BOSTON, September 26, 2013 - The methods and systems described herein provide for processing payments at a retail location whose infrastructure has been significantly removed from PCI scope. A request for processing payments may be sent from a point of sale lane to a back office server in communication with a credit card terminal. A user may use the credit card terminal to enter in secure payment information which is securely transmitted to a remote authorization service for authorization. Through this method, the credit card terminal and sensitive payment information may be securely isolated from the remaining infrastructure at the retail location.

Cross reference to related appliation

This application is a continuation of U.S. patent application Ser. No. 13/302,045, filed Nov. 22, 2011, which is herein incorporated by reference in its entirety.

Background

Retailers, such as grocery stores, department stores, and restaurants, process thousands of credit card, debit card, and gift card transactions per day. One requirement for doing so is compliance with the Payment Card Industry Data Security Standard, also known as “PCI DSS,” or simply “PCI”. Ensuring that a retailer's payment processing computers, cash registers, back office servers, and credit card terminals comply with PCI can be time consuming and expensive. Various technical and non-technical standards and practices must be abided by for PCI compliance, and the retail location can be subject to frequent assessments and auditing.

Components of a retail system which handle secure payment information, also known as “cardholder data”, must meet the requirements of PCI. These components may be referred to as “within PCI Scope”. Components that do not handle secure payment information may be referred to as “outside PCI scope”. Similarly information whose processing and transmission would mandate that the hardware and software infrastructure handling said information fall within PCI scope may be referred to a “PCI scope information”, whereas information whose processing would not subject the underlying infrastructure to PCI scope may be referred to as “non-PCI scope information”.

Typically, a retail location which has more than one point of sale location, such as numerous check-out lanes at a department store or grocery store, generally has the following payment processing infrastructure: a cash register which provides a user the ability to sum the total amount of purchases for the transaction; a credit cart terminal for inputting payment card information; and a back office server that manages the various cash registers and credit card terminals, and which is relied upon for the processing of payment transactions.

Restaurants may also similarly have multiple point of sale locations for effectuating the processing of payment transactions. Rather than a check-out lane, a waiter may take your payment card to a kiosk for processing the transaction. Said kiosks may similarly have a computer that may act as an electronic cash register and a credit card terminal. Sometimes, rather than a kiosk, a restaurant may have mobile wireless credit card terminals which a user may use to process a payment transaction.

In standard setups, the entirety of the retail location's payment system infrastructure must be within PCI scope, including the cash registers, the credit card terminals, and the back office computer systems. Often, the back office computer systems track transaction processing and are responsible for communicating with a remote authorization service in order to authorize the transaction. Since in traditional setups all of these items fall within PCI Scope, a retailer can be expected to spend substantial amounts of resources, time, and money in assuring PCI compliance across the entire system.

Summary

Applicant has appreciated that available technology for processing payment transactions requires that retailers spend valuable resources and time on PCI compliance. Traditional systems and methods for processing payment transactions focus on securing and monitoring every aspect of a retailer's payment processing infrastructure, from the credit card terminals, to the cash registers, to the back office servers, and the network itself. Applicant has further appreciated that no available technology exists for transitioning existing multiple lane (“multi-lane”) payment processing infrastructure into setups which remove the majority of the payment processing infrastructure from PCI scope; thereby substantially reducing costs and overhead on PCI compliance. Applicant has discovered that by effectively isolating a credit card terminal at a retail location, and substantially managing payment processing by a server at a location remote to a retail location in direct contact with a credit card terminal, substantial reductions in PCI compliance costs may be obtained.

Applicant has further appreciated that sensitive data, including information typically stored on payment cards, should be securely transmitted, stored, and processed.

In accordance with one embodiment of the invention, a back office server at a retail location may be in communication with a plurality of point of sale lanes and credit card terminals to effectuate the processing of payment transactions. The back office server may also communicate with a remotely located customer relationship management server to facilitate the use of customer loyalty programs, analytics, and receipt storage, tracking, and access. The plurality of credit card terminals are in direct communication with a remotely located payment processing server. The connection allowing communication between the credit card terminals and the back office server may be limited to a single port, such as a single isolated TCP/IP or UDP port. The remotely located payment processing server is responsible for communicating with an authorization server which may authorize or decline a particular payment processing transaction. The credit card terminal may communicate with the payment processing server over the public Internet, over a Virtual Private Network, or any form of wide area network. Communications may be additionally secured by firewalls disposed at either the retail location or remote location, or both. Additional security mechanisms, such as hardware monitoring devices which assure and prevent network tampering, may also be disposed at either the retail location, remote location, or both.

In some embodiments of the invention, a back office server at a retail location may be in communication with a single point of sale lane and a single credit card terminal to effectuate the processing of payment transactions. The single credit card terminal may be in direct communication with a remotely located payment processing server.

In accordance with a further embodiment of the invention, a method for processing payments is provided, the method comprising: receiving a request to process a payment transaction; determining that the request is associated with one of a plurality of credit card terminals at a retail location; receiving, by the determined credit card terminal, secure payment information; sending, by the determined credit card terminal, secure payment information to a remotely located server for authorization; and receiving, by the credit card terminal, an authorization from a remotely located server.

