TOKEN AND PAYMENT SYSTEM FIELD OF INVENTION
The present invention relates to a payment system utilising tokens. Tokens may take the form of decremental cards, "smart" cards, credit cards or other suitable means, adapted to represent a sum of money, which are to be used in place of conventional paper note or coin money. BACKGROUND OF THE INVENTION
Many automated payment systems have been devised, comprising a portable device (herein termed a "token") which includes some means of representing a number or numbers, said number(s) representing a sum of money. This token is presented to a suitable Reader Means, which having validated the token, reduces (or decrements) the stored amount by a suitable value, and then authorises some sale or service. An example is the magnetically encoded cards used in the United Kingdom for public telephones, where the "value" is encoded on a magnetic stripe. The telephone equipment adjusts this value downwards, as a call proceeds. When the card has been exhausted (i.e. the stored value has decremented to zero), a new card must be purchased.
Such a simple system is inherently suitable only for low-value applications, due to both the vulnerability to damage of the magnetic stripe, and the small effort required to re-write it with any other values desired (i.e. effecting fraudulent alteration).
More sophisticated implementations have incorporated a VLSI silicon "chip" in the token, together with suitable data communication means. Many systems have been proposed for communicating between such tokens and the associated reading apparatus, including direct electrical contacts [many patents to Moreno, et al ] , microwaves [e.g. U.S. 4,506,148], and magnetic induction [co-pending applications]. The first of these options has been used in a similar public-telephone card system, in France.
Naturally, in designing such tokens, care must be taken to make the fraudulent alteration of the stored value as difficult as possible. In some implementations, this is done by having a series of storage "cells", each representing an equal increment of value. Means are provided for cancelling such cells, but not for initially setting them (this being done at the factory). An example is the use of an array of microscopic "fuses" on a VLSI chip. When such fuse is blown (by the Reader Means), it cannot be restored. Such a system is described in U.S. 4,256,955, wherein the value stored is represented by a count of the number of fuse-sites remaining un-blown. DISCUSSION OF THE PRIOR ART
The principal disadvantage of such prior art techniques is that if other than a very small value is required, the number of storage cells becomes very large.
It would be much more efficient if the cells could be re-written, and used in a "weighted" manner, similar to the successive digits used to represent a number in ordinary arithmetic. As an example, using binary numbers, to store a value of $600.00, by steps of 1 cent, requires 60000 steps of value. Using a fuse array (or similar once-only device) would require 60000 fuses, one for each cent. Using ordinary binary numbers, a mere 16 bits suffices.
However, the presence of a means of resetting the storage cells, implies the risk of fraudulent resetting thereof. Other prior-art designs have employed a microprocessor chip in the token, to enforce suitable security measures against fraudulent alteration. Such chips add significantly to the cost of tokens. This is a serious drawback, since many applications seek to utilise the token as a minimal-cost, disposable item. The cost of microprocessor chips precludes this.
Faced as they are with the need for a large number of storage sites to accurately represent monetary values, some prior art systems have fallen back on a system in which
the storage sites represent instances of use of the token, rather than an actual cash value. In effect, the monetary unit adopted is the price of the service concerned. An example is the "Multi Rider" bus tickets used in Perth, Western Australia, which are good for a fixed number of journeys, rather than a given sum.
The disadvantage of this system is the cash loss which occurs to the system operator following a price increase, since all tokens then in circulation continue to provide service at the old rate. With cash, not services, as the unit of measure, it is merely necessary for the system operator to reprogram the readers to the new price. SUMMARY OF THE PRESENT INVENTION
The present invention discloses employment of a property of modular arithmetic to construct a store of value from which value can only be withdrawn, but never replaced.
It is an objective of the present invention, to provide a decremental token having re-writeable storage means, so gaining the above-described advantages of small size, which nevertheless is not susceptible to fraudulent alteration. The method used depends upon the application of certain properties of "modular" arithmetic (that is, arithmetic in which the computations are performed in a fixed number of digits, rather than, as in ordinary hand arithmetic, allowing the numbers as many digits as necessary). In the following description, binary (baεe-2) arithmetic will be used. However, this is to be understood as exemplary only; the invention may be executed in any number-base desired, as will be understood by those skilled in the relevant arts.
According to the present invention, there is provided a portable token including a storage means adapted to store a representation of a monetary value, wherein said monetary value is represented as the difference between the highest number that can be represented in said storage means and the monetary value actually intended to be represented.
Conveniently, the storage means is re-writeable such as an Electrically Erasable Programmable Read-only Memory EEPROM or the like.
