United States Patent [19] [11] Patent Number: 6,065,679

United States Patent [19] [11] Patent Number: 6,065,679
US006065679A
United States Patent [19]
[11] Patent Number:
Levie et al.
[45] Date of Patent:
[54] MODULAR TRANSACTION TERMINAL
4,454,414 6/1984 Benton .
[75] Inventors: Stephen Alan Levie, Burnsville;
Bradley Dale Brown, Minnetonka;
Gregory John Loxtercamp,
Minneapolis; Michael E. Hermansen,
Shorewood; Emmett E. O’Hare;
Ahmad Ghanbarzadeh, both of Eden
Prairie, all of Minn.
4,773,032
4,855,996
4,912,309
4,916,692
5,043,721
5,047,615
5,227,614
[73] Assignee: IVI Checkmate Inc.
5,266,789 11/1993 Anglin et al. .
6,065,679
*May 23, 2000
4,689,478 8/1987 Hale et al. .
[*] Notice:
9/1988
8/1989
3/1990
4/1990
8/1991
9/1991
7/1993
Uehara et al. ..................... 364/709.04
Douskalis ................................ 370/545
Danielson et al. .
Clarke et al. ........................... 370/451
May ........
340/825.44
Fukumoto ............................... 235/472
Danielson et al. ...................... 235/380
5,233,167 8/1993 Markman et al. .
This patent issued on a continued prosecution application filed under 37 CFR
1.53(d), and is subject to the twenty year
patent term provisions of 35 U.S.C.
154(a)(2).
5,331,136
5,331,544
5,371,348
5,386,106
5,420,605
5,488,558
7/1994 Koenck et al. .
7/1994 Lu et al. .
12/1994 Kumar et al. ...................... 235/472.01
1/1995 Kumar .................................... 235/472
5/1995 Vouri et al. .
1/1996 Ohki.
5,566,069 10/1996 Clark, Jr. et al. ....................... 364/420
[21] Appl. No.: 08/706,506
[22]
[51]
[52]
[58]
5,680,633 10/1997 Koenck et al. ......................... 235/472
Filed:
Sep. 6, 1996
Int. Cl." … G06K 7/10
U.S. Cl. ................................. 235/462.47; 235/472.01
Field of Search ..................................... 235/449, 472,
[56]
235/472.01, 462.47
References Cited
Primary Examiner—Donald Hajec
Assistant Examiner—Mark Tremblay
Attorney, Agent, or Firm—Nixon & Vanderhye P.C.
[57]
ABSTRACT
A modular terminal apparatus including a core unit inter
changeable with a plurality of communication modules.
U.S. PATENT DOCUMENTS
D. 330,722 11/1992 Je.
31 Claims, 16 Drawing Sheets
1 11
108
U.S. Patent
May 23, 2000
Sheet 1 of 16
6,065,679
U.S. Patent
May 23, 2000
Sheet 2 of 16
FIG. 3
72
6,065,679
U.S. Patent
May 23, 2000
Sheet 3 of 16
FIG. 4.
6,065,679
U.S. Patent
May 23, 2000
Sheet 4 of 16
FIG. 5
6,065,679
U.S. Patent
May 23, 2000
Sheet 6 of 16
6,065,679
3
º
3.
3
U.S. Patent
May 23, 2000
6,065,679
Sheet 7 of 16
126
14.6
U.S. Patent
May 23, 2000
Sheet 9 of 16
6,065,679
17O
FIG. 1 1A
174
174
174
1 OO
-
172
FIG. 1 1B
3O
17O
3O
170
170
172
FIG. 1 1 C
30
3O
1 OO
U.S. Patent
May 23, 2000
Sheet 10 of 16
6,065,679
1 O8
1 O8
y^
1 OO
FIG. 1 1D
FIG. 1 1 E
1 OO
FIG. 11 F
FIG. 11 G
U.S. Patent
May 23, 2000
Sheet 11 of 16
6,065,679
tr)
||
98
ÇWO
|
Z
ZWO
WOO
|
U.S. Patent
May 23, 2000
6,065,679
Sheet 12 of 16
O/IGNZ
WECJOW
U.S. Patent
May 23, 2000
Sheet 13 of 16
6,065,679
U.S. Patent
May 23, 2000
BBIÈHOSIO O/U
Sheet 14 of 16
6,065,679
U.S. Patent
May 23, 2000
6,065,679
Sheet 15 of 16
|
9
U.S. Patent
May 23, 2000
Sheet 16 of 16
6,065,679
LIBRARIES
APPLICATION
DIRECTOR PROCESS
NULL PROCESS
SMARTCASH
OS SYSTEM CALLS
KERNEL
DEVICE DRIVERS
HARDWARE INTERFACE ROUTINES
DISPLAY
/ |MAG STRIPE|| | | SMART CARDS
KEYBOARD
MODEM
SERIAL DEVICES
FIG. 1 7
6,065,679
1
2
In one embodiment, the core unit attaches a PIN pad
module for entry of a user’s PIN during a transaction.
In yet another embodiment, the core unit includes a first
electrical bus connector projecting from its bottom surface
and the PINpad and communication module includes a
second electrical bus connector projecting from its top
MODULAR TRANSACTION TERMINAL
FIELD OF THE INVENTION
The present invention relates generally to a transaction
terminal apparatus and method. More particularly, the
present invention relates to a modular transactional terminal
such as a modular point-of-sale terminal.
surface, the first and second electrical bus connectors
BACKGROUND OF THE INVENTION
Terminals such as point-of-sale terminals have many
applications. One of the most common is in retail transac
tions. Frequently upgrades to the software and/or hardware
10
are made. Moreover, merchants have different functional
configuration needs. Various approaches have been used to
provide for upgrades to the software/hardware and recon
figuration of terminals. However, this typically is a time
consuming process and often requires the purchase of new
15
and different hardware and software.
There is a need for a modular point-of-sale terminal which
readily allows upgrades to be made and the terminal to be
readily reconfigured with different functional capabilities.
The present invention solves these problems and other
problems associated with existing point-of-sale terminals.
SUMMARY OF THE INVENTION
20
mate one side of the core unit,
a smart card reader for reading smart cards, the smart
card reader being disposed proximate a front end of
25
The present invention relates to a modular terminal appa
ratus and method.
One embodiment of the invention relates to a terminal
apparatus, comprising:
a core unit including;
a processor and associated memory,
a keypad for inputting data, and
a display operatively interconnected to the processor for
displaying data;
30
nector of the core unit so as to create an electrical bus
35
of the core unit; and
40
various communications modules.
In one embodiment, the communication module includes
a modem apparatus, the modem apparatus enabling com
45
munication with a remote host.
50
55
In one embodiment, the communication module includes
a removable integral printer whereby information can be
printed, the integral printer being electrically interconnected
to the processor of the core unit by the electrical bus.
In one embodiment, the communication module includes
In one embodiment, the communication module is elec
trically interconnected to a battery pack.
core unit includes a smart card reader.
a time division multiplex (TDM) bus operatively coupled
between the processor and communications module to
enable control of the communications module by the
processor, the TDM bus having at least two different
data transfer rate channels multiplexed together in a
an electrical connection for interconnection to an electronic
In still another embodiment, the core unit includes a
communication protocol is used to communicate between
the processor of the core unit and the communication
circuitry of the communication module.
Another embodiment of the present invention relates to a
terminal apparatus, comprising:
a processor and associated memory;
a keypad, operatively coupled to the processor, for input
ting data to the associated memory;
a display, operatively coupled to the processor, for dis
playing data;
a communications module; and
60
cash register.
magnetic stripe reader and in yet another embodiment the
electrical connectors for interconnection to an elec
In one embodiment time division multiplexing (TDM)
arrangement. In one embodiment, at least one of the plural
ity of communication modules interconnected in the local
area network arrangement includes a modem apparatus, the
modem apparatus enabling communication with a remote
host.
the communication module including communication
control circuitry for interfacing with the processor of
the core unit by way of the electrical bus, the commu
nication control circuitry being electrically connected
to electrical components in the communication module
so as to allow control thereover by the processor of the
core unit, the communication module being inter
changeably connected to the bottom surface of the core
unit by fasteners whereby the core unit may be inter
changeably connected to different communication
modules, the communication module providing power
to the core unit, the communication module including
tronic cash register.
In yet another embodiment, the communication module
includes a network interface communication board enabling
a plurality of the core units and their associated communi
cation modules to be interconnected in a local area network
the terminal, and
a bottom surface including an electrical bus connector
projecting therefrom; and
a communication module including a top surface having
an electrical bus connector projecting therefrom and
electrically interconnectable to the electrical bus con
between the core unit and the communication module,
a communications module attachable to a bottom surface
the core unit and the communications module being
interconnected by an electrical bus enabling control of
the communications module by the processor of the
core unit, the core unit being interchangeable with
mechanically and electrically connecting to one another to
provide an electrical bus from the processor of the core unit
to electrical components in the communication module, the
core unit and communication module being attached to one
another by removable fasteners.
Yet another embodiment of the present invention relates
to a POS modular terminal apparatus, comprising:
a core unit including;
a processor and associated memory,
a key pad disposed on a top surface of the core unit for
entry of a user’s PIN during a transaction,
a display displaying information,
a magstripe reader for reading an encoded magstripe on
a card, the magstripe reader being disposed proxi
65
frame.
Another embodiment of the present invention relates to a
terminal apparatus, comprising:
6,065,679
4
FIG. 16 is a diagram showing one implementation of a
TDM bus having three tiers of bandwidth; and
FIG. 17 is a diagram showing representative interactions
between an application program and an operating system for
3
a display for displaying data;
a keypad for inputting data; and
a processor and associated memory, operatively coupled
to the display and keypad, for processing application
program functions in accordance with an operating
system display driver which allows a first application
program to exclusively control displayed elements
within a first portion of the display and a second
application program to exclusively control displayed
elements within a second portion of the display.
These and various other advantages and features of nov
elty which characterize the invention are pointed out with
particularity in the claims annexed hereto and forming a part
hereof. However, for a better understanding of the invention,
its advantages, and the objects obtained by its use, reference
should be made to the accompanying drawings and descrip
tive matter, which form a further part hereof, and in which
there is illustrated and described a preferred embodiment of
the modular transaction terminal in accordance with the
principles of the present invention.
DETAILED DESCRIPTION OF PREFERRED
EMBODIMENT(S)
10
15
the invention.
20
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings wherein corresponding reference numer
als generally indicate corresponding parts throughout the
several views;
FIG. 1 is an exploded perspective view in of a preferred
embodiment of a modular point-of-sale terminal apparatus
in accordance with the principles of the present invention,
the embodiment shown including a core unit;
FIG. 2 is an exploded view of a display assembly incor
porated within the core unit of FIG. 1;
FIG. 3 is an exploded view of a magnetic stripe reader
incorporated within the core unit of FIG. 1;
FIG. 4 is an exploded view of a core unit and a commu
nications module configured to interface with the core unit,
25
30
35
separate from one another;
FIG. 5 is an exploded view showing the mechanical and
electrical interface between the core unit and the commu
40
communications module is shown;
FIG. 6 is a bottom view of the communications module of
FIG. 4;
FIG. 7 is a perspective view of a printer module and an
assembled terminal comprising a the core unit and commu
nications module of FIG. 4, the printer is shown withdrawn
45
from the terminal;
FIG. 8 is an exploded view illustrating the inner compo
ments of the communications module of FIG. 4;
FIGS. 11A–11G illustrate various environments suitable
50
and a core bottom cover assembly 36.
As shown in FIG. 1, the core top cover assembly 32
includes a top cover 38 preferably constructed of a plastic
material. The top cover 38 includes a rectangular screen
opening positioned above a plurality of key openings. A
transparent display window 40 is mounted over the screen
opening of the top cover 38 while a key pad 42 is mounted
within the top cover 38. The key pad 42 is positioned such
that keys of the key pad 42 project through the key openings
of the top cover 38. The core top cover assembly 32 also
includes an overlay 44 affixed to the top surface of the top
cover 38. The overlay 44 typically includes defining key
As shown in FIGS. 1 and 2, the core PCB assembly 34
includes a core PCB 46 having a suitable bus structure, a
memory, and a processor which controls the operation of the
further includes an interface connector 48, such as a male 20
PIN electrical connector, for allowing the core unit 30 to
interface with an exterior modular component. Additionally,
the core PCB interconnects with a speaker (not shown) for
60
boards;
communication boards shown in FIG. 13;
assembly 32, a core printed circuit board (PCB) assembly 34
ing input data from the keys of the key pad 42. The PCB 46
55
FIG. 12 is a back view of the communications module
FIG. 14 is a more detailed block diagram of the main
printed circuit board shown in FIG. 13;
FIG. 15 is a more detailed block diagram of one of the
ules and PIN pad modules. The modular nature of the system
allows the system to be configured and customized to meet
the needs of any user.
FIG. 1 shows an exploded view of an exemplary core unit
30 constructed in accordance with the principles of the
present invention. Generally, the core unit 30 can be divided
into three sub-assemblies which include a core top cover
core unit 30. The core PCB 46 includes contacts for receiv
for using a modular transaction terminal constructed in
accordance with the principles of the present invention;
showing the various serial ports and power port;
FIG. 13 is a block diagram of the interconnection of a
main printed circuit board to one or more communication
apparatus in accordance with the principles of the present
invention. For the purposes of illustration, the modular
terminal is described throughout the specification in a point
of-sale environment and is often referred to as a point-of sale
terminal. However, it will be appreciated that the present
invention is not limited to the point-of-sale environment and
can be utilized to conduct a variety of alternative electronic
transactions within a wide range of fields.
As shown in FIGS. 1–10, the present invention relates
generally to a modular point-of-sale system having both
smart card and magnetic stripe capabilities. The system
includes a core unit that is capable of interfacing with a
variety of modular components. Preferably, the core unit
does not have any connectivity capabilities other than con
necting to the modular components. Exemplary modular
components include printer modules, local area network
functions and other related user information.
FIG. 9 is an exploded view of the core unit and a PIN pad
module configured to interface with the core unit;
FIG. 10 is an exploded view of the PIN pad module of
FIG. 9;
ferred embodiment of a modular transaction terminal/
(LAN), modem modules, workstation communication mod
the core unit and the communications module are shown
nications module of FIG. 4 prior to interconnection, the
bottom of the core unit is shown while the top of the
Referring now to the figures, there is illustrated a pre
65
generating an audio output.
The core PCB assembly 34 also includes a light pipe 50
affixed to the top side of the printed circuit board 46. The
light pipe 50 is preferably aligned upon the PCB 46 by a
plurality of tabs 52 that snap within a plurality of corre
sponding holes 54 in the PCB 46. The light pipe 50 and the
PCB 46 are securely connected by a pair of screws 56.
It will be appreciated that the light pipe 50 of the core
PCB assembly 34 defines a plurality of openings 57 for
6,065,679
6
5
allowing the keys of the key pad 42 to reciprocally engage
the key contacts of PCB 46. The light pipe 50 also defines
third parties from viewing the keypad 42 and display 60
while the core unit 30 is in use.
a rectangular liquid crystal display (LCD) cavity 58 posi
tioned above the openings 57. A glass LCD 60 is mounted
in the cavity 58. A pair of zebra connectors 62 are mounted
on opposite sides of the cavity 58 between the light pipe 50
and the LCD 60. Aplastic bezel 64 fits over the LCD 60. The
bezel 64 and the light pipe 50 are preferably interconnected
via a snap fit connection such that the LCD 60 and the zebra
strip connectors 62 are securely retained in the cavity 58.
The core bottom cover assembly 36 includes a bottom
cover 66 preferably constructed of plastic and configured to
mate with the top cover 38 of the core top cover assembly
32. A swipe style magnetic stripe reader (MSR) 68 is
mounted within the bottom cover 66. The MSR 68 includes
a MSR track 70 and a MSR head assembly 72. The MSR
track 70 preferably extends longitudinally along the length
of the bottom cover 66 and preferably is positioned adjacent
one side of the bottom cover 66. The track 70 is preferably
constructed of metal and functions to protect the casing from
excessive wear generated by the repeated swiping of mag
netic cards through the MSR 68. As shown in FIG. 1, the
track 70 is positioned adjacent to a right side of the bottom
FIGS. 4–7 illustrate a communications module 100 con
10
interface connector 102, such as a female 20 PIN connector,
15
20
cover 66. It will be appreciated that the SCR assembly is
configured to read smart cards, also known as integrated
circuit cards. The SCR assembly 80 includes a SCR PCB 82
snapped within the bottom cover 66. The MSR head assem
bly 72 is preferably connected to the SCR PCB 82 via
connector 84 while the SCR PCB 82 is preferably connected
the communications module 100, the interface connector 48
of the core unit 30 electrically interconnects with the inter
25
retain the core unit 30 on the communications module 100.
30
The housing of the communications module 100 prefer
ably defines an open ended slot 106 sized to receive a printer
module. The slot 106 is formed between a top portion of the
housing and the bottom of the core unit 30. A printer
connector 110 is located at an interior end of the slot 106 for
35
providing an electrical connection between the communica
tions module 100 and the printer module. When the printer
module is not in use, the slot 106 is preferably enclosed by
a plug member 112 that snaps within the slot 106 as shown
in FIG. 4.
40
An exemplary printer module 108 is shown in FIG. 7. The
printer module 108 preferably includes a casing 109 con
taining a printer mechanism and a printer PCB. The printer
module is also equipped with a printer roll cover 111.
45
100 is preferably equipped with a power plug receptacle 113
for connecting the module 100 to a power source. The power
source may be a conventional wall plug for in-line uses or
a battery pack for off-line uses. The communications module
100 also includes a plurality of connectors such as multi-PIN
serial ports 114 for allowing the communications module
100 to be readily connected to units such as electronic cash
registers, magnetic check readers, external printers, PIN
pads, bar code readers, cash drawers and other terminals.
The communications module 100 also includes phone line
connectors 116, such as phone jacks, for providing phone
50
55
As assembled, the interface connector 48 of the PCB 46
projects through an opening in the bottom cover 66 such that
the core unit can be readily interconnected with a variety of
modular accessories. Also, the top and bottom covers 38 and
66 cooperate to define a longitudinal slot 96 for receiving
magnetic cards into the MSR 68 and a transverse slot 98 for
receiving smart cards into the SCR assembly 80. In the
assembled embodiment shown FIG. 4, the longitudinal slot
96 extends along the right side of the core unit 30 while the
transverse slot 98 is formed at the end of the unit 30 opposite
from the LCD 60. It will also be appreciated that the core
unit 30 can be equipped with a privacy shield for preventing
face connector 102 of the communications module 100 to
provide an electrical interface between the module 100 and
the core unit 30. Screws 104 are preferably used to securely
to the core PCB 48 via a flex ribbon cable 86.
The bottom cover assembly 36 can also optionally include
a bottom door 88 for accessing an optional memory PCB 90
and an optional security PCB 92. The optional memory and
security PCB’s are preferably connected to the core PCB 48
via zebra strip connectors 94. The bottom door 88 and zebra
strips 94 allow the PCB’s 90 and 92 to be readily inter
changed with alternate memory and security PCB’s. In this
manner, the level of memory and security provided by the
core unit 30 can be tailored to a specific user 75 need without
requiring replacement of the core PCB 48.
To assemble the core unit 30, the top and bottom covers
38 and 66 are interconnected by screws 93 such that the core
PCB assembly 34 is captured between the covers 38 and 66.
unit 30 are mechanically interconnected by inserting the
core unit 30 within the recessed upper face of the commu
nications module 100 such that the core unit 30 becomes
nested in the module 100. As the core unit 30 is inserted into
be mounted above the track 70 at a location offset from a
card reader (SCR) assembly 80 mounted within the bottom
connector 48 of the core unit 30. The interface connector 102
is preferably located within a recessed upper face of the
the bottom cover 66 by a bracket member 74 (shown in
FIGS. 1 and 3). It is preferred for the head assembly 72 to
inner side wall 76 of the bottom casing 66. In use, a magnetic
card is slid along the track 70 and between the head
assembly 72, and the side wall 76 thereby enabling the head
assembly 72 to read the magnetic strip of the magnetic card.
The core bottom cover assembly 36 also includes a smart
suitable for electrically interconnecting with the interface
module 100. The communications module 100 and the core
cover 66.
The MSR head assembly 72 is preferably mounted within
figured to interface with the core unit 30. The communica
tions module 100 and the core unit 30 together provide a
transaction terminal such as a point-of-sale terminal. The
standalone terminal and LAN workstation will be approxi
mately 4.75" in width, 8" in length, and 3.75" in height. With
an integrated printer attached, the length changes to about
11". The overall unit is lightweight for ease of portability.
The communications module 100 preferably includes an
As shown in FIGS. 5 and 6, the communications module
line access to an internal modem of the module 100 and also
for connecting the module 100 to an external phone. The
bottom of the module housing also defines a rectangular
60
recess 117 sized to receive smart cards. A slot 119 at one end
of the recess 117 allows smart cards to be inserted into an
optional secondary smart card reader mounted within the
module 100.
In a preferred embodiment shown in FIG. 12, the power
65
plug receptacle 113 is an alternating current (AC) power
jack. The 3-prong power jack 113 interfaces with a 12 Volt
(V) AC power supply with Table 1.
6,065,679
8
TABLE 3-continued
TABLE 1.
PIN
Name
Function
1
2
AC
AC
12 VAC (nominal).
12 VAC (nominal).
3
EGND
Earth ground.
The serial ports 114 include an RS485 port 180, COM1
182 and COM2 184 ports as well as an optional COM3 port
Name
Function
Input to jigsaw indicating that the
peripheral device is ready to
receive data.
10
5
6
Rx.D
TxD
Received data from a peripheral.
Transmitted data out to a peripheral.
7
8
Test
No connection.
No connection.
EGND
Earth ground.
186 shown in FIG. 12.
The RS485 port 180 supports external connections such
as a LAN or IBM electronic cash register (ECR) connection.
The POS Terminal has its own power supply and will not
draw power from the IBM ECR. This port has a 7 PIN
mini-pin connector including the following cables: LAN
15
include cables for interconnection to various devices such
terminated, LAN unterminated, IBM RS485 and others. The
LAN cable ends in a RJ11 connector (at LAN connection)
and is the same length as the other LAN cables. It is
The COM2 port is the RS232 port that does supply power.
This will support a PIN pad connection, including the SPP,
290, 290E, and POS Terminal PIN pad. These require a
powered port up to 150 mAmps, unregulated 7–14 volts.
This port has a 6 PIN mini-din connector. The cables might
20
recommended that LAN terminated cables be used for
workstations placed on each end of the LAN, in order to
reduce signal levels on the line. Unterminated cables can be
as: DB9 download/debugger cable; IVI Check Reader;
Magtek Check Reader; and Checkmate Check Reader. Full
duplex communication with transmit hardware flow control
is not available. The pinout for COM2 port 184 is shown in
Table 4.
used on all workstations in between. The IBM ECR cable is
the same cable as the PIN pad module cable, but has a mini
end. All communication through the RS485 port is restricted
to half-duplex. It does not provide power other than a low
current network bias supply attached to the internal +5 volt
supply. The pinouts for this RS485 port are shown in Table
Function
1
2
+5V
GND
RGND
5 Volts power.
Signal ground.
Reference signal ground via 100 ohms.
RT+
RT-
RS 4854.
RS 485–
LAN termination.
LAN termination.
EGND
Earth ground.
3
4
5
6
7
Shell
The COM1 port 182 is the RS232 port that does not
supply power. This will support devices that have their own
power source, including an external printer, an RS232 ECR,
or a check reader. This port has an 8 PIN mini-pin connector.
The cables might include cables for interconnection to
various devices such as: DB9 download/debugger cable;
Name
Function
1
PWR
Unregulated (7–14) VDC,
2
GND
Signal ground.
3
4
Rx.D
TxD
Receive data from a peripheral.
Transmit data to a peripheral.
5
GND
Signal ground.
6
TABLE 2
Name
PIN
150 milliamps max.
30
2.
PIN
TABLE 4
25
DIN connector instead of the RJ11 connector the terminal
Shell
No connection.
EGND
40
The COM3 port 186 is an optional RS232 port similar to
COM1 port 182. It may be used, like COM1 port 182, for
interfacing to devices such s a check reader or bar code
wand. A pinout for COM3 port 186 is shown in Table 5.
TABLE 5
45
PIN
Name
1
DCD
2
Rx.D
3
TxD
4
DTR
50
VeriFone P250 Printer; Citizen Printer; Silent Partner
5
GND
Printer; IVI Check Reader; Magtek Check Reader; Check
6
DSR
mate Check Reader. However, it can be used for alternate
7
RTS
8
CTS
attachments such as ECRs or other check readers. Full
duplex communication with transmit hardware flow control
is available through this interface. The pinout for COM1
port 182 is shown in Table 3.
55
Shell
TABLE 3
PIN
Name
1
GND
Function
Signal ground.
2
PAPER
Printer paper alarm; a high level on this
60
PIN indicates that printer paper supply
RTS
Output to device indicating that Jigsaw has
selected the RS232 interface and is ready
EGND
Function
Control line input from a
peripheral.
Serial data input from a
peripheral.
Serial data output to a
peripheral.
Control line output to a
peripheral.
Signal ground.
Control line input from a
peripheral.
Control line output to a
peripheral.
Control line input from a
peripheral.
Earth ground.
FIG. 8 is an exploded view illustrating the internal com
ponents of the communications module 100. As shown in
FIG. 8, the housing of the module 100 includes a top cover
118 positioned opposite from a bottom cover 120. The top
and bottom covers 118 and 120 preferable mate together and
are interconnected via screws 122. Positioned between the
is low or out.
3
Earth ground.
35
65
top and bottom covers 118 and 120 are an input/output PCB
124, a communications PCB 126, an optional modem PCB
128, and an optional secondary SCR assembly 130. It will be
6,065,679
9
10
The personal identification number (PIN) pads PCB 152
appreciated that the assembled terminal can function as a
wall mounted unit or a hand held unit. Additionally, the base
of the communications module 130 preferably includes
rubber feet for supporting the terminal on a structure such as
also includes a external connector 156 for providing an
interface between the personal identification number PCB
152 and a remote unit such as an electronic cash register,
terminal or other communication device. Preferably, the
a countertop.
The input/output PCB 124 includes a bus structure and
other components suitable for interfacing with the serial
ports 114 and power plug 113. The input/output PCB 124 is
mounted at a predetermined position within the housing
such that the ports 114 align with openings 132 defined by
the bottom of the housing. It will be appreciated that the
bottom of the housing includes a break-out panel 133
positioned adjacent to the openings 132. By punching out
the break-out panel 133 and replacing the input/output PCB
124 with a new input/output PCB having four serial ports
connection between the external connector 156 and the
10
15
(180,182, 184, 186), the communications capabilities of the
module 100 can be enhanced as required by a user.
The communications PCB 126 includes bus structure and
other components suitable for interfacing with the printer
connector 110, the interface connector 102, the input/output
PCB 124 the modem PCB 128, and the optional secondary
SCR assembly 130. It is preferred for the communications
PCB 126 to be mounted on the top cover 118 and oriented
such that the interface connector 102 extends substantially
vertically through an opening 134 defined by the top cover
118, and the printer connector 110 extends substantially
horizontally through an opening 136 defined by the top
cover 118. The input/output PCB 124 and the communica
tions PCB 126 are preferably interconnected via ribbon
cable 138.
The modem PCB 128 includes bus structure and other
20
a COunter.
The PIN pad module 148 allows the POS terminal to
operate as a PIN pad. It generally obtains power from a host
25
module shown has an RJ11 modular connector so that
30
35
40
The SCR assembly 130 is preferably connected to the
45
interfacing with the various makes of ECRs such as: IBM
4680; NCR 2127 (includes power pack); DB9 RS232
(includes power pack); and DB25 RS232 (includes power
pack). In one embodiment, these cables have a 3" straight
section, an 18" coiled section (expandable to 10 feet), and a
5 foot straight section. The two RS232 cables and NCR
cable will also support a power pack at the PC/ECR con
nector end. The IBM cable does not need a power connector.
PIN Pad to LAN Cables include a cable for connection to
50
a plurality of security access modules (SAM). If a user does
not require the secondary SCR assembly 130 or the SCR
assembly 130 is not intended to be used, the recess 117 is
preferably covered by bottom panel 146.
FIGS. 9 and 10 illustrate a PIN pad module 148 config
ured to interface with the core unit 30. The PIN pad module
148 includes a housing cover 149 having an open top side
150 configured to receive the core unit 30 such that the
bottom of the core unit 30 mates or nests within the top of
the housing cover 149. The PIN pad module 148 includes a
PIN pad PCB 152 including an interface connector 154
configured to connect with the interface connector 48 of the
core unit 30 when the core unit 30 is nested in the housing
cover 149. Screws 151 are used to securely connect the core
unit 30 and the PIN pad module 148 together.
is easy to connect without special tools, but cannot be taken
The PIN Pad Module to ECR cables includes cables for
systems.
assembly 130 is preferably mounted adjacent the slot 119 in
the bottom cover 120 such that when a smart card is snapped
within the receptacle 117 and pushed into the slot 119, the
card is read by the SCR assembly 130. The SCR assembly
130 can be readily interchanged and can have a variety of
configurations. In one exemplary embodiment, the SCR
assembly 130 is configured to accept both a smart card and
and does not cause a security risk (one cannot probe through
the port to access the secure processor). The RJ11 connector
out by hand (a screwdriver or similar tool is required to pop
out). The cable is attached from the back of the core unit.
nications PCB 126 via ribbon cable 142. The ribbon cable
communications PCB 126 via ribbon cable 144. The SCR
different cables can be attached. This allows a customer,
such as a bank, to mix and match cables as needed to connect
to different host devices. This also allows easy replacement
of cables if they break. The cable fits securely to the PIN pad
nectors 116. The modem PCB 128 is mounted in the bottom
connection allows the modem PCB 128 to readily be
replaced with an alternative modem board. For example, a
user may require an upgraded modem board or may need a
modem compatible with one of several different phone
device such as a terminal, electronic cash register (ECR), or
personal computer (PC). In one embodiment, this module
will have two different case options, one for bonded units
and one without bonding. The embodiment of the PIN pad
hardware suitable for interfacing with the phone line con
cover 120 such that the phone line connectors 116 align with
a pair of openings 140 defined by the bottom 120 of the
housing. The modem PCB 128 is connected to the commu
remote unit is provided via a coiled cord. It will be appre
ciated that the PIN pad module 148 functions to convert the
core unit 30 into a PIN pad for transferring data to the remote
unit and for receiving data from the remote unit.
It will be appreciated that the PIN pad resulting from the
combination of the core unit 30 and the PIN pad module 148
has a widened head portion that accommodates the LCD 60
and a narrow body portion sized to allow the device to be
manually held. The corners of the device are preferably
rounded and the housing is preferably constructed of a
durable fade resistant plastic material. Exemplary dimen
sions of one particular PIN pad embodiment will be approxi
mately 3.45" in width, 8" in length, and 1.75" in height. The
PIN pad can be wall mounted, stand mounted, or placed on
55
a LAN with power pack and connection to a LAN with DB9
RS232 and power pack.
A “Y” cable is needed for connecting the PIN pads
together on a LAN. The additional RS232 connection allows
the PIN pad to also connect to an ECR or PC.
OVERVIEW OF EXEMPLARY COMPONENTS
OF MODULAR SYSTEM
The overall features of the various components and fea
tures of the POS terminal will now be described. It will be
60
65
appreciated that the POS terminal may take on varying
configurations and that the following are but a few of those
possible configurations and are not to be construed as
limitations upon the scope of the invention.
Keypad
In the preferred embodiment, the keypad 42 is preferably
made up of a 19-key silicone rubber matte with carbon pills
which, when pressed, closes etched contacts on the main
logic board 46. Twelve keys comprise a telephone style
6,065,679
11
numeric pad. The numeric pad consists of keys 0 through 9,
plus a Clear and Enter key. One key has a dual function:
normal key entry and wake-up initiated from power down
mode. This is accomplished with a dual carbon pill and
separate circuit board etching. Four additional function keys
are available for initiating application specific functions.
Three soft keys are located directly under the display; these
keys correspond to software defined commands on the
display.
In the preferred embodiment, only the numeric and tele
phone style alpha characters are printed on the keys. The key
matte will have four different colors. Besides the operator
keys, the keypad will have an extra carbon contact which is
used in conjunction with a security tamper detecting circuit.
When the case is assembled, this contact is permanently
activated. If a security option board is installed within the
12
nication and other capabilities. It allows expansion of pro
cessor connected peripherals through 2 signal lines, one of
which is shared with the TDM bus 300. Some of the
advantages of this bus 302 are that multiple peripherals can
be directly interfaced through only 2 signals lines to the
processor, which reduces the number of interconnections
needed in the system and reduces overall electromagnetic
10
additional peripherals can be connected to the Com PCB
without disturbing the core design through modifications to
the software drivers for transactions on the byte bus 302.
An ASIC (Application Specific Integrated Chip) 304,
15
core unit 30, this contact becomes one of the switches in the
series circuit that is uses to detect case opening.
Display
The display 60 is preferably a bit mapped liquid crystal
interference (EMI) emissions by reducing the number of
EMI sources (e.g., signal lines). Another advantage is that
along with the processor, is the heart of the main PCB 46,
as shown in FIGS. 14 and 15. Virtually all communication
between functional circuit blocks occurs through the ASIC.
The ASIC is made up of the following major functional
blocks shown Table 8.
20
TABLE 8
display (LCD) panel. Font design and size as well as
graphical images have an open format as long as they fit
within the 128x32 pixel matrix provided. The display tech
Functional
nology used is based on a Super-Twist Nematic (STN)
transflective crystalline structure. A backlight is lightpiped
from an LED source on the main logic board 46 and
dispersed along the underside of the display. Contrast adjust
ments are made through the use of the main logic board’s
25
Description
Reset and
Power
Status
Generates power fault interrupts,
appropriate circuit activation is based on
voltage levels determined by the
communication module.
Display
processor.
The LCD 60 is preferably controlled by an LCD control
ler chip. This chip incorporates the display memory, scan
timing functions and segment drivers. It connects to the
Block
30
backlight control.
Keypad/Secu
rity CPU
I/F
UARTS
Provides direct parallel I/O interface
between the keyboard and display and an
optional security processor.
Six UARTs are provided with independent baud
rate generators. Optional circuit boards are
required to access all UARTs.
CPU Bus
Interfaces the CPU bus into the internal
application specific integrated circuit (ASIC) of the main
PCB 46 through an interface bus. Within the LCD controller
chip is memory that is accessed through the interface bus
and used by the controller to refresh the image on the LCD.
Each bit in this memory corresponds to one pixel in the
LCD. The controller can be written and read through the
35
interface bus.
Each character position within the display is capable of
displaying the standard ASCII character set. Other applica
40
tion defined character sets, not mentioned above, are down
loadable into the operating system. The display offers bit
mapped graphics for international languages and is backlit
for low lighting conditions. The display is flush rather than
tilted, since it will be used in a variety of environments, such
as wall mounted. The display is yellow/green in color with
sufficient character contrast so prompts are easy to read.
45
Iinterface
Unit (BIU)
ASIC bus. Responsible for converting word
wide CPU operations into byte wide
operations on the ASIC bus.
MMU/Memory Controls mapping of the CPU's 1MB logical
Protection
memory space into a 12MB physical memory
space. Also provides programmable write
protection on a 4K page basis.
Memory BIU Responsible for interfacing the ASIC
internal bus to the external memory
resources. Includes programmable chip
selects and memory bus timing.
Interrupt
Manages masking and grouping of internal
Controller
ASIC interrupt sources and drives the group
interrupts out to the CPU interrupt
controller.
Beeper
50
Magnetic
Stripe
Interface
multiplex (TDM)bus 300 and byte bus 302 to one or more
communication boards 124, 126, 128, and 130 is further
detailed in a block diagram shown in FIG. 13.
The TDM bus is a communication protocol assigning
bandwidth for moving information on signal lines. The
bandwidth is allocated and fixed at specific levels for the
entire time the TDM bus is in operation. The advantages of
this bus 300 include: scalability to different amounts and
types of I/O under a common platform, and a reduced
number of PINs being needed for interconnection to other
components in the system. The TDM bus uses multiple tiers
of bandwidth allocation to allocate a high bandwidth for
high speed signals and less bandwidth for low speed signala.
One particular implementation of this TDM bus is a three
tier system which is shown in FIG. 16.
The byte-bus 302 is a transaction based communication
scheme which allows for expandability of system commu
Provides a speaker on/off control.
Interface
Main PCB
The main PCB 46 interconnection through a time division
Display controller interface, contrast and
Interface
55
Translates analog signals from two separate
read channels using a digital signal
processor (DSP). The analog signal is
analyzed for peaks. Logical data is
translated from the peaks and transferred
into the system.
Smart Card
Reader
Specialized interface to a smart card
reader, providing for clocking and interface
Interface
between one of the standard ASIC UARTs and
TDM Channel
card reader option may share a common UART,
Time Division Multiplexor Channel. Its
the smart card. In some situations, the dual
function is to time slice the I/O
connections between boards and serially
transfer the information they contain. This
is a dual channel circuit used to pass
60
information between the Core, Modem, Com and
Printer boards.
65
Byte Bus
Bi-directional serial data channel between
Channel
the Com and Core boards.
Test Port
Manufacturing/service test access port based
Core to Com
on IEEE P1149.1 standard (JTAG).
This multi-pin interface connects the Core
6,065,679
14
other device; however, it will corrupt the returned keypad
information. Because the panel bus has a small amount of
capacitance, the ASIC scan outputs should not be changed
and re-sampled faster that 10 us.
Security PCBs
The main security board provides access control to the
user interface peripherals (keypad, display, etc.). There are
two different boards that can be added to the system for
security. Each security board is installed through a door on
TABLE 8-continued
Functional
Block
Interface
Description
module and the Com module. It includes the
TDM lines, power, ground, unregulated
voltage, high speed UART, NMI/Reset and
Wake-up line, Byte Bus, and Beeper.
10
Virtually all communication between functional circuit
blocks occurs through the ASIC.
Reset Power Status
The following three signals are driven by the Comm
module to direct system operations:
15
Hard reset (HRST)
Power fail Interrupt (PFI)
Battery status (BSTAT)
HRST-This signal is activated whenever the unregu
lated power is below a level necessary to produce +5
volts. When power is applied, HRST will remain
20
active for a limited time after the +5 volts have
stabilized.
PFI—This signal activates trms prior to HRST. This
signal can be polled by the Core CPU.
BSTAT—This signal is only present on battery oper
ated products. It is passed to the Core unit through
the TDM port.
25
30
35
40
tions. Communications with the 80C186 is limited to a
bidirectional byte port in the ASIC.
Display
The display circuitry includes the access controls to the
external graphics display controller. Internal to the ASIC is
a register used to set the contrast voltage applied to the
display. Varying the settings of this register will proportion
ally adjust the intensity of the display image. Another
register in the ASIC controls the backlite illumination
around the display. The settings provided by this register can
turn the LED backlite on, off, or to incremental settings in
45
memory is incorporated into the non-intelligent PCB to store
secured information. This memory is powered by the battery
backed security circuit. When processor detects a tamper
condition, the OS will erase necessary memory within the
80C186 memory space.
The controls for both of these boards are generated by the
ASIC. These controls handle data exchanges between the
two processors and read/write operations to the serial
memory device.
Low Level Security Board
When opened, this tamper detection circuitry causes the
security board to erase all information it had in storage in a
small battery backed memory device it maintains, and
presents a tamper signal to the ASIC.
High Level Security Board
As previously described, the high level security board
controls peripherals and communicates directly with the
processor. Also, it stores keys and performs encryption/
decryption.
To better manage the power consumed by the terminal,
this board also allows the DS5002 to be programmed to turn
itself on. Awakening the DS5002 is done by the 80C186
processor.
50
between.
Audio Control
The audio control within the ASIC activates an external
beeper in the communication module. The beeper is a fixed
frequency device.
Keypad
The keypad circuit scans a matrix of 19 keys through a set
of row and column connections on the PCB. A depressed key
can be detected by activating one of the three ASIC row
drivers and reading back which of the 8 columns had gone
high. The columns are returned on the peripheral data bus.
By decoding the row and column positions, the processor
can determine which key is down. Since the data bus is used
by other panel circuitry, scanning the keyboard can only be
done with those devices off. Having another device active
while reading the keypad will not damage the keypad or
to the core through Zebra strip contacts. These contacts and
the board are held in place by the door. Connected through
these contacts and through special connections on the user
keypad matte and on the security board itself is a series
circuit whose purpose is to detect the opening of the case.
The first board, already referred to, includes a micropro
cessor. This board has the ability to control these peripherals
and communicate with the 80C186. It also performs tamper
detection and manufacturing testing.
The second security PCB is a “non-intelligent” board. It
provides tamper detection and manufacturing test, but it
does not control the peripherals (the peripherals remain
under the control of the 80C186). Additionally, a small serial
Panel Interface
The panel interface provides the controls for all of the user
interface peripherals. This includes the display, keypad, and
audio circuitry. The ASIC 304 provides an external periph
eral data bus to these devices as well and the security
processor board. Selection of a device on this bus is done
through the registers in the ASIC. All device selecting and
strobing is done manually by the processor using pro
grammed I/O. When securing the product, the optional
security board can take over the data bus. Once active, all
peripheral circuits are inaccessible to the 80C186. In this
mode, the security processor controls user interface func
the bottom side of the core module. This board is attached
55
60
65
The DS5002 and 80C186 share a bi-directional parallel
port through which all communications take place. This port
includes a set of hardware handshaking signals that respond
to the read and write operations done by the processors.
When opened, this tamper detection circuitry causes the
security board to erase all information it had in storage in
DS5002 and presents a tamper signal to the ASIC.
Transferring Data to One of the Panel Peripherals
The panel data bus consists of a bi-directional 8 bit path
which can be controlled by either the 80C186 or the
DS5002. Transactions on the bus are executed manually by
activating the controls necessary to select, enable or strobe
panel peripheral devices. All devices on the panel bus have
the ability to be both written and read.
PANEL Control Register
The panel control register provides low level controls to
peripherals attached to the panel bus. A number of these
controls are disabled when the ASIC is in the secured mode.
The settings held by this register can be read back by the
80C186. The values in the register are described in Table 9.
6,065,679
15
16
TABLE 9
TABLE 9-continued
KEYH ENB (Bit O)
This bit is used to enable keyhit interrupts to the 80C186.
When enabled, any high signal on the panel bus will result in a
keyhit interrupt. This interrupt is useful when the panel is in
protected mode and the DS5002 is shutoff. While in this mode,
the interface can be set with all of the keyscan active. If a
key is depressed, this interrupt is generated. Setting this
bit will enable the interrupt. A hardware reset clears this
bit.
IBF ENB (Bit 1)
The IBF enable is used to enable an interrupt generated by the
DS5002 when it reads data from the panel data register. When
set this interrupt source is enabled. A hardware reset clears
his bit. When the DS5002 is not present, this bit should
remain cleared to prevent unwanted interrupts from occurring.
OBF ENB (Bit 2)
The OBF enables is used to enable the interrupt generated by
he DS5002 writing to the panel data port. When set this
interrupt source is enabled. A hardware reset clears this bit.
When the DS5002 is not present, this bit should remain cleared
o prevent unwanted interrupts from occurring.
DATA ENB (Bit 3)
This bit is used to enable the panel data register onto the
panel bus. When set, the data register is driven out.
5K RST (Bit 4)
This bit controls the signal level driven by the ASIC's 5KRST
pin. When set, the DS5002 is held in a reset state. Hardware
reset will set this bit.
set and the ASIC is in a non-secured state. A hardware reset
will clear this bit.
10
Panel Data Path
15
is removed.
the DS5002 is selected. A hardware reset will cleared this bit.
DISP CS (Bit 10)
This bit controls the signal level driven by the ASIC’s DISCS
pin. This pin is attached to the display controller on the core
board. When this bit is high the controller is selected. This
control is used for both reading and writing the controller
registers.
PAN WR (Bit 11)
This bit controls the signal level driven by the ASIC’s PANWR
pin. Setting this bit will write data into the DS5002 RPC port
20
25
30
written to. When not secured, all bits are both read and
35
TABLE 10
40
Name
Function
Bit settings
76
45
50
MISC O
Keyscan and audio enable
OO
MISC 1
MISC 2
Unused
LCD contrast
O1
1 O
MISC 3
Backlite and readback pointer
11
KEYSCAN (Bit 0–2). (Misc 0)
These three bits provide the column selects for the 19 key
keypad matrix. Each bit ties to one of three ASIC PINs. Each
PIN, when enabled by setting its SCAN bit high, drives a high
evel to the column of keys it is attached to. When low, the
ASIC outputs tri-states. When a key is depressed, it will
return a high level to its appropriate panel data bus bit.
Reading the panel data port will return the depressed key
ocation.
55
KEYHENB (Bit 3) (Misc 0)
This bit enables key detection by the 80C186 when the panel
interface is secured. Typically, this feature is only enabled
by the DS5002 but since the dual processor mode shares these
ports, this bit is visible to the 80C186 when not secured.
60
AUDON (Bit 4) (Misc 0)
The bit controls the activation of the beeper. When set, the
ASIC will output a high level on the BEEPER PIN. This PIN is
attached to a drive transistor on the communication board whose
reset will clear this bit.
IBF OUT (Bit 14)
This bit controls the signal level driven by of the ASIC’s IBF
pin. The IBF OUT pin is only an output when the PMODE bit is
Embedded addressing provides a method of expanding
the registers available through the panel bus without adding
significant decoding requirement to both processors. The
register levels and bit assignments are decoded as follows in
Table 10.
controller writes and cleared for reads. A hardware reset will
clear this bit.
PAN ADD (Bit 13)
This bit controls the signal level driven by the ASIC’s PANADD
pin. This pin is used to select one of the multiple registers
in either the display controller or the DS5002. Prior to
activating either the PAN RD or PAN WR bits, this bit should be
set. While in secured mode, this bit is inoperative. A hardware
issued to either the display controller, MISC registers or the
DS5002. When the ASIC is secured, the panel data register
is attached directly to the DS5002 not to the other periph
erals. The panel data register must be enabled on the panel
bus using the DATA ENB bit in the panel control register.
MISC Control Register
This register is used to select features associated with
either the display or keypad operation. As noted below, this
register has four levels to it. Selecting a particular level is
done by specifying it using data bits 6 and 7 in the 16 bit port
data word. One half of this register is affected by the security
setting on the ASIC. If security is enabled, only the upper
eight bits of this register can be read-none of them can be
write-able
or it will enable read data or strobe write data from the
display controller. When accessing the display controller, the
PAN RD bit determines cycle, reading or writing data. This bit
acts as a strobe only. It not functionally related to the type
of operation.
PAN RD (Bit 12)
This bit controls the signal level driven by the ASIC’s PANRD
pin. This pin is used for reading data from the DS5002 and
defining the type of cycle being issued to the display
controller. When set, and 5002 CS bit is set (non-secured
mode), the DS5002 will output its data to the panel bus. When
accessing the display controller, this bit should be set for
The panel data register is used hold data to be written into
a peripheral on the panel bus. Since the mode of the panel
data bus can change, the selectable peripherals can vary as
follows. When the ASIC is un-secured, this data can be
T CAP (Bit 5)
This bit is used to reset an internal ASIC latch that captures
amper circuit transitions generated during product test.
During normal operations, this control will not be used since a
amper condition will remain latched until the backup battery
P MODE (Bit 8)
This bit specifies the operational mode of the ASIC IBF and OBF
pins. When this bit is high, and the ASIC is in its non-secured
mode, the OBF and IBF pins are driven by the ASIC. The OBF and
IBF pins' polarity are determined by bits 11 and 12 in this
register. When P MODE is low, the ASIC OBF and IBF pins are
inputs. In this mode, these pins can read and enabled as
interrupt sources.
5002 CS (Bit 9)
This bit controls the signal level driven by the ASIC's 5KCS
pin, which is used to select the DS5002. When this bit is high
OBF OUT (Bit 15)
This bit controls the signal level driven by the ASIC’s OBF
pin. When the PMODE bit is set, and the ASIC is in non-secured
mode, this pin becomes an output whose level is controlled by
this bit. The PIN driver is an open collector style output, an
external pull-up is used to establish the high state logic
level. A hardware reset will clear this port.
65
unction is to activate the self-oscillating beeper.
CONT [0 . . . 5] (Misc 2)
These bits set the viewing angle or contrast for the LCD.
KEYPTR [0 . . . 1] (Misc 3)
These bits select which keyscan register is read when the
PANRD3 register is accessed.
6,065,679
18
register are compared against the data transferred into the Rx
holding register. The DMA state machine looks for a match
in the holding register only when the protocol bit is set. Once
TABLE 10-continued
PTR
1O
Register
OO
Key scan and misc controls
O1
Audio volume
1O
Contrast setting
1 1
Not used
BK LITEI2 . . . 4] (Misc 3)
These bits select the mode of operation for the backlite
a match is found, all characters are transferred until another
10
character with the protocol bit is found; at that point,
character transfers are disabled and a DMA completion
interrupt is generated. The DMA control bits are found in the
upper byte of the secondary control register.
In the preferred embodiment, the UARTs are assigned the
following channels:
circuit.
SDI
This status bit indicates the security state of the panel
interface. When high, security has been breached.
PROG
This status
OBF IN
bit indicates panel buses mode of operation.
This status bit reflects the state of the OBF handshaking line
associated with the data port between the 80C186 and the
DS5002. When high, the DS5002 has data available for the
80C186. When the DS5002 is not installed, this bit provides the
return data path for information from the serial memory device
on the low security board.
UART 0 Tailgate/DCN (DMA) Direct connect to Comm and PIN
Pad core board
ASIC direct connection
TDM connect to Comm board
UART 3
Modem/AUX
TDM connect to Comm board
UART 4.
UART 5
Pin Pad
Printer
TDM connect to Comm and PIN Pad board
TDM connect to Comm board
20
The following data channels can be manually controlled
through the TDM registers:
IBF IN
This status bit reflects the state of the IBF handshaking line
associated with the data port between the 80C186 and the DS5002.
When high, the 80C186 has written data to the port.
UART 1 Core SCR
UART 2 Comm SCR
T CAP
This status bit reflects the state of the tamper capture
register. This register is used when testing the tamper circuit
on either the low level security board or the DS5002 security
board. This register is cleared by the TCAP ENB bit in the panel
control register.UARTs
SCR Core
SCR Comm
15 UART 1
UART 2
25
UART 3 Modem/AUX
UART 4 PIN Pad
UART 5 Printer
30
This section describes the six Universal Asynchronous
The TDM output register, when selected to drive these
lines, can place the associated UART output PIN in either a
high or low state.
Receiver/Transmitter (UART) channels within the ASIC.
Fractional Divider/Baud Rate Generation
control registers, status register and baud rate generator.
Data is transferred between RX and TX shifting functions
independently. This gives each channel full and half duplex
capabilities. All of the UARTs connect to the 80C186. Data
exchanges can be managed with either interrupts or polled
operations. Additionally, one UART can be programmed to
transfer data using the 80C186's direct memory access
clocks for the Standard and Smart Card baud rates. The first
Each channel includes a transmit shifter, receive shifter,
(DMA).
Three fractional dividers are supplied to create baud
35
the standard baud rates. Its output is brought into a divider
to supply all the standard baud rates. The fractional divider
should be programmed for the highest baud rate necessary.
This configuration will allow all standard baud rates. The
40
Each UART is able to detect framing status, parity, and
buffer overflow conditions on the data it has received. Status
is collected on a per-character basis. For these channels,
45
The fractional divider has two registers: an 8-bit schedule
and an 11-bit divider/fraction register. The divider value sets
period of the output signal. The fraction value is the denomi
nator of desired fraction. The values placed in the divider/
fraction register are one less than the value intended. The
50
schedule value indicates the numerator of the fraction.
55
output waveform toggles and inserts an extra PCLK in the
timing based on the schedule register. The bit pattern in the
schedule register should be evenly dispersed.
The resulting output frequency follows the following
UARTs 0,3–5 have transmit flow control which, when
enabled and CTS inactive, will prevent the transmit shifter
from loading data held in the TX holding register. Characters
being shifted will not be affected by CTS inactivation.
Disabling the transmitter will not truncate a character. The
RTS enable in the control register is a general purpose
control—it has no effect on the shifting circuitry.
At each Terminal Count (TC) of the fraction reg, the
UARTs (0,3,4,5) have a noise filter on the receive serial
line. This 3-of-5 vote filter will prevent serial line noise
glitches from starting a false character start bit.
second fractional divider (1) is used to generate the baud
rates for the core Smart Card UART (1). The third fractional
divider (2) is used to generate the baud rates for the Comm
module Smart Card UART (2). The outputs are used as the
x16 clock for the UARTs.
reading the holding register (16-bit wide) will clear the
status flags.
fractional divider (0) is used to generate the base clock for
The DMA function allows direct transfer of data between
formula:
a holding register of UART 0 and memory. The DMA can
only be attached to one shifter (80C186 programmable,
either Tx or Rx buffer). This restricts DMA operations to
half duplex exchanges only. DMA can support 8-bit and
Fin . M.,
F., = —
* - WITVII.x, S.T.
60
16-bit wide transfers on the receive and transmit. If 8 bit
transfers are executed on the receive, the per character status
information is lost.
Md = Divider
The DMA circuit has two compare registers which can be
used to enable or disable data transfers based on serial data
received. Only compare register 0 can adjust for frame size.
With data compare enabled, the 8-bit values loaded into the
Fin = Input Frequency = 12 Mhz
Mn = Fraction Denominator
65
Sched = Sum of the Schedule bits
6,065,679
19
20
Refilling takes two cycles before a match can be made. Once
the queue is enabled it cannot be disabled. DMA bus cycles
operate under the same constraints as the listed CPU cycles.
The Fraction/Divider register bit definitions are:
7:–0:
Divider Register
MMU/Protection Selects
This is the whole number part of the divisor. Its
The memory management unit (MMU) provides pro
grammable mapping of the CPU’s 1 Megabyte (MB) logical
value is one less than the intended value.
10:—8:
Fraction Register
The value placed in this register is one less than
the denominator of the fraction part of the
divisor.
10
The Schedule register bit definitions
7:-0. Schedule Register
The sum of set bits in this register is equal to the
numerator of the fraction part of the divisor. The number of
bits used by the scheduler circuit is equal to the denominator
of the fraction. The bits are used from the least significant bit
15
(LSB) on up. The set bits should be evenly spaced in the
used bit locations. For example, To generate standard baud
rates, an output of 115.2K*16=1843200 Hz. 12 Mhz/
1843200–6.51. Therefore, Md=6 (divisor reg-6–1=5 d (5
h)). If V is used as the fraction, then Mn=2 (fraction
reg-(denominator=2)–1 =1). The schedule register needs 1
one-bit in the lower 2 locations (Sched=1), therefore, the
schedule reg-xxxxxx01 (or xxxxxx10).
The resulting frequency is calculated as
20
tables must be initialized.
25
(12M*2)/(2*6+1)=1846154 with (1843200/1846154)
*100–99.84% accuracy (0.16% error).
Common Values
FD0, Standard Baud Rates: div/frac=105 h, sched=01 h
30
(0.16% error)
FD1, Smart Card Baud Rate: div/frac=505 h, sched=1 Fh
(0.13% error)
35
Memory read 8 bits
Memory read 16 bits
40
45
50
Code fetch 8 bits
Code fetch 16 bit queue match
Code fetch 16 bit queue mismatch
Table initialization takes place through independent I/O
ports to the mapper and protection circuits. A table pointer
is provided to index the 32 locations in each circuit. This
pointer can be set to any one of the 32 table entries. Each
write or read to the associated port will cause the pointer to
advance. The next port access will be to the advanced
location. Since this pointer is shared, the mapper and pro
tection tables must be initialized independently. It would be
fatal if an access to one table port was followed by an access
to the other. The resulting condition could produce incorrect
table information to be written. When the corrupt table is
used, the processor will lose its execution sequence.
A Map Control Register controls operations of the MMU.
The contents of this register are detailed in Table 12.
TABLE 12
55
MMU ENB (Bit O)
This bit is used to enable the memory management unit. Once
set, the chip selects, write protection and extended address
lines will activate as instructed by the contents of the MMU
tables.
0 wait states
0 wait states
0 wait states (odd or even)
2
0
0
2
DMA operations are not affected by the protection circuit.
These bus cycles can write into protected space without
experiencing NMI interrupts or the failure to store informa
tion.
TABLE 11
I/O 8 bits
I/O 16 bits
The MMU also provides protection tables that give the
operating system the ability to lock areas of memory from
write operations. These tables are also indexed by the upper
4 processor address lines. Like the mapping tables, there are
two protection tables. The one select bit in the map control
register selects both map and protection tables. Each bit in
a table entry corresponds to one of 16–4k byte segments
found in the indexed 64K space. When a protected area is
written to, the MMU will generate a non-maskable interrupt
(NMI) interrupt and block the write cycle from occurring.
CPU BIU
The CPU BIU is a circuit used to connect the 80C186 to
its memory and I/O. The data path components translate the
16-bit processor bus to the 8-bit memories. This translation
circuit includes a prefetch queue that fetches the contents of
the next memory location when a code fetch bus cycle is
executed. Since the memory interface is 8 bits, this queue
provides close to 16 bit performance. I/O devices within the
ASIC should only be accessed as 16 bit registers unless
otherwise specified.
There are three different levels of performance delivered
by the 80C186 processor. These levels are controlled by a
combination of the processors internal wait state circuitry
and the ASIC. The first level is established by the processors
internal wait state generator. After reset, this circuit forces
each bus cycle to have a minimum of 3 wait states. Perfor
mance will remain at this level until the application changes
the setting of the processor chip select registers. Once
disabled, the ASIC will control the length of the bus cycles.
Table 11 listed below indicates the different cycle lengths for
various 80C186 bus executions. Before enabling the ASIC
mapper and que circuits, the processor chip select registers
must be disabled from influencing bus cycle lengths.
address space to a 12 MB physical address space. The MMU
is built around a programmable lookup table that is indexed
by the upper 4 address lines from the processor. The contents
of this table create the extended address and provide selec
tions for the six devices connected to the eight bit memory
bus. The extended addressing provides up to 2 MB of linear
space for each of the six devices. From the 4 processor
address lines, 16 table entries are created. Each entry pro
vides 64K bytes of access to the device it selects and the
extended address selects one of 32–64K segments in that
device. The mapper has two of these programmable tables.
They are selected through the map control register. From
power up the MMU is disabled. While disabled, its outputs
are forced to select only the boot FLASH device and provide
access to its upper 64Ksegment. From power-up the mapper
tables are undefined, prior to enabling the MMU, these
wait
wait
wait
wait
60
states
states
states
states
A hardware reset will clear this bit.
65
It will take two cycles for the queue to fill after it has been
enabled. Eight bit code fetches force the queue to purge.
PTR LD (Bit 1)
This bit is used to preset the initialization table pointer. A
low to high transition on this bit will load the pointer with
the PTR bits from this register. Setting the PTR bits and
transitioning this bit can occur in the same output bus cycle.
MAP SEL (Bit 2)
This bit selects which of the two map and protection tables is
used. Low selects PTR entries 0–15, high, select 16–31. The
selected table is taken after this output cycle finishes. A
hardware reset clears this bit.
6,065,679
25
26
At power up, the TDM port is disabled. It should remain
disabled until the core application has determined the type of
device it is attached to. This can be done by reading the
TDM status register and branching on the setting of the
TINO input. If this input is high, the device attached has the
TDM circuitry and TDM port can be enabled If the input is
low, the TDM port must remain inactive. Without the TDM
port, the Core directly drives two of its UARTs out over the
TDM signals.
Operations of the TDM bus can be controlled through
TDM Control Register which is further detailed in Table 16
and a second TDM Control register detailed in Table 17.
The comm module detects an incoming frame by the recep
tion of the sync field. The pattern of this field is unique to the
high level idle state of the bus. The frame bit assignments are
as follows:
CORE SYNC
CORE ADD
CORE CMD
CORE DATA
CORE CHECK
10
:
TABLE 16
CTLO (Bit O)
This bit can be used as a general purpose output when the TDM
is disabled and the MODE and TDM ENB bits are low. The ASIC
TCLK PIN follows the setting of the bit. A hardware reset
clears this bit.
MODE, TDM ENB (Bit 1, 2)
The following defines the function of these two bits. A
hardware reset clears both of them.
FuncMODE TDM ENB FRAME
tion
bit
bit
PIN
TCLK
PIN
Man Out
Input
pulldown
pulldown
TDM
TDM
O
O
FRAME pulse TCLK pulse
BBD
PIN
TDMI
PIN
TDMO
PIN
PRN RXD SCR2 TXD
PRN RXD SCR2 TXD
O
O
TDMI
BBD
SCR2 RXD
SCR2 RXD
O
TDMO
MOD TLK (Bit 3)
Modem talk control.
RTC CLK (Bit 4)
Real Time Clock. On the slave/secondary ASIC, this signal is
used to clock data into an out of the RTC. Data is input to the
RTC on the rising edge of this control. Data is output from the
RTC on the failing edge.
RTC RST (Bit 5)
Real Time Clock reset. This signal resets and initializes the
RTC. When low the RTC is reset and it will ignore all other
control inputs.
RTC DOUT (Bit 6)
Real Time Clock data out. This open collector signal presents
data to the RTC. When low, a low is seen on the RTC bi
directional data PIN. When high, the data PIN is pulled up by a
resistor. Data written to the RTC must be presented before the
RTC CLK is raised.
CTL1 (Bit 7)
General purpose output. This control is output only able when
he MODE setting low.
MOD TST (Bit 8)
Modem Test control.
Status of the TDM can be obtained from a TDM status
register and a TDM Status register.
-continued
50
LINE CONDITION
LINE TURNAROUND
COMM READY
COMM TX Error
COMM DATA
COMM CHECK
LINE TRI-STATE
TABLE 1.7
ENB SCC, IPTR, EXT1-3
These controls are used to enable the interrupts from their
applicable source. When set, the interrupts are passed through
to the processor. A hardware reset will clear these bits.
Byte Bus
The byte bus is a clocked bi-directional interface used to
send high level command and status information between
the core and Comm modules. All bus operations through this
port are initiated by the core. A bus cycle begins by the core
transmitting to the comm module. As part of this cycle the
comm module returns a response. The bus cycle is made up
of 55 clocks. These clocks are associated with 32 bits of
information transmitted by the core. 18 of the bits are
returned by the comm, and 5 bits are for line coordination.
55
The definition of these bit assignments is detailed in Table
60
18.
TABLE 1.8
CORE SYNC
65
The sync field is used to enable the comm receiver to the
incoming frame information. This pattern is equivalent to a
81H.
6,065,679
27
TABLE 18-continued
TABLE 1.9
Byte
CORE ADD
The address field is used to select a byte bus peripheral.
This field can address up to eight devices.
Description
WRITE - Control port
CORE COMD
15–10
9, 8
7–0
The command field identifies the type of I/O operation that the
selected peripheral is to perform.
CORE DATA
The data field transfers data to the selected device.
CORE CHECK
The core check character is an 8-bit CRC used to validate the
10
data sent by the core. This check character is matched by the
12
command returned as a communication transmission error if it is
11
incorrect. This error code is returned in the same bus cycle.
15
20
These bits are used as padding to allow the core transmitter to
turn off and the comm transmitter to turn on. During this
interval, the information on the bus is invalid.
25
This bit indicates the comm ASIC is ready for another
transaction.
COMM TX ERROR
30
is good, the value of this bit can be used; if bad, the entire
operation is in question.
COMM DATA
Data returned by the comm is in response to either the prior
command or the general status. A valid check character must be
received before this information can be used.
COMM CHECK
The comm check character is an 8-bit CRC used to validate the
35
response from the comm module. If this check fails, a system
error response should be issued to the operator. Any attempt
soft reset command to the interface.
LINE TRI-STATE
40
release its drive on the bus. The core is able to start a bus
cycle whenever the bus is not busy.
45
50
55
The byte bus interface is a single 16-bit read/write port
within the 186's I/O space. It is used to access byte wide
peripherals within the communications module. A byte bus
transmission is initiated by the processor writing to the byte
bus I/O port. A complete write or read cycle to or from a
peripheral is executed within the byte bus cycle. The byte
bus front end has a five deep command first in first out
60
(FIFO) buffer for queuing up Byte Bus instructions. This
FIFO should be used only for consecutive writes to byte bus
peripherals. The byte bus port is defined as follows in Table
19.
RFU:
Data: Data returned from a byte bus peripheral.
Magnetic Stripe Reader
The magnetic card reader 68 is preferably a swipe style
magnetic card reader capable of reading cards encoded with
data conforming to ISO 7811-4 for IATA (Track 1, 210 BPI)
and ABA (Track 2, 75 BPI) tracks, and ISO 7811-5 for the
THRIFT track (Track 3, 210 BPI). Of the tracks listed, only
1 & 2; and Tracks 2 & 3.
Software and hardware will preferably support card swipe
speeds between 5 and 45 inches per second. The reader life
is roughly 300,000 passes. The only ongoing maintenance
required is periodic head cleaning to remove oxide buildup.
If a card is put in on top of the magstripe head, the head will
not be damaged and will still read future cards reliably. The
reader will also preferably have the ability to read high
coercivity magstripe cards.
The system/terminal can preferably have up to two IC
card readers. The Core unit 30 will preferably always have
the card reader 80. The second reader 130 can optionally be
added to the communication module 100. Both card readers
This is the end state to a bus cycle The comm module will
For a device in the comm module to request service one
of the four TDM interrupt sources can be programmed to
interrupt the core processor. This interrupt request is trans
ferred through the TDM port. In response, the main PCB
will have to query the comm peripheral to determine its
needs. The comm module cannot initiate a byte bus cycle
directly.
8
7–0
Tx error: The communication module reports a CRC
failure on the packet received from the core
module. No Byte Bus peripheral cycle was executed.
IC Card Reader
to recover from this error should assume that the last command
issued did not execute correctly. Recovery includes issuing a
CRC error: The CRC check failed on the packet
received from the communication module. The
returned data is invalid.
two can be installed in a product. Configurations are: Tracks
This bit informs the core that the transmission just sent did
not validate correctly. Before acting on this setting. The
comm check character must be validated. If the check character
10
9
LINE TURNAROUND
COMM READY
Tx FIFO full: The five deep FIFO is full and cannot
accept additional commands.
Byte Bus Idle: The byte bus cycle is complete. Data
has been written or can be read.
LINE CONDITION
The line conditioning bits force the level of the bi
directional line to a high state. This conditioning overcomes
a possible low level float state left by the check character
output. Once the line conditioning bits have been issued, the
pull-up on the bus will keep the line at a high level.
Conditioning is necessary since a constant high returned by the
comm module will generate error (check character failure). If
the line were left to float up, it might not return high by the
beginning of the comm module’s response.
Peripheral Address: A5–A0
Byte Bus Command: read, write or reset
Byte Bus Data: Data to be written to a byte bus
peripheral.
READ - Status port
65
80 and 130 will conform to the ISO 7816 specification. Card
clocking is set by the ASIC or manually clocked by the
microprocessor of the main board 46. Communication data
rates are adjustable to conform to the clock rate. For most
microprocessor cards, serial data is exchanged using a
typical asynchronous 10 or 11 bit format with parity. Detec
tion of improper parity is done by the hardware. If a parity
error is detected, the hardware can be configured to
re-transmit the same data. To ensure glitch free operations,
all driven card contacts are switched using a common clock
source. The affected signals are the power, clock, data and
reset. To power the card, the interface uses a disable-able
linear regulator. This regulator maintains a constant voltage
to the card and, at the same time, it checks for error
conditions. These conditions include overvoltage and
undervoltage, over current and over temperature. A fault
detected by the regulator is returned to the microprocessor.
Each card acceptor has a card insert contact. This contact
must be made before power can be applied to the card. If this
contact is broken while the card is powered, the hardware
will immediately turn off all driven card contacts including
the linear regulator. For diagnostic purposes, all driven
contacts can be readback. This permits detection of foreign
materials placed into the terminal. Since the two card readers
are independent, different card types can be read simulta
neously. Both card readers expect CR80 card form factors.
6,065,679
29
30
The embodiment of the POS terminal shown herein
this process is managed by the secondary/slave ASIC 306 on
includes a standard type of smart card reader, with a second
smart card reader option on the communication modules.
These smart card readers are preferably contact readers
the Communication (or Comm) board 126. When a row of
which do not read contactless cards. The standard Smart card
reader is located at the front of the core unit for easy card
insertion by the operator. The standard IC card reader has a
life of preferably about 200,000 inserts, while the second IC
card reader has a life of preferably about 10,000 inserts. The
standard card reader will accept the following card specifi
10
cations: Microprocessor cards (Contact, ISO position, T=0,
T=1, meets Europay/MasterCard/Visa (EMV)
specifications) and Serial memory cards. Preferably, the
smart card reader will read a number of serial memory cards,
including the following: Gemplus 416, Thompson ST1305
15
(without VPP), Gemplus GPM896, and Siemens E2PROM
serial memory cards.
The 2and smart card reader will accept the same micro
processor and serial memory cards specified for the standard
smart card reader. Preferably both the smart card readers
20
have a slight card securing mechanism (so the card does not
fall out or terminate transaction when the POS terminal is
bumped) and has a perceived “click” so customer knows his
card is inserted properly. It is a half insert reader with the
card visible at all times. It preferably includes error handling
25
software (following EMV and 7816 specifications) . The
POS terminal will withstand a drop from 48 inches onto the
card when card is inserted into POS terminal. The reader has
card power management according to the EMV specifica
tion. The card can be removed by a consumer without
special tools if power is lost.
The optional 2and smart card reader is located on the
30
bottom of the communication module. This will read a
standard size card. There is an optional security door that
covers this reader. This will be used by merchants who do
not want the 2and smart card reader accessible by consum
ers. The door can only be opened by inserting the tip of a
35
smart card into a small hole next to the reader. When both
smart card readers are installed, they can be read “simulta
neously” with non-multiplexed ports. Additionally, the 2and
SCR can also hold a plurity of SAMs which are multiplexed
to a UART through the byte bus and TDM bus.
40
Printer
The printer 108 is a user installable module that can be
optionally attached to the rear of the Communications
module 100. Although the printer 108 can employ a variety
of conventional printing techniques such as dot matrix or
laser printing, it is preferred for the printing process to be
done thermally. In the preferred embodiment, printed
receipts exit the module’s enclosure from the top of the unit.
A serrated tear bar, built into the printer enclosure, will assist
in removing forms. Within the printer module 108 is the
printing mechanism, printer drive circuit board, and a paper
roll. The enclosure is designed around a two piece ABS
plastic assembly. There is space within the enclosure for a
2-inch paper roll.
Motor and print head controls, as well as temperature
sensors, are part of the printer PCB. The comm board 126
45
50
receipts (assumes 2 copies of each receipt). The large paper
roll option is about twice as long and should print approxi
mately 250 receipts. They both have the same 2%" width
paper. To fit each size paper, there are two paper roll cover
options. These snap on easily for replacement purposes.
Since this is a thermal printer which can only print on one
ply paper, a second receipt copy will need to be printed for
the customer copy. The paper feed capability will be handled
through software. The typical duty cycle will be a 40 line
receipt (a 20 line receipt printed twice for a customer and
merchant copy).
In environments needing higher speed or other printing
functionality, an external printer can connected through an
RS232 port. In this case, the integrated printer need not be
present. The POS Terminal might also include a high speed
integrated printer.
Memory
The POS terminal memory is made up of a combination
of both static random access memory (SRAM) and Flash.
SRAM is generally used for data that changes (ie. batch data,
negative files, application working space). Flash memory is
generally used for the application code and operating sys
tem. This is done for performance reasons—Flash is fine
when reading data, but slower than SRAM when changing
data. Flash is less expensive than SRAM, which is why it is
preferred for constant data.
Since the operating system is in SRAM or flash memory,
it can be downloaded to a POS terminal remotely, without
having to physically replace EPROM chips. In one
embodiment, the operating system is approximately 128Kin
size, with the remaining memory available for applications
and data.
55
Memory can be configured to meet specific application
requirements. This configurable memory is in addition to the
memory present in the core PCB. In one embodiment,
memory is expandable up to 3.7 MB. For the unbonded POS
terminals, memory upgrades can be done by service tech
nicians in a depot environment. For bonded POS terminals,
the POS terminals must be sent back to the factory (or
service locations if they have bonding equipment).
has the control circuits that advance the motors and activate
and regulate the print dot thermal process. Power for the
printer comes from the communication module 100. The
printer PCB and comm board 126 are connected through a
card edge connector 110. If the printer mechanism fails
while it is printing, it can be removed without causing
damage to either the control or communication boards.
The printing process is preferably done one vertical
column of eight bits at a time. The activation and timing of
dots requires printing, the secondary ASIC serially shifts the
necessary data into the printer module print head and turns
on the print head power. The activation time varies based on
prior bit activity and the print head and ambient temperature
measurements. Upon completion, the print power is turned
off and the secondary ASIC advances the head to the next
column. This sequence continues until an entire row has
been printed. At the end of a row, the paper is advanced and
the printing process continues in the reverse direction.
The microprocessor of the core PCB 46 is involved with
issuing data to be printed and head activation duration. It
also controls head and platen advancement by clocking the
stepper motor drive circuits on the printer control board. The
temperature measurements are sent back to the core micro
processor as well as a head home sensor. In the embodiment
shown, there will be two paper roll options. The small paper
roll option is 82 feet long and will print approximately 125
60
65
Circuit Features
In the preferred embodiment, an audio transducer allows
for an audible beep, activated through software control and
used mainly for error conditions. This is not a full speaker
with multiple tones for use in modem communications. An
external speaker attachment might also be used. A real time
clock and battery is used in all communication modules
except the PIN pad module.
6,065,679
31
32
Connectivity
A local area network (LAN) capability allows connection
of several devices in a multi-LAN environment. The POS
Terminal might be used in a peer to peer LAN. The terminal
will be able to handle either positive or negative polarity. In
one embodiment, up to 31 devices can be connected within
3,000 feet of cable. Peripherals supported include external
PIN pad, external printer, check reader, bar code reader, and
signature capture device. The peripherals are preferably
connected through a RS232 serial interface. The POS ter
minal will support connectivity to the IBM 4683 ECR
10
UL 1950 Listed (U.S.)
C22.2, No. 950 (Canada)
TUV EN 60950 (European)
through either a RS232 or RS485 (high speed tailgate)
interface. It will attach to other ECRs, such as NCR 2127,
through a standard RS232 interface.
The POS terminal will support two types of ECR con
nectivity. In semi-integration connectivity the sale amount is
transferred from the ECR to eliminate duplication entry on
the POS terminal. The receipt information is also sent to the
ECR for printing. The terminal still handles all EFT com
munication. With total integration connectivity, the ECR
15
20
simply handles customer data entry functions, such as card
acceptance, confirmation of amount, and PIN entry.
The PIN pad version will be able to support an RS232
25
directly to the PIN pad, which processes the data, sends it off
to the host via the LAN, and returns a response back to the
ECR. A “Y” cable with power pack might be used for this
purpose.
ECR interface will be available for various Models of
30
ECRs including the IBM 4680, the NCR 2127, etc. The POS
terminal PIN pad will emulate the NCR 4430 PIN pad. In
one embodiment, it will emulate 12 of the total commands
available on the 4430, which are the most common PIN pad
35
functions.
A Multiple Emulation PIN Pad Application (MEPPA)
interface is also available. This includes both the Visa
command set for DUKPT and the extended command set for
40
The user or merchant should be able to attach and
45
needed to attach/disconnect the communication modules or
add memory using special handling techniques. If the unit is
50
back to the factory for upgrades or repairs. Also, through a
service contact, the modular pieces of the OS can be updated
through a remote communication link.
recommended to protect against lightning strikes in areas
prone to this.
Operating System
In the preferred embodiment, the operating system is
characterized by multi-tasking available at the application
level, a flexible development environment with Unix-like
interfaces and support for C language applications. Multiple
applications will be supported in the same terminal. The
different applications can be downloaded separately and are
protected from each other. The operating system supports
interchangability of terminals on the LAN.
