device using id-based public key cryptography
US10819522B1 (en) * 2020-01-03 2020-10-27 BlockGen Corp. Systems and methods of authentication using entropic threshold
CN113379406A (en) * 2021-05-20 2021-09-10 大河(深圳)信息有限公司 Transaction method between merchant terminal and third-party payment platform
CN115760082A (en) * 2022-11-23 2023-03-07 中国银联股份有限公司 Digital payment processing method, device, equipment, system and medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12069182B2 (en) * 2018-09-12 2024-08-20 Visa International Service Association Checkout with MAC
CN115994760B (en) * 2023-03-20 2023-08-25 支付宝(杭州)信息技术有限公司 Method and device for realizing third party payment service

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050256806A1 (en) * 2004-05-12 2005-11-17 Alan Tien Method and system to facilitate securely processing a payment for an online transaction
US20080222049A1 (en) * 2007-02-05 2008-09-11 First Data Corporation Digital Signature Authentication
WO2009002980A2 (en) * 2007-06-25 2008-12-31 Visa U.S.A. Inc. Cardless challenge systems and methods
US20160140547A1 (en) * 2012-02-28 2016-05-19 Google Inc. System and method for providing transaction verification
CN103020825A (en) * 2012-12-05 2013-04-03 福建省派活园科技信息有限公司 Safety payment authentication method based on software client
US20140279522A1 (en) * 2013-03-15 2014-09-18 Mastercard International Incorporated Means of authenticating a consumer using demand deposit account data
US20150161366A1 (en) * 2013-12-09 2015-06-11 Mastercard International Incorporated Methods and systems for leveraging transaction data to dynamically authenticate a user
CN104767613A (en) * 2014-01-02 2015-07-08 腾讯科技(深圳)有限公司 Signature verification method, device and system
US20190139039A1 (en) * 2016-04-05 2019-05-09 Samsung Electronics Co., Ltd. Electronic payment method and electronic device using id-based public key cryptography
US10819522B1 (en) * 2020-01-03 2020-10-27 BlockGen Corp. Systems and methods of authentication using entropic threshold
CN113379406A (en) * 2021-05-20 2021-09-10 大河(深圳)信息有限公司 Transaction method between merchant terminal and third-party payment platform
CN115760082A (en) * 2022-11-23 2023-03-07 中国银联股份有限公司 Digital payment processing method, device, equipment, system and medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024193119A1 (en) * 2023-03-20 2024-09-26 支付宝(杭州)信息技术有限公司 Implementation method and device for third-party payment service

Also Published As

Publication number Publication date
WO2024193119A1 (en) 2024-09-26
CN115994760B (en) 2023-08-25

Similar Documents

Publication Publication Date Title
US11449862B2 (en) System and method using interaction token
US8239325B2 (en) Method and system to verify the identity of a user
CN107545419B (en) Remittance processing method, system and computer readable storage medium
US11924347B2 (en) Identity authentication and validation
US9582799B2 (en) Token based transaction authentication
US20210117944A1 (en) Alternative email-based website checkouts
US20180330342A1 (en) Digital asset account management
US20110099107A1 (en) Method for money transfer using a mobile device
US20240303635A1 (en) Token-based off-chain interaction authorization
CN101072384A (en) Mobile phone payment method and system based on mobile phone bank
CN111784347B (en) Resource transfer method and device
CN115994760B (en) Method and device for realizing third party payment service
CN111242614A (en) Wallet account asset retrieving method, collection guarantee method, equipment and storage medium
US20200242573A1 (en) Cryptographic transactions supporting real world requirements
US10762558B1 (en) System, method, and computer program for authorizing a payment using gesture data
US12106288B2 (en) Authentication system and method
US10592898B2 (en) Obtaining a signature from a remote user
WO2021121030A1 (en) Resource transfer method, settlement terminal, and server node
US12026714B2 (en) Payer-controlled payment processing
US20230070039A1 (en) Merchant universal payment identifier system
WO2024026220A1 (en) Systems and methods for transacting over a network
AU2015200688B2 (en) Token based transaction authentication
CN117132277A (en) Secure payment method, apparatus, electronic device and readable storage medium
WO2022159105A1 (en) Interaction channel balancing
CN113807830A (en) Aggregation payment method and device used in double off-line scene, receiving end and payment end

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant