HK1199131B

HK1199131B - Payment device with integrated chip

Info

Publication number: HK1199131B
Application number: HK14112442.3A
Authority: HK
Inventors: K‧瓦格纳; D‧斯隆; B‧拜恩
Original assignee: 维萨国际服务协会
Priority date: 2011-08-08
Filing date: 2012-08-08
Publication date: 2019-06-28

Description

Payment device with integrated chip

Cross reference to related applications

This application is a non-provisional application of U.S. provisional patent application No.61/521,233 filed 8/2011 and claiming priority from that application date, the entire contents of which are hereby incorporated by reference.

Background

In order for businesses and merchants to improve their goods and services offered to consumers, merchants may collect additional data, such as sensitive or personal data related to consumers (e.g., geographic location, profile information of users, transaction history, or any other data from users, etc.), as well as feedback data about the consumer's experience at the merchant, and analyze the data for future use. The consumer may be asked to later fill out a questionnaire or answer questions, and may be provided with an incentive to fill out the questionnaire to provide additional feedback. However, such methods present additional data that falls into the hands of a lawbreaker and is used for fraud or other undesirable purposes. In addition, the filling of questionnaires is often too time consuming and cumbersome for the consumer.

Further, when the consumer later provides additional data for their experience at the merchant, the consumer may have forgotten the relevant details of the experience. Further, the merchant may also be unable to identify transactions associated with the consumer's experience, making it difficult for the merchant to target areas of improvement.

Further, the merchant or employee thereof may have access to the additional data, as the additional data is in some cases collected by the merchant or employee of the merchant. It is possible that the merchant or its employees may distribute the additional data and/or tamper with and forge the additional data.

Embodiments of the present invention address these and other problems, individually and collectively.

Disclosure of Invention

Embodiments of the invention relate to payment applications, systems, and methods.

One embodiment of the invention is directed to a method comprising: receiving additional data from a portable consumer device for conducting a transaction, wherein the additional data is encrypted and associated with the transaction; generating, by an access device, an authorization request message including the encrypted additional data; transmitting the authorization request message including the encrypted additional data to a server computer; and receiving an authorization response message from the server computer. Other embodiments relate to an access device that can perform the method.

Another embodiment of the invention is directed to a method comprising: receiving, from an access device operated by a merchant, an authorization request message including encrypted additional data regarding a transaction; decrypting, by the server computer, the encrypted additional data associated with the transaction; storing the decrypted additional data associated with the transaction in a database; determining whether the merchant is eligible to receive the decrypted additional data; and transmitting an authorization response message to the access device. Other embodiments of the invention relate to a server computer that can perform the method.

Another embodiment of the invention is directed to a method comprising: generating, by the mobile communication device, a prompt regarding the additional data; receiving the additional data at the mobile communication device; and transmitting the encrypted data to a server computer. The prompt may be in response to an interaction with the access device during the transaction, or may otherwise be associated with the transaction. Other embodiments of the invention relate to a mobile communication device that can perform the method.

These and other embodiments are described in more detail below.

Brief Description of Drawings

FIG. 1 is a block diagram illustrating a system according to one embodiment of the invention. The system includes the use of a mobile communication device such as a telephone.

FIG. 2 is a flow diagram illustrating a method of conducting a transaction according to one embodiment of the invention. Fig. 2 may relate to the system of fig. 1.

FIG. 3 is a block diagram illustrating a system according to one embodiment of the invention. The system includes the use of a payment card.

FIG. 4 is a flow diagram illustrating a method of conducting a transaction according to one embodiment of the invention. Fig. 4 may relate to fig. 3.

FIG. 5 shows a block diagram of a system according to an embodiment of the invention. The system includes the use of a mobile communication device, such as a telephone, and the encrypted additional data is passed to the mobile gateway rather than through the access device.

FIG. 6 is a flow diagram illustrating a method of conducting a transaction according to one embodiment of the invention. Fig. 6 may be described with reference to fig. 5.

FIG. 7 illustrates a block diagram of an exemplary access device, in accordance with various embodiments of the invention.

