US20080195551A1

Movatterモバイル変換

Info

Publication number: US20080195551A1
Application number: US12/104,069
Authority: US
Inventors: Joseph E. McIsaac; Leonid Braginsky; Mark Zand; David W. Jellison
Original assignee: INCOGNO Corp
Current assignee: Advanced Transactions LLC; OL Security LLC
Priority date: 2000-04-03
Filing date: 2008-04-16
Publication date: 2008-08-14
Also published as: US20170161736A1; US20080222046A1; US7376629B1

Abstract

A transaction system for performing secure transactions over a communication network includes (i) a merchant server system including a computer processor and associated memory, the merchant server system offering items for sale; (ii) a buyer system including a computer processor and associated memory, the buyer system being selectively couplable to the merchant server system over the communication network to initiate a transaction, wherein, during the transaction, the buyer system selects one or more of the items for purchase; (iii) a security server system including a computer processor and associated memory and an encryption device, the security server system receiving buyer information from the buyer system, encrypting the buyer information in an encryption key that prevents the merchant server system from decrypting the buyer information, and transferring the encrypted buyer information to the merchant server system; and (iv) a third server system including a computer processor and associated memory, the third server system being selectively couplable to the merchant server system, wherein the merchant server system transmits at least a portion of the encrypted buyer information to the third server system for processing during the transaction.

Description

CROSS-REFERENCED APPLICATIONS

This application claims the benefit from U.S. application Ser. No. 60/194,346, filed Apr. 3, 2000; U. S. application Ser. No. 60/254,056, filed Dec. 7, 2000; U.S. application Ser. No. 60/251,984, filed Dec. 7, 2000; and U.S. application Ser. No. 60/273,595, filed Mar. 5, 2001, the disclosures of which are hereby incorporated by reference into this application.

FIELD OF THE INVENTION

This invention relates generally to a method of and system for effecting anonymous and secure credit card purchases over the internet and more particularly to a method of and system for encrypting and distributing a purchaser's private information such that only parties authorized to receive the information receive it and are able to decrypt it.

BACKGROUND OF THE INVENTION

To make purchases using the Internet, buyers are required to disclose the buyer's name, address, shipping address, and credit card number to the merchant. Many would-be purchasers are uncomfortable with providing such information to the Web merchant, because they are concerned that their credit card numbers could be misused and that their privacy could be compromised As a result, such potential buyers choose not to use the Internet to make purchases or restrict their purchases to particular merchants whom they trust. The growth of e-commerce is restricted by these privacy and security concerns.

Likewise, businesses that make Internet purchases from other businesses using the Internet are required by present Internet order processing systems to reveal identifying and payment information to the selling business that may result in the compromise of information regarding the transaction that the buyer would prefer to remain private.

SUMMARY OF THE INVENTION

The growth of the Internet for consumer and commercial transactions creates a need to control what information is revealed to whom in the course of the transaction. In the case of Internet transactions that involve more than two parties (such as an e-commerce transaction involving a buyer, a seller, a merchant acquirer, and a delivery company), all participants will benefit from a technology solution that provides each party with only that kind and amount of information about the transaction that is required in order for the transaction to be completed.

The preferred solution to the Internet privacy problem will not require the buyer to take extra steps such as downloading software or browsing to a special Internet site in order to obtain alias identity. Most buyers will be unwilling to take such extra effort, and will prefer a solution that will enable them to browse directly to the merchant's Web site and to make private and secure purchases without the need to take any extra steps or precautions, and without noticeable latency

The preferred solution to the need to control the distribution of information among multiple parties to an Internet transaction will manage disclosure to each party such that each party receives only that information it needs to complete the transaction, without any need to establish any party as a trusted repository of the information of others.

The present invention provides a method and system for anonymous and secure Internet commerce under which each party to a transaction receives only the specific information it needs to know in order for the transaction to be completed, and by which the buyer can remain anonymous to the merchant. The invention enables the buyer to browse directly to the merchant's Web site without taking any extra or preliminary steps, and also enables the transaction to be consummated without disclosure of the buyer's name, address or credit card number to the merchant. The invention further enables the merchant to determine what specific information of the buyer will be disclosed to the merchant, and thus to offer the buyer a technological guarantee that it will not see any buyer information that is designated by the merchant as private to the buyer. Where the merchant is offering anonymity to the buyer, the invention provides a method and system by which the buyer's anonymity is protected, not only for purchases, but also for ordinary returns and chargebacks. In addition, the invention enables the buyer and seller to communicate privately by e-mail.

