[0001] This invention relates to a franking machine system for updating the credit available
in a franking machine for franking mail items and in particular to a system for updating
the credit available in a plurality of franking machines. The invention also relates
to a controller for use in such a system.
[0002] Commonly, franking machines for franking mail items are provided with means to store
a value of credit available for use in franking items and as franking takes place
the credit value is decremented to correspond to the remaining credit available for
use. When the credit has been decremented to a predetermined minimum value the franking
machine is rendered inoperative to carry further franking of items. For reasons of
security and to prevent fraudulent use of the franking machine, the part of the machine
for carrying out accounting functions and for storing data relating to the use of
the machine, including the value of credit available, is contained within a sealed
secure housing. Access to this part of the machine by the user is not authorised and
updating of the credit value available can only be carried out by the postal authority.
Previously it has been necessary for the user to take the machine, or at least that
part of the machine which carries out accounting functions and stores the credit value,
to the postal authority and upon payment by the user the postal authority accesses
the machine to enter a new value of credit and then reseals the machine. In order
to overcome the inconvenience of needing to physically transport a part of the franking
machine to the postal authority it has been proposed to accomplish the operation of
updating of credit on the users premises by transmission of coded data by telephone.
In such proposals, generally the franking machine is constructed to generate a sequence
of codes, one being used at each credit updating. The postal authority provides to
the user, via the telephone, data in encrypted form which includes the current code
held in the franking machine. After decryption of the data, the machine compares the
internal and entered codes and if they agree the credit value is updated.
[0003] Known methods of updating credit in franking machines have been based upon the postal
authority having access either directly or via a telephone line with each individual
franking machine licensed by the postal authority. While this is satisfactory for
users with only a single franking machine, for users who have a number of franking
machines the present methods are inconvenient and involve the user and the postal
authorities in a large volume of financial accounting.
[0004] According to one aspect of the invention a franking machine system comprises a plurality
of franking machines; a controller; first communication means between each said franking
machine and said controller; said controller including register means to register
a total value of credit available for the system and means operable to distribute
amounts of credit via said first communication means to selected franking machines
and to decrement said total value of credit registered by said register means by said
distributed amounts of credit.
[0005] Preferably the controller is provided with second communication means operable to
communicate with a remote resetting computer to effect updating of the total value
of credit in said register means.
[0006] According to another aspect of the invention a controller for a franking machine
system as claimed in any preceding claim includes electronic accounting and control
circuits; first register means for storing data relating to usage of each franking
machine in the system; second register means for storing total value of credit available
for distribution to said franking machines; communication means for communicating
with said franking machines; said electronic accounting and control circuits being
operable in response to a request for an amount of credit from one of said franking
machines to read data from registers in that franking machine, to check said data,
to transmit a credit update signal to that franking machine and to decrement said
register means by said amount of credit.
[0007] Preferably the communication means is operable to communicate with a resetting centre
computer to effect a credit update transaction whereby a new credit value is authorised
and including means to enter said new credit value in the second register means.
[0008] An embodiment of the invention will now be described by way of example with reference
to the drawings in which:-
Figure 1 shows a franking machine system having a plurality of franking machines coupled
to a common controller in which the controller is used for transactions with a postal
authority resetting centre
Figure 2 is a block schematic diagram of the common controller shown in Figure 1
Figure 3 is a flow diagram of operational steps in a transaction between the common
controller and a postal authority computer and
Figure 4 is a flow diagram of operational steps in a transaction between the common
controller and one of the franking machines.
[0009] Referring first to Figure 1, a franking machine system is shown having a postal authority
resetting centre 10, a company or other organisation 11 which, as illustrated, consists
for example of a main or head office 12 at one geographical location and branch offices
13 at other locations. The postal authority resetting centre is equipped with a computer
14 with suitable data storage connected by means of a modem 15 to a telephone or data
communications network 16. The main office 12 of the organisation has a plurality
of franking machines 17 connected by means of a local area network 18 to a controller
19. The controller 19 is connected by means of a modem 20 to the telephone or data
communications network 16. If the organisation also has branch offices 13, as illustrated
in Figure 1, these also may be equipped with franking machines 21. These franking
machines 21 are connected to communication lines 22 by means of modems 23. The modem
20 at the main office 11 is also connected to the lines 22. It will be appreciated
that the lines 22 may be public telephone network lines or private lines dedicated
to communication between different locations of the organisation. The franking machines
17, 21 have electronic accounting and control circuits such as in currently available
franking machines. In addition the franking machines are provided with input/output
ports to enable data to be input from the controller 19 to the accounting and control
circuits of the franking machines and to enable data to be output from the accounting
circuits of the franking machines to the controller 19. A suitable form of input/output
port and interface circuits has been described in our co-pending UK patent application
No. 8708031. It will be appreciated that the computer 14 at the postal authority resetting
centre is able to communicate via the telephone network with controllers located in
other organisations having a plurality of franking machines connected to controllers
or to individual franking machines.
