Note: Descriptions are shown in the official language in which they were submitted.
` ` : :
~ 9 8
FIELD ~ND BACKGROUND OF THE INV~NTIO~
This invention relates to a security system which protects
against misuse and counterfeiting associated with banking
transactions in particular, such as manuaL or automatic dis-
pensing of money, by using identificands, such as credit cards~
check cards, ma~hine-read cards and the like~ which bear
identification and card use data which can be read visually
and by machine, and by utilizing an individual distinguishing
device, such as a personal identification number (PIN), to
check whether the user is entitled to use the identi~icand.
As the system of the invention ls not limited to the
use of a card, but can also employ a key, a coded token, or
the like, the generic term "identi~icand" consequently is
used herelna~ter or the element usable with the system, and
includes either a card of the mentioned type, a coded token,
or a key, or the like.
In systems oE this general type, the intention is to
protect the identi~icand from misuse and countereiting~ and ;
. such systPms have been the subject of many previous proposals,
patented and others~se. Thus, some known systems of cash
dispensing may use, for example, the account number as an
identification and, for protection, a personal referen~e n~mber
~or personal iden~i~ica~ion n~mber which correlates with the
¦account number~ The user has ~o insert his card into a
l~verifying means~ such as a machine~ and "key in" his personal
2.
^~ 9~
reference number (PIN) in crder to prove or check his right
Ito use the iden~ifieand. Obviously, in such a case, evidence
of tampering cannot be checked9 so that it is easy for a
potential criminal to counterfeit ca~ds if he is able to
decipher the correlation between the accoun-t number and ~he
identification number. Decîphering is made easier by the
fact that, in all ~nown machine cards, ~he personal identification~
number (PI~) entered on the identificand can bQ easily determined
either visually or by machine reading, re~ardless of whether
LO ~ it ls encoded Ir printed
Moreover, the identificands car~y still other data whlch
might be of interest to a crimi.nal, namely, use data. Use
data includes the expiration ti.me or date, the amount of money
available to the rightful owner o~ the ~denti~icand, such as
a card, and the conditions of use of the identificand. Not
only the ri~ht~ul owner of the card, but also a potential
criminal, can easily change~ to his or her advantage~ thi~ ¦
use data~ especially i~ the use data is recorded on a magnetic
strip, known to ~he art as "magstrip'l,on the card, such
2G magstxips being characteristic of machine-read cards on~y~ ¦
WhiLe the state of this art is eontained in volumes of
technical literature, it is su~ficient to mentio~, in particular,
German Offenlegun~sschrift No. 1~945~777, Uni~ed S~a~es patent
Nos. 3,891,830, 3,868,057, 3 7 934,1~2, and 3,702,4~4, and also
1. British Paten~ No. 1~197~183D All the machine-read cards
covered b~ the prior axt technical literature, however~ have
3.
., I I
~the dis-dv Itage that th~ personaL identification number (PIW),
even if not always easily deciphered, can be determined, and
furthermore, the machine~read cards can also b~ misused b~ the
rightful owner by changing the use dat~ In other woxds, the
inormation contained in thase cards is externally accessible
to either the rightful owner or to a potential criminal
SUM~ARY OF THE INVENTIO~ 1-
Accordingly, the objective of the invention is to provide
a security system safeguarded against misuse and counter- ¦
-~0 feiting~ especially in the processing of banking transactions~
where the known disadvantages, mentioned above~ are eliminated~
It is a further objective o the invention to permit the
identificand to be used for both machine-xead and conventional
applications.
In accordance with the foregoing, the basic or underlying
concept of the present invention is that all or part of the
in~ormation to be stored in the identificand, and which is
to be protected against misuse or counterfeiting, is fed into
memories which can ba loaded only o~e time and permanently and,
in addition, the fed-in information cannot be determined from
outside tha ident~ficand or, in othex words, is not accessî~le
external1~. In order to be able to utili3e these identiicands,
¦the identificands further include in~ernal memories and means
to compare data, transmitted ~rom the exteriox, wi~h ~h stored
data, and which are readabla only within the identificand, for
example, for the purpose of checking identity and right of
¦use or entitlement. In identificands embodying the inYention
and or use with machines, ~here are included9 in the
¦identificanA, further memories and circuitry elements which
ma~e possibla communication with the machine, for example,
through input~output devices for connection to the machine
either electrically, magneticall y9 or otherwqse~
It is known from the prior art that memories have been
develope.d in which only one entry can be made and from which
nothing can be erased However3 such memories can and must be
readable from outside (see U.S~ Paten~ Mo. 3,702,464 covering
a ROS M~102Y). With the present invention, the system and the
data protected in the identificand cannot be determined ~rom
the exterior and so the system does n~t requira further
secxecy measures. With the present invention, the potential
criminal, or the rightful user attempting to misuse the
identificand, may know all the specific~ but still will not
be able to misuse the identificand or to b~eak into the- ¦
system with succe~s.
. '. I
As the invenl:ion requires a num~er G~ memories and con~rol
circuits, it is practical to combine all o~ these elements
into one integrated circuit ~IC3 or "chip" incorporated in
the identificand. Such integrated circuits, moreover, încrease
protection against tampering with the identificands themselves
since 9 without considerable difficulty and expense9 a criminal
would hardly e able to de~erm ne the layout of an IC and cupy it.
..
3 ~ -
As a further security measure, the invention assuxes that~
when the identificand is first initiaLi~ed~ f~x example, by
assigning a "neutral't identificand to a client through
entering the account number and a personal identification
¦designation, such as a personal identification number (PIN),
¦no misuse is possible Prior to ~his~ during manufacture, a
¦protective code is entered into the identi~icand9 and this code
can be read only under certain conditions, and only once.
Additionally, as an essential feature, the client is free to
select his own personal identification number (PIN), and this
number can then bs completely independent of other data in the
identificand.
The system o the inven~ion has many advantages over
curren~ systems and current caxds, Thus, the system o~ the
invention permîts conventional as well as machine-xead cards
~o be used. FurthermorP, misuse of the system, by modifying
or changing the use data, is as impossible by the rightful
owner of the card as by an unauthorized parson. As ~he usPr
himself is free to determine his own personal i~entifica~ion
number tPDN), there is no need for additional safeguards in
the system in order to maintain assigned code numbers secret.
Furth~rmore, an identiication card of the system of the present
invention can be used with checking facilities used with
existing credit caxds as weLl as being used with detection or
authenticity checkîng apparatus developed by the present
inventor.
rn checRing the ident~ficand, there are three thlngs to be checked:
~1~ whether the user is identical with the rightful owner of the card;
(~2) whether the account number has been altered in any respect; and
~3) whether or not the card is an authorized card.
This third check results inherently from the first and second checks. The
three checks can 6e made with a device which is about the size, weight and
cost of an ordinary pocket-type electronic calculator, such as presently in
widespread use.
An object of the invention is to provide an improved security
sy~stem protecting, against misuse and counterfeiting associated with banking
transactions in particular.
Another object of the invention is to provide such a security
system eliminating the known disadvantages of known security systems.
A further object of the invention is to provide such a security
system in which the identificand can be usled for both machine-read and
con~entional applications.
Thus, in accordance with one broad aspect of the invention, there
is ~rovided, in a system, secured against misuse and counterfeiting, for
effecting transactions, such as manual or mechanical delivery of ccmmodities,
services and money while using identificands, such as credit cards, check
cards, cards for automatic mac~ines, coded tokens, keys and the like, provided
~ith indentification data, processing data, or both which are readable
visually, by a machine, or both, and while using a personal identifying design-
ationj such as a personal ;dentification number (PIN~, for verifying the
entltlemen~ of the user of the identificand: the improvement comprising,
in combination, an identificand having integrally incorporated therein
memories for entry and storage of information therein, including a personal
identifying designation; at least the memory for entry
,
-7-
. .
- ~,
: . ~ . . .
'
. . : '
, ' '
and storage of the personal identifying designation being chargeable only
once via gate means which is then made lnoperable, and at least the contents
of the memory for the personal identifying designation being available only
to data processing means within the identificand; verifying means operable
to receive said identificand and apply an input thereto; said data processing
means being activated in response to an input from said verifying means to
effect checking of the identity and entitlement of a user of said identificand;
and input-output means included in said identificand for establishing
communication between said identificand and said verifying means; said
identificand including means preventing output from at least said memory for
the personal identifying designation to said verifying means.
rn accordance with another broad aspect of the invention there is
provided, for use in a system secured against misuse and counterfeiting,
an identificand having integrally incorporated therein memories for entry
and storage of information therein, including a personal identifying design-
ation; at least the memory for entry and storage of the personal identifying
designation being chargeable only once via gate means t~hich is then made
inoperable, and at least the contents of the memory or the personal identify-
ing designation being available only to circuitry within the identificand;
components included in said identificand and activated, responsive to an
input to said identificand, to effect checking of the identity and entitle-
ment of a user of said identificand; and input-output means included in said
identificand for establishing communication between said identificand and a
verifying means; said identificand including means preventing external access
to information stored in said memories except through said input-output means
when in communication with a verifying means.