The buyer begins the transaction by browsing to the Web site of the Internet merchant, where the buyer identifies any items it wishes to purchase and places them in a shopping cart. The buyer is not required to browse first to a third-party's Web site, nor is the buyer required to download any software.

After selecting the items it wishes to purchase from the merchant's Web site, the buyer clicks on a checkout button and is redirected to the security server system of the present invention, which resides on a different computer than that of the merchant. The security server system serves up one or more forms that are filled in by the buyer, consisting of one or more checkout forms, a payment instrument form, an email address form, and a delivery information form. Some or all of these data supplied by the buyer are encrypted using the public keys of those entities that need to know those items of information in order for the transaction to be completed and assembled into a protected information package that is then sent from the security server system to the merchant. Preferably, a public key security system such as RSA is used to encrypt the buyer's information.

The merchant receives the information package(s) and stores their data elements in an order management database in their encrypted form. The merchant does not possess the capability of decrypting information in the protected information package that is delivered to the merchant in encrypted form, although it does have the capability of reading any information that is passed to the merchant from the security server system in unencrypted form.

The merchant sends an encrypted payment authorization request to the merchant acquirer or to the issuing bank. The merchant acquirer or issuing bank decrypts the payment authorization request, processes that request, and sends a response to the merchant either authorizing or denying the transaction. The merchant can communicate with the buyer without knowing the real e-mail address of the buyer by using a secure mail feature of the present invention. In that situation, the merchant directs its e-mail to the buyer through the security server system. The security server system assigns alias identities to the merchant and the buyer. Only the merchant can communicate with the buyer using the secure mail feature.

In situations where the buyer is purchasing hard goods for delivery to his address, the merchant sends an encrypted delivery request to the delivery company containing the buyer's name and shipping address and an order number, or other appropriate information. The delivery company decrypts the delivery request and provides the merchant with a numerical identifier that it associates with the goods ordered by the buyer. The merchant, or a party providing fulfillment services on behalf of the merchant, receives the numerical identifier and places it on the package containing the goods ordered by the buyer. The delivery company picks up the package from the merchant or fulfillment party, translates the numerical identifier as necessary, and delivers the package to the buyer.

The invention also accommodates returns and chargebacks without comprising the anonymity of the buyer.

The invention satisfies the following objectives:

1. Buyers can make online purchases without disclosing their names, addresses, or payment instrument information to the seller.
2. Buyers are not required to go to third-party Web sites or to download software in order to make anonymous and secure purchases from the merchant. All the buyer has to do is to browse directly to the merchant's site and make a purchase by filling in a shopping cart and providing the standard items of information by completing standard forms served to the buyer.
3. Internet merchants can offer complete anonymity to privacy-sensitive buyers and eliminate the risk of loss from credit card theft and hacking.
4. Merchants using the invention can continue to offer personalization to their customers.
5. Merchants using the invention select the level of privacy that will be delivered to their customers—full anonymity or credit card privacy. In both cases, the merchant never receives, stores or transmits the customer's credit card information.
6. The invention provides a universal transaction interface through which merchants can deploy a wide range of new payment and security technologies (including smart cards, biometric identity verification, digital signatures, on-line checks, ATM cards, and person-to-person payments) without further changes to the merchant's order processing systems.
7. The invention permits e-mail communications without compromising the anonymity of the buyer.

According to one aspect of the invention, a transaction system for performing secure transactions over a communication network includes (i) a merchant server system including a computer processor and associated memory, the merchant server system offering items for sale; (ii) a buyer system including a computer processor and associated memory, the buyer system being selectively couplable to the merchant server system over the communication network to initiate a transaction, wherein, during the transaction, the buyer system selects one or more of the items for purchase; (iii) a security server system including a computer processor and associated memory and an encryption device, the security server system receiving buyer information from the buyer system, encrypting the buyer information in an encryption key that prevents the merchant server system from decrypting the buyer information, and transferring the encrypted buyer information to the merchant server system; and (iv) a third server system including a computer processor and associated memory, the third server system being selectively couplable to the merchant server system, wherein the merchant server system transmits at least a portion of the encrypted buyer information to the third server system for processing during the transaction.