[0010] As is usual, the franking machines 17, 21 each contain electronic accounting circuits
and registers for maintaining a record of credit available for franking with that
machine and a record of franking transactions. For these purposes a descending register
registers the value of credit available for franking and the value is decremented
for each franking transaction carried out by a user. An ascending register registers
the accumulated value of franking used by the machine and a further register registers
the count of items franked by the machine. The registers are duplicated in order to
store multiple copies of each data value for reasons of maintaining the data in a
secure manner. The accounting and control circuits are housed in secure sealed housings
to prevent fraudulent use of the franking machines.
[0011] Usually when it is desired to enter credit in a franking machine, the postal resetting
authority updates the value of credit held in the descending register by the amount
of additional credit purchased and at the same time reads the current values held
in the ascending register and the item count register. However in the present franking
machine system, the controller 19 acts as a master in respect of remote credit updating.
Credit purchased by the organisation is set into the controller by the computer 14
at the postal authority resetting centre and this credit is subsequently distributed
to the individual franking machines 17, 21 by the controller. Similarly the readings
of the registers of the individual franking machines are read out by the controller
and subsequently the data is transmitted by the controller to the postal authority
computer 14. Thus updating of credit for use in the plurality of franking machines
by the postal authority computer and the transmitting of data relating to usage of
the franking machines is effected as a single transaction by the controller. Credit
transfer from the controller to any franking machine 17, 21 in the system may be carried
out in response to a request by a user of a particular franking machine or transfer
of a preset credit amount may be initiated automatically when the descending register
of the franking machine has descended to a preset low credit value.
[0012] Transmission of data between the controller and the postal authority computer and
between the controller and the franking machines is carried out with suitable transmission
protocols. For example if the controller is busy transacting a credit update or other
data transfer with the postal authority computer, transaction requests from the franking
machines to the controller are ignored. When the transaction with the postal authority
computer is completed, transaction requests from the franking machines are accepted
by the controller one at a time. Suitable clash avoidance techniques and messages
are utilised in communication between the controller and the franking machines.
[0013] Referring now to Figure 2, the controller 19 comprises a micro-controller 24 containing
program and working memories as well as control and arithmetic logic and input/output
circuits. The program memory stores the application software code for carrying out
the required operations of the controller. Dual non-volatile memories 25, 26 contain
status registers for the controller as well as registers for storing all the credit
and franking usage values of the system in accordance with the last transaction between
the controller and any franking machine. A real time clock 27 is provided to enable
transaction dates to be stored with the register values. A keyboard and associated
circuit 28 enables a user to enter commands to the micro-controller. One such command
may be to cause register values to be read and displayed on a digital display 29.
Another command would cause the controller to enter remote resetting mode in which
a request is transmitted to the postal authority computer for the issue of additional
credit to the controller. A further command could be used to cause the controller
to output data to a printer. Parameters of the franking machine system may be set
in the controller at the time of installation by means of a set of manually operable
switches 30. One such parameter is the number of franking machines connected in the
system. Other parameters may include the mode of connection to each franking machine.
If the parameters of the system are changed at any time, for example by the addition
of further licensed franking machines, the switches 30 are reset to reflect the new
parameters. Input/output circuits 31 are provided to enable the micro-controller 24
to communicate either directly or by means of a local area network 18 with the franking
machines 17. Further input/output circuits 32 are provided to enable the micro-controller
24 to communicate via the modem 20 with the postal authority computer 14 and with
other franking machines 21 connected via lines 22. Commonly available modems use a
standard known as RS232 and hence the circuits 32 are arranged to conform to this
standard to interface with commonly available modems. All external connections 33,
34, 35 from the input/output circuits 31, 32 are protected by means of protection
circuits 36. These protection circuits provide protection from damage to the micro-controller
24 and the memories 25, 26 due to the application of excess voltage to the external
connections. Such excess voltage may result from un0intentional electrostatic discharge
or may be as a result of fraudulent attempts to interfere with the contents of the
memories. Suitable protection circuits are described in our co-pending application
referred to hereinbefore. The electronic modules of the controller 19 are powered
from a power supply 37 receiving power from the electricity mains. The power supply
37 is provided with suppression circuits to prevent mains borne interference from
causing mal-operation of the controller. In addition the power supply 37 is provided
with under and over voltage detection circuits to ensure that in the event of either
condition, the micro-controller enters a routine whereby all circuits are set to a
state such that data is not lost or corrupted. All the circuit modules forming the
controller 19 are contained within a secure enclosure 38 which is sealed by means
approved by the postal authority to prevent unauthorised access to the circuit modules.
[0014] The flow diagram of Figure 3 shows the sequence of steps carried out when it is desired
to effect a transaction with the postal authority resetting centre computer. The sequence
is initiated by the user keying in a command on the controller keyboard 28 for the
controller to enter the remote resetting mode and keying in a personal identity number.
The controller stores personal identity numbers in the memories 25, 26 and the micro-controller
compares the entered number with those stored in the memories. If the entered number
is found to be an authorised number, the controller may automatically dial the telephone
number of the resetting centre to make a connection with the computer at the centre.
The computer 14 at the resetting centre then requests the controller to transmit the
serial numbers of all the franking machines in the system, corresponding register
values, transaction dates, a transaction identification code and any other data required
for recording and checking with existing data held by the resetting centre computer.
The controller encrypts this data and transmits it together with the serial number
of the controller to the computer 14. The computer utilises the controller serial
number to read a secure encryption key unique to that controller from a secure look
up table. The encrypted data is checked for errors in transmission and if any error
has occurred a fault error message is returned to the controller for display on the
display 29 and the transaction request is aborted. If the transmission is without
error an acknowledgement is returned to the controller. The computer 14 utilises the
encryption key read from the table and an algorithm using a first random table to
decrypt the encrypted data. The computer checks and records the register values from
the controller. If these values do not have the correct relationship with those values
currently held by the computer a fault error message is returned to the controller
and the transaction request is aborted. If the values are acceptable the controller
is instructed to display a request for the user to enter a value of new postage credit
payment required. This new value is checked against authorised limits and account
status and if this is found to be acceptable the computer utilises the encryption
key to encrypt a data block to be returned to the controller. This data block contains
a new transaction identification code generated by a pseudo-random number generator
such as a linear feed shift register, the new postage credit payment value and checking
data. The controller on receipt of this encrypted data block, decrypts it and updates
its registers including updating the descending register with the current new value
of credit available for distribution to the franking machines in the system. Time
limits are preset for the various interactive sequences of the computer 14 and the
controller 19 and tests are carried out to determine if these time limits are exceeded
for any of the sequences. If any time limit is exceeded the transaction is terminated.
During critical sequences of the transaction, power fail flags (P/F) are used to ensure
that satisfactory operation is completed when power is restored.
[0015] A similar sequence of operations is utilised to carry out a credit update transaction
between the controller and any selected one of the franking machines in the system.
Similar levels of security apply to transactions between the controller and the franking
machines and to transactions between the controller and the resetting centre computer.
However it will be appreciated that different algorithms and secure keys are utilised
in encrypting and decrypting for the two kinds of transaction.
[0016] The sequence of operations for updating the credit value of a franking machine by
the controller is shown in Figure 4. The franking machine requiring credit updating
transmits a transaction request to the controller. The initiation of the transaction
request may be by manual intervention of a user or may be effected automatically upon
the descending register of the franking machine being decremented to as preset minimum
credit value. If the controller is not busy carrying out another transaction it reads
the registers of the franking machine and from receipt of the serial number of the
machine, the controller looks up a secure franking machine key unique to that particular
franking machine. The data relating to register contents is encrypted by the franking
machine prior to transmission to the controller and is decrypted by the controller
utilising the secure franking machine key and an algorithm using a second random table.
The register values received by the controller are checked against values currently
held by the controller and the new received values are recorded. The controller then
verifies that the request for credit update key on the franking machine is set. The
controller may be programmed to issue preset amounts of credit to the franking machines
or to issue amounts of credit as requested through the franking machines. The amount
of credit required for the transaction is checked against the total amount of credit
available for distribution by the controller. If the amount is available the secure
key is utilised by the controller to encrypt a data block containing the value of
credit update, a new transaction identification code generated by a pseudo random
number generator and checking data. This is transmitted to the franking machine which
is thereby enabled to update its descending register. If the amount of credit required
by the transaction is not available for distribution by the controller an error message
is transmitted to the franking machine for display to the user and a transaction request
message is displayed on display 29 of the controller to alert a user to the need to
obtain new credit from the postal resetting authority. As will be seen from the flow
diagram, error messages are generated in response to a checking step indicating an
error.
