System and method for the protection of consumer financial data utilizing dynamic content shredding
Abstract
Consumer Point-of-Sale (POS) systems are becoming a major target for financial data loss within the commerce ecosystem. Privileged information, such as account numbers, card information, and transaction data are the primary targets during these data breaches. This information, while resident on a point-of-sale system, can be in plain text and susceptible to theft. The intent of this document is to present a unique solution that reduces the attack surface for these types of “hacks”, and protects consumer data through specialized cryptographic operations including data level encryption with a cryptographic bitsplitting algorithm. This makes the data useless to those who would take the data unlawfully. The invention allows for the efficient and effective processing of financial data while converting the data to a useless state for those who would obtain it unlawfully.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented method of protecting electronic financial transaction data, the method comprising:
providing a first network-based computing device including at least one processor and memory storing instructions, the at least one processor executing the instructions to perform the operations of:
performing a dynamic key exchange between said first network-based computing device operating in an encryption endpoint mode and a second network-based computing device operating in a decryption endpoint mode;
receiving at said first network-based computing device electronic transaction information associated with a financial transaction and including at least a personal account number in non-persistent memory;
executing a computer software-implemented data protection module at said first network-based computing device to (i) encrypt at least a portion of said electronic financial transaction data, (ii) remove said electronic financial transaction data from said non-persistent memory, (iii) apply cryptographic bitsplitting to break said encrypted electronic financial transaction data into a predetermined number of discrete data splits; (iv) store said predetermined number of discrete data splits across a plurality of distinct memory locations, and (v) generate metadata including routing and limited transaction information and excluding said encrypted portion of electronic financial transaction data; and
transferring said plurality of discrete data splits and said metadata to said second network-based computing device operating in a decryption endpoint mode.
2 . The method of claim 1 , wherein said operation of performing a dynamic key exchange further comprises:
generating public/private key pairs for said first network-based computing device operating in an encryption endpoint mode and said second network-based computing device operating in a decryption endpoint mode; exchanging public keys between said first network-based computing device and said second network-based computing device; and generating a shared symmetric key configured for use in block cypher encryption at said first network-based computing device.
3 . The method of claim 2 , wherein said shared symmetric key is configured to expire after a predetermined amount of time.
4 . The method of claim 2 , further comprising the step of storing said shared symmetric key within a secure data container at each of said first network-based computing device and said second network-based computing device.
5 . The method of claim 1 , wherein said first network-based computing device further comprises a credit card reader.
6 . The method of claim 1 , wherein said first network-based computing device further comprises a computer implementing a merchant POS system.
7 . The method of claim 1 , wherein said operation of executing a computer software-implemented data protection module at said first network-based computing device to encrypt at least a portion of said electronic financial transaction data further comprises encrypting said portion using an AES-256 block cipher.
8 . The method of claim 1 , wherein said operation of executing a computer software-implemented data protection module at said first network-based computing device to apply cryptographic bitsplitting to break said encrypted electronic financial transaction data into a predetermined number of discrete data splits further comprises applying an information dispersal algorithm to said portion of said electronic financial transaction data.
9 . The method of claim 1 , wherein said metadata further comprises one or more of an identification of an issuing bank, a transaction total, an identification of a merchant, a listing of the last four digits of a purchaser's account number, and a hash-based message authentication code.
10 . The method of claim 1 , wherein said step of transferring said plurality of discrete data splits and said metadata to said second network-based computing device operating in a decryption endpoint mode further comprises transferring said plurality of discrete data splits and said metadata through one or more intermediate data transfer points.
11 . A computer-implemented method of protecting electronic financial transaction data, the method comprising:
providing a first network-based computing device including at least one processor and memory storing instructions, the at least one processor executing the instructions to perform the operations of:
performing a dynamic key exchange between said first network-based computing device operating in an decryption endpoint mode and a second network-based computing device operating in an encryption endpoint mode;
receiving a plurality of discrete data splits and metadata from said second network-based computing device operating in an encryption endpoint mode, wherein said discrete data splits and metadata further comprise discrete portions of data corresponding to a single electronic financial transaction data set that has been processed by said second network-based computing device to (i) encrypt at least a portion of said electronic financial transaction data, (ii) apply cryptographic bitsplitting to break said encrypted electronic financial transaction data into said discrete data splits, and (iii) generate said metadata, wherein said metadata includes routing and limited transaction information and excludes said encrypted portion of electronic financial information;
executing a computer software-implemented data protection module at said first network-based computing device to decrypt said electronic financial transaction data; and
process a financial transaction corresponding to said electronic financial transaction data set.
12 . The method of claim 11 , wherein said operation of executing a computer software-implemented data protection module at said first network-based computing device to decrypt said electronic financial transaction data further comprises consolidating said discrete data splits into a single encrypted data file.
13 . The method of claim 12 , wherein said operation of executing a computer software-implemented data protection module at said first network-based computing device to decrypt said electronic financial transaction data further comprises decrypting at least a portion of said single encrypted data file.
14 . The method of claim 13 , wherein decrypting at least a portion of said single encrypted data file further comprises using an AES-236 block cipher.
15 . The method of claim 13 , further comprising the step of storing said unencrypted data sets in memory for processing by said first network-based computing device.
16 . The method of claim 11 , wherein said operation of performing a dynamic key exchange further comprises:
generating public/private key pairs for said first network-based computing device operating in a decryption endpoint mode and said second network-based computing device operating in an encryption endpoint mode; exchanging public keys between said first network-based computing device and said second network-based computing device; and generating a shared symmetric key configured for use in block cypher decryption at said first network-based computing device.
17 . The method of claim 16 , wherein said shared symmetric key is configured to expire after a predetermined amount of time.
18 . The method of claim 16 , further comprising the step of storing said shared symmetric key within a secure data container at each of said first network-based computing device and said second network-based computing device.
19 . The method of claim 11 , wherein said metadata further comprises one or more of an identification of an issuing bank, a transaction total, an identification of a merchant, a listing of the last four digits of a purchaser's account number, and a hash-based message authentication code.
20 . The method of claim 11 , wherein said step of receiving a plurality of discrete data splits and metadata from said second network-based computing device operating in an encryption endpoint mode further comprises receiving said plurality of discrete data splits and said metadata through one or more intermediate data transfer points.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.