According to another aspect of the invention, a system for performing secure transactions over a communication network includes (i) a merchant server system including a computer processor and associated memory, the merchant server system offering items for sale; (ii) a buyer system including a computer processor and associated memory, the buyer system being selectively couplable to the merchant server system over the communication network to initiate a transaction, wherein, during the transaction, the buyer system selects one or more of the items for purchase; (iii) a security server system including a computer processor and associated memory, the security server system being selectively couplable to the buyer system to receive buyer information from the buyer system in the course of the transaction, the buyer information including delivery address information and payment information; (iv) a delivery server system including a computer processor and associated memory; and (v) a payment processor server system including a computer processor and associated memory. The security server transmits the delivery address information to the delivery server system and the payment information to the payment processor server system

The security server system may encrypt the delivery address information into a first document and the payment information into a second document. The security server system may transmit the first and second document to the merchant server system, which transmits the first document to the delivery server system and the second document to the payment processor server system. The merchant server system is incapable of decrypting the first and second documents.

According to another aspect of the invention, a transaction system for performing secure transactions over a communication network includes (i) a merchant server system including a computer processor and associated memory, the merchant server system offering items for sale; (ii) a buyer system including a computer processor and associated memory, the buyer system being selectively couplable to the merchant server system over the communication network to initiate a transaction, wherein, during the transaction, the buyer system selects one or more of the items for purchase and transmits information regarding the one or more items to the merchant server system; (iii) a security server system including a computer processor and associated memory and an encryption device, the security server system receiving buyer information from the buyer system, encrypting the buyer information in an encryption key that prevents the merchant server system from decrypting the buyer information, and transferring the encrypted buyer information to the merchant server system; and (iv) a third server system including a computer processor and associated memory, the third server system being selectively couplable to the merchant server system, wherein the merchant server system transmits at least a portion of the encrypted buyer information to the third server system for processing during the transaction.

According to another aspect of the invention, a system for performing secure transactions over a communication network includes (i) a merchant server system including a computer processor and associated memory, the merchant server system offering items for sale; (ii) a buyer system including a computer processor and associated memory, the buyer system being selectively couplable to the merchant server system over the communication network to initiate a transaction, wherein, during the transaction, the buyer system selects one or more of the items for purchase and (iii) a security server system including a computer processor and associated memory and an encryption device, the security server system receiving buyer information from the buyer system and forming a merchant document including information regarding the item being purchased, encrypting the buyer information into a payment document including the buyer's payment information and encrypting the buyer information into an address document including the buyer's shipping address. The security server system transfers the buyer information to a first one of the merchant server system, a payment server system and a delivery server system, wherein the first system removes the document associated with the first system and transmits the remaining documents to a second one of the merchant server system, the payment server system and the delivery server system, wherein the second system removes the document associated with the second system and transmits the remaining document to a third one of the merchant server system, the payment server system and the delivery server system. The security server system encrypts the buyer information using an encryption key in which only the payment server system is capable of decrypting the payment document and only the delivery server system is capable of decrypting the address document.

According to yet another aspect of the invention, a method for performing secure transactions over a communication network includes:

A. establishing a connection between a buyer system and a merchant server system over the communications network to initiate a purchase transaction;

B. the buyer system selecting an item offered for sale by the merchant server system;

C. the buyer system transmitting buyer information to a security server system;

D. the security server system encrypting the buyer information using an encryption key that prevents the merchant server system from decrypting the encrypted buyer information;

E. the security server system transmitting the encrypted buyer information to the merchant server system;

F. the merchant server system transmitting at least a portion of the encrypted buyer information to a third server system for processing during the purchase transaction; and

G. the third server system decrypting the at least a portion of the encrypted buyer information before processing the information.

According to yet another aspect of the invention, a method for identifying a party includes, in a security server system including a computer processor and associated memory the security server system being selectively couplable to a second server system, including a computer processor and associated memory, over a communications network, performing the steps of

A. obtaining a plurality of identifying indicia from each of a plurality of parties;

B. performing a one-way hash function on each of the plurality of identifying indicia to form a plurality of hashed identifiers, wherein a particular output of the one-way hash function is unique to a particular input of the hash function;

C. forming an array of hashed identifiers for each of the plurality of parties, wherein each array includes a number of hashed identifiers that are unique to each party; and

- in the second server system, performing the steps of:

D. receiving an identifying indicium from a party;

E. performing the hash function on the indicium to form a hashed indicium;

F. parsing each of the arrays to determine if the hashed indicium coincides with a hashed identifier therein;

G. determining which, if any, of the arrays contains a coincidence between the hashed indicium and a hashed identifier;

- wherein, if only one coincidence occurs, the method comprises:

H. identifying a unique party from the plurality of parties based the coincidence between the hashed indicium and the hashed identifier; and

- wherein, if more than one coincidence occurs, the method comprises:

I. repeating steps D-G until one of the arrays contains a set of coincidences that none of the other arrays contain; and

J. identifying a unique party from the plurality of parties based on the set of coincidences.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects of this invention, the various features thereof, as well as the invention itself may be more filly understood from the following description when read together with the accompanying drawings in which:

FIG. 1 is a schematic diagram of conventional information distribution in an online transaction;

FIG. 2 is a schematic diagram of the system for effecting anonymous credit card purchases in accordance with the present invention;

FIGS. 3A-3F are schematic diagrams showing different types of transactions hat may be carried out according to the present invention;

FIG. 4 is a schematic diagram showing the steps involved in a purchase transaction in accordance with the present invention;

FIG. 5 is a schematic diagram showing the steps involved in a return transaction in accordance with the present invention;

FIGS. 6A-6C are a schematic diagrams showing the steps involved in a chargeback transaction in accordance with the present invention;

FIG. 7 is a schematic diagram showing the steps involved in enabling private communication between a merchant and a buyer using alias email addresses in accordance with the present invention;

FIG. 8 is a schematic diagram showing the steps involved in the creation of an electronic wallet in accordance with the present invention;

FIG. 9 is a schematic diagram showing the steps involved in a purchase transaction using the electronic wallet in accordance with the present invention;

FIG. 10 is a schematic diagram showing the steps involved in a direct marketing fulfillment transaction in accordance with the present invention;

FIG. 11A is a schematic diagram showing the creation of a digest array in accordance with the present invention;

FIG. 11B is a schematic diagram showing the steps involved utilizing a digest array to identify a buyer in accordance with the present invention; and

FIGS. 12A-12B are schematic diagrams showing other types of purchase transaction schemes in accordance with the present invention.

DETAILED DESCRIPTION

FIG. 1 is a schematic diagram of a conventional online transaction in which abuyer12, during the course of the online transaction, provides certain information S to themerchant14. This information S includes the buyer's delivery address, payment information, such as a credit card number, and information about the item being purchased. n this conventional transaction, themerchant14 possesses and has access to all of the buyer's information. Themerchant14 distributes the buyer's delivery address information S₁to thedelivery firm16 and distributes the buyer's payment information S₂to thepayment processor18. When the payment is approved by thepayment processor18, the transaction is consummated and thedelivery firm16 picks up the item from themerchant14 or an agent of themerchant14 and delivers the item to thebuyer12. While this type of transaction has been generally successful in enabling buyers to purchase item from merchants, a potential security risk exists since at least one party other than the buyer has possession of all of the buyer's private information.

FIG. 2 shows a diagram of a system100 for enabling secure online transactions in which the merchant either never possesses all of the buyer's information or possesses the information in a form that it cannot read in accordance with a preferred embodiment of the present invention. The system100 includesbuyer system110,merchant server system120,security server system130, a paymentprocessor server system140, including merchantacquirer server system142 andbank server system144, anddelivery server system160, all connected to acommon communications network170. Preferably, thebuyer system110,merchant server system120,security server system130, merchantacquirer server system142,bank server system144 anddelivery server system160 are each a personal computer such as an IBM PC or IBM PC compatible system or an APPLE® MacINTOSH® system or a more advanced computer system such as an Alpha-based computer system available from Compaq Computer Corporation or SPARC® Station computer system available from SUN Microsystems Corporation, although a main frame computer system can also be used. Preferably, thecommunications network170 is a TCP/IP-based network such as the Internet or an intranet, although almost any well known LAN, WAN or VPN technology can be used.

In one preferred embodiment of the invention, thebuyer system110 is an BM PC compatible system operating an operating system such as the Microsoft Windows® operating system, andmerchant server system120,security server system130, merchantacquirer server system142,bank server system144 anddelivery server system160 are configured as web servers providing access to information such as web pages in HTML format via a protocol such as the HyperText Transport Protocol (http). Thebuyer system110 includes software to allow viewing of web pages, commonly referred to as a web browser, thus being capable of accessing web pages located onmerchant server system120 andsecurity server system130. Alternatively,buyer system110 can be any wired or wireless device that can be connected to a communications network, such as an interactive television system, such as WEBTV, a personal digital assistant (PDA) or a cellular telephone. In this preferred embodiment,merchant server system120 is an e-tail system offering a plurality of items for sale over the Internet.

While the specific steps involved in the secure transaction system of the present invention are described in detail below,FIGS. 3A-3E are schematic diagrams showing various forms of transactions that are achievable with the present invention. Each ofFIGS. 3A-3E shows the transfer of information after the buyer has selected an item to purchase from the merchant server system and has proceeded to the checkout process.

FIG. 3A shows a transaction in which thebuyer system110 provides a set of information S to thesecurity server system130. As set forth above the information S includes the buyer's delivery address information, payment information and optionally, information about the item being purchased, such as a stock number, etc. The security server system, which is operated separately from the merchant, is dedicated to collecting the buyer's information and protecting the buyer's information as encrypted documents. In the transaction ofFIG. 3A, two encrypted documents are created from the buyer's information S: a delivery document E₁that can only be decrypted by the participatingdelivery server system160 and a payment document E₂that can only be decrypted by the participating paymentprocessor server system140. Once encrypted, the documents E₁and E₂are then transmitted to themerchant server system120 for storage and processing. At no time can themerchant server system120 decrypt the documents, but themerchant server system120 can use them for a full range of services, including all credit card transaction types (e.g. authorization, settlement, void, chargeback) and for shipping and returns. Thus, themerchant server system120 can never see the personal information S of the buyer, but is not hindered in its service offering.

FIG. 3B shows a transaction where the buyer's delivery address information S₁and payment information S₂are transmitted to thesecurity server system130 while the purchase item information S3 is transmitted directly to themerchant server system120. Thesecurity server system130 encrypts the information S₁and S₂to form encrypted documents E₁and E₂which are transmitted to themerchant server system120 Themerchant server system120 then transmits the encrypted delivery document E₁, which includes the buyer's delivery address information, to thedelivery server system160 and transmits the encrypted payment document E₂, which includes the buyer's payment information, to the paymentprocessor server system140. Thedelivery server system160 and the paymentprocessor server system140 then decrypt their respective documents and the transaction can then be carried out without the merchant ever having possession of the buyer's deliver address information or payment information.

FIG. 3C shows a transaction in which transfer of information between thebuyer system110, thesecurity server system130 and themerchant server system120 is the same as that shown inFIG. 3B. However, in this transaction, the encrypted delivery document E₁is transmitted from themerchant server system120 to a intermediatedelivery server system162 which decrypts the document E₁and transmits the decrypted information S₁to thedelivery server system160. Likewise, the encrypted payment document E₂is transmitted from themerchant server system120 to an intermediatepayment server system146 which decrypts the document E₂and transmits the decrypted information S₂to the paymentprocessor server system140.

FIG. 3D shows a fork-type transaction in which thebuyer110 provides its information S to thesecurity server system130. The security server system then separates the information into separate documents and distributes the delivery address information S₁to thedelivery server system160, the payment information S₂to the payment processor server system and the purchase item information S₃to themerchant server system120. In this transaction, even though the buyers information is not encrypted, thesecurity server system130 ensures that each server system receives only the information necessary for it to enable the purchase transaction.

FIG. 3E shows an encryption pipe-type transaction, in which thebuyer110 provides its information S to thesecurity server system130. Thesecurity server system130 encrypts the information to form an encrypted document E₁, which includes the buyer's delivery address information and an encrypted document E₂, which includes the buyer's payment information. The encrypted documents E₁and E₂are then transmitted to themerchant server system120, which transmits both encrypted documents to thedelivery server system160, which retains the encrypted delivery document E₁and transmits the remaining encrypted payment document E₂to the paymentprocessor server system140.

FIG. 3F shows an encryption pipe-type transaction, in which thebuyer110 provides its delivery address information S₁and its payment information S₂to the security server system and order information S₃, particularly information regarding the item being purchased by the buyer, to themerchant server system120. Thesecurity server system130 encrypts the information S₁and S₂to form an encrypted document E₁and E₂, respectively. The encrypted documents E₁and E₂are then transmitted to themerchant server system120, which transmits both encrypted documents to thedelivery server system160, which retains the encrypted delivery document E₁and transmits the remaining encrypted payment document E₂to the paymentprocessor server system140.

In a preferred embodiment of the invention, the buyer's private information, including delivery address information and payment information, is not disclosed to themerchant server system120. The buyer provides this information directly to thesecurity server system130 which encrypts the delivery address information into a delivery document and encrypts the payment information into a payment document. These documents are encrypted using a key which enables only thedelivery server system160 to decrypt the delivery document and which enables only the paymentprocessor server system140 to decrypt the payment document. These documents are transmitted by thesecurity server system130 to themerchant server system120, which then transmits the delivery document to thedelivery server system160 and the payment document to the paymentprocessor server system140. The paymentprocessor server system140 is able to decrypt the payment document to authorize the payment and thedelivery server system160 is able to decrypt the delivery document to provide delivery of the purchased item to the buyer. In order to enable thedelivery server system160 to deliver the item from the merchant, the delivery server system provides themerchant server system120 with an address signature code which preferably is a bar code that corresponds to an order number on the merchant server system. The delivery address information of the buyer is stored in the delivery server system and is “tagged” with the address signature. The merchant server system labels the package containing the item with the address signature. When the delivery firm associated with thedelivery server system160 picks up the package from the merchant, it reads the address signature to determine the address to which the package will be delivered.