FIG. 8 illustrates a block diagram of an exemplary server computer in an exemplary payment processing network, in accordance with embodiments of the present invention.

FIG. 9 illustrates an exemplary database according to various embodiments of the invention.

Fig. 10 illustrates a block diagram of an exemplary mobile communication device in accordance with various embodiments of the invention.

FIG. 11 illustrates a block diagram of an exemplary computer-readable medium.

Fig. 12(a) shows an exemplary payment card with an integrated chip according to embodiments of the present invention.

Fig. 12(b) shows a block diagram of an exemplary integrated chip of a payment card according to embodiments of the present invention.

FIG. 13 illustrates an exemplary computer device that can be used in a system according to one embodiment of the invention.

Detailed Description

Many merchants or businesses that offer products or services may wish to collate customer information and receive customer feedback to improve the products or services to expand business and revenue. Currently, users have means to comment and rate businesses and merchants, for example, to share their experiences with other users through websites. These review forums allow users to research merchants and businesses to help them determine which merchants to patronize based on reviews and ratings of other users. However, these forums may not be as beneficial to merchants as it is difficult for merchants to associate particular reviews with particular transactions and/or users. As such, merchants may not be able to find effective strategies to improve their business because they cannot target areas of improvement if they cannot associate certain negative reviews or ratings with certain transactions. In addition, since anyone can register a review account with an existing review website, merchants can create fake reviews to change their ratings, affecting users' trust in using the rating service and motivation to rate the merchant. Embodiments of the present invention address this and other problems.

Embodiments of the present invention provide such systems and methods: additional data (e.g., information relating to the user, user feedback, the user's evaluation of the merchant, etc.) may be associated with a particular transaction, may be received by a portable consumer device such as a mobile phone or payment card at the time of the transaction, encrypted, and transmitted to an access device such as a point of sale terminal (POS terminal). The encrypted additional data may be transmitted to a server computer operated by a payment processing network (e.g., VisaNet) or an entity other than the merchant. A server computer in the payment processing network may decrypt the encrypted additional data and store the additional data in a database. At some point in time, the server computer may retransmit the decrypted additional data to the merchant.

Since the additional data is encrypted and only decrypted in the payment processing network (or an entity other than the merchant) before being transmitted to the access device (e.g., POS terminal), illegal distribution of the additional data, merchant tampering, and/or counterfeiting may be prevented. For example, by using embodiments of the present invention, a merchant cannot forge ratings data (e.g., change unfavorable reviews to favorable reviews) in an effort to generate additional business. Additionally, because the additional data is collected while the particular transaction is being conducted, the additional data (e.g., feedback, profile information of the user, etc.) may be directly associated with the particular transaction. This may bind the particular transaction with additional data, thereby providing the merchant or another party with a better analysis. For example, a particular review may be tied to a particular purchase, as well as a particular payment account. If, for example, negative reviews were provided by the consumer within a particular time window associated with these purchases, this may indicate that poor customer service may be provided at this time.

In embodiments of the invention, payment transactions may be conducted using a portable consumer device used by a user. The portable consumer device may be a mobile communication device (e.g. handheld terminal, mobile phone, PDA) with a specific application or may be a payment card with an integrated chip (e.g. smart card).

Also in embodiments of the invention, the portable consumer device may interact with the access device. The access device may be a mobile POS terminal that the merchant may present to the user at the time of the transaction. As described below, the user may input the additional data into the access device, and the access device may generate and transmit an authorization request message including the encrypted additional data to the payment processing network.

Embodiments of the invention using a mobile payment application on a portable consumer device, such as a mobile communication device or card, may include an integrated chip for cryptographic operations for payment security purposes. This integrated chip may be used in payment applications for conducting transactions to secure payments, as well as to collect, encrypt, store, and retransmit additional data associated with a transaction to a payment processing network (or entity other than a merchant).

