1301028

IX. Description of the Invention:

【Technical Field of the Invention】

The present invention relates to transaction systems and transaction terminals designed to store transaction data, and has particular, but not exclusive, application to offline transactions.

【Prior Art】

The advantage of using customer tokens in transaction systems, such as smart cards (for example personal transaction cards or identity cards having an integrated circuit chip (ICC), or other forms of memory), depends on the security provided by the ICC. Because of this security, some smart cards are used to store monetary value in electronic form, in what are called "electronic wallet" systems. In such a system, a transaction terminal is used to deduct monetary value from the electronic wallet on the smart card, and that value is stored in the terminal in offline mode. That is, because the monetary value transferred constitutes the whole payment for the goods or services purchased, the terminal does not need to connect to a host system to approve the payment. The value deducted from the smart card is stored in the terminal and is transmitted to the host computer only as part of a batch of such transactions. This arrangement means that the terminal does not have to connect to the host system for every transaction and may instead transmit, for example, once at the close of business.

Another existing offline transaction application of this type is the customer loyalty scheme, in which smart cards are used to store "rewards" or bonus points. The bonus points are held as stored value on the smart card, and a terminal deducts value from it, for example as part of a cash payment. Such offline transactions are captured in the terminal and then transmitted in batch mode to a host system, to reduce the data transmission costs incurred in connecting to the host system.

Typical prior art for implementing such offline systems involves authenticating the ICC in the smart card by means of a cryptographic system in the ICC card, so that a terminal receiving the card for a transaction can confirm that the card is genuine. Such existing authentication methods require the terminal to store a secret code value, generally called a "key", which the terminal uses to confirm the authenticity of the smart card. This authentication is usually performed by a so-called "mutual authentication" procedure.

For such a mutual authentication procedure to work, it is usually assumed that the ICC in the smart card contains a secret key, and the terminal attempts to confirm this value algorithmically by exchanging random values with the smart card. The procedure is called mutual authentication because the card likewise attempts to confirm that the terminal holds a corresponding key, that is, that the terminal is a genuine terminal.

The mutual authentication procedure is effective only while the terminal's secret key remains secret, so unauthorized access to the secret key must be prevented. The terminal is required to be tamper-resistant and generally to prevent unauthorized access to the key. To this end, the usual industry practice is to store the secret key (or keys) in a tamper-resistant device (for example an ICC card placed in the terminal) that is programmed to act as a so-called Secure Access Module (SAM). The SAM is physically secure and is designed not to release secret values or keys. The SAM is usually installed in a dedicated slot of the terminal, into which it can be inserted and from which it can be removed. A terminal may have several SAM slots and can hold several SAMs.

As discussed above, in such existing systems the offline transactions captured in the terminal must be transmitted to the host system so that the system can confirm the transactions. In an electronic wallet system, the system must pay the merchant, in electronic form, the value the merchant has collected, and a customer loyalty system must process the rewards deducted from or added to the smart card. In an electronic wallet system, however, if the host system cannot receive the offline transaction information, the transaction cannot be processed and the merchant is not paid. In a customer loyalty system, rewards that a customer has used in offline mode can remain unrecorded by the host system, so that the system's records show those rewards as unused and the customer can still use them.

The loss of offline transactions stored in a terminal is therefore a serious problem in existing offline transaction systems. Such a loss can sometimes be corrected by keying in transaction data from receipt records or from the receipt printed at the terminal for each transaction, but this is time-consuming, laborious, error-prone, and difficult to verify as authentic.

【Summary of the Invention】

It is therefore an object of the present invention to provide a transaction system that takes advantage of SAM memory storage to at least ameliorate the problems described above.

According to a first aspect of the present invention, there is provided a transaction system comprising:

a host system; and

at least one electronic transaction terminal for receiving transaction data relating to customer transactions and for transmitting said transaction data over a computer network to said server, said transaction terminal including an interface for establishing a data communication link with a removable data storage device used to store at least one digital security key;

wherein said security key can be accessed by said transaction terminal while said data storage device is in data communication with said transaction terminal, and said transaction terminal is arranged to write said transaction data to said data storage device for subsequent retrieval by said transaction terminal or by another similar transaction terminal.

In this and other aspects of the invention, the security key may be designed for authentication of the transaction terminal, authentication of the customer token, or mutual authentication of the transaction terminal and the customer token.

The data storage device preferably comprises a Secure Access Module (SAM).

The transaction terminal preferably includes a memory and is further arranged to write said transaction data to said memory, so that said transaction data is stored both in said data storage device and in said transaction terminal.

A second copy of the transaction data is thus stored in the memory of the transaction terminal, so that the transaction terminal can transmit the transaction data to the server after recovering it from either the data storage device or the terminal's memory. The copy of the transaction data stored in the terminal's memory can normally be regarded as the primary copy, and the copy stored in the data storage device as the backup.

The present invention therefore allows transaction data (and in particular transaction data from offline transactions) to be stored redundantly and cost-effectively by making use of an existing data storage or memory device, so that if the terminal fails the transaction data can still be recovered from the memory device.

Transaction data can be stored to and retrieved from the SAM without using the security functions normally used by the SAM, and without giving up the SAM's existing security functions (for example, protection of the cryptographic keys stored in the SAM).

The transaction terminal preferably includes a housing (for example a smart card acceptor) for receiving said data storage device, in which said data storage device can be connected to said interface.

The transaction terminal may be arranged to delete said transaction data from said data storage device after the transaction data has been transmitted to said server by said transaction terminal.

Thus, once the transaction data has been successfully transmitted to the host server, it no longer needs to be kept in the data storage device and can be deleted from it, and the storage locations in the data storage device can hold subsequent transaction data.

In one embodiment, the transaction terminal is arranged to delete the transaction data from the data storage device after said transaction data has been successfully transferred from said data storage device to said transaction terminal. In this embodiment, the storage locations in the data storage device can then hold subsequent transaction data.

The data storage device is preferably arranged so that, when it is full of transaction data, new transaction data is written over old transaction data, with the oldest transaction data overwritten first.

The transaction terminal is preferably arranged to write to said data storage device only transaction data relating to offline transactions performed at the transaction terminal.

When the transaction terminal fails, or for whatever reason cannot transmit to the host system the offline transactions stored in the terminal and in the data storage device (for example a SAM), the data storage device can be removed from the terminal and inserted into another terminal, which can retrieve the transaction data stored in the data storage device and transmit it to the host.

In one embodiment, the interface is designed to establish data communication links with a plurality of removable data storage devices, in which a first storage device can be used to store said digital security key and said transaction terminal is arranged to write said transaction data to a second data storage device for subsequent retrieval by said transaction terminal or by another similar transaction terminal.
Said transaction data is preferably stored in said data storage device in a file of fixed size, and said data storage device is arranged so that, when the number of transactions recorded in said file reaches or exceeds a threshold, it returns a status to said transaction terminal prompting the terminal to upload any data stored in the terminal to said server and then to clear the offline transaction data stored in the terminal, or any redundant backup of said transaction data stored in said data storage device, so that the terminal and the data storage device can hold more transaction data without losing any transaction data previously stored in the data storage device.

According to a second aspect of the present invention, there is provided an electronic transaction terminal for receiving transaction data relating to customer transactions and for transmitting said transaction data over a computer network to a host server, said terminal comprising:

an interface for establishing a data communication link with a removable data storage device used to store at least one digital security key;

wherein said security key can be accessed by said transaction terminal while said data storage device is in data communication with said transaction terminal, and said transaction terminal is arranged to write said transaction data to said data storage device, from which said transaction data can subsequently be retrieved by said transaction terminal or by another similar transaction terminal.

Said transaction terminal preferably includes a memory and is arranged to write said transaction data to said memory and to said data storage device, preferably in the form of individual transaction records.

The security key is preferably one of a plurality of digital security keys, and more preferably is used to authenticate the customer token.

The interface may be designed to establish data communication links with a plurality of removable data storage devices, in which a first data storage device can be used by said transaction terminal to store the security key, and said transaction terminal is arranged to write said transaction data to a transaction record in said transaction terminal and to a second data storage device, for subsequent retrieval by said transaction terminal or by another similar transaction terminal.

According to a third aspect of the present invention, there is provided a method of storing transaction data in a transaction system before transmission to a host server, comprising:

writing said transaction data, by means of a transaction terminal, to a data storage device that is designed to store a digital security key for said terminal and is in data communication with said transaction terminal;

wherein said transaction data can subsequently be retrieved by said transaction terminal or by another similar transaction terminal.

The method may include deleting said transaction data from said data storage device when said transaction data has been successfully transmitted to said host server by said transaction terminal.

The method may include writing to said data storage device only transaction data relating to offline transactions performed at said transaction terminal.

【Embodiments】

A transaction system according to a preferred embodiment of the present invention is shown schematically at 10 in Fig. 1. System 10 includes a host server 12 and a plurality of transaction terminals in the form of payment terminals 14, which are connected to host server 12 by a computer network 16 (such as the Internet). Each payment terminal 14 is designed to allow customers to carry out transactions with payment cards, loyalty cards or the like.

Referring to Fig. 2, each payment terminal 14 has a processor 17 connected to non-volatile memory (NVM) 18 and random access memory (RAM) 19, a keypad 20, a receipt printer 22, and a SAM acceptor 24. SAM acceptor 24 provides the interface between the payment terminal and a SAM in the form of a smart card, for example one conforming to international standard 7816 Part 1 to Part 3 (such as the form used for Subscriber Identity Modules (SIM) in mobile phones).

Payment terminal 14 also includes a card acceptor 26, for example one conforming to international standard 7816 Part 1 to Part 3. Card acceptor 26 is, for example, of the type used in electronic draft capture terminals for credit card payment systems conforming to the Europay-Mastercard-Visa (EMV) specifications. Card acceptor 26 may be designed to accept "contactless" ICC cards, which use radio frequency (RF) transmission (for example conforming to international standard 1444) for communication between the terminal and such ICC cards.

Payment terminal 14 includes (when in use) a SAM 28 installed in SAM acceptor 24. SAM 28 has an integrated circuit chip 30 with built-in tamper-resistant security functions that protect the digital content of the chip. Chip 30 includes a processing unit 32, read-only memory (ROM) 34 containing application software coded as the chip operating system, volatile RAM 36, non-volatile memory (NVM) 38 (for example electrically erasable programmable read-only memory (EEPROM)) containing software programs coded to perform the functions described below together with associated data, and an I/O unit 40.

The system also includes a plurality of customer tokens, each in the form of a smart card 42 containing an integrated circuit chip 44. ICC 44 includes a processor unit 46 connected to a ROM area 48, which contains application software coded to perform payment functions in chip 44, a RAM area 50, and an input/output unit 52 (for connection to card acceptor 26 of payment terminal 14).

When a customer smart card 42 is used at payment terminal 14 for a payment or other form of customer transaction, a transaction record is generated and stored in NVM 18 of the payment terminal, and is subsequently transmitted to host computer server 12 for settlement, reconciliation and similar purposes.

The transaction record is also sent to SAM 28 to be recorded. A software program stored in NVM 38 of SAM 28 runs in SAM 28 and is arranged to accept and record the transaction. SAM 28 receives the transaction data from the transaction terminal and performs the following functions: (1) it finds the next available memory location in NVM 38 of SAM 28, (2) it records the transaction at that location, and (3) it updates an index to indicate the memory location available for the next transaction.

These steps are repeated for every transaction until SAM 28 has used up the storage space in its NVM 38. When that happens, the index is updated to point to the memory location at the start of the transaction record area in the SAM's NVM. This means that the next transaction is recorded at the start of the transaction record area in NVM 38, overwriting the transaction record previously recorded at that location. The number of transactions that SAM 28 can hold (that is, the number of transactions that can be recorded in the SAM before the oldest transaction in the SAM is overwritten) depends on the number of transactions that may take place before terminal 14 can transmit its batch of transaction data to the host.

Each batch is usually identified by a batch number, which can be assigned in various ways (for example by giving each new batch an incrementing sequence number, or from the date and time of its first transaction). Whenever a batch is uploaded successfully a new batch begins, and terminal 14 issues a command to SAM 28 to mark the start of the new batch by updating the new batch number in the SAM.

If payment terminal 14 fails and the transactions recorded in its NVM are lost, SAM 28 can be removed from that payment terminal and inserted into another payment terminal 14. This second payment terminal 14 can be programmed to query SAM 28 to retrieve the transaction data stored in NVM 38 of SAM 28, and then to transmit the data to host server 12 in place of the original transactions in the failed payment terminal 14.
Optionally, each time payment terminal 14 starts a new batch of transactions, the change (for example from the old batch to the new batch) is also recorded in SAM 28. This allows payment terminal 14 to recover transactions from the SAM starting from the beginning of the last batch recorded in SAM 28, and allows the SAM to reuse the space in NVM 38 of SAM 28 that was used by transactions in earlier batches which have been uploaded successfully and no longer need to be backed up in SAM 28.

Fig. 3A is a flowchart showing (starting from "A") the process by which, under normal conditions, a transaction (Txn) is processed in terminal 14 and stored in SAM 28 while terminal 14 is operating offline (for example when it is not connected to host server 12). In this flowchart, Idx denotes the identification number of a transaction, StartIdx is the first transaction of a particular transaction batch, and EndIdx is the last transaction of a particular transaction batch.

At intervals determined by any number of conditions (for example the number of transactions captured in the terminal, or the time of day), terminal 14 begins transmitting (that is, uploading) transactions to host server 12. At the end of a successful upload, the terminal sends a "start new batch" command to the SAM, to distinguish the transactions captured in the SAM before the upload from those captured in the SAM after it. This "start new batch" process is also shown in Fig. 3A.
圖不於圖1中事件的程序之更詳細地說明如下: 當—新的SAM第—次插入終端機14時,終端機Η 始在SAM 28中的一薪也μ A Η 斤托-人(步驟66),作為起始流程的一 份。以下的說明假設第一 ^ ” 弟-人開始新批次,,流程66、67 68和69都已完成,因 0日 阳以更通用的狀況,從” Α”(步驟5 開始,其中SAM 28被 於作為交易流程的一部份,用來 錄一筆交易: 步驟5 3 :使用去風τ日土 者展現智慧卡42給終端機14; 步驟54:交易(例如朴士Α ^ 付开人父易或回饋點數或折價券交 16 1301028 發生,可能伴隨更新卡片42中的資料; 步驟55 ·交易資料記錄至終端機14中的交易紀錄 (“TLOG” ); 步驟56 ·終端機14傳送交易資料至sam 28中,用來 更新SAM 28中的交易紀錄(“ SL〇G”); 步驟57 ·在SAM 28中的記錄應用程式已預先設定用來 儲存SLOG的記憶體容量,此記憶體空間被分割為由MaxIdx 所顯示之交易紀錄的最大數量。SAM應用程式也有一些其它 資料儲存元件(程式中的變數),其名稱和定義如下: • Idx為寫入SLOG之最後一筆交易的位置;在一新的 SAM中,Idx的起始值為〇。 • Startldx為目前批次寫入讥㈨之第一筆交易紀錄的 位置。 • Endldx為該批次寫入SL〇G之最後一筆交易紀錄的位 置。 • Batch#代表一批次。 • Batch Directory 為在 SAM 中的位置,包含 Batch# 的清單’而由一 Batch#所代表之每一批次有_對應的 Start Idx和Endldx,指出該批次之第一和最後一筆交易紀 錄的位置。 因此’在此步驟中,檢查目前批次之I dx是否指向 Max Idx(例如SLOG中的最後一筆紀錄); 步驟58 :若是,則將Idx指回Sl〇G的頂端,亦即,設 定Idx=l並繼續步驟6〇 ; 17 1301028 步驟59 :若否,(例如Idx未指向SL〇G中的最後一筆 紀錄),增加Idx指向到下一紀錄位置,然後繼續步驟6Q ; 步驟60 :將目前的交易寫入slog中由Idx所指示的紀 錄位置;將Endldx設定為Idx,指示此批次的最後一筆交 易在此; 步驟61:檢查目前批次的最後一筆交易是否與其它批 -人重i,此乃藉由檢查目前批次的End丨dx是否等於在批次 目錄中之其它任意批次(一第二批次)的StartIdx ; 步驟62 :若是,則第二批次不再有效,且其批次目錄 的項目會從批次目錄中移除,然後程序會繼續於步驟63, 否則直接至步驟63 ; 步驟63 :終端機14檢查是否發生任何上傳(依據定義 上傳情況的參數); 步驟64:若是(且符合上傳情況),則終端機起始上傳 動作然後繼續步驟65,否則回到”a”(步驟53); 步驟65:檢查上傳是否成功; 步驟66 :若是(但也若此為SAM 28第一次插入終端 機),則終端機14告知SAM 28開始一新的批次,然後繼續 步驟67,否則,到圖3B中的,,D,,; 步驟67 : SAM 28以新的批次項目更新批次目錄,並設 定新批次的Endldx和Start Idx為Idx+1(例如前批次的Ηχ 或一新的SAM弟一次插入終端機之I dx,在此狀況I dx為 0),當 Idx〈Max Idx 時;或在 idx = Max Idx 時,設定 start Idx 和 Endldx 為 1 ; 18 1301028 步道68 ·· SAM 28,藉由比較新批次之EndIdx與在批次 目錄中其它批次之Startldx,檢查Endldx是否覆蓋鄰近(其 它)批次之第一筆紀錄; 步驟69:若是且另一批次有—與目前EndIdx值相等的 Startldx,則其它批次項目會從批次目錄中移除,而在其 它批次中的資料會被視為不再有效,而在該批次的紀錄會 被新批次的紀錄所覆蓋,然後回到步驟53;否則,回到步 驟53。 少 圖3b為一流程圖,暴貝示若從m終端機上_ 交易被發現(在圖3A中的步驟65)失敗,依據本實施例所發 的现私&清况必須使父易資料從第一付款終端機的讓 28取出’傳至一第二付款終端冑14。通常顯示於圖3B的 流料在當發現上傳的失敗是起因於第一付款終端機之失 效日守使用。 在特定終端機和主機伺服器12之間資料傳輸的失敗會 等同於終端機的失效,在這樣的情況1 SM移轉 個::Γ終端機用以上傳交易資料’是略過失效的- 式,而不需等待在第一終端機和主機词服器以 間貝科傳送的復原。 必須注意較,在圖心所顯示的流程,使用者可以 达擇那一個批次要從SAM 28中 問(在步謂要被上傳的批次是::最用者被詢 者會败L 疋企马被後批次(因為使用 、=通d立即嘗試回復未從終端機14上傳的批 
右否,則終端機Η會從SAM中摘取一批次清單,並顯 19 1301028 示孩β單給使用者選擇。因此,在這兩種情況,終端機14 最後會傳送(步驟8〇)被選擇的Batch#至SAM 28,且在步驟 90,接著傳送一,,Get Τχη”請求給SM 28。在步驟1〇〇中, "十數N在其後被設定為Start Idx,在子流程11 〇中,在 立即批次中的每一交易N被從SAM 28中上傳至終端機14, 而N增加,直到N等於Endldx。 必y員庄思的是,因為終端機丨4以一批次識別碼(見圖 3A)標記在SAM中所記錄之每―交易批次的起始,所以_ 28可以被規劃來追踪多個批次,其取決於在讓μ中可用 於記錄交易之記憶體/資料儲存的容量。因此,在從 上傳期間’終端機14可以被程式化來讓使用者選擇前次嘗 口式攸SAM上傳之批次(在_些更早從終端機14失敗的上傳 之後),然後重新嘗試該筆之前從 28的失敗上傳。 、在本發明範圍内㈣正可以由習知技術之人輕易達 j ’因而’必須注意的是,本發明未限定於上述作為說明 乾例之特定實施例。 【圖式簡單說明】 實二了使本發明更清楚㈣,較佳實施例將參考附圖以 實例加以說明,其中·· 圖1為依本發明的一較佳眚 ^ 示圖; 权隹實施例之父易系統的概要表 之系、L2為圖1系統之具有SAM之付款終端機和客戶身份 圖3A為一流程圖,顯+田;土士 η 貝不用來儲存圖1系統中付款終端 20 1301028 機之交易貢料的流程, 圖3B為一流程圖,顯示從一安全存取模組中擷取交易 資料存至圖1系統之付款終端機的流程。 【主要元件符號說明】 10 系統 12 伺服器 14 付款終端機 16 電腦網路 17 處理器 18 非揮發記憶體 19 隨機存取記憶體 20 鍵盤 22 收據列印機 24 SAM收納器 26 卡片收納器 28 安全存取模組 30 積體電路晶片 32 處理單元 34 唯讀記憶體 36 揮發式隨機存取記憶體 38 非揮發記憶體 40 I/O單元 42 智慧卡 44 積體電路晶片 21 1301028 46 處理器單元 48 唯讀記憶體區 50 隨機存取記憶體區 52 輸入/輸出單元The procedure of the event not shown in Fig. 1 is explained in more detail as follows: When the new SAM is first inserted into the terminal 14, the terminal starts to have a salary in the SAM 28 as well. Step 66), as a part of the initial process. 
The following description assumes that a new batch has first been started and that steps 66, 67, 68 and 69 have all been completed, since this is the more general condition. It starts from "A" (step 53), where SAM 28 is used as part of the transaction process to record a transaction:

Step 53: The user presents the smart card 42 to the terminal 14;
Step 54: A transaction (e.g. a payment transaction, or reward points or discount coupons) occurs, possibly accompanied by an update of the information in the card 42;
Step 55: The transaction data is recorded to the transaction record in the terminal 14 ("TLOG");
Step 56: Terminal 14 transmits the transaction data to SAM 28 to update the transaction record in SAM 28 ("SLOG");
Step 57: The recording application in SAM 28 has a preset memory capacity for storing the SLOG; this memory space is divided into a maximum number of transaction records, denoted MaxIdx. The SAM application also has some other data storage elements (variables in the program), whose names and definitions are as follows:
• Idx is the location of the last transaction written to the SLOG; in a new SAM, the starting value of Idx is 0.
• StartIdx is the location of the first transaction record written to the SLOG in the current batch.
• EndIdx is the location of the last transaction record written to the SLOG for the batch.
• Batch# represents a batch.
• Batch Directory is a location in the SAM containing the list of Batch#; each batch represented by a Batch# has a corresponding StartIdx and EndIdx, indicating the locations of the first and last transaction records of the batch.
So, in this step, check whether the current Idx points to MaxIdx (i.e. the last record in the SLOG);
Step 58: If yes, Idx is returned to the top of the SLOG, that is, set Idx=1 and continue to step 60;
Step 59: If no (i.e. Idx does not point to the last record in the SLOG), increase Idx to point to the next record position, and then continue to step 60;
Step 60: Write the current transaction to the record location indicated by Idx in the SLOG; set EndIdx to Idx, indicating that the last transaction of the batch is here;
Step 61: Check whether the last transaction of the current batch overlaps another batch, by checking whether the EndIdx of the current batch is equal to the StartIdx of any other batch (a second batch) in the batch directory;
Step 62: If yes, the second batch is no longer valid and its entry is removed from the batch directory, then the program continues to step 63; otherwise go directly to step 63;
Step 63: Terminal 14 checks whether an upload condition has occurred (according to the definition of the upload conditions);
Step 64: If yes (an upload condition is met), the terminal initiates the upload and then proceeds to step 65; otherwise it returns to "A" (step 53);
Step 65: Check whether the upload is successful;
Step 66: If yes (or if this is the first time the SAM 28 is plugged into the terminal), the terminal 14 informs the SAM 28 to start a new batch and then proceeds to step 67; otherwise, go to "D" in FIG. 3B;
Step 67: SAM 28 updates the batch directory with the new batch entry and sets the EndIdx and StartIdx of the new batch to Idx+1 when Idx < MaxIdx (Idx being that of the previous batch, or that of a new SAM inserted into the terminal for the first time, in which case Idx is 0); or, when Idx = MaxIdx, sets StartIdx and EndIdx to 1;
Step 68: SAM 28 checks whether EndIdx overwrites the first record of an adjacent (other) batch, by comparing the EndIdx of the new batch with the StartIdx of the other batches in the batch directory;
Step 69: If another batch has a StartIdx equal to the current EndIdx value, the entry of that other batch is removed from the batch directory, the data in that batch is considered no longer valid, and the records in that batch will be overwritten by the records of the new batch; then return to step 53. Otherwise, return to step 53.

FIG. 3B is a flow chart of the process used if the upload of transactions from the terminal is found to have failed (as found in step 65 of FIG. 3A) and the SAM 28 is moved from the first payment terminal to a second payment terminal 14. The flow shown in FIG. 3B is normally used when the upload failure is due to a failure of the first payment terminal. A failure of data transmission between the specific terminal and the host server 12 is treated as equivalent to a failure of the terminal. In this case, the SAM is moved to another terminal, which is used to upload the transaction data, bypassing the failure without waiting for recovery of the transmission between the first terminal and the host server.
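As an added example (not code from the patent), a Python model of the SLOG ring and batch directory described in steps 57 to 62 and 67 to 69 above, showing when an older batch's directory entry is dropped as its first record is overwritten. The names `SamLog`, `start_batch`, `record`, `read_batch` and `demo` are assumptions, and `read_batch` follows the wrap-around when walking a batch from StartIdx to EndIdx.

```python
class SamLog:
    def __init__(self, max_idx):
        self.max_idx = max_idx   # MaxIdx: record slots are numbered 1..MaxIdx
        self.idx = 0             # Idx: last slot written; 0 in a new SAM
        self.slog = {}           # SLOG: slot number -> transaction record
        self.directory = {}      # batch directory: Batch# -> [StartIdx, EndIdx]
        self.current = None      # Batch# currently being recorded

    def _next(self, i):          # steps 57-59: wrap to slot 1 after MaxIdx
        return 1 if i == self.max_idx else i + 1

    def _drop_overlapped(self):
        # Steps 61-62 / 68-69: drop any other batch whose StartIdx == EndIdx.
        end = self.directory[self.current][1]
        lost = [b for b, se in self.directory.items()
                if b != self.current and se[0] == end]
        for b in lost:
            del self.directory[b]
        return lost

    def start_batch(self, batch_no):
        # Step 67: StartIdx = EndIdx = Idx+1, or 1 when Idx == MaxIdx.
        self.directory[batch_no] = [self._next(self.idx)] * 2
        self.current = batch_no
        return self._drop_overlapped()

    def record(self, tx):
        # Step 60: write at the advanced Idx and set EndIdx to it.
        self.idx = self._next(self.idx)
        self.slog[self.idx] = tx
        self.directory[self.current][1] = self.idx
        return self._drop_overlapped()

    def read_batch(self, batch_no):
        # Walk StartIdx..EndIdx following the wrap (batch must be non-empty).
        n, end = self.directory[batch_no]
        records = [self.slog[n]]
        while n != end:
            n = self._next(n)
            records.append(self.slog[n])
        return records


def demo():
    log = SamLog(max_idx=4)      # constructed 4-slot SLOG
    log.start_batch(1)
    log.record("tx-a")
    log.start_batch(2)
    dropped = [log.record(t) for t in ("tx-b", "tx-c", "tx-d", "tx-e")]
    return dropped, log.directory, log.read_batch(2)
```

In the constructed run, the fifth record wraps onto slot 1, so batch 1 disappears from the directory at that write and can no longer be requested from the SAM.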
It must be noted that in the process shown in the figure, the user can select which batch to request from the SAM 28 (the batch to be uploaded). Most commonly this will be the batch whose upload has just failed (because the user usually tries immediately to recover the batch that could not be uploaded from the terminal 14); otherwise, the terminal retrieves a batch list from the SAM and displays it for the user to select from. Therefore, in both cases, the terminal 14 finally transmits (step 8) the selected Batch# to SAM 28 and, in step 90, then transmits a "Get Tx N" request to the SAM 28. In step 100, N is then set to StartIdx, and in subroutine 11, each transaction N in the batch is uploaded from the SAM 28 to the terminal 14, with N increasing until N equals EndIdx.

It should be noted that because terminal 14 marks the start of each "transaction batch" recorded in the SAM with a batch identification code (see FIG. 3A), SAM 28 can be configured to track multiple batches, depending on the capacity of the memory/data storage that can be used to record transactions in the SAM. Therefore, during an upload, the terminal 14 can be programmed to let the user select a batch whose upload from the SAM was previously attempted (after an earlier failed upload from the terminal 14), and then retry an upload from the SAM 28 that previously failed.

Within the scope of the present invention, variations can readily be arrived at by a person skilled in the art. Thus, it must be noted that the present invention is not limited to the specific embodiments described above as illustrative examples.

[Brief description of the drawings]
The present invention will be described more clearly below, and the preferred embodiments will be described by way of example with reference to the accompanying drawings, in which:
FIG. 1 is a schematic overview of the transaction system of a preferred embodiment of the invention;
FIG. 2 shows the payment terminal with SAM and the customer identity token of the system of FIG. 1;
FIG. 3A is a flow chart showing the flow used to store the transaction data of the payment terminal in the system of FIG. 1;
FIG. 3B is a flow chart showing the flow of extracting the transaction data from a secure access module to the payment terminal of the system of FIG. 1.

[Key component symbol description]
10 System
12 Server
14 Terminal
16 Computer network
17 Processor
18 Non-volatile memory
19 Random access memory
20 Keyboard
22 Receipt printer
24 SAM storage
26 Card storage
28 Secure access module
30 Integrated circuit chip
32 Processing unit
34 Read-only memory
36 Volatile random access memory
38 Non-volatile memory
40 I/O unit
42 Smart card
44 Integrated circuit chip
46 Processor unit
48 Read-only memory area
50 Random access memory area
52 Input/output unit