FIG. 4 is a schematic diagram which specifically shows this transfer of information between thebuyer system110,merchant server system120,security server system130, merchantacquirer server system142,bank server system144 anddelivery server system160 in accordance with the present invention. In each ofFIGS. 4-10, a vertical bar in the column below each of the

systems

110,120,130,142,144 and160 indicates an action performed by the associated system. Furthermore, tasks shown in a solid line indicate data transmitted “in the clear” or unencrypted, tasks shown in dotted dashed lines indicate tasks performed by thesecurity server system130 or tasks performed under the direction ofsecurity server system130 and tasks shown in dotted lines indicate a transfer of encrypted data.

The package of information is transmitted to themerchant server system120 as items in an XML document, including encrypted documents E₁and E₂, and unencrypted documents and one or more digest arrays. The XML tags are not encrypted so that the XML document can be parsed by themerchant server system120. Themerchant server system120 receives the XML document and parses out the discrete items,step222. The items are stored in the merchant server systems order processing system,step224. Themerchant server system120 sends the encrypted payment document E₂to the participating merchantacquirer server system142,step226, which decrypts the document and transmits it to thebank server system144,step228, for authorization. Instep230, if the payment information is approved, thebank server system144 transmits a payment authorization response to merchantacquirer server system142, which transmits a payment authorization document tomerchant server system120,step232.

Once the payment information has been approved and the merchant server system has received the payment authorization document, themerchant server system120 transmits the encrypted delivery document E₁and an order number todelivery server system160,step234. Thedelivery server system160 decrypts the delivery document E₁,step236, assigns an address signature to the order and transmits the address signature to themerchant server system120, which notifies thebuyer system110 that the order has been successfully processed via the merchant server system website,step236. The address signature is similar to a tracking number, but uniquely identifies a shipping address as opposed to just a package. Instep240, the merchant server system produces a label with the address signature only, since it does not have access to the buyer delivery address information, and transmits a delivery request to thedelivery server system160. Thedelivery server system160 matches the delivery request to the address signature which includes the buyer's delivery address information. Thedelivery server system160 transmits a request to thesecurity server system130,step242, for the security server system to notify the buyer of the delivery tracking number information via the security server system'ssecure email component132,FIG. 7.Security server system130 transmits the delivery tracking number information to the buyer via itssecure email component132,step244. Instep246, themerchant server system120 transmits the encrypted payment document E₂, as well as the payment authorization document, to the merchantacquirer server system142, which decrypts the payment document E₂and transmits a settlement request to thebank server system144,step248. Based on the payment authorization document, the bank approves the settlement request and transmits payment, in the form of a settlement response, to themerchant server system120,step250. Instep252, the delivery firm associated with thedelivery server system160 picks up the package from the merchant firm associated with themerchant server system120, matches the address signature on the label provided by themerchant server system120 to the delivery address information contained in the delivery document E₁and delivers the package to the buyer.

Accordingly, the invention enables a purchase transaction to be completed without disclosing any of the buyers private information to themerchant server system120. By encrypting the buyer's delivery address information into a discrete delivery document that includes only the buyer's delivery address information in a form which only thedelivery server system160 can decrypt, thesecurity server system120 ensures that only the delivery server system obtains information pertaining to the delivery of the purchased item. Furthermore, by encrypting the buyer's payment information into a discrete document that includes only the buyer's payment information in a form which only the paymentprocessor server system140 can decrypt, thesecurity server system120 ensures that only the paymentprocessor server system140 obtains information pertaining to the payment of the purchased item. Since these discrete documents are encrypted before they are transmitted to themerchant server system120, the merchant server system cannot access the buyer's information. This example transfers the pertinent information similar to the transaction shown inFIG. 3A.