The workstation will be designed to remember its last
default settings—address, printer, other peripherals, etc. On
power up, the terminal is designed to auto-install and
configure from the gateway. Memory overwrite protection
on 4K maps for static RAM is included.
Each object is a sub-system of the OS. For example, a
particular DISPLAY or a download protocol are objects.
Furthermore, each object performs OS work through mem
is a member function that reads data from the selected
sc CARD object.
This approach allows various operating system models to
be built with different objects to fit within the same memory
constraint. Alternately, several memory constants can be
defined to allow families of operating system models. For
example, four OS models (one family) can be created that
act the same except for different download protocols, as well
55
60
within 15 minutes.
Processor
One embodiment of the POS terminal core unit has a
There is also a high security version of the core unit, which
as required (Canada-IC CS03 for auto dial, IC CS02 for
leased line and U.S.-FCC Part 68). A surge protector is
as another two models (a second family) that act the same
Telecommunications
80C186 processor which runs at 12 MegaHertz (MHz). It
has the capability of performing DES/RSA encryption and
has tamper detection and bonding (PIN pad only) options.
Terminal hardware shall be designed to be registered
under the rules for devices connecting to the public switched
telephone network in the U.S., Canada, and other countries
ber functions (alternately just functions). A member function
is an operation on an object: for example, read(sc CARD,.)
disconnect the integrated printer and battery pack without
needing a service technician. A service technician will be
The standard modem on the communication module sup
ports asynchronous communication. The enhanced commu
nication module supports synchronous communication. The
base modem handles at least 2400 baud, with fallback ability
to communicate at 300/1200. A typical 256K application
should be able to be remotely downloaded at 2400 bps
“CE” Mark (European)
The operating system (OS) consists of a set of objects.
Master Key Session Key. This emulation will allow the POS
Terminal PIN pad to connect to various existing terminals.
Visa is also a common protocol used to communicate with
RS232 “PC type” ECRs.
Modularity
bonded, the unit cannot be disconnected and must be sent
Electromagnetic Compatibility
Telco
handles EFT communication to the host. The POS Terminal
ECR connection and RS485 LAN connection at the same
time. This will allow the ECR to send transaction data
in one embodiment has a Dallas 5002 secure chip in addition
to the 80C186 processor. This might be used for environ
ments where very high security is required, such as PIN
encryption in Canada and some parts of Europe. This
version will generally have tamper detection and be bonded
for tamper evidence.
Agency Certifications
This POS Terminal will preferably be certifiable to meet
the following standards:
Safety
except one model can download with either protocol A or B,
and the other with either protocol C or D.
The preferred embodiment OS includes the following
identified classes of OS objects:
Input/output devices
keyboard
display
tone
clock calendar
65
ms card
sc card
modem I/O
6,065,679
33
34
-continued
call
call
serial I/O
printer
communication layer (e.g., network interface card (NIC))
debugger
diagnostics
downloader and protocol
2. OS Stub Function—-Function Table Jump Code
OS kernel.
user interface (e.g., director)
10
Each particular class of objects may have one or more
objects; for example, there may be two display objects
because there are two different types of display hardware.
Even with this difference, there can be some functions that
are the same for similar objects.
Other benefits accrue with this object approach. For those
familiar with the Object-Oriented methodology, encapsula
tion occurs as a by-product. Encapsulation hides the internal
workings and data from other object. It permits access only
through well defined external operations, i.e., member func
tions. Encapsulation reduces coupling, and hence increases
reliability.
Besides previous definitions for objects, classes, and
member functions, two other terms are defined, including
interface and vectoring:
Interface is the code and data structures set in place to
transfer to an OS object from the application or another
OS object, as well as return to original caller.
Vectoring is one means of transferring control. Vectoring
uses addresses pre-stored in the interrupt vector loca
tions starting at location zero. Vectoring OS accesses an
15
20
FctTable, using the function index (which is usually set to a
multiple of two for indexing near pointers). To make error
function table jump code.
25
Case (2.a) non-device input/output:
wait proc;
30
40
ax, OFCT INDEX FOR wait * 2:
In Ov
jmp
read endp;
go io proc;
as, OFCT INDEX_FOR read “2;
go io;
In Ov
bx, sp;
In Ov
shl
bx, word ptr SS:[bx+4],
bx, 2;
jmp
go io proc;
ObjectTable[bx];
3. Function Table Jump Code—"Actual OS Function
45
50
The function table jump code transfers to the actual OS
function by using the member function index into the
object’s FctTable. The function table jump code is required
to be at the start of each object, followed by its FctTable
containing near pointers (offsets) to every externalized
member function. This implies that all member functions of
an object are contained in one segment (64K maximum).
The function table jump code is:
non-existent member functions.
55
mov by, ax;
same object and are translated as near (16 bit) calls.
Inter-object calls are calls from one object to a different
object. Since each object will be linked separately, access to
other object’s member functions can not be done at link
time. Instead, they will be dynamically linked by vectoring
In Ov
jmp
ObjectTable+(OBJ INDEX_FOR os “4)];
wait endp;
Case (2b) device input/output:
read proc;
35
checking easier, near pointers to a dummy function, which
always return SYSERR, are stored in the FctTable for
Two types of calls within the OS can be done: intra-object
and inter-object calls. Intra-object calls are calls within the
becomes the object index. Then the address of the OS object
is determined by indexing into the ObjectTable with the
object index (modified for far pointer indexing, that is,
multiplied by four). In both cases, control transfers to the
indexing into the ObjectTable, using the object index (which
is usually set to a multiple of four for indexing far pointers).
To make error checking easier, far pointers to a dummy
object, which always return SYSERR, are stored in the
ObjectTable for non-existent objects.
A FctTable data structure is an array of near pointers
located within each object. Each near pointer is the offset of
one of the OS object’s member function. The member
function’s starting address is obtained by indexing into the
There are two cases depending whether the OS call is for
device input/output or not. If it not a device input/output call,
the object index is used as is. If it is a device input/output
call, the first parameter (the device descriptor number)
Table
The ObjectTable is an array of far pointers located in the
OS data area. Each far pointer is the starting address an OS
object, which consists mostly of an object’s member func
tions. The OS object’s starting address is obtained by
The OS stub function, representing the OS function, is
linked into the first object’s space with the OS library,
os fets.lib to satisfy the linker. On entry, a register is first
set to the index member function index.
address with a jump (JMP) instruction for performance
reasons, rather than an interrupt (INT) instruction.
Also defined are two data structures, ObjectTable and Fct
wait
read
jmp word ptr cs:[FctTable+bx];
4. Actual OS Function—-OS Code
60
The actual OS function is executed. Then the actual OS
to an OS function (and returning back to the preceding OS
function). This is accomplished as follows:
function returns to the previous OS code, which resumes by
popping any parameters off the stack.
1. OS Code—-OS Stub Function
The OS code first pushes any parameters on the stack.
Then it calls the “OS stub function”. For example, there
could be a wait() or read() OS function called:
65
The interface of vectoring to an OS function from an
application (and returning back to the application) is dis
cussed below in reference to Table 6.
6,065,679
35
36
TABLE 6
Application to OS Interface Example: read ( CARD, . . )
return status;
F012 : 345 6
int card read ( CARD . . . )
F012 : 0013
F012 : 0011
FO 1.2 : 00 0 7
FO 1.2 : 00 05
F012 : 00 00
Card- jmp ce: [FCtTable-bz ||
Object: mov ax, bx
|ApToos Exit
|ApToos Entry
jmp es: [OFctVecnbrº 4 || ––––––––––––
mov
xor
mov
mov
es,
dx,
ax,
br,
dx
dx
OFC tindex *2
OIndex * 4
read (ms CARD, ...)=>call read | -----------App Start
Application code and data
0 0 70 : 1 0 1 0
0 0 70 : 100 4
0 0 70 : 100 0
ObjectTable[0]
0 000 : 00 00
Table 6 shows a preferred method for the application to OS
interface, which is used in conjunction with the following
2. Application Stub Function--ApToQsentry
The application stub function, representing the OS
60 function, is linked into application space via the application
steps.
library, app.lib. Indexes to the object and member functions
1. Application Code—-Application Stub Function
are passed via registers and control is given to the common
The application code first pushes any parameters on the entry,
ApToQsBntry, of the operating system with an inter
stack. Then it calls the “application stub function”. The rupt vector.
A far indirect jump instruction (with some allied
application code is:
code) is used for performance, rather than an actual vectored
call read
interrupt instruction (INT OFctVectorNbr). The code is:
6,065,679
37
38
OsPunction proc;
In Ov
bx, OINDEX_FOR object + 4;
In Ov
XOjº
ax, OFCT INDEX_FOR function * 2;
dx, dx,
es, dx,
In Ov
jmp
OsPunction endp;
5
es:[OFctVector.Nbr t 4],
10
The interrupt vector address (OFctVectornbrº4), set at
terminal start up, transfers control to the operating system at
its common entry, ApToQSEntry.
3. ApToQsentry--Function Table Jump Code
ApTo Osentry is the common entry into the operating
system. Its module file also contains the common exit. This
single point design permits different hardware application/
OS modes, as well as easier implementation of certain
debugging techniques.
The responsibility of ApToQsÉntry is to give control to
the proper OS function. Table 7 shows sample ApTo Osentry
code in the C programming language. It will be appreciated
by those skilled in the art that assembly code could be used
for improved performance.
15
(modified for far pointer indexing, that is, multiplied by
four). Finally, control transfers to the function table jump
20
4. Function Table Jump Code—"Actual OS Function
The function table jump code transfer to the actual OS
function by using the member function index with the
object’s FctTable. The function table jump code is required
to be at the start of an object, follow by its FctTable
TABLE 7
//-------------------------------------------------------------------------
// ApToOsBntry - Application to OS vector entry to call a object member fet.
//-------------------------------------------------------------------------
int huge ApToOsBntry
{
//CAUTION: assumes registers bp, si, di, & ds pushed by prolog code.
Uint
IODeviceOIndex)
// If io call, object/dev idz/no.
{
Uint
Uint
OIndex = BX;
FIndex = AX;
// Passed in as far pointer idz.
// Passed in as near pointer idx.
// -----------------------------------------------------------------------
// Get actual object index if object is an i?o device.
// -----------------------------------------------------------------------
if (OIndex == 0)
{
if (IODeviceOIndex >= MAX OBJECTS)
{
goto exit;
// Device object does not exist.
}
OIndex = IODeviceOIndex * sizeof (void far *);
}
// -----------------------------------------------------------------------
// Save caller’s return in its proctab entry & set to return back here.
// -----------------------------------------------------------------------
proctab?currpid].paddr = *StackVoidPtr(2);
*StackVoidPtr(2)
= OsToApExit;
// -----------------------------------------------------------------------
// Restore regs, push address and goto object’s function table jump code.
// -----------------------------------------------------------------------
asm { pop dx, pop di; pop si; pop bp \;
*StackVoidPtr(0) = ObjectTable[OIndex / sizeof (void far *)];
asm { mov ds, dx, mov ax, FIndex; ret };
exit:
This ‘c’ code is designed to accomplish several tasks.
First, if the object is an input output device, the caller’s first
parameter (the device descriptor number) is used as the
actual object number, unless the device number is illegal. In
this case, return is made to the application caller with error;
otherwise the object number is converted to a far pointer
index.
Next, the application caller’s return address is saved in the
process table (proctab) entry corresponding to the current
OS process; and the caller’s return address on the stack is
overlaid by the common exit address, ApTo Osexit, in order
to regain control after the OS function completes.
Then the address of the OS object is determined by
indexing into the ObjectTable, using the object index
// Error: device object does not exist; return with error.
return SYSERR;
}
// -------------------------------------------------------------------
// Os?oApExit - Return to application caller after an OS call.
//
// On entry and exit, the stack (ss:sp) points to caller’s first parameter.
// -------------------------------------------------------------------
static void huge Os?oApExit(void )
{
//CAUTION: assumes registers bp, si, di, & ds pushed by prolog code.
code.
containing near pointers (offsets) to every externalized
member function. This implies that all member functions of
an object are contained in one segment (64K maximum).
The code is:
6,065,679
39
40
mov by, ax;
-continued
jmp word ptr cs:[FctTable+bx];
5. Actual OS Function—-ApToQsExit
The actual is OS function is executed. When it exits, it
returns to ApToQsexit.
6. ApToQsÉxit->Application Code
ApToOsBxit does any final bookkeeping processing.
Then ApTo Osexit returns to the application, which resumes
by popping any parameters off the stack.
Diagnostics
In the preferred embodiment, three levels of diagnostics
will be provided:
1. At power up, the operating system will automatically
perform a series of diagnostics such as checking RAM,
ROM, processor and configuration.
2. Diagnostics will be available from the director menu
for the operator to access when needed. This will
include diagnostics such as gathering statistics, keypad
test, and checking for security keys.
3. Several applications will also be available for service
and manufacturing personnel to load for advanced
diagnostic tests and troubleshooting.
10
smart cards such as EMV, MPCOS, PCOS, and SCOS cards.
An OS application has the following system functions
available. The OS functions include the system calls for the
XINU functions and OS supplemental functions, as well as
OS application library functions. The OS functions are
grouped functionally with a brief description, and later some
of the particularly interesting ones are listed again with a
detailed description.
The I/O functions are: close, control, getc, getcwait, init,
open, putc, read, and write. Note that a unique subset of
these functions is meaningful for each device. For example,
Device independent input routine.
Device independent output routine.
nic control
20
Put a character to the display device.
nic count
De-registers a higher level protocol from NIC data
link layer.
Change parameters or clear statistics of a NIC
physical device.
Check the number of packets waiting at a NIC message
type.
25
nic create
Initializes the NIC variables and creates NIC
processes.
nic
nic
nic
nic
nic read
Removes NIC support from the given device.
Return packet to the NIC buffer pool.
Get a buffer from the NIC buffer pool.
Registers a higher level protocol handler with the
NIC data link layer.
Read a packet from a message type of a NIC message
nic write
Sends a packet to the NIC process and waits for a
delete
freebuf
getbuf
open
type.
response.
30
OS Process System Calls
35
add stack space
Add system heap space for application process
stacks.
chprio
Create
40
getprio
Change the priority of a process.
Create a new process. The process stack size,
ssize, must be at least 256 bytes.
Return the process ID of the process currently
running.
Return the scheduling priority of a given process.
Rill
?eSulme
Terminate a process.
Resume a suspended process.
suspend
Suspend a process to keep it from executing.
getpid
45
OS Interprocess Single Message System Calls
50
receive
recwtim
send
sendf
sendn
55
cation.
Other application library functions, such as RAM Disk
and Indexed Files, are also available for linking with appli
cation programs.
OS Input/Output System Calls
putchar
read
write
nic close
functions, if used, will have their code linked into the
application space. To access these functions, the application
programmer links the OS application library with the appli
Device independent open routine.
Device independent character output routine.
15
associating the getc (get a character) function with the
keyboard is meaningful, whereas associating the putc (put a
character) function with the keyboard is not.
The OS supplemental functions provide further function
ality for the application and the OS Director, such as
date/time, downloading, and miscellaneous features.
Unlike the other OS functions, the OS application library
open
putc
Network Interface Circuitry Data Link Calls
based tools such as:
Borland C++ compiler
Paradigm debugger
Together C++ design tool
Extensive library routines, objects, and utilities are avail
able that make the new terminal “easy to program”. Soft
ware development kits will be provided for application
software development.
Smart card drivers will be utilized for various types of
Put a character to a device (same as putc).
Device independent character input routine.
Get character from the keyboard device.
Device independent character input routine with
timeout.
Software Libraries and Tools
The POS Terminal preferably uses “off the shelf” PC
fputc
getC
getchar
getcwait
Receive a (one word) message.
Receive a (one word) message with timeout.
Send a (one word) message to a process.
Force a message to be sent to a process, even if
doing so destroys a waiting message.
Send one word message to process. Do not force a
resched().
OS Interprocess Port (Mail) System Calls
60
get dir portid Get the Director port identification.
pcount
Return the number of messages currently waiting at a
port.
pcreate
close
control
fgetc
Device independent close routine.
Device independent control routine.
Get character from a device (same as getc).
65
pdelete
preceive
Create a new port. DMOS supports up to 32 ports.
The maximum number of message nodes on all ports at
any one time is 32.
Delete a port.
Get a message from a port.
6,065,679
41
42
OS Integrity System Calls
-continued
preset
psend
Reset a port.
Send a message to a port.
5
do cre check
do init same values
Calculate Cyclic Redundancy Code (CRC)
of one or more specified segments.
Initialize one or more data areas,
each to their same value.
OS Interprocess Semaphores System Calls
calc cre
chk chksum
Calculate CRC for a given string.
Check computed checksum of a block
with a checksum.
10
Return the count associated with a semaphore.
Create a new semaphore.
Delete a semaphore.
Reset semaphore count.
Signal a semaphore.
Signal a semaphore n times.
Block and wait until semaphore signal.
SCOUInt
Screate
sdelete
SreSet
signal
signaln
wait
set chksum
OS Download System Calls
15
get dial string
get dmld info
get terminal id
OS Memory Management System Calls
set baud rate
set dial string
20 set dmld info
set terminal id
Free a block of application heap space.
Free a block of application heap space (same as
freemem).
Get a block of application heap space.
Get a block of application heap space (same as
getmem).
Initialize the application’s heap space.
freemem
freestk
getmem
getstk
lheap init
OS Buffer Pool Management System Calls
get baud rate
Get the number of free buffers of a pool.
Delete a buffer pool.
Free a buffer and return it to a pool.
Get a free buffer from a pool.
Create a number of buffers for a buffer pool.
Initialize the entire buffer pool manager.
delpool
freebuf
getbuf
mkpool
poolinit
OS Time and Date System Calls
Get the Director download dial information.
Get the Director download information.
Get the Director download terminal information.
Set the Director download baud rate information.
Set the Director download dial information.
Set the Director download information.
Set the Director download terminal information.
Get the Director download baud rate information.
OS Security Calls
25
sec des decrypt
sec des encrypt
sec dukpt clear
30
sec dukpt init
bufcount
Compute and store the checksum of a block.
sec dukpt smid
sec get information
35
sec key clear
sec key set mgmt
sec key submit
sec mac data
sec PIN encrypt
Decrypts data with a key injected earlier.
Encrypts data with a key injected earlier.
Clears and resets the Derived Unique Key Per
Transaction security functions.
Initializes the Derived Unique Key Per Trans
action (DUKPT) key management system.
Returns the current SMID.
Gets information on the current state of the
security functions.
Erases the security key.
Sets the security key management mode.
Saves the given key information.
MAC’s data with a key submitted earlier.
Encrypts the PIN data using an account
number.
40 sec serial num submit Sets the serial number.
OS Miscellaneous Calls
datetos
day of year
get date
get ticks
get usecs
month day
set date
sleep
sleept
stodate
Convert a date and time to a formatted string.
Convert date to the day-of-year index.
45
Convert the current date and time to a formatted
string.
Get system clock in ticks (number of tenths of
a second).
Get system clock in microseconds.
Convert day-of-year index to the month and the day.
Set the current date and time from a formatted
string.
Go to sleep for n seconds.
Go to sleep for n ticks.
Convert a formatted string to a date and time
components.
set roll cmnds
50
55
60
get restarts
get system information
set startup mode
system control
Controls configuration memory area
(keypad type and Director password).
Get number of restarts since last startup.
Get DMOS system information.
Set the startup mode for the terminal.
Configure the internals of the system.
set slip cmnds
visa recw
visa send
OS Configuration Calls
config control
format
fprintf
printf
65
Format a string according to a format mask.
Formatted output conversion to a device.
Formatted output conversion to the display device.
Set printer command characters for roll printer.
Set printer command characters for slip printer.
Read into a buffer using the VISA II message
protocol.
Write from a buffer using the VISA II message
protocol.
One of the more interesting sets of software library class
or object are those related to the display driver. The display
driver object performs the display activity for the OS. It
operates in tandem on two conceptual levels: the upper and
lower. The upper level contains the external interface display
functions and executes the application or operating system
requests for writing characters to the display along with
statusing and mode setting. The lower level outputs charac
ters to the hardware display, as well as handling cursor
movement, contrast, and back lighting control.
Briefly as shown in FIG. 17, an application’s display call,
as are all OS system calls, resolves to an OS app.lib function
that uses an interrupt vector to “bridge” from application
space to OS space. Once within this space, the OS kernel
vectors the display call to the display driver object, then to
6,065,679
45
characters: up/down arrow (“V1'), up arrow ("\2’), down
arrow ("\3’), left arrow ("\4'), right arrow (“V5’), and arrow
body block(*\6’). The rest of the other non-printing charac
46
If the pointer sparm ptr is not NULLPTR, the dsp
parameters structure pointed to by sparm ptr specifies how
the screen is to be defined (see below), and the length of the
ters are treated as spaces.
Each screen is organized by columns and lines. Their
maximum values are dependent on the character size and the
inter-character spacing. The 5x7 character set, with one
pixel spacing in both directions, allows a total of 84 char
acters (21 columns by 4 lines), while the 5×9 character set
allows a total of 63 (21 columns by 3 lines).
The cursor position is determine by its column and line.
Both column and line start at one and go up to their
respective maximum. The upper left position of any screen
10
This screen has two lines of 21 columns each. The second
screen is at the bottom, uses a 5x7 character set with one
is always (1, 1).
Each time a character is output to the display, the posi
tioning of the next character is adjusted. By default, the
positioning is rightward one character, then to beginning of
the next line when at the end of a line, and finally to
beginning of screen when at the end of the last line. If wrap
is turned off, the positioning does not goes to the next line;
instead it re-positions to the same character just displayed.
Optionally, the cursor is display in the currently selected
screen. For this to occur, a routine must be provided when
the screen is opened. Then a control call is used to have it
displayed. The cursor can be displayed as either a horizontal
or vertical line, or both. The cursor can be positioned where
it is displayed when the screen is opened.
A typical flow of control through the display object is as
dsp parameters structure is pointed to by splen ptr.
If the splen ptr is NULLPTR, but sparm ptr is not, then
sparm ptr is a pointer to an integer representing a standard
configuration. Currently, there is one standard configuration,
whose integer is one. If this is selected, two screen are
created: One screen is at the top, using a 5×9 character set
with three horizontal spaces between lines, including an
optional cursor, and one vertical space between columns.
15
horizontal space between lines and one vertical space
between columns. This second screen has one line of 21
columns with the ability to display both a horizontal and
vertical cursor
20
5. Process X repeats step four and possibly step three until
it displaying is completed.
object id
DISPLAY
sparm ptr
splen ptr
*sparm ptr
NULLPTR
Implies opening of a standard
Structure
Display parameters structure
*splen ptr
Integer
*sparm ptr
Integer
Length of display parameters
Open the entire display as two
SC ?eeinS.
splen ptr
NULLPTR
Implies opening of a standard
SC ?eein.
Return
Value
return value
integer
Meaning
35
Screen index used selecting
BAD PARM
screen in control().
Device screen overlaps or
mismatch in size.
BAD USER
40
45
Device screen owned by another
process.
Display Screen Parameters
The following structure defines the display parameters
used to open a generalized screen for the display.
struct dsp parameters
{
50
int
int
int
int
x start point
y_start point
x length
y length
// X start coordinate
// Y start coordinate
// X size of screen
// Y size of screen
int char set selection // Char set select
55
the newly created screen, and a screen index (one through
four) is returned; otherwise, an error is returned.
60
(characters). This implies three lines of 21 columns each.
65
If the pointer sparm ptr is NULLPTR, the entire display
is assigned to the calling process. For this case, the default
character set is 5×9 with one horizontal pixel space between
lines, and one vertical pixel space between columns
Also the cursor option is not selected, so no cursor can be
displayed.
Opens the entire display as one
Structure.
30
int display open(int object id, struct dsp parameters
*sparm ptr, *splen ptr );
Description
Assign part or all of the device, represented by the
object id, to the calling process, clear any previous data,
and create a screen for the hardware display. If the desig
nated portion of the display is free, the calling process owns
NULLPTR
for a screen.
below.
Display open
Synopsis
Specified object or device
SC ?eein.
6. Process X closes the selected screen (display close) to
release it for use by other processes.
7. During the same time frame, process X may do the
same calls for using up to three more screens. Note that
it will have to do step 3 to select an alternate screen.
8. During the same time frame, processes A, B, and/or C
may do the same calls.
Some routines are only available for calls from other
operating system objects, as well private calls within the
display driver object itself, including Display access and
Display io. Each of these functions is briefly described
Meaning
SC ?eein.
25
1. Process zero initializes the display (display access) on
2. Process X opens a screen of the device (display open).
3. Process X optionally executes control call (display
control).
4. Process X calls an output function (display write/
display putc) which places the data on display.
Value
identification.
follows:
start up.
Parameter
//
(range:0–127)
(range:0–31)
(range:1–128)
(range:1–32)
(range:0—user)
default values:1-5x7, 2-5×9
int line space
int char space
// Y inter-line space (range:0–127)
// X inter-char space (range:0–31)
int line cursor
int char cussor
// line cursor option (range:0–1)
// char cursor option (range:0–1)
int line cursor space // line cursor space (range:0–31)
int char cursor space // char cursor space (range:0–127)
Display open example
struct dsp parameters s1_parameters||=
{ 0, 0, 128, 24, 2, 2, 1, TRUE, FALSE, 1, 0};
struct dsp parameters s2 parameters||=
{ 0, 24, 128, 8, 1, 1, 1, TRUE, TRUE, 0, 0 };
// . .
void open example()
6,065,679
47
48
-continued
-continued
Uint size sp1 = sizeof (s2 parameters);
Uint size sp2 = sizeof (s2 parameters);
Requires parm ptr to not be a NULLPTR, see below.
£Requires both parm ptr and parm2 ptr to not be NULLPTR, see below.
Uint screen 1;
Uint screen 2;
Parameter
For Function
Uint screen option = 1;
parm ptr
GET DISPLAY SIZE
//------------------------------------------------------------------------
// Open entire display as one screen.
INSTALL CHAR SET
MOVE CSR
10
SET BACKLITE
SET CONTRAST
open (DISPLAY, &screen option, NULLPTR );
SET SCREEN
15
screen_2 = open(DISPLAY, s2 parameters, &size sp1);
screen_1 = open(DISPLAY, s1 parameters, &size sp2);
parm2 ptr
All other functions
character set index.
Pointer set to NULLPTR.
GET DISPLAY_SIZE
Pointer to integer to return
INSTALL CHAR SET
Pointer to integer of
maximum lines.
20
// Select screen 2 to do display within screen 2.
character set size.
//------------------------------------------------------------------------
control( DISPLAY, SET SCREEN, &screen 2, NULLPTR);
// Select screen 1 to do display within screen 1.
Pointer to integer screen
index from open ().
UNINSTALL CHAR SET Pointer to integer of a
//------------------------------------------------------------------------
// . . .
//------------------------------------------------------------------------
Pointer to integer contrast
value
// Open the display (open main screen last for it to be selected).
--
Pointer to integer backlight
value
//------------------------------------------------------------------------
//---
Pointer to integer number
of columns value.
// Open entire display as two default screens.
// . . .
Pointer to char array of a
character set.
// . . .
//------------------------------------------------------------------------
// . . .
//------------------------------------------------------------------------
Pointer to integer to return
imax. COIllimits.
//------------------------------------------------------------------------
open(DISPLAY, NULLPTR, NULLPTR );
Value and Meaning
25 Return
MOVE CSR
Pointer to integer number
All other functions
of lines value.
Pointer set to NULLPTR.
For Function
Value and Meaning
INSTALL CHAR SET
Character set index to use
//------------------------------------------------------------------------
control( DISPLAY, SET SCREEN, &screen 1, NULLPTR);
return value
in an open screen.
// .
};
30
Display control
Synopsis
int display control(int object id, int function, void far
*parm ptr, void far *parm2 ptr );
Description
a screen. For all functions with error BAD CMD, this
35
Perform a function to set a mode or return a status. The
control function for the device, represented by the object
id, is done possibly using parameters referenced via the
pointers parm ptr and parm2 ptr.
For all other functions without error an OK implies
function completed without error. For all functions with
error BAD USER, this means a non-owner is trying to use
40
means illegal function or parameters.
New Character Set Install Example
The first step is to define a character array for the
character set; see example below. The first five bytes define
its characteristics: the number of characters in the characters
set, the first legal index, and the character size in pixels. For
the example below, there is just one character (an ‘S’). You
must specified two bytes for the length, the least significant
Parameter
Value
Meaning
object id
DISPLAY
Specified object or device
function
CHECK DEV STATUS
CLEAR SCREEN
identification.
Get the device’s status.
Clear the selected screen
and set cursor home.
byte first. The first legal index is 83 (0x53) because that is
45
CSR OFF
CSR ON
CURSOR HOME
Do not display cursor.
Display cursor if option
selected on open.
Set cursor to top left
position in selected screen.
INSTALL CHAR SET;
Return selected screen’s
column and row size.
Install a character set.
MOVE CSR;
Set cursor to requested spot
RESET
SET BACKLITEf
Reset the display device.
Set display’s backlight to
GET DISPLAY SIZE:
50
55
in selected screen.
SET CONTRAST+
SET SCREENf
requested value.
Get display’s contrast to
requested value.
Set (select) a screen that
this process opened.
control call to install the character set.
60
WRAP ON
acter set within the selected screen.
Do not wrap a line to next
line.
If cursor at end of line,
move to next line.
char set index=control( DISPLAY, INSTALL
CHAR SET, dsp char set special, sizeof dsp_
char set special ));
Then execute an open command to use the special char
UNINSTALL CHAR SET; Uninstall a character set.
WRAP OFF
the value of an ASCII ‘S’. Of course, you could change the
‘S’ value to zero and set the first legal index also to zero.
Finally, the size of a character is six pixels wide and ten
pixels long.
After this, the character set is specified. Because the
display hardware outputs bytes vertically, the characters
must be rotated 90 degrees clockwise. Also, due to how
memory is accessed, the most significant byte must stored in
memory first. In this example, the bytes must be swapped.
Note: A possible future project will be to automate the
generation of user defined character sets.
Once the array has been generated, execute the following
65
display parameters.char set selection=char-set
index; open(DISPLAY, &display parameters, sizeof{
display parameters) );
6,065,679
character set example
char dsp char set special[] =
{
1, /=DSP MAX CHARACTERS & Oxff, ?/Low byte of # characters
in set.
0, ?/=DSP MAX CHARACTERS / Ox100//High byte of #
characters in set.
83//=DSP FIRST CHAR INDEX,
//First
legal
character
code index.
6, ?/=DSP CHAR X SIZE,
//Horizontal char size in
10,?}=DSP CHAR Y SIZE,
//Vertical char size in
pixels.
pixels.
//---------------------------------------------------------
// Character set values:
//---------------------------------------------------------
// Characters rotated 90 degrees Chars rotated
// clockwise and bytes swapped. 90 degrees. |appear on
Characters as they
display.
//---------------------------------------------------------
Ox8E,0x00,
Ox11,0x01,
Ox11,0x01,
Ox11,0x01,
OxE2,0x00,
};
/
//
//
//
/
//
//
//
//
10001110b,0b
00010001b,1b
00010001b,1b
00010001b,1b
11100010b,0b
|
|
|
|
|
|
|
|
|
0.10001110b
100010001b
100010001b
100010001b
0.11100010b
|
|
|
|
0.1110b
10001b.
10000b
10000b
0.1110b
00001b
00001b
10001b
01110b
Display putc
-
Synopsis
int display putc(int object id, charch );
count
integer
Number of characters
Return
Value
Meaning
return value
OK
Function completed
characters to be written.
Output one character, ch, to the device, represented as
-
Pointer to buffer of
35 buffer
Description
-
-continued
pointer
-
-
to be written.
object id. The calling process is never blocked.
40
Parameter
-
Value
Meaning
object id device identification.
DISPLAY
Specified object or
ch
character
Character to be
-
-
-
without error
-
to use the screen.
BAD
USER
BAD CMD
45
without error
Count is less than
Zejto Oj in Ojºe
output.
Return
Non-owner attempting
characters than screen
-
Value
Meaning
OK
Function completed
BAD USER
Non-owner attempting
can hold.
-
Display close
50 Synopsis
to use the screen.
int display close(int object id);
Description
Display write
Releases control of the currently selected screen, repre
Synopsis
55 sented by the object id, that was previously opened by the
int display write(int object id , char far *buffer, int calling process. This portion of the display is available as a
count );
portion of a screen that may be opened by a process for its
Description
llSè.
Write the count characters from buffer to the device,
represented as object id. Once the function returns, the 60
buffer may be reused. The calling process is never blocked.
Parameter
Value
Meaning
object id
DISPLAY
Specified object or
Return
Value
Meaning
return value
OK
Function completed
device identification.
Parameter
Value
Meaning
object id
DISPLAY
Specified object or
device identification.
65
6,065,679
52
3. Check guarantee
4. ECR integration
The same host may process for all these functions, but it
eliminates the need to control multiple applications with
-continued
without error.
BAD USER
Non-owner attempting
to close screen.
different combinations of features.
Security
The core unit with all module configurations can be used
for PIN entry by the consumer. It will support DES and
public key for encryption of secure data and handle Unique
Display access
Synopsis
int huge display access(int object id, int fet type );
Description
The protected display accesso function is used to indi
cate that the object, represented by the object id, exists or to
initially construct the display object by allocating and ini
tializing the display DCB. The particular function is deter
mined by fet type.
10
15
Key Per Transaction and Message Authentication (MAC).
There are several levels of security available:
Basic security—Single processor, no tamper detection or
bonding
Tamper detection switches—One switch that detects
when top enclosure is separated from the main board
and another switch that detects when the bottom enclo
Parameter
Value
Meaning
object id
DISPLAY
Specified object or
OBJ EXISTS
Request for device
OBJ CONSTRUCT
Request to construct
sure or “trap door” is opened. If either of the switches
is activated, the operating system will clear all required
20
device identification.
fet type
object’s existence.
the device object.
cannot be bonded to the other communication modules.
25
Return
Value
Meaning
return value
OK
Function completed
BAD USER
Non-null process
without error.
trying to construct device.
30
Display io
Synopsis
void huge display io(int parameter);
Applications
Various applications will be developed for use with the
POS terminal of the present invention. For example, net
work applications will be developed such as retail/restaurant
applications on VISANET, GPS, and NOVUS. These appli
cations will include standard credit, debit, and check autho
35
Second processor—A Dallas 5002 chip is added to handle
security functions. All encryption keys are held
securely in this chip and cannot be accessed by the
80C186 application processor. All communication
from the keypad and display is handled by the Dallas
5002 processor. The application processor and security
processor can be downloaded separately from each
other. If tampering is detected, the Dallas 5002 memory
is immediately deleted and the O/S will not allow the
application to run. The security processor option is
appropriate if a private key is needed for PIN encryp
tion or for software downloads. The second IC reader
40
rization capabilities, along with an American Express Plural
Interface Processing (PIP) option. A single application will
support retail and restaurant functionality. In some
embodiments, to save on memory, different application files
will be used for the gateway, LAN workstation, and stan
dalone environments. The user interface will be essentially
the same in all configurations and on all networks.
Preferably, the applications will be developed using object
oriented programming. Additional applications might
include storing and transporting applications on a smart
card, storing and transporting a batch file, and diagnostics.
Applications are preferably loaded in 64K blocks due to
flash requirements. Multiple applications might also run
together on the POS terminal, including such applications
as: Credit/debit card application; Electronic purse applica
tion; Frequent shopper application; Check guarantee appli
cation; Customer survey; EBT program; specialized trans
actions such as Petroleum card applications, etc. There
would probably be only 2–3 of the above applications used
at once, but the list indicates some possibilities. Each
application would likely communicate to a different host.
Multiple applications might also include different func
tions requested by a customer. For example, the customer
could choose from the following functions:
1. Visa/MasterCard acceptance
2. American Express acceptance
memory.
Bonding—Ultrasonic bonding provides tamper evidence
if someone tries to open up the case. The core unit can
be bonded to the PIN pad cable module. The core unit
can also be used for this purpose.
The second processor option will generally be used with
the tamper switch and bonding options. Two daughter board
configurations will be available for the higher security
options: One configuration will have tamper detection logic,
the other will have both tamper detection and the second
processor.
45
Once a tamper switch has been activated, the service
organization will have to reload applications and keys before
redeploying the unit. If the unit was bonded, this would need
to go back to the factory (or Service organization if they
have bonding equipment)
It is recommended that applications put all secure infor
50
mation (ie. keys) in SRAM rather than flash. Since tamper
55
detection does not protect against re-downloading a
“dummy” application, MACing is used for PIN pad appli
cations. A “trap door” in the core unit bottom cover will
allow the tamper detection switches, security processor, or
additional memory to be added after initial assembly. It will
have an optional privacy shield that can snap on around
keypad area.
The way the PIN pad conceals an entered PIN is through
encrypting it. Encryption takes normal readable data called
60
plain text (or clear text) and scrambles it into an unreadable
65
form called cipher text. The process of converting cipher
text back into its original plain text is called decryption. The
encrypted PIN is secure from an attacker because they are
unable to read it. Many algorithms can be designed for
encrypting text.
An encryption algorithm may be written that transposes
each character by one (i.e. ‘a’ becomes ‘b’ and ‘b’ becomes
6,065,679
53
‘c’, etc.). This algorithm relies on the secrecy of its method
for its security. If an attacker knows that every character gets
transposed by one, they can determine the plain text.
Other algorithms can be written that combine data, called
a key, with the plain text in such a way as to produce cipher
text. One such algorithm may exclusive-OR the plain text
with the key to produce the cipher text. The method of
54
sec des decrypt returns the following:
5 Return
encrypting the data may be provided to the public (i.e. XOR
the data with key), but if they do not know the key, they will
be unable to learn the plain text. Algorithms that depend on
the secrecy of a key are more secure than those that depend
on the secrecy of the algorithm itself.