According to a specific aspect of the invention, there is provided in the "token", as many storage bits as the baεe-2 logarithm of the maximum value is required to store. As in the earlier instance, 16 bits would suffice to represent $600.00 by steps of 1 cent (since 2 to the power
16 - 65536, or $655.36 by steps of $0.01).
There is further provided according to the invention, a buffer means, being adapted so as to receive data read from said storage means, or to present data to said storage means, to be written back thereto.
There is further provided an adder means, arranged to accept two numbers, one from said buffer means, and the other from the reader means aforesaid. The adder means is arranged to compute the binary sum (in ordinary binary arithmetic) of the two numbers presented, and to replace the sum so computed in said buffer means, replacing the number originally present. Alternatively, said adder means may receive its input numbers directly from said reader means and from said storage means, without the need to pass through said buffer means.
There is further provided an overflow detector means, so adapted as to record the presence or otherwise of a "carry" (in the usual arithmetic meaning of that term) from the most significant bits computed by said adder means.
As manufactured, said storage means shall contain binary zero. Value is represented as its binary complement, that is, if said storage means contains the binary number M, * N represented in N bits, the value so represented is 2 -M-l, in whatever monetary units have been chosen. It may be seen that the initially manufactured state represents a value of
2N-1 units.
The token is utilised by having said reader means present a value, Q, to said adder means, said value Q being
represented in ordinary arithmetic notation, not in the "complement" notation aforesaid. Said adder means then computes the sum of the number Q, and whatever value was previously stored in said storage means. Said sum is then placed in said buffer means.
If said overflow detector means does not detect a carry-out from the most-significant bit-position of said adder means, the new sum is written back to said storage means (replacing the number previously stored), and a signal
10 (A) is sent to said reader means, confirming this. If however, a carry-out was detected, the sum is not written to said storage means, but is discarded. A different signal, (B), is then sent to said reader means, informing it of this action.
15 Given the above action in regard to carry-out, it will be found that the ordinary operation of binary addition will ensure that the value represented in said storage means, can only be reduced, never increased. When the storage means holds its maximum binary value (i.e. all
20 ones), no further additions are possible, and the token is exhausted, i.e. its stored quantity represents zero value.
Equivalently, the system may be regarded as representing the stored value as the difference between the highest positive number which the storage means can accept
25 (in the binary case, all ones), and the value it is actually intended to represent. As an example, in 16-bit binary arithmetic, reckoning in cents, consider the following case: Highest value possible « $655.36
Binary: 1111,1111,1111,1111
30 Available credit «= $ 35.27
Binary: 0000,1101,1100,0111 Representation in store Binary: 1111,0010,0011,1000 Transaction charges = $ 17.05
Binary: 0000,0110,1010,1001 -t- Amount remaining after addition
Binary: 1111,1000,1110,0001 Difference from max. = $ 18.22
Binary: 0000,0111,0001,1110
Consider now an invalid transaction, where we attempt to withdraw more credit than is available. Value represented « $ 18.22
Binary: 1111,1000,1110,0001 Attempted charge « $ 22.34
Binary: 0000,1000,1011,1010 Result of addition Binary: 1,0000,0001,1001,1011
Observe how, in this illegal case, the result is too large to represent in 16 bits. When such a computation is performed on a practical 16-bit adder, the 17th bit appears in the carry circuit and serves, as described above, to invalidate the transaction.
Further, any attempt to "reduce" the stored value past zero, to a value numerically less (i.e. a larger monetary value) than its previous value, will likewise generate a carry-out, as will any attempt to "increment" the stored value by supplying a 2-s complement negative quantity from the reader means.
When the token is first issued, it is merely necessary to add to it a value such as to leave in the ■* storage means (which was manufactured as all-zero) whatever value it is desired to issue. This may either be done at the factory, or at the point-of-issue, as convenient.
In use, the "A" signal referred to above, may be understood by said reader means as confirming that the required amount of value has been issued, while signal "B indicates that the amount required exceeds the stored
"credit", or is otherwise invalid, and cannot be issued
VARIATIONS AND EXTENSIONS
Any of the well-known error control mechanisms (parity, cyclic-redundancy coding, etc.) may be applied to said storage means and/or to the communication channel to said reader means if desired, to reduce the risk of circuit failures falsely appearing as excessive stored "credit".
If desired, some form of personalisation may be added, to prevent a thief from utilising a stolen token.
This might comprise a further number stored in said storage means, which is initially compared to a password entered by the user, and transmitted by said reader means. Such a comparison may readily be performed by a simple modification to the said adder means, as hereinafter described.