[0017] The modems provided with the resetting computer, the controller and the franking
machines for communicating via the telephone system may be stand alone devices connected
by cables to the computer, controller and franking machines respectively or may be
constructed as circuits housed internally of the computer, controller and franking
machines.
[0018] While the franking machine system described hereinbefore utilises the public telephone
system to provide communication between the controller and the resetting computer
it will be appreciated that other methods of communication may be used. For example
a transportable memory unit such as described in our UK Patent application 8510096
and corresponding US Patent application Serial No. 853928 could be used. The memory
unit would be written with data by the resetting computer for updating credit in the
controller and accounting data relating to the use of the franking machines controlled
by the controller would be written into the memory unit for transmission to the resetting
computer. Similarly a transportable memory unit could be utilised as a communication
device between the controller and the franking machines.
1. A franking machine system characterised in that it comprises a plurality of franking
machines (17,21); a controller (19); first communication means (18,20,22,23) between
each said franking machine (17,21) and said controller (19); said controller including
register means (25,26) to register a total value of credit available for the system
and means (24) operable to distribute amounts of credit via said first communication
means (18,20,22,23) to selected franking machines (17, 21) and to decrement said total
value of credit registered by said register means (25,26) by said distributed amounts
of credit.
2. A franking machine system as claimed in claim 1 further characterised in that second
communication means (15,16,20) is provided operable to communicate between the controller
(19) and a remote resetting computer (14) to effect updating of the total value of
credit in said register means (25,26).
3. A franking machine system as claimed in claim 2 further characterised in that said
second communication means (15,16,20) includes a modem (20) connected to the controller
(19).
4. A franking machine system as claimed in claim 1, 2 or 3 further characterised in
that the first communication means (18,20,22,23) comprises a local area network (18)
interconnecting at least a group of said franking machines (17) and said controller
(19).
5. A franking machine system as claimed in claim 1, 2 or 3 further characterised in
that said first communication means (18,20,22,23) includes further modems (23,20)
) connected respectively to at least some of the franking machines (21) and to said
controller (19); and communication lines (22) for connecting the further modem (20)
connected to the controller (19) with the further modems (23) connected to the franking
machines (21).
6. A franking machine system as claimed in claim 5 further characterised in that the
modem (20) connected to the controller (19) is common to the first communication means
(20,22,23) and second communication means (15,16,20).
7. A franking machine system further characterised in that each franking machine (17,21)
includes means to transmit a credit update request signal to the controller (19);
and in that said controller (19) is operative in response to receipt of said request
signal from any one of said franking machines (17,21) to transmit a credit update
signal to that franking machine from which the request signal was transmitted; and
each franking machine (17,21) is operative in response to receipt of a credit update
signal to enter a new value of credit in a descending credit register.
8. A franking machine system as claimed in claim 8 further characterised in that each
franking machine (17,21 ) includes detection means operative in response to the value
of credit in its descending credit register being equal or below a preset level to
operate said means to transmit a credit update request signal.
9. A controller for a franking machine system as claimed in any preceding claim characterised
by the provision of electronic accounting and control circuits (24); first register
means (25,26) for storing data relating to usage of each franking machine (17,21)
in the system; second register means (25,26) for storing total value of credit available
for distribution to said franking machines (17,21); communication means (18,20,22,23)
for communicating with said franking machines (17,21); said electronic accounting
and control circuits (24) being operable in response to a request for an amount of
credit from one of said franking machines (17,21) to read data from registers in that
franking machine, to check said data, to transmit a credit update signal to that franking
machine (17,21) and to decrement said register means by said amount of credit.
10. A controller as claimed in claim 9 further characterised by communication means
(15,16,20) operable to communicate with a resetting centre computer (14) to effect
a credit update transaction whereby a new credit value is authorised and including
means to enter said new credit value in the second register means (25,26).
11. A franking machine system as claimed in claim 1 or 2 further characterised in
that the first communication means (20,22,23) includes a transportable memory unit.
12. A franking machine system as claimed in claim 2 further characterised in that
the second communication means (15,16,20) includes a transportable memory unit.