Meaning
OK
INVALID ID
KEY NOT LOADED
Operation completed successfully
key id is out of range
key id has not been loaded with
INVALID PARAM
Pointer to buf is NULL
sec key submit()
10 OVER1 MILLION
Over one million DUKPT keys have been
generated
The Data Encryption Standard (DES) algorithm is one
such algorithm. DES has become the standard encryption
scheme in the banking community. This algorithm requires
a 56 bit key for encrypting and decrypting data. Generally
int sec des encrypt (Uchar key id, Des Data far *buf)
15
the 56 bit key is expanded to a 64 bit (8 byte) key with the
extra bits indicating the parity of the individual bytes. This
document will refer to all keys as has having 64 bits,
although the DES algorithm will only make use of 56 of the
bits. The DES algorithm encrypts 64 bits of data at a time.
The DES algorithm’s security is only as good as the
security of the key. Key management describes the system
used in distributing and maintaining keys. The more often a
key is changed the less likely that an attacker could discover
the key, and if they had, the less information they would
20
25
have access to. Both the sender and the receiver must know
the same key in order to decrypt (or encrypt) the transmitted
data. The transfer of the key between parties must be done
in a secure environment. If the key is changed often this can
be a problem.
The basic DES algorithm can be used in several different
ways or modes. The two modes used by the PIN pad are
35
The DES algorithm encrypts 64 bits of data using a 64 bit
INVALID PARAM
Pointer to buf is NULL
OVER1 MILLION
Over one million DUKPT keys have been
generated
verify the integrity of a series of data. Applications down
loaded to the terminal are verified using the MAC. If the
MAC that the terminal calculates does not match the MAC
sent in the application, the application is cleared. The MAC
function may be used to insure the integrity of any set of
50
data. Some of the available MAC functions include:
int sec mac data (Uchar key id, char far *buf ptr, int
len, Des Data far *mac ptr)
include:
intsec des decrypt (Uchar key id, Des Data far *buf)
55
between 0 and 31, APP MASTER KEY, APP
WORKING KEY, or VISA DUKPT KEY. It specifies
which key is used to decrypt the data. A key must have been
submitted to this key id before the sec des decrypt func
tion is called or else an error is returned. The process will be
blocked if security is being used by another process. The buf
parameter is a pointer to a structure containing a buffer for
the 8 byte binary data to be decrypted. The 8 byte binary
result is placed in this buffer.
Operation completed successfully
key id is out of range
key id has not been loaded with
The Message Authentication Code (MAC) is used to
45
(only 56 bits of which are used) key. The DES algorithm is
The sec des decrypt function decrypts the data passed
in the Des Data buf, with the key injected earlier and
identified as key id. The decrypted data replaces the data in
buf. The data in buf is treated as binary 8 byte data and no
conversion is performed. The key id parameter is a number
OK
INVALID ID
KEY NOT LOADED
Applications can use the public encrypt and decrypt func
tions which in turn call the private functions which encrypt
or decrypt the data.
loaded into the terminal.
design so that the same algorithm is used for both encryption
and decryption. The DES algorithm requires frequent bit
manipulations. The DES engine functions available for use
Meaning
40
checksum, or Message Authentication Code (MAC), chang
ing. The new MAC can only be calculated if the key is
known. The MAC is used to provide some measure of
security in knowing that an unaltered application has been
Return
sec key submit()
CBC mode, on the other hand, takes all of the data and
computes, in essence, a cipher text checksum. This is useful
to protect the integrity of the data. An attacker is still able to
read data but may not alter it without the cipher text
between 0 and 31, APP MASTER KEY, APP
WORKING KEY, or VISA DUKPT KEY. It specifies
which key is used to encrypt the data. A key must have been
submitted to this key id before the sec des encrypt func
tion is called or else an error is returned. The process will be
blocked if security is being used by another process. The buf
parameter is a pointer to a structure containing a buffer for
the 8 byte binary data to be encrypted. The 8 byte binary
result is placed in this buffer.
sec des encrypt returns the following:
30
Electronic Code Book (ECB) mode and Cipher Block
Chaining (CBC) mode. In ECB mode, the DES algorithm is
used to encrypt or decrypt each individual block of data.
This is similar to looking up the cipher text form of a block
of plain text in a code book. PIN encryption uses ECB mode.
The sec des encrypt function encrypts the data passed
in the Des Data buf, with the key injected earlier and
identified as key id. The encrypted data replaces the data in
buf. The data in buf is treated as binary 8 byte data and no
conversion is performed. The key id parameter is a number
60
The sec mac data function will use the key submitted
earlier and identified by key id to MAC the data. The
function will MAC len bytes of the data contained in the
buffer pointed to by buf ptr. The 8 bytes of data in mac ptr
are used as the initial MAC value when calculating the
MAC. The MAC of the len of buf ptr replaces the initial
MAC value in mac ptr. In this way, data may be MAC’d
over several calls to sec mac data. The first call will pass
mac ptr containing zeros (or some other initial value).
65
Subsequent calls to sec mac data then continue the gen
eration of the MAC by passing the MAC from the previous
sec mac data call in mac ptr. The key id parameter
determines which key is used when MACing data. The
process will be blocked if the security functions are being
used by another process. The buf ptr parameter is a pointer
6,065,679
56
55
to a buffer containing the data to be MAC’d. The data will
be treated as binary when MAC’d. The len parameter defines
the number of bytes in the buffer to be MAC’d. Note: the
MAC function operates in 8 byte increments. If the length is
not divisible by 8, the remainder will be filled with zero
and its encrypted form is injected into the PIN pad. The plain
text AWK is used to MAC the application.
DUKPT management changes the key after every trans
action. An initial key is injected into the terminal along with
Security Management Information Data (SMID) in a secure
before that block is MAC’d. Care must be taken if the
original MAC was not calculated in this manner also. Note:
the application may still pad the data in a different manner
and pass the data in multiples of 8 bytes to sec mac data.
The mac ptr parameter is a pointer to a structure containing
a buffer that will contain the accumulated MAC. The accu
mulated MAC is combined with the passed data and
encrypted to create a new accumulated MAC which replaces
the one passed. The MAC should be initialized to zero to
begin MAC-ing. The result is in 8 byte binary format.
Sec mac data returns the following:
Return
Meaning
OK
INVALID ID
KEY NOT LOADED
Operation completed successfully
The specified key ID is not valid
The key specified has not been loaded
using sec key submit
Either the buf ptr parameter or the
mac ptr parameter is a NULLPTR
INVALID PARAM
environment. The SMID contains the ID of the terminal, a
10
1 million keys have been generated (i.e. 1 million
transactions), the PIN Pad initial key must be reloaded. Each
15
20
25
The sec mac data function is initially called with the
mac ptr parameter pointing to a structure containing Zeros.
30
35
40
45
Per Transaction.
In Fixed key management, only one key is used. This key
must be injected into the terminal in a secure environment.
This is the simplest method, but the most risky. Should an
attacker discover the key, all is lost.
50
several keys. One key is injected into the terminal in a secure
environment. This key is the Master key. Other keys may
then be injected into the terminal in a non secure environ
ment if they are encrypted with the Master key first. When
the terminal receives these keys they are decrypted with the
Master key to obtain the actual plain text key. The Master
key may also be called a key encrypting key or KEK. This
is the number of the key submitted (0 to 31). In addition the
55
level (Fixed Key or MK/TK), or any combination. The only
restriction is the number of key storage areas (IDs) available.
If a KEK is changed, all keys that depend on that key are
cleared. In other words, if the Master key is changed, then
all Transactions keys that were encrypted with that Master
key are erased. This also applies to the AMK and AWK. In
addition, if either the AMK or the AWK is changed, the
application will be cleared.
The keys must be stored in OS data memory (i.e. inde
pendent from the application). The stored keys must be
Master Key/Transaction Key (MK/TK),management uses
60
two stage method allows the transaction keys (or working
keys) to be changed regularly.
master key (AMK) must be injected in the clear. The
application working key (AWK) is encrypted with the AMK
AWK is used for calculating the MAC for applications that
are downloaded into the PIN pad. The DUKPT management
mode also has its own key. These pre-assigned keys have a
key ID that is not in the range of 0 to 31.
Doubling the length of the keys to 16 binary hexadecimal
bytes increases the security. The security functions will
accept either double length or single length keys. To provide
for maximum flexibility, no structure has been defined for
the 32 keys that can be stored. The key structure can be
determined by the application when the keys are submitted.
When submitting a key, the key is assigned a key ID which
key may have a KEK assigned to it. These means that the
application can have a single level of keys, or a multiple
(DUKPT), and Non-Reversibly Transformed Unique Key
The application MAC keys have been pre-defined to
follow the MK/TK management method. The application
key generated provides no information of past keys or of
future keys. These means that if an attacker were to learn the
current key they would only have access to one transaction.
Non-Reversibly Transformed UKPT also changes the key
after every transaction. This method uses data from the
transaction itself to create the new key. Because of this both
parties must keep a record of the history of transactions in
order to determine the current key. This requires a lot of
overhead and is usually not used because of this.
The security functions will support 32 keys that can be
used in either fixed key or MK/TK mode by the application.
The keys are referred to by key IDs 0 through 31. In
addition, several keys have been assigned that have special
purposes. The application master key (AMK) is used as the
master key for the application working key (AWK). The
This is the initial accumulated MAC. After each call the new
accumulated MAC will be written into the mac ptr param
eter. The application is responsible for ensuring that the
current accumulated MAC is passed to the function for
updating with each call. The accumulated MAC is the
resultant MAC after all MACing has been completed. This
MAC may be compared to the MAC calculated when the
data was originally MAC’d. If they are different then the
data has been corrupted. The MAC functions will be used
when downloading an application to verify its validity. If the
MAC does not equal the MAC originally generated then the
application will be erased.
The security of the DES algorithm is only as strong as the
security of its keys. To limit the probability of a key being
discovered it is best to change keys often. This presents a
problem in that both parties must agree and know what key
to use. Several key management schemes are in use by PIN
pads. These are: Fixed Transaction Keys, Master Key/
Transaction Keys, Derived Unique Key Per Transaction
key set ID, and a transaction counter. The initial key is
assigned by a third party and is derived from the key set ID
and the terminal ID encrypted with a base key not known to
the terminal. The DUKPT method uses the initial key and
the transaction counter to generate the current key. This
method allows for 1 million different keys to be used. After
65
erased if the terminal is tampered with. An array of key flags
will also be stored. These flags will indicate whether or not
the key has been injected and also whether or not it is a
double length key. These flags can be used to review the
status of the loaded keys. The flag byte is defined as follows:
Bit 7—Set if the key has been loaded
Bit 6—Set if the key is double length (16 bytes)
Bits 0–Set to the KEK ID for the key.
A director menu option will allow the user to see which
keys have been loaded. The function called by the director
will use the key flags to determine their status. Several key
management functions will be available, including:
int sec get information (struct security info *sec
info ptr, Uint si size)
6,065,679
58
57
The sec get information function fills the passed
security info structure with information on the current state
of the security functions. The struct security info is defined
sec key set mgmnt mode returns a status.
as follows:
// This is the structure for holding security
// information.
10
struct security info (
Uchar
key info|32]:
Uchar
Uchar
awk info;
amk_info;
Uchar
char
char
char
dukpt key;
dukpt status;
key mgmnt mode;
serial num|17|:
15
};
The key info array contains the key flags described
above.
20
sec get information returns a status.
Return
Meaning
OK
SYSERR
The structure was loaded successfully
The pointer to the structure was a
NULLPTR
25
Meaning
Key management mode change complete.
int sec key submit (Uchar key id, Uchar kek id, char
far *key data)
The sec key submit function saves the given key infor
mation under the passed key ID. This function also associ
ates a key with its key encryption key (KEK). This function
must be performed before any functions requiring a key ID
are performed. The key id parameter determines under
which key ID the key information is stored. Valid numbers
are 0 through 31. In addition, the APP MASTER KEY or
APP WORKING KEY may be specified. The process will
be blocked if the security functions are being used by
another process. The kek id parameter defines the key ID of
the key encryption key to be used to decrypt the key being
submitted. If no key encryption key is required, NO KEK
should be used. The key encryption key must have been
submitted before a key, using it as a key encryption key, is
submitted. The key data parameter is a pointer to a NULL
terminated string containing the ASCII hex key data. The
string length must be 16 or 32 characters (single or double
length). Note: Any keys which were previously submitted
30
int sec key clear (Uchar key id)
The sec key clear function erases the security key with
the given ID. Any keys having the key id as a KEK is
recursively cleared also. The key id parameter specifies
which key to clear. The key id may be a number from 0 to
31. Note that the application master and working keys (IDs
APP MASTER KEY and APP WORKING KEY) can
not be cleared. The process will be blocked if the security
functions are being used by another process.
sec key clear returns a status.
Return
OK
with key id as a kek id are cleared from memory. If the
APP MASTER KEY is submitted, the application and all
other keys are cleared from memory after this operation. The
kek id parameter is ignored for the APP MASTER KEY
and APP WORKING KEY keys. Defaulting to the
NO KEK for the APP WORKING KEY and AWK for
the APP MASTER KEY.
35
40
sec key submit returns the following:
Return
Meaning
OK
INVALID KEY
Key was successfully submitted.
The length of the key is not 16 or 32
characters.
INVALID ID
The key id or kek id parameter is out of
range.
Return
KEY NOT LOADED
Meaning
45
OK
INVALID ID
Key management mode change complete.
Invalid key ID was given.
int sec key set mgmnt mode (enum mgmnt modes
mode)
Sets the security key management mode to be used by the
PIN pad. This function is not used internally but the flag is
needed by some applications and is included here for
compatibility with the MEPPA application. The mode
parameter selects what key management mode to use. The
enumerated type is defined as follows:
int sec serial num submit(char *ser num ptr)
50
55
MK TK KEY_MODE, VISA UKPT MODE,
FIXED KEY MODE
MK TK KEY MODE
VISA UKPT MODE
KEYED MK TK MODE
Fixed key mode
Master key/Transaction key mode
VISA unique key per transaction mode
Keyed Master key/Transaction key mode
Sets the serial number stored in security dcb. This func
tion is included for compatibility with 290E applications.
The ser num ptr parameter is a pointer to a NULL termi
nated ASCII string containing the serial number. The serial
number may be up to 16 digits in length.
sec serial num submit returns a status.
enum mgm.nt modes {FIXED KEY MODE,
KEYED MK TK MODE} Where:
The key encryption key has not been
loaded.
Return
Meaning
OK
SYSERR
Serial number was updated.
The length of passed security number is
60
65
too large.
The sec key submit function is used to inject keys at
any time.
The DUKPT management mode changes the key used to
encrypt the PIN after every transaction. The key ID and the
terminal ID along with a transaction counter are used to
generate each key. The transaction counter will allow up to
6,065,679
59
60
sec dukpt Smid returns the following:
1 million transactions before the initial key must be
reloaded. Only one DUKPT initial key is allowed to be in
use at a time. Some DUKPT functions are:
void sec dukpt clear (void)
Clears and resets the derived unique key per transaction
security functions. The DUKPT functions must be
re-initialized before the VISA DUKPT KEY is used. The
process will be blocked if the security functions are being
used by another process.
5 Return
int sec dukpt init (Uchar key id, char far *init key,
Smid Data far *smid)
The sec dukpt init function initializes the Derived
Unique Key Per Transaction (DUKPT) key management
10
Meaning
KEY NOT LOADED
Completed successfully
The DUKPT system has not been
initialized with the sec dukpt init
OVER1 MILLION
The DUKPT system has encrypted more than
OK
function.
1 million transactions and must be re
system by internally storing the initial key, the key serial
number (SMID) and resetting the DUKPT transaction
counter. The key id parameter is used to select which
method is used. Currently, only VISA DUKPT is supported
and the parameter must be set to VISA DUKPT KEY. The
process will be blocked if the security functions are being
used by another process. The init key parameter is a pointer
to a NULL terminated ASCII hex string containing the 16
character initial key to be used (only single length keys are
valid). The smid parameter is a pointer to a NULL termi
nated ASCII hex string containing the 20 character key serial
number (SMID) to be used. Leading ‘F's must be prepended
to pad the SMID to 20 characters.
sec dukpt init returns the following:
initialized
15
20
25
INVALID PARAM
Buff pointer passed is a NULLPTR
To use DUKPT, the initial key must be injected using the
sec dukpt init function. This resets the transaction counter
and stores the initial key and SMID. Next the encrypt
function is used as normal. To update the transaction counter
the sec dukpt Smid function must be used. This will also
return the SMID used for the encrypt just performed (before
the transaction counter was updated). This SMID should be
sent along with the encrypted data to the host.
Smid Data is a structure defined as follows:
// This is the data structure for SMID Data.
30
Return
Meaning
OK
INVALID KEY
INVALID SMID
INVALID ID
DUKPT system initialized correctly
The initial key is invalid
The smid parameter is invalid
Unsupported DUKPT type
typedef struct {
char data[21];
} Smid Data;
35
The PIN entered by the customer is not just encrypted on
int sec dukpt smid (Smid Data far *buff)
its own. The entered PIN (4 to 12 digits) is expanded into a
The sec dukpt smid function returns the current SMID,
and calculates a new derived unique key per transaction
64 bit block as follows:
Bits
1–4
O
5–8
9–12
13–16
17–20
21–24
25–28
29–32
33–36
37–40
41–44
45–48
49–52
53–56
57–60
61–64
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
PIN
OxF
0xF
Of
Of
Of
Of
Of
Of
Of
Of
0xF
OxF
0xF
OxF
0xF
0xF
OxF
0xF
Len
50
SMID and key. This function is used to increment the
transaction counter. The process will be blocked if the
security functions are being used by another process. The
The account number is reduced to a 64 bit block using the
12 right most digits (not including the check digit) as
follows:
Bits
1–4
5–8
9–12
13–16
17–20
21–24
25–28
29–32
O
O
O
O
A1
A2
A3
A4
A5
A6
A7
A8
A9
A10
A11
A12
buff parameter is a pointer to a structure containing a buffer The two blocks are exclusive OR’d together and encrypted
that is 21 characters in length. The buffer receives the ASCII 65 using DES in ECB mode. The result is the encrypted PIN
NULL terminated string containing the SMID, pre-padded block. The PIN security functions include:
with ‘F’ if necessary.
int sec PIP encrypt (Pin Data far *p data)
6,065,679
61
62
The sec PIP encrypt function encrypts the PIN data
using the account number passed in the Pin Data structure.
The encrypted PIN is stored in the PIN block array in the
Pin DAta structure. The process will be blocked if the
security functions are being used by another process. The
p data parameter is a pointer to a Pin DAta structure
The terminal will assume that a security breach will not
originate from the application (after all, the application has
been MAC’d indicating that it will not breach the security).
This must be assumed as there is always a chance that the
application could access/alter critical parts of the OS even
with extensive firewalling, as they both reside in the same
defined as follows:
// This is the data structure for encrypt PIN.
// PIN block will be returned for all keys.
//smid will be filled for DUKPT keys.
// All strings are NULL terminated ASCII either numeric
processor.
10
not valid.
When the downloader receives the EDIR it will store the
MAC contained in the extended download information
// or hex.
typedef struct {
15
//Encryption key number
Uchar key;
char acct?20];
//ASCII Account:#, no check
char PINT13]:
char PIN block[17];
//ASCII The encrypted PIN
char smid[21];
//ASCII hex key serial number
//ASCII PIN number
20
sec PIN encrypt returns the following:
25
Return
Meaning
OK
OVER1 MILLION
PIN encrypted successfully
Over 1 million encryptions have been
record (EDIR) and then initialize the MAC routines using
the sec mac data function with the APP WORKING
KEY ID and an accumulated mac of all zeroes. Each record
// digit
// block
} Pin Data;
The downloader on the terminal will MAC incoming
application data. It is critical that this always takes place.