For an understanding of the principles of the invention, reference is
made to the following description of typical embodiments ~hereof as illustrated
in the accompanying drawings.
-7a-
~,3 ` '~ . ` :.
BRIEF DESC~IPTION OF THE DRAWIN~S
In the Drawings: ¦
Fig. 1 is a somewha~ diagrammatic plan view of an
identi~icand, used with the system o the invention,
in the orm of a card or the like;
Fig. 2 is a block diagram of the integra~ed circuit
(IC) o the identiicand shown in Fig. l;
Fig. 3 is a block diagram of the IC shown in Fig. 1
expanded to include further integrated circui~ry;
Figs, 4 and 5 are pexspect:ive views o~ simple checking
devices or verifiers usable ~ith the identiicand
of the invention system;
Fig. 6 is a flow chart of the checlcing of identificands;
Fig. 7 is a block diagram o~ an identiEicand orming
part of the system of the present invention and a machine,
in which the identificand is inserted, and aLso embody-
ing the present invention; and
Fig. 8 is a f~ow chart of the machine checking process,
related to Fig. 7, -
~ DETAlL~ DESGEIPTIO~ OF TRE PREFEEF~ EMBODIU~TS
- ~ Referrîng first to Fig. 1, this fi~ure shows an identi-~icand 1 designed to be a credit card or Eurocheque card.
The identiicand 1 carries, in the area 2~ the nams of th~
owner, in the area 3, printed identi~ication or accoun~ !
numbers, in the area 4, a photo of the owner9 and, in the area
.
~ ~ ~
5, the signature o the owner. The area 3 is planned ~or
a shorter side of the card so that th~ accounk number remains
readable when the card is introduced into a verifier or checking
device.
S I In addition, ~he card 1 comprises an integrated circuit (IC)
in area 6 and, in area 7, internal connectors for the power
suppLy, as well as for data input and output. The integrated
circuit or IC is invisibly implanted in the card, as b~ being
enclosecl between outer layers of plastic or the like, such
construction of cards with an innex in~ormatlon-carrying layer
and outer closing layexs of plastic or the li~e being well-
known to those skilled in the art.
A certain area surrounding the IC, indicated at 8~ is
maintained ree of conductive Imaterial so that, when the
card is introduced into a machine verifier, checks can be
made as ~o whether or not there are connections to the circuitry
o the card from a simulated circuit outside the machine~ As
the to~al counter~eiting of a card with an identica~ IC cannot
be regarded as feasible, in view of the hi~h financial invest-
ment~kYw-llow requirements and risk conditions, this st2p serves
to preven~ a po~ential criminal, even if he knows the mann~r
in which the IC operates, from constructing a substitute
Icircuit from discre~e components and connec~ing such substi~ute
~circui~, for example, with wires, to a card which, in ~his
instan~e, works as an adapter. The machine furthermore checks
whether connections of other kinds have been made across the
; , . ' `: ' ' ` ` `' . ' 7 .
area 8 or the like surrounding the integrated circuit or IC.
Fig. 2 is a block diagram o~ the IC 6, and all the
individual parts illustrated in Fig. 2 are actually integra~ed
into one monolithic circuit~ such as the well-known "chip".
Ths power supply and the data input and output are fed through
connectors 9, which may be either galvanic type connectors
or inductivs-type connectors I the feed is inductive, the
connectors 9 are supplemented by the necQssary converters~
The integrated circuit, or IC, comprises ths
-10 processing unit ( PU) 10, which is a special microprocessor~ ¦
which is controlled by a predetermined program stored in program
memory 11. The PU 10 and the program memory 11 may, in a
modifica~ion, be hard wired log:Lc within the integrated circui~
. The power is fed through integrated power supply 12,
in which the outside power is converted into electrical values
necessary for operation o~ ~PU L0. A consisten~ly high outside
power supply is essential or the programming uni~ 19 of the
IC to be able to pxogram the memories 13 through 17. For
this reason, a chec:k is made, in power supply unit 1~, as
to whe~her the powe~r supply is high enough to activa~e .PU 10
consistently, and whether such power supply is indeed su~icient
to destxoy the IC in the case o~ cards which have been programmed
to self-destruct wh~n misused. ~hen the power supply is too
¦low, the IC will not operate~
10.
r '; ~ - I
I The self-destruct device in the IC can7 for example
¦be implemented by swi~ching changes in the programming of
gate 24. Normally, this gate remains open, and the use
Idata can be read from memory 16. If, during the process
of identification checking, it becomes necessary to bar use
of the identificand, gate 24 will be closed automatically 50
that use data can no longer be readO PU 10 will, for example,
operate only when use data can be read.
The self-destruct effect can be triggered by the card
itself through a corresponding controL of the program memory
11, as w~ll as through a trigg~lring signal from the ex~erior.
In machine-read cards, such a triggering signal can be generated
by the machine when additional checks in the machine demand
such destruction.
All data in~u~ and output occurs through the input/output
unit or device 18. PU 10 is programmed to perorm all of the
functions described above When the supply v~ltage is appl~ed
from the outside, the microprocessor of PU 10 starts running
automatically and checks, as a first step, whether the supply
~0 voltage is high enouOh.
1 l
After this, PU 10 performs further functîons through
da~a inpu~, and which will-be described la~er. After rhecking
the personal identification number (PIN) and other inormation~
¦ the output of return signals is supplied through input/output
29 unit or evi e 18. 11.
All the parts of the IC described above are integrated
in one piece or "chip" during manufacture. The required
memory units 13 through 17 are RRO~ls (~rogrammable Read Only
¦ Memories) and, during manuacture, can be integrated in~o
the IC either as a whole or in parts, or can be preformed
as separate ICs.
These PROM~ are fed various data at different times in
the steps described hereinafter, to create a personalized
identi~ication card from a "neutral" oner The memories
13 through 17 are treated in varioùs ways~ Some can be
programmed only through gates 20 through 24r These progxam- ¦
ming-block circuits can be activated so that no later changes
to the contents o these memories can be made. The memories
difer individually as to their readability, for example,
only certain predetermined memories can be read from the outside
of the card and others cannot be read rom outside the card~ !
When, why and which parts are programmable or readable is
explained hereinafter
As already s~ated, the memory par~ o~ ~he integrated
circuit or IC comprises the memories 13 thxough 17. ~lemory
13 contains the protective code safeguarding the card on its
way be~ween the factory and the place of issuance, and is
programmable onl~ as long as gate 20 is open and can be read
only ln~ernall~, through gate 21.
~ -
Memory 14 stores the personal reference number (PIN),
which can be entered only when gate 22 is open. This number
cannot be read from the card, but can bP made available in
PU lO for comparison pt~poses.
~lemory 15 stores data for the identification o the
respective card or the account owner. In~o memory 15~ there
is fed the accoun~ number 7 or other information, including
alpha-numerical information, or the identification of the
account owner. It is only after such programming that the
identificand is correlated to the individual client. This
part of the memory is progr~mmable only when gate 23 is open
and, after programming, gate 23 is destroyed or made inoperable~ i
Despite thls, memory 15 remains readable to PU lO.
Memory 16 stoxes use data~ such as the length of the time
period, the limit of the period, and per diem limits. This
data can be entered through ~ate 24 only at the time thP card
is issued, for exc~mple, at initializing of the card.
Into memor~ 17, there is stored, for each use data, such
¦as calendar date, number of mistrials allowed for inpu~ of
¦the personal reference number or PIN, account transactions, etc.
I I
The sntire procedure of initializing and using the card
¦will now be described~ using~ as an example, a monetary
¦ application.
1~.
~ ~ ~ao~
The last step in manufactuxe of the card is to enter~ -
into memoxy 13~ a protective code in the foxm of a numeral,
created ;n a random generator. At the same time, this protective
code is printed on a separate sllp. After the protective
code input, gate 20 is destroyed so that a change o the pro~ective;
code, or entering of another digit into memory 13, is no longer
possible~ The printed slip is secretly and automaticaLly
sealed into an envelope. The cards and envelopes are stored
and handled separately. Up to this point~ the cards are still
"neutral". Upon issuance of a card to a customer, the "neutral1'
card is ~Imarried~ to the envelope bearing the same serial
number on the outside. Then the envelope is opened, preferabL~
by the customer himself, and the visually readable protec~ive
code is learned.
L5 The card is then introduced into the coding device or
encoder at the place of issuance, so that the data specific
to the customer can be entered. To effect this, the customer
irst enters the protective code number, through the input/
output unit or device 18~ into PU 10, where a comparison is
made with the protective code stored in memory 130 If the
result is negative, then, after a pradetermined number of
n~gative trials, self-destruction o the IC is triggered. If
the result is positive 9 then the IC 6 transmits a "go'~ signal
to the encoder 50 that the other data can be entered~
2~ l, Initiallyg the client o~ customer secretly enters the
¦personal referencQ rlumber or PIN which he himsel~ has chossn,
. ~ . . t ` I
~ 8 0~ ~
and which is then again transerred to PU 10 and ~rom ~here
ls stored in memory 14 through gate 22. ~fter such s~oring,
ga~e 22 is automa~ic211y destroyed so that the PIN cannot
be changed.
Following this, the data tc be used for the identification
o the client or customer is fed into the XC Thus, the account
number o~ the client is fed into memory 15 through gate 23,
after which gate ~23 is automatically destroyed so that this
data cannot be changed.
- 10 The conditions of use are ed into memory 16 through gate
24, and gate 24 is therea~tex automaticalLy destroyed. As
a last step, the account start-up status can be fed into memory
17. AEter storage of this last: data, output gate 21 o~ memory
13 is des~royed so that the card cannot be initia~ized a
second time with the protectiv~ code, since a check of such
protective code is no longer possible. The card is now ready -
~o hand over to the client or c~stomer.
If, a~ter expiration, a card is to be revalidated by being re~
initialiæed, furthex protecti~e codes are available which will be
treated in a like manner. Thus, memory 13, together with gates 20
and 21, is provided several times~ or is multiplicated~ When the
time limit for a card has expired~ or the amount of money or
credit has been used up, the client goes to his bank with the
Icard. The bank may hold, in addition to the first envelo~e,
more sealed envelopes correlated to the customer's card, and
which contain a second~ third, etc., protective codeO This
,1 . - .
~ 3g~ .
arrangement is shown in Fig. 3.
¦ The ca~d is now, as already described in connection with
the first protective code, initialized again ater the input
of the second protective code. At such second i m tiali~ing,
gate 26 is destroyed so that no further data can be entered
in the first transaction memory 17.
Now, gate 30 is opened by special programming so that
transactions can be entered into "Account 2", memory 29 through
gate 30. Gates 27 and 28 coxrespond, in their unctions, to
gates 20 and 21, and the prot~ctive code-memory 41 corresponds
to the protective code-memory 13. The second and all ur~h~r
protective code memories are programmed, during the last step
of manufacture, with protective code 2, code 3~ etc. This
extension of fur~her protective codes and further account
memories allows for a longer life and more economical utiliza-
tion of the electronic parts of the card.
.
To use the card~ it is introduced into the reader,
veriier or machine, whers the supply voltage is initia~ly
checked as to needed value, particularly as ~o the possibili~y
of self-destruction of the IC, if this is required~
Vexification of the user as to his ownership/user
identity is effected through input o the personal reerence
¦number or PIN and comparison thereof with the PI~ stored in PU 10
: ~ :.
~ 9 ~
The PIN thus cannot be read from outside. If the feedback
is positive9 the account number can be checked nex~, whexeby,
at the nth mistrial, the IC is automatically destroyed. In add-
ition~ the number of mistrials is entered on the card.
With conventionaL cards, the account number is printed
on the face of the card so that it can be rea~ and then fed
into the checking device. However, with the present inve~tion,
the checking of the accou~t number takes place in the IC of
the card Ltself, In this check, with the present invention~
at the nth mistrial, an alarm is triggered since one has to
assume that the account number printed on the caxd has been
changed to effect, for example, a debit to a diferent account
Here again, the number of mistrials will be recorded.
