JP2008204248A - Settlement system and settlement method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce a risk that authentication information is leaked to ensure high security. <P>SOLUTION: This ia a settlement system which makes settlement in electronic commercial transactions. An authentication device 3 has a generation means 31 which receives a request for generating a one-time card ID from a first terminal 1 and generates a one-time card ID corresponding to terminal identification information included in the generation request concerned; and a transmission means 32 which identifies user identification information corresponding to the one-time card ID from an authentication storage means 34 and transmits the information to a settlement device 5. The settlement device 5 has a request reception means 51 which receives an authority request from a second terminal 2; an acquisition means 52 which acquires user identification information corresponding to a one-time card ID from an authentication server 3; and a conversion means 53 which converts the acquired user identification information to a credit card number by using a settlement storage means 55. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a payment technique in electronic commerce, and more particularly to a payment technique using a credit card.

In recent years, there has been a problem of identity theft such as user IDs and passwords on the Internet, represented by phishing scams. For this reason, there is a need for a technique that ensures higher security and authenticates the legitimacy of the user. For example, Patent Document 1 describes a password authentication system that performs user authentication using a one-time password.
JP 2004-240637 A

  In the password authentication system described in Patent Document 1, the mobile phone performs user authentication using a one-time password acquired from an authentication server. However, in Patent Document 1, the mobile phone specifies a user ID and requests a one-time password from the authentication server. Then, the authentication server transmits a one-time password for the user ID to the requesting mobile phone. That is, when the user ID is leaked, it is synonymous with the leak of the one-time password at the same time.

  Therefore, a malicious third party can acquire a one-time password by sending the user ID to the authentication server as long as the user ID can be acquired. Accordingly, there is a possibility that a malicious third party logs in, for example, an online account and performs an unauthorized operation using the user ID and the one-time password that are illegally acquired.

  In electronic commerce where contracts and payments are made using a network, payment by credit card is widespread, but there is a risk of leakage of a credit card number on the network.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a payment technique that reduces the risk of leakage of authentication information such as a credit card number and ensures higher security.

  In order to solve the above-described problems, the present invention is a settlement system that performs settlement of electronic commerce including a settlement device and an authentication device. The authentication apparatus includes authentication storage means for storing the terminal identification information of the first terminal, the one-time card ID, and the user specifying information for specifying the user in association with each other, and the one-time card ID from the first terminal. Is generated, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal and stored in the authentication storage means. A generation unit and a transmission that receives an acquisition request for user identification information from the settlement apparatus, identifies user identification information corresponding to a one-time card ID included in the acquisition request from the authentication storage unit, and transmits the identification information to the settlement apparatus. Means. A settlement apparatus includes a settlement storage unit that stores a credit card number and user identification information in association with each other, a request reception unit that receives an authorization request including a one-time card ID input in a second terminal, and the request reception unit Acquisition means for acquiring user identification information corresponding to the one-time card ID received from the authentication server, and conversion means for converting the user identification information acquired by the acquisition means into a credit card number using the payment storage means And authorization means for determining whether settlement is possible based on the converted credit card number.

  The present invention also relates to a payment system for payment of electronic commerce, an authentication device for authenticating a user, a payment device for payment of a credit card, and payment support for supporting card payment of a plurality of credit card member stores. And a device. The authentication apparatus includes authentication storage means for storing the terminal identification information of the first terminal, the one-time card ID, the credit card number, and the card name information of the credit card in association with each other. A time card ID generation request is received, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, the generated one-time card ID is transmitted to the first terminal, and the authentication storage means Receiving the credit card number acquisition request from the payment support device, and specifying the credit card number and the card name information corresponding to the one-time card ID included in the acquisition request from the authentication storage unit. And transmitting means for transmitting to the settlement support apparatus. The settlement support apparatus receives a request accepting unit that receives an authorization request including the one-time card ID input in the second terminal, and a credit card number and card name information corresponding to the one-time card ID accepted by the request accepting unit. Obtaining means for obtaining from the authentication server and transmitting to the settlement server. The settlement apparatus includes an authorization unit that determines whether settlement is possible based on the credit card number and card name information transmitted by the settlement support apparatus.

  The present invention is also a payment method for electronic commerce performed by a payment system having a payment device and an authentication device. The authentication device includes an authentication storage unit that stores terminal identification information of a first terminal, a one-time card ID, and user specifying information that specifies a user in association with each other, and the one-time from the first terminal Upon receipt of a card ID generation request, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal and stored in the authentication storage unit. A generating step for storing, receiving an acquisition request for user specifying information from the payment device, specifying user specifying information corresponding to a one-time card ID included in the acquisition request from the authentication storage unit, and transmitting the user specifying information to the payment device; And a transmission step. The payment apparatus includes a payment storage unit that stores a credit card number and user identification information in association with each other, and a request reception step of receiving an authorization request including a one-time card ID input in a second terminal; An acquisition step of acquiring user identification information corresponding to the one-time card ID received in the reception step from the authentication server, and converting the user identification information acquired in the acquisition step into a credit card number using the payment storage unit. A conversion step and an authorization processing step for determining whether settlement is possible based on the converted credit card number are performed.

  Further, the present invention provides an electronic commerce transaction performed by a payment system including an authentication device for authenticating a user, a payment device for payment of a credit card, and a payment support device for supporting card payment of a plurality of credit card member stores. It is a payment method. The authentication device includes an authentication storage unit that stores terminal identification information of a first terminal, a one-time card ID, a credit card number, and card name information of a credit card in association with each other, and the first terminal The one-time card ID generation request is received from the terminal, the one-time card ID corresponding to the terminal identification information included in the generation request is generated, the generated one-time card ID is transmitted to the first terminal, and the authentication is performed. A generation step of storing in the storage unit, and receiving a request for acquiring a credit card number from the payment support apparatus, and a credit card number and card name information corresponding to the one-time card ID included in the acquisition request from the authentication storage unit Specifying and transmitting to the settlement support apparatus. The settlement support apparatus receives a request request step for receiving an authorization request including the one-time card ID input in the second terminal, and a credit card number and card name information corresponding to the one-time card ID received in the request reception step. Obtaining from the authentication server and transmitting to the settlement server. The settlement apparatus performs an authorization processing step for determining whether settlement is possible based on the credit card number and the card name information transmitted by the settlement support apparatus.

  In the present invention, the risk of leakage of authentication information such as a credit card number can be reduced, and higher security can be ensured.

  Embodiments of the present invention will be described below.

<First Embodiment>
FIG. 1 is an overall configuration diagram of a payment system to which a first embodiment of the present invention is applied. The illustrated payment system includes a mobile phone (first terminal) 1 carried by a user, a terminal (second terminal) 2 such as a PC (Personal Computer), an authentication server 3, and at least one business server 4. And at least one settlement server 5 and a settlement support server 6. It is assumed that the mobile phone 1 is connected to the authentication server 3 via the mobile phone network 7 and the terminal 2 is connected to the business server 4 via the network 8 such as the Internet.

  The authentication server 3 of this embodiment shall provide a user authentication function in response to requests from a plurality of settlement servers 5 and a plurality of business servers 4. Note that the authentication server 3 may be configured by a plurality of servers.

  It is assumed that the user of this payment system uses the terminal 2 to access a website provided by a predetermined business server 4 to perform electronic commerce and make a payment with a credit card. In addition, the user acquires a disposable credit card number (hereinafter, “one-time card ID”) from the authentication server 3 using the mobile phone 1, and instead of inputting the credit card number, the acquired one-time card ID To the terminal 2 for settlement.

  The illustrated mobile phone 1 includes an instruction receiving unit 11 that receives a user instruction and a display unit 12 that displays various information / screens. It is assumed that the mobile phone 1 stores in advance a mobile phone ID (terminal identification information) such as a machine identification number in a storage device such as a memory (not shown). The memory or the like in which the mobile phone ID is stored may be an IC card that can be detached from the mobile phone 1.

  The illustrated terminal 2 includes an instruction receiving unit 21 that receives various instructions from the user, and a display unit 22 that displays various information / screens on the output device. In addition, the instruction | indication reception part 21 and the display part 22 shall have a function similar to a web browser.

  The business server 4 is a system owned by a company or an individual who sells products and services (hereinafter “products”) on the network, and provides a web site for electronic commerce such as online shopping. The user views a web page introducing products and the like, selects a product to purchase, designates a payment method, transmits personal information such as an address and a credit card number, and applies for purchase. The business server 4 shown in the figure includes a business processing unit 41 that performs various business processes such as providing a web page that introduces products and the like and a web page that specifies a settlement method to the terminal 2.

  The payment support server 6 is a system owned by a general member store that is a card payment service provider, and is connected to a plurality of credit card companies to support the credit card payment of the business server 4. Comprehensive merchants contract with credit card companies in a comprehensive manner, and provide credit card company settlement services to companies that meet certain conditions. The business server 4 of this embodiment is connected to the payment server 5 via the payment support server 6, but the business server 4 may be directly connected to the payment server 5 without going through the payment support server 6. Good.

  The settlement server 5 is a system owned by a credit card company and performs settlement of credit cards. The illustrated settlement server 5 includes a request receiving unit 51 that receives an authorization request transmitted from the business server 4, an acquisition unit 52 that acquires user identification information from the authentication server 3, and a conversion unit that converts user identification information into a credit card number. 53, an authorization processing unit 54 for confirming whether payment can be made with a designated credit card, and a payment table 55 described later.

  The authentication server 3 generates a one-time card ID and transmits it to the mobile phone 1, and transmits user identification information corresponding to the one-time card ID input from the terminal 2 to the settlement server 5. The authentication server 3 shown in the figure includes a generation unit 31 that receives a request from the mobile phone 1 and generates a one-time card ID, and a user identification corresponding to the one-time card ID that is received from the terminal 2 by receiving a request from the payment server 5. It has the transmission part 32 which transmits information to the payment server 5, the registration part 33 which performs user registration, and the authentication table 34 mentioned later.

  Next, the settlement table 55 of the settlement server 5 and the authentication table 34 of the authentication server 3 will be described.

  FIG. 2 is a diagram illustrating an example of the settlement table 55. The settlement table 55 shown in the figure includes a credit card number 551, credit card name information 552, credit card expiration date 553, user identification information 554, and various information necessary for card settlement (such as credit limit frame). Is set). The user specifying information 554 is information (code or the like) for associating the record of the authentication table 34 of the authentication server 3 with the record of the settlement table 55.

  FIG. 3 is a diagram illustrating an example of the authentication table 34. The illustrated authentication table 34 includes a user ID 341, a PIN (Personal Identification Number) 342, a mobile phone ID 343, a card brand code 344, user identification information 345, and a one-time card ID 346.

  The user ID 341 is identification information for identifying each user in the authentication server 3. The PIN 342 is a personal identification number arbitrarily set by the user. As the mobile phone ID 343, for example, it is conceivable to use the machine identification number of the mobile phone 1, the phone number of the mobile phone, user information stored in the IC memory of the mobile phone, and the like.

  The card brand code 344 is a code (identification code) for identifying a credit card company, and the first six digits of the credit card number correspond to the card brand code. As described above, the user specifying information 345 is information for associating with the record of the settlement table 55, and the same contents as the settlement table 55 are set for the same user. In the one-time card ID 346, the one-time card ID generated by the generation unit 31 is set.

  Note that after the user specifying information 554 is set on the payment server 5 side, the set information and the card brand code of the payment server 5 are notified to the authentication server 3. The registration unit 33 of the authentication server 3 generates a record in which the notified user identification information and card brand code are set, and adds the record to the authentication table 34. A method for setting other data items will be described later.

  The mobile phone 1, the terminal 2, the authentication server 3, the business server 4, the settlement server 5, and the settlement support server 6 described above all include a CPU 901, a memory 902, an external device such as an HDD as shown in FIG. A general-purpose computer system including a storage device 903, an input device 904 such as a keyboard and a mouse, an output device 905 such as a display and a printer, and a communication control device 906 for connecting to a network can be used. . In this computer system, the CPU 901 executes a predetermined program loaded on the memory 902, thereby realizing each function of each device.

  For example, the functions of the authentication server 3, the business server 4, the settlement server 5, and the settlement support server 6 are as follows. The CPU 901 of the authentication server 3 is a program for the authentication server 3, and the business server is a program for the business server 4. When the CPU 901 of 4 is a program for the settlement server 5, the CPU 901 of the settlement server 5 executes, and when the program is for the settlement support server 6, the CPU 901 of the settlement support server 6 executes the program.

It is assumed that the authentication table 34 of the authentication server 3 uses the memory 902 or the external storage device 903 of the authentication server 3. In addition, the payment table 55 of the payment server 5 uses the memory 902 or the external storage device 903 of the payment server 5. In addition, regarding the input device 904 and the output device 905, each device is provided as necessary.

  Next, the settlement process of this embodiment will be described with reference to FIGS. In this embodiment, in order to avoid the risk of leakage of credit card numbers on the network, the one-time card ID acquired using the mobile phone 1 is input from the terminal 2 instead of the credit card number.

  FIG. 5 is a sequence diagram of the settlement process. FIG. 6 shows an example of a card payment screen displayed on the output device of the terminal 2. FIG. 7 shows an example of various screens (screen transitions) displayed on the output device of the mobile phone 1.

  First, the instruction receiving unit 21 of the terminal 2 receives a user instruction, specifies a predetermined URL (Uniform Resource Locator), accesses the Web site of a desired business server 4, and purchases a desired product or service. Is transmitted (S11). For example, the user designates a product to be purchased by putting a desired product or the like into a shopping basket.

  Then, the business processing unit 41 of the business server 4 requests the terminal 2 to input settlement information (S12). Specifically, the business processing unit 41 transmits a payment screen for inputting payment information to the terminal 2. Note that the settlement method of the present embodiment is a settlement using a credit card. And the display apparatus of the terminal 2 displays the card payment screen shown, for example in FIG.

  The card payment screen of FIG. 6 includes a credit card number input field 601, a card name information input field 602, a card expiration date input field 603, and a send button 604.