The foregoing description has assumed binary (radix-2) arithmetic. However the invention may be implemented in any radix desired, provided the difference representation of the stored value is faithfully maintained. That is, if said storage means be adapted to hold N digits, each taking values between 0 and M-l (i.e. a radix-M system), the value represented in said storage means is understood as MN - X - 1, where X is the 'apparent' value in said storage means. The terms overflow and carry-out have their conventional, mathematical meanings in such a case.
In practical systems, it may be convenient to implement said adder means as a bit (or digit) serial circuit, comprising a single-digit adder, and an auxiliary storage means capable of holding a single binary bit. Successive digits of the incoming numbers are shifted through such an adder, and said auxiliary storage means holds the carry (if any) from each digit position to the next. In this case, when the addition is complete, said auxiliary storage means itself serves the function of said overflow detector means, holding the overflow bit when the addition operation is concluded.
If said storage, buffer, and addition means, together with suitable control means, be integrated together on a single VLSI "chip", fraudulent increase of the stored value will be almost impossible, as it would require access to the internal circuitry of the chip. BRIEF DESCRIPTION OF THE DRAWINGS
A preferred embodiment will be described, with reference to the accompanying Figures, wherein :
Fig. 1 shows the general arrangement of the system.
Fig. 2 shows a detailed internal arrangement of the token of the present invention.
Fig. 3 shows the general arrangement of a prior art option pad. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
The preferred embodiment includes the password protection feature described above (this may of course, be omitted if not required). Error-checking is provided on transmitted messages, using the well-known CRC-16 code. Further details of this technique are described by International Business Machines (IBM) in their publication "Synchronous Data Link Control", order no. GA27-3093-2.
For simplicity, it will be assumed that communication between the reader and token is by direct electrical contact. Any other known system (e.g. those referred to above) may be used instead.
In this embodiment, both the monetary credit and the password, are represented as 16-bit binary numbers.
Operation commences when the token is presented to (brought into electrical contact with) the reader. Some external means (e.g. a keypad) informs the reader of the amount of monetary value (credit) to be withdrawn from the token, and also provides the password. The reader then prepares and transmits a message, in the format shown below, to the token.
Message Format from Reader
1. Charge Amount 16 bits
2. Password 16 bits
3. CRC-16 Check sum 16 bits. The initial application of electrical power to the token, causes its internal circuits to be placed in a reset
(initialised) condition. This causes the storage means (SM) to read its contents (32 bits) into the buffer means (BM), and also resets the bit counter (BC), the carry bit (CY) and the CRC Register (CR) .
The receiver presents the received data, together with a clock signal synchronised to that data, at one input of the adder means, serial adder (SA). In its simplest embodiment, the receiver merely accepts data and clock I directly from electrical contacts driven by the reader.
The bit counter is required to divide the incoming message into 3, 16-bit fields (charge amount, password, and CRC), for a total of 48 bits. A 6-bit binary counter is used, wherein the lower 4 bits count bits within a field, 0 and the high 2 bits designate the current field. These fields are as follows :
1. First, the required credit amount is processed. The amount to be charged is shifted in from the receiver, and simultaneously the existing stored 5 amount is shifted from the buffer means. The serial adder here functions as a simple adder, and the 16-bit binary sum is shifted back into the left end of the buffer means. When this field is complete, the carry bit will be clear if sufficient 0 credit exists to cover the new charge, and set if not. Simultaneously with the above operations, the CRC Register commences to compute the CRC result.
2. The receiver now supplies the 16 password bits. In this field, the serial adder operates differently, 5 now comparing the bits from the buffer means and the receiver. In this mode, the serial adder copies the bits from the receiver to its output, from where they are shifted into the buffer means. If the bits differ, the carry becomes set, 0 otherwise it retains its previous value. As before, the CRC Register continues operations in parallel with the above. Note that there is no means, in this second field, for the carry bit to be cleared, once set. Hence, should it be set as 5 this field commences (denoting insufficient credit available), it will remain set. It follows that a set carry at the end of this field, indicates that the transaction may not proceed.
3. The receiver finally supplies the remaining 16 CRC check-bits. During this field, the buffer means does not shift, and the serial adder and carry bit are inoperative. The CRC Register continues to evaluate the CRC algorithm. At the end of this field, a correct CRC is indicated by a certain constant result (see the IBM publication referred to above) in the CRC Register.