In addition to, and/or in combination with, the a~ore-
mentioned checks, further verification measures are taken,
~which require an arrangement of the function andlor memory
circults, and which cannot be carried out by conventional
integrated circuits, that is~ which have not been designed for
this particular purpose~ This prevents criminals from simula~-
ing a "go" si~nal by using conventional ICs in a counterfeit
card without going through the above-mentioned additional
checks.
After completion of aLl of these checks, the operation
i~sel can be started~ or example, dispensing of money~ If
the desired transaction is no~ allowed because the credit limi~
~ '3
¦would be exceede~, that is, that too much money has been
Irequested, the customer will automatically receive appropria~e
¦messages. The check as to whether a transaction is allowed
lor not is effected in PU 10. If the account number on the
card is also to be raadabLe by the verifying machine, program
memory 11 has to contain a corresponding program
The recording of transactions is ef~ected in memory 17~ by
accumulating all transactions in succession, so that a reading
can be taken at any time. Since the old transaction balances
cannot be erased when new entries are made, the entire listing
of the acco~lt is available. Thus, account statements can be
. prepareda
The invention is neither limited to banking transactions
nor limited to the utilization of identi~icands in the orm
of cards. Thus~ through the invention system, for example,
entry into restricted areas can be protected by admitting only
predetermined per;ons who bear genuins, valid and unfalsiied
identificands, th~reby, proving themselves the rightful owners
of these identificands
Furthermore, ths identificands can be utilized to permit
physical access to installations only by entitled persons,
or to give certain personnel authorized access to information
~(data) for storage or retrieval purposes.
,
18.
109~
A special advantage is that, since use data is stored
in an unalterable way, users are given prescribed boundaries
to enable the system to be used in any potential "off-line"
applications.
Figs. 4 and 5 illustrate two examples of a simple
checking device or veriying identi~icands using t'ne system
of the present invention, and which identiicands work in
the same manner as Eurocheque cards or credit cards. These
simpli~ied checking devic~s, shown in Figs. 4 and 5, check
the identity o the user/ownPr and determine whether the
account num~er, printed on the outside, has been modified or
not. The devices generally check the legitimacy of the
card which, by implication, ch~ck whe~her or not the necessary
IC is i~stalled therein.
The two illustrated devices difer only in the display
31 of the device shown in Fig. 4 and which, b~ comparing the
identificationfaccount numbers, displays the number read
automatically from the card so that it can be checked ~is-
ually against the account number 3 printed on a~ exposed
portion of the card 1. In the example shown in Fig. 5~ there
is no display 31 of the account number~
The checking opexation, which compares the number printed
lon the outside of the card 1, and which, in this case~ is
¦manually entered on keyboard 32 by the clerk, is effected
l internally in the caxd through IC 6. ~ependîng on the result
of the comparison~ IC 6 transmi~s a signal to the checking
device, such as a verifier or reader, indicating '~got' or
"correct" in position 33, or "alarm~' or "incorrect" in position
34.
The signals in positions 33 and 34 serve, in the same
way, to compare the personal reference number or PIN~ Switch
35 puts the device into operation, while erase key 36 ter-
minates check entries or wrong inputs.
.
In the simple identificand check which is possible
with the verifying means shown in Figs. 4 and 5, the IC .
could be made to self-dest~uct after a predatermined number
of mistrials in the input of the personaL identi~ication
number (PX~) or the identificationlaccount number. The
electr;cal power required for such a sel~-destruct mechanîsm
is ~vailable in the checking device or veri~ying means.
With reference to the verifying devices shown in Figs.
4 and 5, Fig. 6 is a self-explanatory flow chart illustrating
¦the checking of identificands as applied in the case of
- ~ ......................... I
conventional credit or ~urocheque cards, or other non-
machine uses, Thus, the identificand is introuduced into the
¦chec~ing device or vexifying means and the PIN is entered
¦in the checking deviceO A signal from tha identificand IC
then indicates whether the PIN is correct or not. If incorrect~
an alarm is provided. IE coxrect~ a "go" signal is provided. ~,
The account o~ identification number, entered into the
checking device, is then readout from the IC of the identi~icand
to provide either a "correct" or "yes" signal or a "incorrect"
or "no" signal~ In the latter case, an alarm is gi~en, ~n
- the former case, i~ there is a "yes" or "correc~" signal, a
elease signal is provided
Fig~ 7 is a block diagram illustrating a machine serving
to store transactions in the identificand, and Fig~ 8 i.s a
flow chart o~ the operation of the machine of Fig. 7u Tha
machine shown in Fig, 7 incLudes, as a checking device, the
reader 37 into which the identificand 1 is to be inserted,
Reader 37 provides iden~ificand 1 with power and sends da~a
toand receives dat;e from the identificand. The process- ¦
ing unlt PU L0, w~th the program memory 11, in identificand 1,
contro~s the machine. Data input ~s entexed on the built-in
keyboard 38~
During the checking operation, messages and alarms can
b~ transmitted outside and, upon completion of the checking
process, a "gl" signal can be transmitted to the opera. ons part
` ` : t ~:
- .~
.
of the machine to effect the desired transaction. Besides
the transaction data stored in the identificand, such storage
is provided in the machine in data memoxy 39. This data
storage device is either physically transported, at times,
to the host eomputer location and the information contained
read out into the host computer for further processing or9
in "on-line" operations, is processed by a host computer~
j
In addition, the machine shown in Fig. 7 contains a
checking device 40 which ascertains whether or not there are
connections to the outside o the reader or the machine from
the area where the IC of the icLentificand is placed and by which
the IC o~ the identificand is placed on legitimate cards.
The system is thus protected against criminals who might try
to substitute the essential functions of the IC in the id~nti-
icand with a simulation circuit composed of discrete components
outside the identificand. The identificand also ~an be
confiscated by the machine or o~herwise.
Introduction o~ the identiicand into a machine can be
arranged in such a manner that, after the identificand is
linserted by a user, a 1ap or cover can ba closed, either
¦manually by the user or automatically. The flap or cover is
so designed that it can~ through a locking action, interrupt
or physically cut any possible connections to the identiîcand
Furthermore, such a 1ap or cover, combined with a shield
¦surrounding the reader part o the machine, protec~s the
identificand, nserted in the machine, from any connections
9 ~
which do not depend on leads, such as electromagnetic or
mechanical waves. This locking device is so designed that
¦the machins can work only when the hinged ~lap or cover is
¦tightly closed and stops when the flap or cover is open.
. Il I
~ Further checking is then done in a manner simil~r to
¦that employed for the simplified checking devices or verifying
Imeans shown in ~igs. 4 and 5, and wherein, the personal
¦identification n~mber or PIN is entered into the machine. The
IPIN is transmitted into the identificand and then checked
i~3ternally for con~ormity.
The identificand transmits merely a conformity/non-
con~ormity signal. If the PIN has been entered incorrectly,
it is indicated. The input cam be repeated n times. In
prac~ice, usually ~hree attemp~s are allowed~ After the nth
input, an alarm signal is transmitted, the ~C in the identil~cand
is eLectrically destroyed, and a record of the m~stxials is
made in the idantificand.
If the p~;sonal identification number or PIN hes been
entered correctly, thP user identiying data, stored i~ the
¦memories, wilL then be transmitted. Likewise~ the use and
jtransaction data will be read and stored in the machine. ~~er
¦this data is read from the identiicand, the desired transastion
jcan be entered into the machine. ~11 of this is indicated in
the flow ehar~ of Fig, 3.
.
By means of the use and/or transaction data, it is
verified whether the desired transaction can be permitted~ If
the ~ransaction is not allowed or permitted, then a signal will
be given to this effect, and a different transaction information
has ~o be entered into ths machine. If the transaction is
permissible~ the transaction data will then be stored in the
identificand, in the machine and/or transmitted to the main
central processing unit Following this, a '-gol' signal is
given by the checking device of the machine and the transaction
is processed.
In l'o~f-line'l opera-tions, the data s~orage device is
exhcang~d at given times for empties, and the recorded infor-
mation is fed into ~he host computer for processing. As a
result, the host computer maintains iles on ~he account of
the identiicand's owner so that, depending upon the cycles
of data storage device e~change, the central office can ke~p
up-to-date records.
It should be lmdexstood that the individual elements of
the system of ~he invention, such as identificands, encoders,
chec~ing devices and machines, can also be used in other systems.
Consequently, the patentable novelty of the present invention
resides not only in the invention system but also in the
individual elements o~ the system both per se or in co~bination.
~nile speci~ic embodiments of the invention have been
shown and described in detail to illustrate the apptication o~ thP
1 24.
.
principles of the invention, it will be understood that the
inve~tion may be embodied otherwise without departing from
such principLes.
~5.