The downloader can then clear the application if its MAC is
30
processed by the DUKPT system.
DUKPT must be re-initialized.
KEY NOT LOADED
Specified key has not been loaded with
INVALID PARAM
data
P data pointer passed does contain valid
sec key submit()
Sec. PIP encrypt requires the entered PIN and the
account number before it can be used. Care must be taken to
40
the user must be sure that it is cleared else where.
The preferred embodiment terminal features a single
processor. Thus the security code and the application code
will reside in the same processor. The application will have
the ability to display any message that is desired and to
receive any key presses the customer enters. This opens up
the possibility for an application to prompt the customer to
enter a PIN and to then pass the entered PIN on to an attacker
in the clear. The only way to prevent this is to verify that the
application does not contain any rogue code that might do
this. Once the code has been proven to be valid and “clean’,
application master key (AMK) and application working key
(AWK), the user may download applications without deal
ing with the AMK and AWK while still having a terminal
secure from casual application downloading. Should more
security be needed, the AMK and AWK may be changed by
the user.
35
not leave the PIN in the clear in memory. The sec PIN
encrypt function will clear the PIN entry in the structure but
the downloader receives will be MAC’d using the sec
mac data function with the accumulated mac. Upon
completion of the download the downloader will compare
the accumulated MAC against the MAC received in the
EDIR. If they do not match, the application is cleared.
Otherwise downloading completes as normal. The data is
MAC’d in its compressed form. The MAC does not include
the EDIR or the NDCB packet headers.
The terminal preferrably will initially only have the
default AMK and AWK keys loaded. By having default
The first keys injected into the terminal must be injected
in the clear (plain text) in a secure area. This needs to be
done before an application has been loaded into the terminal,
so that the key is independent from the application. At
minimum the capability of injecting the AMK and AWK
before the application must exist.
Keys injected in the clear are normally injected using a
key loading device (KLD). The director will have a menu
option to Inject Keys. This may be password protected.
When the Inject Keys option is selected, the sec key inject
45
function will be called. The function will then monitor the
director selected port for messages from a KLD (or similar)
50
device at standard baud rates with 7 bits, even parity, one
start bit, and one stop bit. Once the first keys have been
injected, the application can take over the injecting of further
keys. The keys injected by the application normally will
have been encrypted using one of the keys first injected into
it must be MAC’d so that it would be obvious if it was
the terminal and not in the clear.
tampered with after approval. The terminal must insure that
the application it receives has the proper MAC and therefore
is a valid application before the application is initiated.
The application will have access to the following func
tions which will be included in the bridge. These functions
are described in detail above.
int sec des decrypt (Uchar key id, Des Data far *buf)
int sec des encrypt (Uchar key id, Des Data far *buf)
void sec dukpt clear (void)
int sec dukpt init (Uchar key id, char far *init key, Smid Data far
int sec
int sec
int sec
int sec
dukpt smid (Smid Data far *buff)
key clear (Uchar key id)
key set mgmnt mode (enum mgmnt modes mode)
key submit (Uchar key id, Uchar kek id, char far *key data)
6,065,679
63
64
-continued
int sec mac data (Uchar key id, char far *buff, int len, Des Data far
*mac)
int sec get information (struct security info *sec info ptr, unsigned
int si size)
int sec serial num submit (char *ser num_ptr)
int sec PIN encrypt (Pin Data far *p data)
10
The security class or object must include several operat
ing system support functions. These functions support the
object interaction in the operating system. These functions
include the following.
void sec key inject (void)
This function will be called by the director ‘Inject Keys’
menu option. The Inject Keys menu option will be under the
parameters option in the director. This Inject Keys option
may be password protected. When called, the function will
operate as described in the Key Injection section above.
PIN pad module 148. The POS terminal is operatively
connected to an electronic cash register 170 (ECR) which
has electronic funds transfer (EFT) software and handles all
host communication. The POS terminal connects to the ECR
15
sale amount is transferred to the POS terminal for display on
the POS terminal to the customer. The customer confirms the
20
void sec key display status (void)
The sec key display status function is also called from
the director. This menu option will be under the diagnostics
menu. It indicates which keys have been loaded into the
terminal on the display.
PC Utility
A PC Utility will support full downloads of applications
and parameters. Downloads will be supported over phone
lines, locally, or over the LAN. The PC Utility can also
download the operating system, since it is stored in flash
ROM. The O/S and software should support download of the
application when required, initiated by either the host or the
As illustrated in FIG. 11B, multiple POS terminals are
interconnected as workstations in a LAN environment with
25
172 for external communications with a remote host. The
30
35
40
45
172 provides external communications with an external host
for verification of any transactions conducted. The external
printer 174 is typically attached for added printing capability
such as higher speed printing.
3. LAN–ECR semi-integrated
As illustrated in FIG. 11C in a variation of the above
50
55
environment, the POS terminals interface to an ECR 170 for
transfer of sale amount and use of the ECR printer. Host
communication is still handled by the POS terminal func
tioning as the gateway terminal 172. In this environment, no
external printer is required since the ECR printer is used,
although additional external printers might be utilized.
A plurality of the POS terminals might be connected to
each other in a local area network (LAN). The ECR might
be connected either directly to a POS terminal or through the
60
local network controller which communicates with the net
worked POS terminals via one of the POS terminals which
serves as a network gateway.
intended to be construed as a limitation on the field of use
of the invention.
4. POS Terminal Offline
FIG. 11D illustrates an environment in which there is no
1. PIN Pad Module-electronic Cash Register (ECR) Inte
In this environment as illustrated in FIG. 11A, the POS
through a POS terminal which has a communications mod
ule including a modem and serves as the gateway terminal.
A POS terminal with its PIN pad module is clerk activated
and may be passed to the customer for PIN entry or an
optional PIN pad may be used. Magnetic stripe or integrated
circuit (IC) cards can be read. The gateway POS terminal
in different user environments. A few of these different user
terminal includes a core unit 30 which interconnects with a
environments with POS terminals networked together and
when ECR integration is not needed. The POS terminal
workstations in different lanes have no modem or commu
nications module but communicate with a remote host
The modular POS terminal allows for many different uses
grated
communications module 100, and an external printer 174. It
will be appreciated that only the POS terminal used as the
gateway 172 needs a communications module equipped with
a modem PCB. An external PIN pad might be used for
convenience.
The aforementioned environment is used for multi-lane
EXEMPLARY USER ENVIRONMENTS
environments will now be discussed. It will be appreciated
that the environments are purely exemplary and are not
one of the POS terminals functioning as a gateway terminal
POS terminal workstations each include a core unit 30, a
application file (256K) should take within 15 minutes
(compression will be used to reduce download time). A
communication module having ISDN capability or utilizing
a diskette might be used for large downloads. These
approaches will be looked at more closely if customers
begin moving toward higher memory configurations.
The PC Utility will also be used for key creation and key
injection into the PIN pad module. It might support common
key systems such as DUKPT, Master Key, Session Key,
Fixed Key. A preferred embodiment of the invention also
supports RACAL.
For secure downloading of an application, MACing is
used. A specific encryption key for MACing is stored in the
POS terminal or PIN pad module. The same key is used
when downloading an application to create a MAC value.
When a new application is downloaded, the MAC value is
compared against the MAC key received in the EDIR to
ensure that the code did not change during transmission and
that the application was sent by an approved source.
sale amount, selects payment type, and enters his/her PIN on
the key pad of the POS terminal. A receipt is printed on the
ECR printer.
2. Local Area Network (LAN)
terminal (gateway if on LAN). The application can request
this download to occur. If no application is loaded, a
terminal operator would have to manually start the down
load through the director. Remote download of a typical
170 through an appropriate ECR interface such as an RS485
interface (IBM 4680 tailgate), an RS232 interface (most
other ECRs), etc. A retail clerk operates the ECR 170. The
access to telephone lines. In this environment, the POS
65
terminal includes a core unit 30, a communications module
100 with battery pack 176 as a power source, a second IC
card reader incorporated within the communications module
6,065,679
65
100, and a charging stand (not shown). An integrated printer
66
What is claimed is:
1. A modular Point-Of-Sale (POS) terminal apparatus
108 is optional. This user environment is suited where small
comprising:
a core unit comprising a printed wiring board including a
processor and associated basic memory, a keypad for
inputting data, an integral display for displaying data
from the processor, and plural hardware-based inter
faces that, in use, support optional modules which may
cash transactions are done (ie. Outside food stands, news
paper stands, buses, flea markets). These environments need
portability and cannot access phone lines. The merchant
does not need to do authorization online because of small
transaction amounts and use of integrated circuit (IC) cards.
This configuration might be used in other environments
simply because of the unreliability of the telecommunica
tions systems.
be connected to said core unit, said core unit hardware
10
Transactions may be stored in a second IC card (“retailer
card”) or in POS terminal memory for later transfer to a host.
module,
a hardware-based smart card module interface for, in
PINs may or may not be used in this environment. The clerk
enters the sale amount, then hands the device to the customer
for inserting his/her card and PIN entry if any.
15
5. POS Terminal Online
Illustrated in FIG. 11E is an environment where the POS
terminal is used online. In this environment, the POS
Terminal includes a core unit 30, a standard communication
module 100 including modem, and integrated printer 108.
Optional elements are an external high speed printer as
opposed to an integrated printer, an external PIN pad, and a
20
second IC/smart card reader. When IC cards are used as bank
cards or for larger electronic purse transactions, online
authorization is needed periodically; i.e., when the transac
tion exceeds a certain amount or number of times used daily.
This is advantageous when IC cards are used in conjunction
with magstripe cards for bank cards. The POS terminal does
not need to be portable in many retail sites where placed at
point of sale. The clerk enters sale amount on the POS
terminal and then gives the customer the POS terminal for
card insert and PIN entry on the key pad of the POS
Terminal, or an external PIN pad can be attached when
preferred. A second IC card reader can be used to store keys
and encrypt data sent to the host.
6. POS Terminal Online—ECR semi-integrated
25
30
35
40
45
7. POS Terminal—Online IC Terminal/Portable
As illustrated in FIG. 11G, in this environment the POS
55
for their food.
according to claim 1, wherein the communication unit has an
input/output module retained between the top cover and the
bottom cover, the input/output module interconnecting to the
communication unit printed wiring board and providing a
plurality of serial ports; a modem module retained between
the top cover and the bottom cover, the modem module
interconnecting to the communication unit printed wiring
board and providing communication interface with a phone
line connector; and a Smart Card Reader (SCR) module
60
retained between the top cover and the bottom cover, the
SCR module interconnecting to the communication unit
printed wiring board.
65
claim 1, wherein the core unit printed wiring board further
includes an interface connector coupled to said fifth
hardware-based interface for, in use, connecting to the
interface connector of the communication unit printed wir
ing board.
6. A Point-Of-Sale (POS) terminal apparatus according to
the structure and function of the invention, the disclosure is
illustrative only, and changes may be made in detail, espe
cially in matters of shape, size, and arrangement of the parts
within the principles of the invention to the full extent
indicated by the broad general meaning of the terms in
which the appended claims are expressed.
according to claim 1, wherein the communication unit has a
modem module retained between the top cover and the
bottom cover, the modem module interconnecting to the
communication unit printed wiring board and providing
communication interface with a phone line connector.
5. A modular Point-Of-Sale (POS) terminal apparatus
50
RF, IR, etc., a battery pack 176, and a charging stand (not
shown). An integrated printer is optional. This environment
It is to be understood, that even though numerous char
acteristics and advantages of the invention have been set
forth in the foregoing description, together with details of
ing to the communication unit printed wiring board, said
SCR module being functionally connected to said core unit
4. A modular Point-Of-Sale (POS) terminal apparatus
POS terminal.
requires portability in addition to the ability to handle large
transaction amounts which require periodic online authori
zation. Typical environments would be restaurants, tempo
rary retail sites, arenas, etc. For example, orders might be
taken and paid for while a person is standing in line waiting
3. A modular Point-Of-Sale (POS) terminal apparatus
Smart Card Reader (SCR) module retained between the top
hardware-based smart card module interface via said inter
face connector.
core unit 30 and a standard communications module 100.
terminal includes a core unit 30, a portable communications
module 100 with wireless communication capability such as
2. A modular Point-Of-Sale (POS) terminal apparatus
according to claim 1, wherein the communication unit has an
input/output module retained between the top cover and the
bottom cover, the input/output module interconnecting to the
communication unit printed wiring board and providing a
plurality of serial ports.
cover and the bottom cover, the SCR module interconnect
terminal. In this environment, the POS terminal includes a
This environment is typical with older ECRs that can’t
handle EFT or when the retail operator chooses to separate
the EFT function from the ECR and have it handled by the
uses, supporting a smart card module,
a hardware-based memory interface for, in use, sup
porting an expansion memory module,
a hardware-based security module interface for, in use,
supporting a security module, and
a hardware-based data exchange interface for providing
data exchange with a communication unit printed
wiring board; and a communication unit including:
a top cover having an opening facing the core unit;
said communication unit printed wiring board
including an interface connector extending
through the opening to connect to the core unit
hardware-based data exchange interface; and
a bottom cover, wherein the top cover and the bottom
cover define a housing capable of retaining plural
optional modules.
according to claim 1, wherein the communication unit has a
FIG. 11F illustrates the same user environment as shown
in FIG. 11E except the POS terminal interfaces to an ECR
170 for transfer of sale amount and receipt printing by the
ECR. All host communication is still handled by the POS
based interfaces including:
a hardware-based magnetic stripe card reader interface
for, in use, supporting a magnetic stripe card reading
6,065,679
67
7. A Point-Of-Sale (POS) terminal apparatus according to
68
keypad interface circuitry for interfacing with said
keypad,
a processor bus interface unit,
said hardware-based memory interface including memory
management and write-protection circuitry,
a memory bus interface unit,
a programmable interrupt controller,
said hardware-based magnetic stripe card reader interface,
claim 6, wherein the core unit has a bottom side, and the
interface connector of the core unit is disposed on the bottom
side of the core unit.
8. A modular terminal apparatus as in claim 1 wherein
said communication unit printed wiring board includes a
first communication interface coupled to said interface con
nector for data exchange with the core printed wiring board
hardware-based data exchange interface, multiple further
communication interfaces for data exchange with said exter
nally connected peripheral devices, and further communi
cation interfaces for data exchange with said plural optional
10
modules.
9. A modular terminal apparatus as in claim 8 further
including an input/output/power printed wiring board
coupled to at least one of said core unit printed wiring board
and said communication unit printed wiring board, said
input/output/power printed wiring board including a power
supply that supplies power to at least some of said above
mentioned components, and an electrical connection
arrangement for electrically connecting to said externally
connected peripheral devices.
10. A modular terminal apparatus as in claim 1 wherein
said core unit hardware-based memory interface is config
ured to interface with static random access memory and
flash memory.
11. A modular terminal apparatus as in claim 10 wherein
said processor executes an operating system that is down
loadable into said static random access memory and/or flash
memory.
12. A modular terminal apparatus as in claim 1 wherein
one of said plural optional modules is a LAN module that
allows said terminal apparatus to communicate over a local
15
said core unit housing accepts a security module for
insertion into said housing access door and for coupling
to said hardware-based security module interface, said
security module including at least a secure memory;
and
25
said core unit further includes a tamper-resistant mecha
nism that detects when said access door is opened and
triggers erasure of said secure memory in response to
said detection.
30
35
40
22. A modular terminal apparatus as in claim 21 further
including a battery backed security circuit disposed on said
security module.
23. A modular terminal apparatus as in claim 21 wherein
said secure memory stores cryptographic keys, and said
security module performs encryption/decryption based on
said keys.
24. A modular terminal apparatus as in claim 21 wherein
said security module includes tamper detection circuitry.
25. A modular terminal apparatus as in claim 1 wherein
said core unit includes a housing providing a tamper
resistant barrier, and said core unit further includes a tamper
detection circuit that detects when said tamper-resistant
barrier has been breached.
45
50
26. A modular terminal apparatus as in claim 1 wherein
said core unit further includes a security module coupled to
said hardware-based security module interface, said security
module encrypting a personal identification number inputted
via said keypad.
27. A modular terminal base unit capable of being con
nected to optional modules adding or enhancing function
ality to said modular terminal base unit, said modular
terminal base unit comprising:
a processor,
a memory,
55
60
based interfaces.
20. A modular terminal apparatus as in claim 19 wherein
said application specific integrated circuit includes:
reset and power status circuitry,
display interface circuitry for interfacing with said
display,
said hardware-based security module interface,
said hardware-based data exchange interface,
a time division multiplexor channel, and
a byte bus channel.
21. A modular terminal apparatus as in claim 1 wherein:
said core unit includes a housing containing at least said
processor, said display, said keypad, and said core unit
hardware-based interfaces, said housing including an
access door;
20
area network.
13. A modular terminal apparatus as in claim 1 wherein
said keypad comprises a 19-key keypad comprising:
a twelve-key telephone style numeric pad,
three soft keys located adjacent the display, said soft keys
corresponding to software-defined commands on the
display, and
four additional function keys for initiating application
specific functions.
14. A modular terminal apparatus as in claim 1 wherein
said keypad includes a security tamper resisting circuit that,
in use, detects opening of the housing.
15. A modular terminal apparatus as in claim 1 wherein
said display comprises a bit-mapped liquid crystal display
panel.
16. A modular terminal apparatus as in claim 1 wherein
said core unit printed wiring board further includes a time
division multiplexed bus and a byte bus for communicating
with said communication unit printed wiring board.
17. A modular terminal apparatus as in claim 16 wherein
said byte bus provides a transaction based data communi
cation allowing for terminal communication expandability.
18. A modular terminal apparatus as in claim 16 wherein
said byte bus interfaces to the processor through only two
signal lines.
19. A modular terminal apparatus as in claim 1 wherein
said core unit printed wiring board includes an application
specific integrated circuit providing said core unit hardware
said hardware-based smart card interface,
a display,
a keypad, and
an application-specific integrated circuit coupled to at
least said processor, said application-specific integrated
circuit including display interface circuitry interfacing
with said display, keypad interface circuitry interfacing
with said keypad, a processor bus interface interfacing
with said processor, memory interface circuitry inter
facing with said memory, a magnetic stripe card reader
interface, a smart card reader interface, a security
module interface, and at least one further communica
tion interface for data exchange with at least one
65
external device.
28. A modular terminal base unit as in claim 27 further
including:
6,065,679
69
a housing containing at least said processor, said display,
said keypad, said memory and said application specific
integrated circuit, said housing including an access
door;
a security module for insertion into said housing access
door and coupling to said security module interface,
said security module including at least a secure
memory; and
a tamper-resistant mechanism that detects when said
access door is opened and triggers erasure of said
secure memory in response to said detection.
70
29. A modular terminal base unit as in claim 28 further
including a battery backed security circuit disposed on said
security module.
30. A modular terminal base unit as in claim 28 wherein
said security module memory stores cryptographic keys, and
said security module performs encryption/decryption based
on said cryptographic keys.
31. A modular terminal base unit as in claim 28 wherein
said security module includes tamper detection circuitry.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement