US 11,790,372 B2
Architectures, systems, and methods for card based transactions
Jonathan Wall, San Francisco, CA (US)
Assigned to STRIPE, INC., San Francisco, CA (US)
Filed by Stripe, Inc., San Francisco, CA (US)
Filed on Jul. 26, 2019, as Appl. No. 16/523,528.
Prior Publication US 2021/0027301 A1, Jan. 28, 2021
Int. Cl. G06Q 20/34 (2012.01); G06Q 20/40 (2012.01); G06Q 20/42 (2012.01); G06Q 20/38 (2012.01)
CPC G06Q 20/4018 (2013.01) [G06Q 20/341 (2013.01); G06Q 20/3827 (2013.01); G06Q 20/3829 (2013.01); G06Q 20/409 (2013.01); G06Q 20/425 (2013.01)]
26 Claims

1. A method for servers of a commerce platform processing a transaction between a merchant and a customer of the merchant, the method comprising:
generating, at an ingress server of the servers of the commerce platform, an initial transaction message by generating a deterministic identifier for a card used in the transaction from card data received for the transaction and encrypting the received card data;
transmitting the initial transaction message from the ingress server to a payment server of the servers of the commerce platform;
updating, by the payment server in response to an initial authorization of the transaction determined by the payment server based at least in part on the deterministic identifier for the card, the initial transaction message with initial authorization data;
transmitting the updated initial transaction message from the payment server to an egress server of the servers of the commerce platform;
decrypting, by the egress server, the encrypted card data to populate a final transaction message;
after decrypting the encrypted card data by the egress server, storing the card data in data stores associated with one or more instances of the egress server for subsequent use of the card in transactions, the card data stored in an encrypted form and indexed in the data stores by the deterministic identifier;
communicating the final transaction message, by the egress server to an authorization system, for processing of the transaction by the authorization system based on the card data, the authorization system clearing the transaction using the card data and providing payment for the transaction in response to the clearing of the transaction, further comprising:
enforcing, by the ingress server, by the payment server, and by the egress server, an order of a flow of communications, from the ingress server to the payment server to the egress server, for the transaction, wherein the enforcing comprises:
blocking, by the payment server, one or more transaction messages that originate from systems other than the ingress server; and
blocking, by the egress server, one or more transaction messages that originate from systems other than the payment server, and further blocking all messages that originate from a public network;
accessing, by a second instance of the egress server, the encrypted card data during a second transaction by generating the deterministic identifier from a primary account number (PAN) of the card supplied during the second transaction, wherein the deterministic identifier is generated using at least one one-way function that takes the PAN and a cryptographic salt selected from a set of cryptographic salts based on the PAN, and wherein the deterministic identifier is used to determine the index to access the encrypted card data from a data store of the second instance of the egress server; and
generating, by the second instance of the egress server, a second final transaction message for communication to the authorization system to complete the second transaction based at least in part on additional card data obtained by decrypting the accessed encrypted card data from the data store.
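
The deterministic identifier and index lookup recited in claim 1, sketched as an added example that is not taken from the patent or from Stripe's code. Assumptions: HMAC-SHA-256 stands in for the one-way function, the salt is chosen by a SHA-256 hash of the PAN modulo the size of the salt set, each egress instance's data store is an in-memory dict, `replicate_to` is a hypothetical helper, and the salts, PANs and ciphertext are constructed sample values.

```python
import hashlib
import hmac

# Constructed salt set (assumption): real salts would be secret, random values.
SALTS = [hashlib.sha256(b"constructed-salt-%d" % i).digest() for i in range(16)]


def normalize_pan(pan: str) -> str:
    """Strip separators so one card always maps to one identifier."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must contain 12 to 19 digits")
    return digits


def select_salt(pan: str, salts=SALTS) -> bytes:
    """Pick a salt from the set based on the PAN (selection rule is assumed)."""
    digest = hashlib.sha256(pan.encode()).digest()
    return salts[int.from_bytes(digest[:4], "big") % len(salts)]


def card_identifier(pan: str) -> str:
    """One-way function over the PAN and its selected salt."""
    pan = normalize_pan(pan)
    return hmac.new(select_salt(pan), pan.encode(), hashlib.sha256).hexdigest()


class EgressStore:
    """Data store of one egress instance: identifier -> encrypted card data."""

    def __init__(self):
        self._rows = {}

    def put(self, pan: str, ciphertext: bytes) -> str:
        # Only the identifier and the ciphertext are kept; the PAN is not stored.
        cid = card_identifier(pan)
        self._rows[cid] = ciphertext
        return cid

    def get(self, pan: str):
        # A later transaction re-derives the identifier from the supplied PAN.
        return self._rows.get(card_identifier(pan))

    def replicate_to(self, other: "EgressStore") -> None:
        # Hypothetical stand-in for sharing rows between egress instances.
        other._rows.update(self._rows)
```

Because PANs have little entropy, the identifier resists guessing only while the salt set stays secret, so the salts need the same protection as the encryption keys.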