FIG. 5 is a schematic diagram which shows a transfer of information between thebuyer system110,merchant server system120,security server system130, merchantacquirer server system142,bank server system144 anddelivery server system160 in a situation where the buyer returns a purchased product to the merchant for a refund. Instep300, thebuyer system110 informs themerchant server system120, either by telephone or email, that the buyer would like to return a product. Themerchant server system120 validates the request,step302, and initiates a digest request,step304, in which the customer provides information about the order,step306, so that the merchant can identify the order,step308. The use of the digest array to identify a buyer is discussed in greater detail below with reference toFIG. 11B. Alternatively, order receipts and other proofs of purchase can be used to authenticate thebuyer system110 without drawing on a digest array created during the initial order. If the buyer is successfully authenticated, themerchant server system120 approves the return,step310 and transmits the encrypted payment document from the initial transaction to the merchantacquirer server system142 for a credit authorization,step312. The merchantacquirer server system142 authorizes the credit and transmits a credit authorization to themerchant server system120,step314. Themerchant server system120 then transmits a return material authorization (RMA) number in an email to thebuyer system110 through thesecure email component132 of thesecurity server system130,

steps

316,318. The buyer sends the item back to the merchant through the delivery firm using the RMA, steps320,322. The merchant server system requests a credit settlement from thebank server system144,step324. The bank server system transmits the credit settlement to themerchant server system120,step326 and thebank server system144 provides the appropriate credit to the buyer's credit card,step328.

FIGS. 6A,6B and6C are schematic diagrams which show a transfer of information between thebuyer system110,merchant server system120,security server system130, merchantacquirer server system142 andbank server system144 in the case of a buyer-initiated chargeback. A chargeback occurs when the buyer informs the bank that it will not pay for a charge resulting from a transaction. Instep350,FIG. 6A, thebuyer system110 initiates the chargeback by informing thebank server system144 that the charge will not be honored. Thebank server system144 reviews the request,step352 and instructs the merchantacquirer server system142 to search for the payment document associated with the request,step354. The merchantacquirer server system142 transmits a report to the merchant server system including the nature of the complaint,step356. The report only identifies the specific transaction to themerchant server system120. At this point, the merchant server system only possesses information about the specific transaction and does not posses any of the buyer's personal information. Themerchant server system120 and thebuyer system110 communicate with each other anonymously through the secure email component of thesecurity server system130, steps358-364. The merchant server system then transmits a chargeback response to the merchantacquirer server system142,step366. The merchantacquirer server system142 transmits the request to thebank server system144,step368, and the bank server system issues a chargeback credit to the buyer's credit card,step370.

The process shown inFIG. 6B is similar to the process shown inFIG. 6A, with the difference being that thesecurity server system130 creates the report to themerchant server system120 rather than the merchantacquirer server system142. This enables thesecurity server system130 to either encrypt or withhold private information of the buyer from the merchant server system. The process shown inFIG. 6C is also similar to the process shown inFIG. 6A, with the difference being that themerchant server system120 receives the chargeback request directly from thebank server system144 without any intervention from the merchantacquirer server system144 or thesecurity server system130.

Thesecurity server system130 is also capable of enabling private email communications between parties, in particular between thebuyer system110 and themerchant server system120.Security server system130 includes asecure email component132,FIG. 7, with which both thebuyer system110 and the merchant server system register. Thesecure email component132 receives the buyer system's true email address and assigns a buyer alias email address to the buyers true address. Likewise, thesecure email component132 receives the merchant server system's true email address and assigns a merchant alias address to the merchant's true address. All email transactions between thebuyer system110 and themerchant server system120 pass through thesecure email component132. In this way, the neither party possesses the other party's true email address and all communication takes place through the secure email component with the alias email addresses.

FIG. 7 is a schematic diagram which shows this process. Instep402, the merchant server system identifies a buyer to which it will send an email message. The message is created,step404, and sent to the buyer's alias email address via the merchant's SMTP server. The email is directed to thesecure email component132 by the buyer's alias address,step406, where it is validated by thesecure email component132. Validation involves ensuring that a particular merchant is authorized to send email to a particular buyer with the buyer's alias email address. If the validation is rejected, the message is returned to the merchant's true email address,step408. If the validation is approved, thesecure email component132 rewrites the SMTP header on the email message, changing the buyer's alias email address to the buyers true email address, and the merchant's true email address to the merchant's alias email address. The message is then sent to thebuyer system110 via the secure email component's SMPT server,step410. If thebuyer system110 replies to the merchant's email message, the reply is sent via the buyer's SMTP server to the merchant's alias email address,step412. The message is then validated in the same manner as the original email message from themerchant server system120. If validation fails, the message is returned to the buyer's true e-mail address without having been delivered to themerchant server system120,step414. If validation does not fail, thesecure email component132 rewrites the SMTP header on the mail message, changing the merchant's alias to the merchant's true e-mail address, and the buyer's true e-mail address to the buyer's alias email address. The message is then sent via the secure email component's SMTP server to the merchant's true e-mail address (MTMA).