In some embodiments, a method for processing payments is provided, the method comprising: receiving a request to process a payment transaction; determining that the request is associated with a credit card terminal at a retail location; receiving, by the determined credit card terminal, secure payment information; sending, by the determined credit card terminal, secure payment information to a remotely located server for authorization; and receiving, by the credit card terminal, an authorization from a remotely located server. In accordance with a further embodiment of the invention, a method for processing payment transactions wherein the request to process a payment is received from a single point of sale lane at a retail location is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions wherein the request to process a payment is received from a single electronic cash register at a retail location is provided.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprising the step of sending a request to a determined credit card terminal to initiate receipt of secure payment information is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions wherein the request to process a payment is received from one of a plurality of point of sale lanes at a retail location is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions wherein the request to process a payment is received from one of a plurality of electronic cash registers at a retail location is provided.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprising the additional steps of: determining that one of a plurality of point of sale lanes at a retail location is associated with an authorization; and sending the authorization to the determined point of sale lane is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions comprising the additional steps of: determining that one of a plurality of electronic cash registers at a retail location is associated with the authorization; and sending the authorization to the determined electronic cash register is provided.

In some embodiments of the invention, a method for processing payment transactions further comprising the additional steps of: determining that a point of sale lane at a retail location is associated with an authorization; and sending the authorization to the determined point of sale lane is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions further comprising the additional steps of determining that an electronic cash register at a retail location is associated with the authorization; and sending the authorization to the determined electronic cash register is provided.

In accordance with a further embodiment of the invention, a method for processing payment transactions wherein secure payment information is sent to a remotely located server through a firewall is provided.

In accordance with a further embodiment of the invention, a method for processing payment transactions wherein determining a credit card terminal associated with a request is based, at least in part, on a ticket associated with the request is provided. In accordance with a further embodiment of the invention, a method for processing payment transactions wherein determining a credit card terminal associated with a request is based, at least in part, on a table listing the associations of credit card terminals.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprising storing non-PCI scope payment transaction information in a database. In some embodiments, such non-PCI scope payment transaction information may be stored at the retail location. In some embodiments, such non-PCI scope payment transaction information may be stored at a remote location. In some embodiments, such non-PCI scope payment transaction information may be stored at both a retail location or remote location.

In accordance with a further embodiment of the invention, a method for processing payments is provided. A request to process a payment transaction is received by a back office server. The back office server determines that the request is associated with one of a plurality of credit card terminals at a retail location. The back office server sends a request to the determined credit card terminal to initiate the receipt of secure payment information to be applied to the requested transaction. The determined credit card terminal receives the request and initiates the receipt of secure payment information. The secure payment information is received by the credit card terminal, and may comprise credit card information, debit card information, associate personal identification number (PIN) information, gift card information, or loyalty program information. The credit card terminal sends the secure payment information to a remotely located payment processing server. The payment processing server manages the request and contacts a remotely located authorization server to authorize the payment. The remotely located payment processing server receives an authorization for the payment transaction, and sends the authorization to the credit card terminal. The credit card terminal receives the authorization from the remotely located server. The credit card terminal communicates the authorization, without sending secure payment information, to the back office server. The back office server determines that the authorization is associated with one of a plurality of point of sale lanes at the retail location. The back office server then communicates the authorization to one of a plurality of point of sale lanes at the retail location.

In accordance with a further embodiment of the invention, a method for processing payment transactions wherein a back office server operates in listening mode awaiting a request to process a payment transactions is provided.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprising the additional steps of: determining, based at least in part on payment information, that a customer belongs to a loyalty program; and applying loyalty program information to a requested transaction. The step of determining that a customer belongs to a loyalty program may be performed at a remotely located server, or at a back office server at a retail location.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprises determining, based at least in part on payment information, a token for a customer. The token may be used as a universal identifier for a customer which does not contain PCI scope information.

In accordance with a further embodiment of the invention, a method for processing payment transactions further comprises storing receipt information for the payment transaction. Receipt information may be stored at a remote location, or at a back office server.

In accordance with a further embodiment of the invention, a system for processing payment transactions is provided, the system comprising: at least one processing unit communicatively coupled to a memory unit capable of storing processor-executable instructions, wherein upon execution of the processor-executable instructions, the at least one processing unit: receives a request to process a payment transaction, and determines that the request is associated with one of a plurality of credit card terminals at a retail location; and a determined credit card terminal comprising at least one processing unit communicatively coupled to a memory unit capable of storing processor-executable instructions, wherein upon execution of the processor executable instructions, the at least one processing unit: receives secure payment information, sends secure payment information to a remotely located server for authorization, and receives an authorization from a remotely located server.

In accordance with a further embodiment of the invention, at least one non-transitory compute readable medium is provided, encoded with a plurality of instructions that, when executed, perform a method for processing payment transactions. The method may comprise: receiving a request to process a payment transaction; determining that the request is associated with one of a plurality of credit card terminals at a retail location; receiving, by the determined credit card terminal, secure payment information; sending, by the determined credit card terminal, secure payment information to a remotely located server for authorization; and receiving, by the credit card terminal, an authorization from a remotely located server.

In accordance with some embodiments of the invention, any embodiment which may involve a plurality of credit card terminals, point of sale lanes, or electronic cash registers may alternatively involve a single credit card terminal, point of sale lane, or electronic cash register. In some embodiments, there may be a single credit card terminal but a plurality of point of sale lanes or electronic cash registers. In some embodiments, there may be a single point of sale lane but a plurality of credit card terminals and electronic cash registers. In some embodiments, there may be a single electronic cash register but a plurality of credit card terminals and point of sale lanes.

Patent History

Classifications