At the conclusion of Field-3, the combination of a clear carry bit, and a valid CRC, indicate that the transaction is valid. The buffer means contents are re-written to the storage means, and the "A" signal is sent to the reader, to authorise the transaction. Should either of the above tests fail, no write operation occurs, and the "B" signal is sent to the reader, so invalidating the transaction. SERIAL ADDER DESIGN
As has been seen, the serial adder performs two functions in the first two input fields, those of addition and comparison respectively. It is idle in the third field,
Especially in a VLSI "chip" implementation, a PLA (Programmed Logic Array) is a very suitable implementation for this element. Suitable PLA coding is given below : Recvd, Buffer Carry Field : Adder Output Data Means In 1 : Sum Carry
L L L X : L L
L X H H : L H
L L H L : H L
L X L L : H L
L H X H L H
L H H X L H
H H X H H H
H H H L L H
H L L L L H
H L L H : H L
H L H X : H H
PASSWORD CONTROL
In addition to the 32 storage means bits described (16 each credit and password), there is provided a 33rd password-control (PC) bit in the storage means. Like all c other bits, this bit is set to zero as initially manufactured. This bit has the following effects : 1. When zero, it inhibits the password comparison, in effect causing any password entered, to appear valid. 10 2. When one, it inhibits any write operations to the password field of the storage means. It does not affect writes to the credit field.
Whenever a write is made to the password field, the PC bit is also written with a one. This ensures that the ις first write made to the token, will set the initial credit value (by adding to the zero initially stored), and will load the password supplied, whatever it may be. Once this is done, no further alterations to the stored password are possible, neither can the stored credit be increased. 2 Further operations serve only to reduce the stored value. FACTORY INITIALISATION
As has been seen, it is necessary to ensure that tokens are despatched from the factory, with all storage cells reset to zero. Further, it will be necessary to _,. provide for factory testing of tokens, and of semiconductor "chips" used therein. Clearly, it is necessary to prevent unauthorised access to such test circuits, since they could provide an avenue for re-use of a token.
An effective method is to provide a "test mode", in
30 which write operations are performed to the storage means, whether or not the transaction is valid. For testing, the "B" output is still asserted on an invalid transaction, so permitting the validation circuitry to be proved out. This "test mode" permits, at the conclusion of tests, for
35 all-zeros to be written to the storage means. Further in test mode, zero, not one, will normally be written to the password control bit.
Before the token reaches the market, this test mode must be disabled. One known method is to use a microscopic fuse (similar to the data-storage elements used in the prior art cited above); however these are awkward to produce on conventional MOS fabrication lines, and can cause reliability problems.
An alternative irreversible method, also well known, is the so-called "option pad", illustrated in Fig. 3.
The 3 large squares denote 3 contact-pad sites at the edge of a semiconductor "chip". The outer two are normal ground and V+ (supply voltage) pads, while the central pad implements the option. Note the arrangement of interdigitated metallic combs in the centre pad, and also the resistor between that pad and the V+ point.
While the chip is being tested (i.e. test mode is active), contact probes are applied to the two outer pads, to operate the chip. The resistor pulls the central pad towards V+, so asserting the signal test mode, and conditioning the internal logic accordingly.
With testing complete, the chip is placed in a suitable package, and the connecting wires are attached.
This latter process is commonly performed by some form of cold welding. The ground wire is now connected not to the left, but to the centre pad (the left pad being left vacant). The cold weld now spans several of the interdigitated fingers, so shorting the test mode signal to ground, and placing the internal logic in its normal operation mode. It is impractical to reverse this operation, without access to the micro-structure of the chip, to remove the welded connection.
The present invention contemplates many applications.
For example, the present invention can be utilised at a toll collection point, for example the entrance to the
Sydney Harbor Bridge. As is known, the Bridge entrance comprises 8 entrances and each car passing therethrough must
stop, pay a toll, wait for verification of payment, and then proceed. This causes immense delays and traffic congestion on approaches to the Bridge. Similar problems are evident in many other parts of the world.
_ Utilising the present invention, and other inventions herein referred to, each Bridge lane may be fitted with an antenna structure for radiating a magnetic field. Information data can be imposed over the field. A driver having a token in the car can drive into a Bridge
-0 lane, and at a desirable speed. As the token passes through the magnetic field, it can be interrogated, have a value or
Bridge toll deducted from the representative value of the token, and upon verification, the driver can receive a response that the toll has been paid. If the token is not 1 . b_ valuable enough for the toll, various means can be used to inform or prosecute the driver. This type of system can also be used at the entrance to vehicle parking stations and stadiums by incorporating the verification step into a boom gate or turnstile activator. Other examples include _n activation of vending machines, hire of a video or game, payment of rail and bus fares or for any purpose where a fee must be paid for services.
The token of the present invention, and the payment system of the present invention can be modified or adapted _ in many ways, all of which are intended to be incorporated within the scope of this disclosure, as would be known to a skilled addressee.
0
5