FIG. 9 is a schematic diagram of a transaction according to the present invention which includes the use of the electronic wallet described above. Instep502, thebuyer system110 establishes a connection with themerchant server system120 over thenetwork170. Thebuyer system110 places items in its shopping cart,step504 and, when ready to checkout, logs into its wallet which is stored on themerchant server system120 using its user name and password,step506. Themerchant server system120 then asks if the buyer would like to follow an automatic checkout procedure,step508. If no changes are to be made to the buyer system's information, the buyer system will choose this procedure. The process then proceeds to step528, to continue the transaction, wherein steps528-552 are identical to steps228-252 ofFIG. 4.

If thebuyer system110 does not select the automatic checkout, themerchant server system120 transmits the wallet information to thesecurity server system130,step510. The security server system decrypts the wallet information,step512, and transmits a form to thebuyer system110 with a prompt to make any necessary changes to the information, steps514,516. Thesecurity server system130 encrypts the updated information into the delivery document E₁and payment document E₂,step518. The new protected information package is assembled,step520, and transmitted to themerchant server system120 to update the buyer's wallet information. The transaction then proceeds with steps522-552, which are identical to steps222-252 ofFIG. 4.

Thesecurity server system130 of the present invention is also capable of enabling themerchant server system120 to conduct a direct marketing fulfillment process while keeping the buyer system's information private.FIG. 10 is a schematic diagram showing the steps involved in this process. Instep600, themerchant server system120 develops a target list of buyer's to which it will send direct marketing material. Since all of the buyer information in the possession of the merchant server system is encrypted, this target list is also encrypted. However, since the different encrypted documents associated with each buyer system or parsable by themerchant server system120, it is able to provide a list to thesecurity server system130 which includes the encrypted delivery address information of its buyers to thesecurity server system130,step602. Thesecurity server system130 decrypts the buyer list,step604, and transmits the buyer list to afulfillment server system172,step606. Thefulfillment server system172 receives the direct marketing pieces from the merchant server system,step608, labels them with the delivery address information received from thesecurity server system130,step610, and sends the labeled pieces to the delivery firm associated with thedelivery server system160,step612. The delivery firm then delivers the direct marketing pieces to the buyers. This process enables the merchant server system to cause direct marketing pieces to be delivered to buyers without the need for themerchant server system120 to possess the actual delivery address information of the buyers.

FIG. 11A is a schematic diagram showing the process involved in the creation of a digest array, which occurs when the buyer system's information is first input to thesecurity server system130. When the security server system receives the buyer's information, such as in steps210-214 ofFIG. 4, the information S₁-S_n, in addition to being encrypted into documents that can only be decrypted by a predetermined intended party, is passed through ahashing function174 such as the Secure Hash Algorithm (SHA), which creates a hash output D₁-D_n, corresponding to the information S₁-S_n. The digest array is stored on themerchant server system120 for future reference.

If thebuyer system110 needs to contact the merchant server system regarding a particular order, the merchant server system can match the buyer with the particular order by using the digest array. For example, in the return process shown inFIG. 5, the buyer provides information to themerchant server system120 and the merchant server system searches its digest array to match the buyer with the particular order. As shown inFIG. 11B, the buyer system discloses certain portions of information, such as itsname180, the last 4 digits of its credit card182 and itszip code184. This information is passed through hashingfunction174 to form hash outputs186 corresponding to the

information

180,182 and184. Themerchant server system120 searches the digestarray188 until the information provided by the buyer enables a match in the digestarray188 that enables the merchant server system to identify the particular order.

Accordingly, the present invention provides a method of and system for enabling online transactions in which the merchant does not have access to the buyer's private delivery address information and payment information. The security server system encrypts the delivery address information to form a delivery document which can be decrypted only by the delivery server system. The security server system also encrypts the payment address information to form a payment document which can be decrypted only by the payment processor server system. The delivery document and the payment document are provided by the security server system to the merchant server system, which, in turn, distributes the documents to the respective server systems for processing during the course of an online transaction. While, in the example ofFIG. 4, the transaction carried out is in the form of the combination encryption pipe/fork transaction shown inFIG. 3A, it will be understood that the system can be utilized to carry out any or all of the transaction types shown inFIGS. 3A-3E. Furthermore, the system and method of the present invention can be utilized to carry out transactions which take the form of a token passing ring, such as is shown inFIG. 12A, wherein encrypted documents may be passed among all of the parties in thering190 and a distributive ring, such as is shown inFIG. 12B, wherein a head party introduces encrypted documents into thering194, which documents are then passed among the other parties of thering194.

The invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are therefore to be considered in respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of the equivalency of the claims are therefore intended to be embraced therein.