  Here, the user acquires the one-time card ID to be entered in the credit card number input field 601 from the authentication server 3 using the mobile phone 1. That is, the instruction receiving unit 11 of the mobile phone 1 receives a user instruction, specifies a predetermined URL, accesses the authentication server 3, and transmits a request for issuing a one-time card ID (S13).

  It is assumed that the one-time card ID issuance request includes the PIN, the card brand code, and the mobile phone ID stored in the memory of the mobile phone 1 or the like. For example, the generation unit 31 of the authentication server 3 sequentially transmits a menu screen 701, a PIN input screen 702, and a card brand input screen 703 as shown in FIG. The mobile phone 1 displays each screen, receives a user instruction, selects a one-time card ID (screen 701), inputs a PIN (screen 702), and selects a card brand (screen 703). The instruction receiving unit 11 also transmits the mobile phone ID stored in the memory or the like of the mobile phone 1 when transmitting each piece of information to the authentication server 3.

  The generation unit 31 of the authentication server 3 refers to the authentication table 34, extracts all card brand codes corresponding to the mobile phone IDs transmitted from the mobile phone 1, and uses the names of the extracted card brand codes as card brands. Assume that the input screen 703 is set.

  The generation unit 31 of the authentication server 3 receives the one-time card ID issuance request from the mobile phone 1, and a record having the PIN, card brand code, and mobile phone ID specified in the issuance request exists in the authentication table 34 It is determined whether or not to do so. If it exists in the authentication table 34, the generation unit 31 generates a one-time card ID by a predetermined algorithm, and stores the generated one-time card ID in a corresponding record in the authentication table 34 (S14). When the target record does not exist in the authentication table 34, the generation unit 31 transmits an error message to the mobile phone 1.

  FIG. 8 shows an example of the number system of the one-time card ID generated by the generation unit 31. The generation unit 31 generates a one-time card ID that passes a predetermined check of a credit card number performed on the business server 4 side. As the credit card number check performed on the business server 4 side, a digit number check, a card brand code check, a check digit, and the like can be considered. For this reason, the generation unit 31 of the present embodiment generates a one-time card ID having the same number of digits (16 digits) as the credit card number, and the mobile phone in S13 is the same as the credit card number in the first six digits of the 16 digits. Set the card brand code sent from 1. The generation unit 31 uses the last 16 digits of the 16 digits for the check digit. Therefore, the generation unit 31 generates the remaining 9 digits out of 16 digits using a predetermined algorithm so as to be a unique number that does not overlap with other numbers.

  As the check digit check performed on the business server 4 side, for example, the odd-numbered digit (or even-numbered digit) of the credit card number is doubled and 9 is subtracted when the value becomes 10 or more. Then, the sum of the numbers in each digit is calculated, and if the result is a multiple of 10, it may be determined that the number is a correct number, and if it is not a multiple of 10, it is determined to be an invalid number. In such a check, the generation unit 31 performs the above weighting on the 6-digit card brand code and the generated 9-digit 15-digit number so that the sum of the numbers becomes a multiple of 10. Calculate the check digit and add it to the last digit.

  Then, the generation unit 31 transmits a screen including the generated one-time card ID to the mobile phone 1 (S15). The display unit 12 of the mobile phone 1 displays, for example, a one-time card ID display screen 704 shown in FIG. 7 on the output device.

  The user inputs the one-time card ID displayed on the mobile phone 1 in the credit card number input field 601 of the card settlement screen (see FIG. 6) displayed on the terminal 2 in S12. Also, the user inputs a predetermined code for identifying that the number input in the credit card number input field 601 is a one-time card ID into a part of the card name information input field 602. In the present embodiment, it is assumed that a predetermined code is input in the name portion, and an actual surname embossed on the credit card is input in the last name portion. In addition, the user inputs an actual expiration date embossed on the credit card in the expiration date input field 603. After completing the input, the user clicks the send button 604. Thereby, the instruction receiving unit 11 of the mobile phone 1 transmits the payment information input by the user on the card payment screen to the business server 4 (S16).

  The business server 4 transmits an authorization request including the accepted payment information to the predetermined payment server 5 via the payment support server 6 of the general member store (S17). The payment support server 6 refers to the upper six digits of the card brand code included in the payment information, and distributes the authorization request of the business server 4 to the payment server 5 of the corresponding credit card company.

  Upon receiving the authorization request, the request receiving unit 51 of the settlement server 5 determines whether or not a predetermined code is included in the card name information. And when the predetermined | prescribed code is contained, the request | requirement reception part 51 considers the number input as a credit card number to be a one-time card ID. In this case, the acquisition unit 52 transmits the one-time card ID to the authentication server 3 and requests user specifying information corresponding to the one-time card ID (S18).

  The transmitting unit 32 of the authentication server 3 refers to the authentication table 34, extracts user specifying information corresponding to the accepted one-time card ID, and transmits it to the settlement server 5 (S19). After transmitting the one-time card ID, the transmission unit 32 deletes the one-time card ID from the authentication table 34 or adds a used flag to the one-time card ID. Make it unusable. Thereby, even if the one-time card ID is leaked, unauthorized use can be prevented.

  The conversion unit 53 of the payment server 5 specifies a credit card number corresponding to the user specifying information transmitted by the authentication server 3 from the payment table 55, and converts the user specifying information into a credit card number (S20). Then, the authorization processing unit 54 performs an authorization process for confirming whether payment is possible with the converted credit card number (S21). That is, the authorization processing unit 54 determines that the credit card number is a valid credit card if the converted credit card number, the card name information of the payment information transmitted from the business server 4, and the expiration date exist in the payment table 55. To do. The authorization processing unit 54 checks whether the card name information matches the card name information in the settlement table 55 for a portion other than the predetermined code.

  Further, the authorization processing unit 54 checks whether or not there is a vacancy for the purchase amount from the credit limit frame (not shown) of the credit card number in the settlement table 55. Note that the purchase price is included in the authorization request in S17 together with the settlement information.

  The authorization processing unit 54 transmits the result of the authorization process (settlement OK, settlement NG) to the business server 4 via the settlement support server 6 (S22). The business processing unit 41 of the business server 4 transmits a payment acceptance completion screen corresponding to the result of the authorization process to the terminal 2.

  Note that if the card name information of the authorization request received by the payment server 5 in S17 does not include a predetermined code, the credit card number included in the authorization request is an actual credit card number, so that the authorization processing unit 54 Advances to the authorization processing of S21 without performing the processing of S18 to S20.

  Next, user registration processing to the authentication server 3 will be described.

  Assume that the user performs user registration in the authentication server 3 in advance.

  FIG. 9 is a sequence diagram of user registration processing with the authentication server 3. FIG. 10 shows an example of various screens (screen transitions) displayed on the output device of the mobile phone 1.

  The instruction receiving unit 11 of the mobile phone 1 receives a user instruction, specifies a predetermined URL, accesses the authentication server 3, and displays, for example, a registration initial screen 51 shown in FIG. 10 on the output device (S41). Then, the instruction receiving unit 11 of the mobile phone 1 receives a user instruction and transmits an initial menu selection instruction to the authentication server 3. The registration unit 33 of the authentication server 3 receives an initial menu selection instruction and transmits an initial menu screen to the mobile phone 1 (S42).

  And the display part 12 of the mobile telephone 1 displays the initial menu screen 52 shown, for example in FIG. 10 on an output device (S43). The user selects “new user registration” using the input device and clicks the send button.

The instruction receiving unit 11 of the mobile phone 1 receives a user instruction and transmits a new user registration request to the authentication server 3. And the registration part 33 of the authentication server 3 transmits a user specific information input screen to the mobile telephone 1 (S44).
And the display part 12 of the mobile telephone 1 displays the user specific information input screen 53 shown, for example in FIG. 10 on an output device (S45). The user inputs user identification information notified in advance from the settlement server 5 and clicks a transmission button. The instruction receiving unit 11 of the mobile phone 1 transmits the input user identification information to the authentication server 3. Then, the registration unit 33 of the authentication server 3 transmits a PIN input screen to the mobile phone 1 (S46).
And the display part 12 of the mobile telephone 1 displays the PIN input screen 54 shown, for example in FIG. 10 on an output device (S47). The user inputs an arbitrary PIN (password) and clicks the send button. The instruction receiving unit 11 of the mobile phone 1 transmits the input PIN to the authentication server 3 (S48).

  Note that the instruction receiving unit 11 of the mobile phone 1 transmits the various information to the authentication server 3 (S42, S44, S46, S48) or transmits the PIN (S48). It is assumed that the mobile phone ID stored in the above is transmitted together.

  The registration unit 33 of the authentication server 3 specifies the record of the user specifying information received from the mobile phone 1 in S46 from the authentication table 34, and sets the PIN and mobile phone ID received from the mobile phone 1 in the specified record (S49). ). Then, the registration unit 33 transmits a registration completion screen to the mobile phone 1 (S50). And the display part 12 of the mobile telephone 1 displays the registration completion screen 55 shown, for example in FIG. 10 on an output device (S51).

  As described above, in this embodiment, it is possible to reduce the risk of credit card leakage and provide a credit card settlement with higher security. That is, in this embodiment, it is possible to make a credit card payment without inputting an actual credit card number into the terminal 2. As a result, even if the communication content is wiretapped between the terminal 2 and the network 8 of the business server 4 and the credit card information is leaked, it is a one-time card ID that cannot be used once it is used. Unauthorized use of the card can be prevented.

  Further, in this embodiment, the authentication server 3 does not issue a one-time card ID unless the user inputs a PIN (password) set in advance with his / her mobile phone. That is, by performing two-factor authentication based on property authentication and knowledge authentication, more advanced user authentication can be realized. Furthermore, even if the loss of the mobile phone 1 and the leakage of the PIN overlap, by issuing a one-time card ID issuance stop notification to the authentication server 3 to issue the one-time card ID Therefore, the risk of issuing spoofing by a third party can be eliminated as much as possible.

  Further, in the present embodiment, the business server 4 that provides the electronic commerce web site does not change the existing process even if the credit card number of the settlement information transmitted by the terminal 2 is a one-time card ID. The authorization request is transmitted to the settlement server 5 in the same manner as when the credit card number is transmitted. That is, since there is no system change cost on the business server 4 side, the system introduction load and cost can be reduced.

<Second Embodiment>
FIG. 11 is an overall configuration diagram of a payment system to which the second embodiment of the present invention is applied. In the payment system of this embodiment, the payment support server 6A acquires the credit card number and the card name information corresponding to the one-time card ID from the authentication server 3 and transmits them to the payment server 5.

  The settlement system shown in the figure includes a settlement support server 6A having a request reception unit 65 that receives an authorization request transmitted by the business server 4, and an acquisition unit 66 that acquires a credit card number and card name information from the authentication server 3. The settlement server 5A is different from the settlement system of the first embodiment shown in FIG. 1 in that it has an authorization processing unit 54 and a settlement table 55A.

  12 and 13 show an example of the settlement table 55A and the authentication table 34A of the present embodiment. The settlement table 55A shown in FIG. 12 is different from the settlement table 55 shown in FIG. 2 in that it does not have user specifying information. The authentication table 34A shown in FIG. 13 differs from the authentication table 34 shown in FIG. 3 in that it has card name information 347 and a credit card number 348 instead of the user specifying information.

  After the credit card information (record) is registered in the settlement table 55A on the settlement server 5 side, the registered credit card number 551, the card name information 552, and the card brand code of the settlement server 5 are The authentication server 3 is notified. The registration unit 33 of the authentication server 3 generates a record in which each notified information is set, and adds the record to the authentication table 34A.

  Other than the above, the second embodiment is the same as the first embodiment, and a description thereof will be omitted here.

  Next, the settlement process of this embodiment will be described with reference to the sequence diagram of FIG.

  The processing from S61 to S66 shown in the drawing is the same as the processing from S11 to S16 in the first embodiment shown in FIG. In S67, the business server 4 transmits an authorization request including the accepted payment information to the payment support server 6 of the general member store.

  The request receiving unit 65 of the payment support server 6 that has received the authorization request determines whether or not a predetermined code is included in the card name information of the payment information, and if the predetermined code is included, The number entered as the card number is regarded as a one-time card ID. In this case, the acquisition unit 66 of the settlement support server 6 transmits the card name information including the one-time card ID and a predetermined code to the authentication server 3, and the credit card number and the card name corresponding to the one-time card ID. Information is requested (S68).

  The transmission unit 32 of the authentication server 3 specifies the card name information 347 corresponding to the received one-time card ID from the authentication table 34A. And the transmission part 32 discriminate | determines whether the specified card name information and parts other than the predetermined | prescribed code of the received card name information correspond. If the portions other than the predetermined code match, the transmitting unit 32 determines that the user is a valid user, and extracts the credit card number 348 and the card name information 347 corresponding to the accepted one-time card ID from the authentication table 34A. And transmitted to the settlement support server 6 (S69).

  After transmitting the one-time card ID, the transmission unit 32 deletes the one-time card ID from the authentication table 34 or adds a used flag to the one-time card ID. Make it unusable. If the portion other than the predetermined code does not match, the transmitting unit 32 determines that the user is an unauthorized user and transmits an error message to the settlement support server 6.

  The acquisition unit 66 of the payment support server transmits an authorization request including the actual credit card number 348 and card name information 347 acquired from the authentication server 3 and the expiration date transmitted by the business server 4 to the payment server 5 (S70). ). Note that the acquisition unit 66 refers to the first six digits of the card brand code of the acquired credit card number and transmits an authorization request to the payment server 5 of the corresponding credit card company.

  The authorization processing unit 54 of the payment server 5 confirms whether or not payment is possible with the credit card number, the card name information, and the expiration date credit card included in the authorization request transmitted by the payment support server 6. (S71). That is, the authorization processing unit 54 determines that the credit card is valid when each piece of information included in the authorization request exists in the settlement table 55. Further, the authorization processing unit 54 checks whether or not there is a vacancy for the purchase amount from the credit limit frame (not shown) of the credit card number in the settlement table 55. The purchase amount is included in the authorization request in S67 and S70 together with the settlement information.

  The authorization processing unit 54 transmits the result of the authorization process (settlement OK, settlement NG) to the settlement support server 6 (S72). The settlement support server 6 delivers the result of the authorization process to the business server 4 (S73). The business processing unit 41 of the business server 4 transmits a payment acceptance completion screen corresponding to the result of the authorization process to the terminal 2 (S74).

  If the card name information of the authorization request received by the settlement support server 6 in S67 does not include a predetermined code, the credit card number included in the authorization request is an actual credit card number. 65 transmits the authorization process to the settlement server 5 without performing the processes of S68 and S69 (S70).

  In the second embodiment described above, the settlement support server 6 accesses the authentication server 3 and converts the card name information including the one-time card ID and a predetermined code into the original credit card number and card name information. To the settlement server 5. Thereby, even if the credit card number of the payment information transmitted from the terminal 2 is the one-time card ID, the payment server 5 makes the same authorization request as before without changing the existing processing. That is, since there is no system change cost on the settlement server 5 side, the system introduction load and cost can be reduced.

  Further, in the second embodiment, similarly to the first embodiment, it is possible to reduce the risk of credit card leakage and provide a credit card settlement with higher security. Further, in the second embodiment, as in the first embodiment, if the user does not input a PIN (personal identification number) set in advance with his / her mobile phone, the authentication server 3 will have a one-time card ID. Therefore, more advanced user authentication can be realized. Further, in the second embodiment, similarly to the first embodiment, since there is no system change cost on the business server 4 side, the system introduction load and cost can be reduced.

  In addition, this invention is not limited to said embodiment, Many deformation | transformation are possible within the range of the summary. For example, in the first and second embodiments, the one-time card ID numbering system includes a six-digit card blank and code, a nine-digit unique number, and a one-digit check digit as shown in FIG. It was. However, the present invention is not limited to this. For example, the first 8 digits of the one-time card ID are the same as the first 8 digits of the credit card number, the remaining 7 digits are generated as unique numbers, and the last 1 digit is a check digit. It may be used as

  Moreover, it is good also as providing card name information in the authentication table 34 of the said 1st Embodiment. Thereby, the acquisition part 52 of the payment server 5 can transmit one-time card ID to the authentication server 3, and can acquire card name information with user specific information. In this case, the settlement server 5 sets the user identification information in the settlement table 55 and then notifies the authentication server 3 of the card name information together with the user identification information.

1 is a diagram illustrating an overall configuration of a payment system to which a first embodiment of the present invention is applied. It is a figure which shows an example of a payment table. It is a figure which shows an example of an authentication table. It is a figure which shows the hardware structural example of each apparatus. It is a sequence diagram of a payment process. It is an example of the card payment screen of the terminal in the payment process. It is an example of the screen transition of the mobile telephone in a payment process. It is an example of the number system of a one-time card ID. It is a sequence diagram of a user registration process to the authentication system. It is an example of the screen transition of the mobile telephone in a user authentication process. It is a figure which shows the whole structure of the payment system to which the 2nd Embodiment of this invention was applied. It is a figure which shows an example of a payment table. It is a figure which shows an example of an authentication table. It is a sequence diagram of a payment process.

Explanation of symbols

  1: mobile phone, 11: instruction receiving unit, 12: display unit, 2: terminal, 21: instruction receiving unit, 22: display unit, 3: authentication server, 31: generating unit, 32: transmitting unit, 33: registering unit 34: Authentication table, 4: Business server, 41: Business processing unit, 5: Payment server, 51: Request receiving unit, 52: Acquisition unit, 53: Conversion unit, 54: Authorization processing unit, 55: Payment table, 6 : Payment support server, 65: request reception unit, 66: acquisition unit

Claims (9)

A payment system for payment of electronic commerce having a payment device and an authentication device,
The authentication device
Authentication storage means for storing the terminal identification information of the first terminal, the one-time card ID, and the user specifying information for specifying the user in association with each other;
A one-time card ID generation request is received from the first terminal, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal. Generating means for transmitting and storing in the authentication storage means;
A transmission unit that receives an acquisition request for user identification information from the payment apparatus, identifies user identification information corresponding to a one-time card ID included in the acquisition request from the authentication storage unit, and transmits to the payment apparatus; Have
The settlement device
Payment storage means for storing the credit card number and the user identification information in association with each other;
Request accepting means for accepting an authorization request including the one-time card ID input in the second terminal;
Obtaining means for obtaining user identification information corresponding to the one-time card ID accepted by the request accepting means from the authentication server;
Conversion means for converting the user identification information acquired by the acquisition means into a credit card number using the payment storage means;
And an authorization means for determining whether or not settlement is possible based on the converted credit card number. The payment system according to claim 1,
The request accepting means of the settlement apparatus accepts the one-time card ID or credit card number input at the second terminal and accepts the card name information input at the second terminal, and a part of the card name information When a predetermined code exists in the terminal, it is determined that a one-time card ID is input at the second terminal. The payment system according to claim 2,
The authorization unit of the payment apparatus determines whether or not payment is possible based on the converted credit card number and a part other than the predetermined code in the card name information received by the request reception unit. A featured payment system. The payment system according to claim 2,
The authentication storage means of the authentication device further has card name information,
The transmission means specifies user identification information and card name information corresponding to the one-time card ID included in the acquisition request from the authentication storage means, and transmits the identification information to the settlement apparatus.
The acquisition unit of the payment apparatus acquires card name information from the authentication server together with user identification information,
The authorization system determines whether or not settlement is possible based on the converted credit card number and the acquired card name information. A settlement system for settlement of electronic commerce,
An authentication device for authenticating a user, a payment device for payment of a credit card, and a payment support device for supporting card payment of a plurality of credit card member stores,
The authentication device
Authentication storage means for storing the terminal identification information of the first terminal, the one-time card ID, the credit card number, and the card name information of the credit card in association with each other;
A one-time card ID generation request is received from the first terminal, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal. Generating means for transmitting and storing in the authentication storage means;
A credit card number acquisition request is received from the payment support device, a credit card number and card name information corresponding to the one-time card ID included in the acquisition request is specified from the authentication storage means, and transmitted to the payment support device Transmission means for
The settlement support device
Request accepting means for accepting an authorization request including the one-time card ID input in the second terminal;
Obtaining a credit card number and card name information corresponding to the one-time card ID accepted by the request accepting means from the authentication server, and sending to the settlement server;
The settlement device
A payment system comprising: authorization means for determining whether or not payment is possible based on a credit card number and card name information transmitted by the payment support apparatus. The payment system according to claim 5,
The request accepting means of the settlement support apparatus accepts the one-time card ID or credit card number input at the second terminal and further accepts the card name information input at the second terminal, A payment system, characterized in that, when a predetermined code is present in a part, it is determined that a one-time card ID has been input at a second terminal. The payment system according to claim 1 or 5, wherein
The authentication storage means further includes an identification code of a credit card company,
The payment system according to claim 1, wherein the generation unit of the authentication device acquires a corresponding identification code from the authentication storage unit and generates a one-time card ID with the acquired identification code set as a head portion. An electronic commerce payment method performed by a payment system having a payment device and an authentication device,
The authentication device includes an authentication storage unit that stores terminal identification information of a first terminal, a one-time card ID, and user specifying information that specifies a user in association with each other,
A one-time card ID generation request is received from the first terminal, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal. A generation step of transmitting and storing in the authentication storage unit;
A transmission step of accepting an acquisition request for user identification information from the payment apparatus, identifying user identification information corresponding to a one-time card ID included in the acquisition request from the authentication storage unit, and transmitting the identification information to the payment apparatus; Done
The payment apparatus includes a payment storage unit that stores a credit card number and user identification information in association with each other,
A request accepting step for accepting an authorization request including the one-time card ID input in the second terminal;
An acquisition step of acquiring user identification information corresponding to the one-time card ID received in the request reception step from the authentication server;
A conversion step of converting the user identification information acquired in the acquisition step into a credit card number using the payment storage unit;
An authorization processing step of determining whether settlement is possible based on the converted credit card number. An electronic commerce payment method performed by a payment system having an authentication device for authenticating a user, a payment device for payment of a credit card, and a payment support device for supporting card payment of a plurality of credit card member stores,
The authentication device includes an authentication storage unit that stores terminal identification information of a first terminal, a one-time card ID, a credit card number, and card name information of a credit card in association with each other,
A one-time card ID generation request is received from the first terminal, a one-time card ID corresponding to the terminal identification information included in the generation request is generated, and the generated one-time card ID is transmitted to the first terminal. A generation step of transmitting and storing in the authentication storage unit;
A credit card number acquisition request is received from the payment support apparatus, a credit card number and card name information corresponding to the one-time card ID included in the acquisition request is specified from the authentication storage unit, and transmitted to the payment support apparatus A transmission step, and
The settlement support device
A request accepting step for accepting an authorization request including the one-time card ID input in the second terminal;
Obtaining a credit card number and card name information corresponding to the one-time card ID accepted in the request accepting step from the authentication server, and transmitting to the settlement server;
The settlement device
A payment method comprising: performing an authorization processing step for determining whether or not payment is possible based on the credit card number and card name information transmitted by the payment support apparatus.

Images