CN115994760A - Method and device for realizing third-party payment service - Google Patents
- Publication number
- CN115994760A
- Authority
- CN
- China
- Prior art keywords
- server
- merchant
- party payment
- payment
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/20—Point-of-sale [POS] network systems
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
Landscapes
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Engineering & Computer Science (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The embodiments of this specification provide a method and device for implementing a third-party payment service. The method, implemented in a merchant server, includes: receiving an order request sent by a merchant client; obtaining the currently available challenge question; determining the response content corresponding to the currently available challenge question, where the challenge question and its corresponding response content are shared by the third-party payment server and the merchant server; generating a payment request carrying the response content; signing the payment request carrying the response content with the merchant's private key, and then sending the signed payment request to the third-party payment server. The embodiments of this specification can improve the security of the third-party payment service.
Description
Technical field
One or more embodiments of this specification relate to network information technology, and in particular to methods and devices for implementing third-party payment services.
Background
Third-party payment is a network payment mode in which a third-party payment server with a certain level of strength and reputation acts as a third party outside the two parties to a transaction and, by connecting to UnionPay or NetsUnion, enables the two parties to transact.
In third-party payment services, to improve security, the mutual-trust mechanism between the third-party payment server and the merchant relies on an asymmetric encryption algorithm. Specifically, the data sender of the two, for example the merchant, signs a service request with its own private key (for example, the merchant signs a payment request with its own private key), and the receiver, for example the payment service platform, verifies the signature with the other party's public key in order to authenticate the identities of both parties. However, private keys are frequently leaked at present, which greatly reduces the security of third-party payment services. For example, an attacker who has stolen a merchant's private key poses as the legitimate merchant server and sends forged service information requests (such as transfer, refund or bill download requests) to the third-party payment server, ultimately causing financial loss and privacy leakage for the merchant and its end users.
Summary of the invention
One or more embodiments of this specification describe a method and device for implementing a third-party payment service that can improve the security of the third-party payment service.
According to a first aspect, a method for implementing a third-party payment service is provided, where the method is applied to a merchant server and includes: receiving an order request sent by a merchant client;
obtaining the currently available challenge question;
determining the response content corresponding to the currently available challenge question, where the challenge question and its corresponding response content are shared by the third-party payment server and the merchant server;
generating a payment request carrying the response content;
signing the payment request carrying the response content with the merchant's private key, and then sending the signed payment request to the third-party payment server.
Here, obtaining the currently available challenge question includes:
determining the challenge question carried in the information that the third-party payment server last sent to the merchant server as the currently available challenge question.
Here, after the signed payment request is sent to the third-party payment server, the method further includes:
receiving a back-end payment notification, sent by the third-party payment server, that carries a challenge question; obtaining the next available challenge question from the back-end payment notification;
determining the response content corresponding to the next available challenge question;
generating a service information request carrying that response content;
signing the service information request carrying that response content with the merchant's private key, and then sending the signed service information request to the third-party payment server.
Here, the order request is the order request in the (N+1)-th transaction processed by the third-party payment server for the merchant server, where N is a positive integer;
the challenge question and its corresponding response content include: information from the first N transactions processed by the third-party payment server for the merchant server.
Here, the challenge question includes: the external order number of a first transaction, where the first transaction is one of the first N transactions processed by the third-party payment server for the merchant server, and the external order number is the order number generated by the third-party payment server for the first transaction;
correspondingly, the response content corresponding to the challenge question includes: the internal order number of the first transaction, where the internal order number is the order number generated by the merchant server for the first transaction.
Here, in each transaction processed by the third-party payment server for the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge question includes: a question about the IP address used by the merchant server in a second transaction, where the second transaction is one of the first N transactions processed by the third-party payment server for the merchant server;
correspondingly, the response content corresponding to the challenge question includes: the IP address used by the merchant server in the second transaction.
According to a second aspect, a method for implementing a third-party payment service is provided, where the method is applied to a third-party payment server and includes:
receiving a payment request sent by a merchant server;
verifying the signature of the payment request with the merchant's public key;
after the signature is verified successfully, obtaining the response content from the payment request;
determining the currently available challenge question corresponding to the response content, where the challenge question and its corresponding response content are shared only by the third-party payment server and the merchant server;
verifying the response content against the determined challenge question;
if the response content is verified successfully, performing payment processing.
Here, determining the currently available challenge question corresponding to the response content includes:
determining the challenge question carried in the information that the third-party payment server last sent to the merchant server as the currently available challenge question corresponding to the response content.
Here, performing payment processing includes: the third-party payment server sending a back-end payment notification carrying a challenge question to the merchant server;
after the payment processing, the method further includes:
receiving a service information request sent by the merchant server;
verifying the signature of the service information request with the merchant's public key;
after the signature is verified successfully, obtaining the response content from the service information request;
verifying the response content obtained from the service information request against the challenge question carried in the back-end payment notification and, after the response content is verified successfully, providing the merchant server with the service requested by the service information request.
Here, the payment request is the payment request in the (N+1)-th transaction processed by the third-party payment server for the merchant server, where N is a positive integer;
the challenge question and its corresponding response content include: information from the first N transactions processed by the third-party payment server for the merchant server.
Here, the challenge question includes: the external order number of a first transaction, where the first transaction is one of the first N transactions processed by the third-party payment server for the merchant server, and the external order number is the order number generated by the third-party payment server for the first transaction;
correspondingly, the response content corresponding to the challenge question includes: the internal order number of the first transaction, where the internal order number is the order number generated by the merchant server for the first transaction.
Here, in every transaction processed by the third-party payment server for the merchant server, the IP address used by the merchant server is a dynamic IP address;
the challenge question includes: a question about the IP address used by the merchant server in a second transaction, where the second transaction is one of the first N transactions processed by the third-party payment server for the merchant server;
correspondingly, the response content corresponding to the challenge question includes: the IP address used by the merchant server in the second transaction.
According to a third aspect, a device for implementing a third-party payment service is provided, where the device is applied to a merchant server and includes: an order request receiving module, configured to receive an order request sent by a merchant client;
a challenge question determination module, configured to obtain the currently available challenge question;
a response content determination module, configured to determine the response content corresponding to the currently available challenge question, where the challenge question and its corresponding response content are shared by the third-party payment server and the merchant server;
a payment request processing module, configured to generate a payment request carrying the response content, sign the payment request carrying the response content with the merchant's private key, and then send the signed payment request to the third-party payment server.
According to a fourth aspect, a device for implementing a third-party payment service is provided, where the device is applied to a third-party payment server and includes:
a payment request receiving module, configured to receive a payment request sent by a merchant server;
a signature verification module, configured to verify the signature of the payment request with the merchant's public key;
a response content acquisition module, configured to obtain the response content from the payment request after the signature is verified successfully;
a challenge question acquisition module, configured to determine the currently available challenge question corresponding to the response content, where the challenge question and its corresponding response content are shared only by the third-party payment server and the merchant server;
a challenge and response verification module, configured to verify the response content against the determined challenge question;
a payment processing module, configured to perform payment processing if the challenge and response verification module verifies the response content successfully.
According to a fifth aspect, a computing device is provided, including a memory and a processor, where executable code is stored in the memory and the processor, when executing the executable code, implements the method described in any embodiment of this specification.
The methods and devices for implementing third-party payment services provided by the embodiments of this specification, individually or in combination, have at least the following beneficial effects:
1. In the embodiments of this specification, the challenge question and its corresponding response content are shared between the merchant server and the third-party payment server; that is, an attacker cannot obtain the challenge question and/or the response content corresponding to it. The embodiments therefore exploit the information gap between an attacker and a legitimate merchant to strengthen the security of the third-party payment server's merchant authentication: even an attacker who has stolen the merchant's private key cannot impersonate the merchant to carry out third-party payment services, which greatly improves the security of the third-party payment service.
2. In the embodiments of this specification, the third-party payment service is authenticated along two different dimensions: one is signature verification based on the public and private keys, and the other is verification based on the challenge/response mechanism. This greatly improves the security of the third-party payment service.
3. In the embodiments of this specification, information from the merchant server's historical transactions processed by the third-party payment server can be used to generate the challenge question and response content. On the one hand, this ensures that the third-party payment server and the merchant server can share the challenge question and response content; on the other hand, it ensures that it is difficult or even impossible for an attacker to obtain them.
4. In the embodiments of this specification, a challenge question and response content pair is generated from the mapping between the external order number and the internal order number of a transaction, or from the dynamic IP address used by the merchant server in a transaction. This fits the characteristics of the three-party payment protocol itself and is easy to implement in the service.
Brief description of the drawings
To explain the technical solutions in the embodiments of this specification or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of this specification, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the system architecture to which an embodiment of this specification is applied.
Fig. 2 is a flowchart of a method for implementing a third-party payment service applied to a merchant server in an embodiment of this specification.
Fig. 3 is a flowchart of a method for implementing a third-party payment service applied to a third-party payment server in an embodiment of this specification.
Fig. 4 is a flowchart of a method for implementing a third-party payment service in an embodiment of this specification.
Fig. 5 is a schematic structural diagram of a device for implementing a third-party payment service applied to a merchant server in an embodiment of this specification.
Fig. 6 is a schematic structural diagram of a device for implementing a third-party payment service applied to a third-party payment server in an embodiment of this specification.
Detailed description
The solutions provided in this specification are described below with reference to the drawings.
It should first be noted that the terms used in the embodiments of the present invention are only for the purpose of describing particular embodiments and are not intended to limit the present invention. The singular forms "a", "said" and "the" used in the embodiments of the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" used herein merely describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrases "if it is determined" or "if (a stated condition or event) is detected" may be interpreted as "when it is determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)".
To make the methods provided in this specification easier to understand, the system architecture involved in and applicable to this specification is described first. As shown in Fig. 1, the system architecture mainly includes four kinds of network nodes: the merchant client (the merchant App in Fig. 1), the merchant server, the third-party payment platform application (the platform App in Fig. 1), and the third-party payment server.
The method, device and system for implementing a third-party payment service proposed in the embodiments of this specification can be applied to various transaction scenarios that use a three-party payment protocol. For example, business scenario 1: the merchant is a supermarket, and a user shopping in the supermarket pays with "Alipay". Referring to Fig. 1, the merchant App can then be the supermarket's sales application installed on a point-of-sale terminal (POS machine), the merchant server can be the supermarket's server, the platform App can be the "Alipay" application, and the third-party payment server can be the "Alipay" server. As another example, business scenario 2: the merchant is a seller registered on an online shopping website, and a user buying the seller's goods on the website pays with "Alipay". Referring to Fig. 1, the merchant App can then be the sales application of the online shopping website, the merchant server can be the server of the online shopping website, the platform App can be the "Alipay" application, and the third-party payment server can be the "Alipay" server.
It should be understood that the numbers of merchant Apps, merchant servers, platform Apps and third-party payment servers in Fig. 1 are only illustrative. Any number can be chosen and deployed according to implementation needs.
The embodiments of this specification mainly modify the processing methods in the merchant server and in the third-party payment server, which are therefore described below in separate embodiments.
Fig. 2 is a flowchart of a method for implementing a third-party payment service applied to a merchant server in an embodiment of this specification. It can be understood that the method can also be executed by any apparatus, device, platform or device cluster with computing and processing capabilities. Referring to Fig. 2, the method includes:
Step 201: the merchant server receives an order request sent by the merchant client.
Step 203: the merchant server obtains the currently available challenge question.
Step 205: the merchant server determines the response content corresponding to the currently available challenge question, where the challenge question and its corresponding response content are shared only by the third-party payment server and the merchant server.
Step 207: the merchant server generates a payment request carrying the response content.
Step 209: the merchant server signs the payment request carrying the response content with the merchant's private key, and then sends the signed payment request to the third-party payment server.
Fig. 3 is a flowchart of a method for implementing a third-party payment service applied to a third-party payment server in an embodiment of this specification. It can be understood that the method can also be executed by any apparatus, device, platform or device cluster with computing and processing capabilities. Referring to Fig. 3, the method includes:
Step 301: the third-party payment server receives the payment request sent by the merchant server.
Step 303: the third-party payment server verifies the signature of the payment request with the merchant's public key.
Step 305: after the signature is verified successfully, the third-party payment server obtains the response content from the payment request.
Step 307: the third-party payment server determines the currently available challenge question corresponding to the response content, where the challenge question and its corresponding response content are shared only by the third-party payment server and the merchant server.
Step 309: the third-party payment server verifies the response content against the determined challenge question.
Step 311: if the response content is verified successfully, the third-party payment server performs payment processing.
As the methods of the embodiments shown in Fig. 2 and Fig. 3 show, the implementation of the third-party payment service reworks the existing three-party payment protocol flow with a challenge/response step. When the merchant server sends a request to the third-party payment server, the request carries the response content corresponding to the challenge question that the third-party payment server sent earlier, and the challenge question and its corresponding response content are shared only between the merchant server and the third-party payment server; that is, an attacker cannot obtain the challenge question and/or the response content corresponding to it. The embodiments of this specification therefore exploit the information gap between an attacker and a legitimate merchant to strengthen the security of the third-party payment server's merchant authentication: even an attacker who has stolen the merchant's private key cannot impersonate the merchant to carry out third-party payment services, which greatly improves the security of the third-party payment service.
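The exchange in Fig. 2 and Fig. 3, sketched in Go as an added example (not code from the patent): both servers run steps 203 to 209 and 301 to 311, using the external/internal order-number pair as challenge and response and rotating the challenge in the back-end payment notification. Ed25519 signatures, the JSON request body, every type, function and field name, and the order numbers are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrSignature = errors.New("signature verification failed")
var ErrResponse = errors.New("challenge response verification failed")

// PaymentRequest is the signed body (steps 207, 209); field names are assumptions.
type PaymentRequest struct {
	MerchantID string
	InternalNo string // merchant's order number for this transaction
	Response   string // answer to the currently available challenge
}

// Signed is a request body plus the merchant's signature over it.
type Signed struct{ Body, Sig []byte }

// Notice is the back-end payment notification; it carries the next challenge.
type Notice struct{ ExternalNo, Challenge string }

// Merchant holds what only the real merchant server knows: its order history.
type Merchant struct {
	ID        string
	Key       ed25519.PrivateKey
	History   map[string]string // external order number -> internal order number
	Challenge string            // challenge from the payment server's last message
}

// BuildPayment performs steps 203 to 209 on the merchant server.
func (m *Merchant) BuildPayment(internalNo string) (Signed, error) {
	answer, ok := m.History[m.Challenge]
	if !ok {
		return Signed{}, errors.New("no answer known for the current challenge")
	}
	body, _ := json.Marshal(PaymentRequest{m.ID, internalNo, answer}) // cannot fail for this struct
	return Signed{body, ed25519.Sign(m.Key, body)}, nil
}

// Accept records the finished transaction and stores the next challenge.
func (m *Merchant) Accept(internalNo string, n Notice) {
	m.History[n.ExternalNo] = internalNo
	m.Challenge = n.Challenge
}

// PayServer is the third-party payment server's state, keyed by merchant ID.
type PayServer struct {
	Keys    map[string]ed25519.PublicKey
	History map[string]map[string]string // external -> internal order number
	Pending map[string]string            // challenge last sent to the merchant
}

// HandlePayment performs steps 301 to 311 on the payment server.
func (s *PayServer) HandlePayment(req Signed) (Notice, error) {
	var p PaymentRequest
	if err := json.Unmarshal(req.Body, &p); err != nil {
		return Notice{}, err
	}
	pub, ok := s.Keys[p.MerchantID]
	if !ok || !ed25519.Verify(pub, req.Body, req.Sig) { // step 303
		return Notice{}, ErrSignature
	}
	want := s.History[p.MerchantID][s.Pending[p.MerchantID]] // step 307
	if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(p.Response)) != 1 {
		return Notice{}, ErrResponse // step 309 failed; the challenge stays pending
	}
	// Step 311: the transaction just processed becomes the next challenge.
	ext := fmt.Sprintf("EXT-%04d", len(s.History[p.MerchantID])+1)
	s.History[p.MerchantID][ext] = p.InternalNo
	s.Pending[p.MerchantID] = ext
	return Notice{ext, ext}, nil
}

// NewDemo builds both servers sharing one already-trusted transaction (constructed data).
func NewDemo() (*Merchant, *PayServer) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	m := &Merchant{"merchant-001", priv, map[string]string{"EXT-0001": "INT-7731"}, "EXT-0001"}
	s := &PayServer{
		Keys:    map[string]ed25519.PublicKey{m.ID: pub},
		History: map[string]map[string]string{m.ID: {"EXT-0001": "INT-7731"}},
		Pending: map[string]string{m.ID: "EXT-0001"},
	}
	return m, s
}

func main() {
	m, s := NewDemo()
	req, _ := m.BuildPayment("INT-7732")
	n, err := s.HandlePayment(req)
	fmt.Println("legitimate merchant:", n, err)
	// Leaked private key, but the answer to the pending challenge is a guess.
	impostor := &Merchant{m.ID, m.Key, map[string]string{n.Challenge: "INT-0000"}, n.Challenge}
	forged, _ := impostor.BuildPayment("INT-FAKE")
	_, err = s.HandlePayment(forged)
	fmt.Println("leaked key, guessed answer:", err)
}
```

With the leaked key alone, the signature check in step 303 still passes; the request is rejected only at step 309, which is the second authentication dimension the specification describes.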
下面结合具体的实施例对图2、图3所示的方法进行详细说明。The methods shown in FIG. 2 and FIG. 3 will be described in detail below in conjunction with specific embodiments.
First, step 201 is performed: the merchant server receives an order request sent by the merchant client.
Here, once a purchase instruction for a product has been entered on the merchant client, the merchant server receives the order request sent by the merchant client.
Next, step 203 is performed: the merchant server obtains the currently available challenge question.
In one embodiment of this specification, every message the third-party payment server sends to the merchant server carries a challenge question, and every message the merchant server sends to the third-party payment server carries a response content. One round of interaction, from the third-party payment server to the merchant server and back, therefore completes the exchange of one challenge question and its response content, which makes verification based on the challenge/response mechanism possible.
One challenge question corresponds to one response content. Across the rounds of interaction between the third-party payment server and the merchant server, the challenge question and response content used in one round preferably differ from those used in the other rounds. The method of the embodiments can nevertheless still be implemented if the same challenge question and response content are used in every round.
Therefore, in step 203, the merchant server may take the challenge question carried in the last piece of information that the third-party payment server sent to the merchant server as the currently available challenge question, denoted challenge question 1 for ease of description. The information may be a message, data, or the like.
Next, step 205 is performed: the merchant server determines response content 1 corresponding to the currently available challenge question 1, where challenge question 1 and its response content 1 are shared only by the third-party payment server and the merchant server.
The specific content of the challenge question and of the response is an important factor in security. In the embodiments of this specification, the content of each challenge question may be specified by the third-party payment server and has a certain degree of unpredictability. Typically, although an attacker can steal the merchant's private key, the attacker cannot compromise the merchant server; that is, the attacker cannot obtain the merchant's context in the three-party payment protocol, such as historical transaction information. Therefore, in one embodiment of this specification, the third-party payment server may trust the first M historical transactions of the merchant server. In those first M transactions, the third-party payment server and the merchant server do not need to perform verification based on a challenge question and response content, and the corresponding requests and responses need not carry a challenge or a response. However, the response that the third-party payment server sends to the merchant server in the M-th transaction contains one challenge question, and the merchant server must carry the response content for that challenge question in its next request. In every transaction from the (M+1)-th onward, the third-party payment server may use relevant information from the merchant server's previous historical transactions as the challenge question; correspondingly, the response content for that challenge question is also relevant information from historical transactions. M is a positive integer whose value can be set according to business needs such as the security level: the higher the security level, the smaller the value of M.
Assume that the order request in step 201 above is the order request in the (N+1)-th transaction of the merchant server processed by the third-party payment server. Then challenge question 1 in step 203 and response content 1 in step 205 may include information from the first N transactions of the merchant server processed by the third-party payment server, such as information from the first transaction. N is a positive integer.
As described above, the specific content of each challenge question and of its response may be information from the merchant server's historical transactions processed by the third-party payment server. This can be implemented in the following two ways:
Method 1: Use the external order number and the internal order number of a past transaction as the challenge question and the corresponding response content, respectively.
In Method 1, the challenge question includes the external order number of a first transaction, where the first transaction is one of the first N transactions of the merchant server processed by the third-party payment server, and the external order number is the order number generated by the third-party payment server for the first transaction.
Correspondingly, the response content for this challenge question includes the internal order number of the first transaction, where the internal order number is the order number generated by the merchant server for the first transaction.
In the three-party payment protocol, for each transaction the merchant server generates an internal order number and the third-party payment server generates an external order number. The two order numbers refer to the same transaction and are mapped to each other. An attacker cannot obtain the two order numbers, but the merchant server and the third-party payment server share them, so they can serve as hidden knowledge shared by the third-party payment server and the merchant server. Method 1 therefore uses this mapping relationship in historical transactions to derive the challenge question and the response content.
Method 2: Use the dynamic IP address used by the merchant server to derive the challenge question and the corresponding response content.
Method 2 takes into account that the merchant server is usually deployed in the cloud, so the IP address it uses is a dynamic value. That address can therefore serve as hidden knowledge shared by the third-party payment server and the merchant server; that is, the dynamic IP address is used to derive the challenge question and the response content.
Specifically, in Method 2, in each transaction of the merchant server processed by the third-party payment server, the IP address used by the merchant server is a dynamic IP address.
The challenge question includes a question about the IP address used by the merchant server in a second transaction, where the second transaction is one of the first N transactions of the merchant server processed by the third-party payment server.
Correspondingly, the response content for this challenge question includes the IP address used by the merchant server in the second transaction.
Next, in steps 207 to 209, the merchant server generates a payment request carrying response content 1, signs the payment request carrying response content 1 with the merchant's private key, and then sends the signed payment request to the third-party payment server.
Next, steps 301 to 311 above are performed. With reference to the description of steps 201 to 209 above, in steps 301 to 311 the challenge question is challenge question 1 and the response content is response content 1, and step 307 is implemented as follows: challenge question 1, carried in the last piece of information that the third-party payment server sent to the merchant server, is determined to be the currently available challenge question corresponding to the response content.
In step 311, the payment processing performed by the third-party payment server includes: the third-party payment server sends the merchant server a back-end payment notification carrying a challenge question.
Next, the merchant server receives the back-end payment notification carrying the challenge question from the third-party payment server and obtains from it the challenge question to be used next time; the merchant server can then determine the response content for that challenge question. For example, the challenge question to be used next time (called challenge question 2 for ease of description) may be the external order number that the third-party payment server generated in the second transaction, and the response content for it (called response content 2 for ease of description) may be the internal order number that the merchant server generated in the second transaction.
Next, if the merchant server needs a business service from the third-party payment server, such as a transfer, a refund, or a bill download, the merchant server performs the following steps: the merchant server generates a business information request carrying response content 2, signs the business information request carrying the response content with the merchant's private key, and then sends the signed business information request to the third-party payment server.
Correspondingly, when the third-party payment server receives the business information request, it performs the following steps: it verifies the signature of the business information request with the merchant's public key; after the signature is verified, it obtains response content 2 from the business information request; it uses challenge question 2, which was carried in the back-end payment notification, to verify response content 2, that is, it checks whether the two are the mapped order numbers of the same transaction; and after successful verification it provides the merchant server with the business service requested by the business information request, such as a transfer, a refund, or a bill download.
In the embodiments of this specification, the interaction flow and the challenge/response processing added to the three-party payment protocol can all be implemented in the back-end SDK (Software Development Kit) of the third-party payment server, so the cost for a merchant to adapt its integration is low.
The following describes, through the processing that the parties in the third-party payment system of Fig. 1 perform in cooperation, the flow of the method by which the parties jointly implement the third-party payment service in one embodiment of this specification. Referring to Fig. 1 and Fig. 4, the method includes:
Step 401: The merchant App sends the merchant server an order request for a transaction. For example, the order request is the order request of the merchant server's 100th transaction.
Step 403: For challenge question 1 carried in the last response message sent by the third-party payment server, the merchant server obtains response content 1 corresponding to challenge question 1.
For example, the content of challenge question 1 carried in the last response message is the external order number of the 2nd historical transaction. In step 403, the response content 1 obtained by the merchant server is then the internal order number of the 2nd historical transaction.
Step 405: The merchant server generates the internal order number of this transaction and persists it to its database, carries the obtained response content 1 in the payment request, and signs the payment request with the merchant's private key.
Step 407: The merchant server sends the signed payment request to the merchant App.
Step 409: The merchant App sends the received payment request to the platform App.
Step 411: The platform App sends the received payment request to the third-party payment server.
Step 413: The third-party payment server verifies the signature of the payment request with the merchant's public key. If the signature is verified, it uses challenge question 1, which it last sent to the merchant server, to verify response content 1 in the payment request.
Step 415: After response content 1 is verified, the third-party payment server sends a front-end payment notification to the platform App.
Step 417: The third-party payment server carries challenge question 2, to be used next time, and the external order number of this transaction in a back-end payment notification, signs the back-end payment notification with the third-party payment server's private key, and sends it to the merchant server.
Step 419: The merchant server verifies the signature of the back-end payment notification with the third-party payment server's public key. After successful verification, it updates the order status, persists the external order number to its database, and saves challenge question 2.
Step 421: The platform App returns the front-end payment notification to the merchant App.
Step 423: The merchant App sends an order status query request to the merchant server.
Step 425: The merchant server returns the order status information to the merchant App.
Step 427: When the merchant server needs a business service, it generates a business information request for that service, carries in the request response content 2 corresponding to challenge question 2 last sent by the third-party payment server, and signs the business information request with the merchant's private key.
Step 429: The merchant server sends the signed business information request to the third-party payment server.
Step 431: The third-party payment server verifies the signature of the received business information request with the merchant's public key. After successful verification, it uses challenge question 2, which it sent last time, to verify response content 2 carried in the business information request.
Step 433: After response content 2 is verified, the third-party payment server sends a business response to the merchant server, provides the requested business service through that business response, and carries in it challenge question 3 for the next round.
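The exchange of steps 401 to 433 with Method 1 as the challenge source, as an added example that is not code from the patent: it shows that a forger holding the merchant's signing key but not the order-number history is rejected at the response check. Assumptions: HMAC-SHA256 stands in for both parties' asymmetric signatures so the block needs only the standard library; the class names, message fields, order-number formats, carrying the new internal order number in the payment request, and picking the challenged transaction at random are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON: stand-in for the private-key signature."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, body), sig)


class PaymentServer:
    def __init__(self, merchant_key: bytes, own_key: bytes):
        self.merchant_key, self.own_key = merchant_key, own_key
        self.history = {}    # external order number -> internal order number
        self.pending = None  # challenge carried in the last message sent

    def _record(self, internal_no: str) -> str:
        external_no = "EXT-" + secrets.token_hex(8)
        self.history[external_no] = internal_no
        return external_no

    def _notify(self, external_no: str) -> dict:
        # Step 417: next challenge = external order number of a past transaction.
        self.pending = secrets.choice(list(self.history))
        body = {"external_order_no": external_no, "challenge": self.pending}
        return {"body": body, "sig": sign(self.own_key, body)}

    def trusted_transaction(self, internal_no: str) -> dict:
        """One of the first M transactions: no response is checked. For brevity
        every bootstrap reply carries a challenge; only the last one is used."""
        return self._notify(self._record(internal_no))

    def handle_payment(self, request: dict):
        body, sig = request["body"], request["sig"]
        if not verify(self.merchant_key, body, sig):   # step 413: signature
            return "bad_signature", None
        expected = self.history.get(self.pending)
        answer = str(body.get("response", ""))
        if expected is None or not hmac.compare_digest(expected.encode(), answer.encode()):
            return "bad_response", None                # step 413: response
        return "paid", self._notify(self._record(body["internal_order_no"]))


class MerchantServer:
    def __init__(self, own_key: bytes, payment_key: bytes):
        self.own_key, self.payment_key = own_key, payment_key
        self.history = {}       # external order number -> internal order number
        self.challenge = None   # challenge to answer in the next request
        self.open_order = None  # internal order number awaiting notification

    def new_order(self) -> str:
        self.open_order = "INT-" + secrets.token_hex(8)
        return self.open_order

    def build_payment_request(self, amount: int) -> dict:
        # Steps 403-405: look up the response, create the order, sign the request.
        body = {"internal_order_no": self.new_order(), "amount": amount,
                "response": self.history[self.challenge]}
        return {"body": body, "sig": sign(self.own_key, body)}

    def on_notification(self, note: dict) -> bool:
        # Step 419: verify, then store the external order number and the challenge.
        if not verify(self.payment_key, note["body"], note["sig"]):
            return False
        self.history[note["body"]["external_order_no"]] = self.open_order
        self.challenge = note["body"]["challenge"]
        return True


def demo():
    mkey, pkey = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    server, merchant = PaymentServer(mkey, pkey), MerchantServer(mkey, pkey)
    for _ in range(3):  # M = 3 trusted bootstrap transactions
        merchant.on_notification(server.trusted_transaction(merchant.new_order()))
    # Forger: holds the merchant's signing key, has no order-number history.
    forged_body = {"internal_order_no": "INT-forged", "amount": 999,
                   "response": "INT-" + secrets.token_hex(8)}
    forged, _ = server.handle_payment({"body": forged_body, "sig": sign(mkey, forged_body)})
    legit = merchant.build_payment_request(100)
    tampered, _ = server.handle_payment(
        {"body": dict(legit["body"], amount=1), "sig": legit["sig"]})
    first, note = server.handle_payment(legit)
    merchant.on_notification(note)
    second, _ = server.handle_payment(merchant.build_payment_request(50))
    return forged, tampered, first, second


if __name__ == "__main__":
    print(demo())
```
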
One embodiment of this specification provides an apparatus for implementing a third-party payment service, where the apparatus is applied to a merchant server. Referring to Fig. 5, the apparatus includes:
an order request receiving module 501, configured to receive an order request sent by the merchant client;
a challenge question determining module 502, configured to obtain the currently available challenge question;
a response content determining module 503, configured to determine the response content corresponding to the currently available challenge question, where the challenge question and its corresponding response content are shared by the third-party payment server and the merchant server;
a payment request processing module 504, configured to generate a payment request carrying the response content, sign the payment request carrying the response content with the merchant's private key, and then send the signed payment request to the third-party payment server.
In one embodiment of the apparatus shown in Fig. 5, the challenge question determining module 502 is configured to determine the challenge question carried in the last piece of information that the third-party payment server sent to the merchant server as the currently available challenge question.
One embodiment of the apparatus shown in Fig. 5 may further include a business service request module (not shown in Fig. 5).
The business service request module is configured to:
receive the back-end payment notification carrying the next challenge question from the third-party payment server, and obtain from the back-end payment notification the challenge question to be used next time;
determine the response content for the challenge question to be used next time;
generate a business information request carrying that response content;
sign the business information request carrying the response content with the merchant's private key, and then send the signed business information request to the third-party payment server.
One embodiment of this specification provides an apparatus for implementing a third-party payment service, where the apparatus is applied to a third-party payment server. Referring to Fig. 6, the apparatus includes:
a payment request receiving module 601, configured to receive a payment request sent by the merchant server;
a signature verification module 602, configured to verify the signature of the payment request with the merchant's public key;
a response content obtaining module 603, configured to obtain the response content from the payment request after the signature is verified;
a challenge question obtaining module 604, configured to determine the currently available challenge question corresponding to the response content, where the challenge question and its corresponding response content are shared only by the third-party payment server and the merchant server;
a challenge and response verification module 605, configured to verify the response content against the determined challenge question;
a payment processing module 606, configured to perform payment processing if the challenge and response verification module 605 successfully verifies the response content.
In an embodiment of the apparatus shown in Fig. 6, the challenge question obtaining module 604 is configured to determine the challenge question carried in the last piece of information that the third-party payment server sent to the merchant server as the currently available challenge question corresponding to the response content.
An embodiment of the apparatus shown in Fig. 6 further includes a service providing module (not shown in Fig. 6).
The payment processing module 606 is configured to send the merchant server a back-end payment notification carrying the next challenge question.
The service providing module is configured to:
receive a business information request sent by the merchant server;
verify the signature of the business information request with the merchant's public key;
obtain the response content from the business information request after the signature is verified;
verify the response content obtained from the business information request against the challenge question carried in the back-end payment notification and, after successful verification, provide the merchant server with the business service requested by the business information request.
In one embodiment of the apparatuses shown in Fig. 5 and Fig. 6, the order request is the order request in the (N+1)-th transaction of the merchant server processed by the third-party payment server, where N is a positive integer.
The challenge question and its corresponding response content include information from the first N transactions of the merchant server processed by the third-party payment server.
In one embodiment of the apparatuses shown in Fig. 5 and Fig. 6, the challenge question includes the external order number of a first transaction, where the first transaction is one of the first N transactions of the merchant server processed by the third-party payment server, and the external order number is the order number generated by the third-party payment server for the first transaction.
Correspondingly, the response content for this challenge question includes the internal order number of the first transaction, where the internal order number is the order number generated by the merchant server for the first transaction.
In one embodiment of the apparatuses shown in Fig. 5 and Fig. 6, in each transaction of the merchant server processed by the third-party payment server, the IP address used by the merchant server is a dynamic IP address.
The challenge question includes a question about the IP address used by the merchant server in a second transaction, where the second transaction is one of the first N transactions of the merchant server processed by the third-party payment server.
Correspondingly, the response content for this challenge question includes the IP address used by the merchant server in the second transaction.
One embodiment of this specification provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method of any one of the embodiments of this specification.
One embodiment of this specification provides a computing device including a memory and a processor, where the memory stores executable code and the processor, when executing the executable code, implements the method of any one of the embodiments of this specification.
It should be understood that the structures illustrated in the embodiments of this specification do not constitute a specific limitation on the apparatuses of the embodiments. In other embodiments of this specification, the apparatuses may include more or fewer components than illustrated, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The embodiments in this specification are described in a progressive manner. For parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the apparatus embodiments are essentially similar to the method embodiments, they are described more briefly; for the relevant details, refer to the corresponding description of the method embodiments.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific embodiments described above explain the purpose, technical solutions, and beneficial effects of the present invention in further detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement, or the like made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.
Claims (15)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310282051.7A CN115994760B (en) | 2023-03-20 | 2023-03-20 | Method and device for realizing third-party payment service |
| PCT/CN2023/137961 WO2024193119A1 (en) | 2023-03-20 | 2023-12-11 | Implementation method and device for third-party payment service |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310282051.7A CN115994760B (en) | 2023-03-20 | 2023-03-20 | Method and device for realizing third-party payment service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115994760A true CN115994760A (en) | 2023-04-21 |
| CN115994760B CN115994760B (en) | 2023-08-25 |
Family
ID=85993701
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310282051.7A Active CN115994760B (en) | 2023-03-20 | 2023-03-20 | Method and device for realizing third-party payment service |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN115994760B (en) |
| WO (1) | WO2024193119A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024193119A1 (en) * | 2023-03-20 | 2024-09-26 | 支付宝(杭州)信息技术有限公司 | Implementation method and device for third-party payment service |
| WO2025108025A1 (en) * | 2023-11-21 | 2025-05-30 | 支付宝(杭州)信息技术有限公司 | Third-party payment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115994760B (en) | 2023-08-25 |
| WO2024193119A1 (en) | 2024-09-26 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 310000 Zhejiang Province, Hangzhou City, Xihu District, Xixi Road 543-569 (continuous odd numbers) Building 1, Building 2, 5th Floor, Room 518; Patentee after: Alipay (Hangzhou) Digital Service Technology Co.,Ltd.; Country or region after: China; Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province; Patentee before: Alipay (Hangzhou) Information Technology Co., Ltd.; Country or region before: China |