Embodiments of the invention further enable a payment processing network or other entity to bundle the decrypted additional data associated with a particular transaction of a merchant. The merchant may subscribe to a service from a payment processing network or other entity that receives decrypted additional data associated with the transaction and/or the corresponding user. By requiring merchant subscriptions in order to access the additional data, the security of the system is increased. Transaction-specific additional data may be used by merchants for marketing or business research purposes. The additional data may be user profile information or feedback associated with a particular transaction, such as ratings. Since the feedback is associated with a particular transaction, merchants can easily determine what users like and dislike and target specific areas of improvement in their business to increase revenue.

Embodiments of the invention provide a payment processing network with additional data relating to transactions conducted by portable consumer devices. As noted above, the additional data may be what the merchant wishes to obtain. The payment processing network may sell this additional data to the merchant associated with the transaction. Additional data associated with the transaction may include data such as feedback, ratings, geographic location, profile information, transaction history of the user, or any other data from the user that may not otherwise be available to the merchant at the time of the transaction. Other examples of additional data may include questionnaires. For example, in embodiments of the present invention, the consumer may be prompted to answer a questionnaire to provide preferences regarding what types of food the consumer likes, shopping, cars, music, and so forth. As such, in some embodiments, the additional data need not relate to the particular merchant with which the current transaction is being conducted. The additional data may also be valuable to entities other than merchants (e.g., merchants).

Before discussing the various embodiments in greater detail, a number of terms will be described to provide a better understanding of the invention.

As used herein, a "portable consumer device" may include any suitable device that may be used to conduct financial transactions. The portable consumer device may be in any suitable form. For example, suitable portable consumer devices may be hand-held, small-sized, such that they may be placed in a consumer's purse and/or pocket (e.g., pocket-sized). They may include smart cards, key fob devices (such as the Speedpass marketed by Exxon-Mobil corporation)^TM) And so on. Other examples of portable consumer devices include mobile communication devices, payment cards, security cards, access cards, smart media, transponders, and the like. The portable consumer device may also optionally have features such as a magnetic stripe if the portable consumer device is in the form of a debit, credit or smart card. Such portable consumer devices may operate in a contact or non-contact mode.

As used herein, a "mobile communication device" (or "mobile device") may include any suitable electronic device capable of electronic communication. The exemplary electronic device can be transported to a merchant location and/or can be moved to a different location within the merchant location. As discussed below, the mobile communication device may include a computing device and further may be used to capture images of products at one or more merchant locations. Examples of mobile devices include smart phones, tablets, laptops, personal digital assistants, and so on.

As used herein, a "payment card" may include a card with an integrated chip. It may be able to communicate with an access device. The payment card may include payment data such as an account identifier, a security code, a card verification value, a dynamic card verification value, and a validity period. Additional information that may be stored on the payment card may include personal data, such as a photograph or other identifying information, that identifies the authorized user of the payment card. The payment card may also be a debit device (e.g., a debit card), a credit device (e.g., a credit card), or a stored value device (e.g., a stored value card). They may include smart cards, credit or debit cards (with magnetic strips), and the like.

As used herein, an "access device" may be any suitable device for communicating with a merchant computer or payment processing network, and for interacting with a payment device, a user computer device, and/or a user mobile device. The access device may generally be located at any suitable location, such as at a merchant's location. The access device may be in any suitable form. Some examples of access devices include POS devices, cellular phones, PDAs, Personal Computers (PCs), tablet PCs, handheld specialized readers, set-top boxes, Electronic Cash Registers (ECRs), Automated Teller Machines (ATMs), Virtual Cash Registers (VCRs), self-service terminals, security systems, access systems, websites, and so forth. The access device may use any suitable contact or contactless mode of operation to transmit data to or receive data from the payment device and/or the user mobile device, or to be associated with them. In certain embodiments, where the access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer readable medium. The reader may include any suitable contact or contactless mode of operation. For example, an exemplary card reader may include a Radio Frequency (RF) antenna, an optical scanner, a barcode reader, or a magnetic stripe reader to interact with a payment device and/or a mobile device.

As used herein, "transaction data" may include data relating to a transaction. In some embodiments, the transaction data may include data included in the authorization request message, included in the authorization response message, and/or generated by processing of the authorization message. For example, the transaction data may include a unique transaction identifier, transaction date and time, account number, transaction category code (e.g., credit card, debit card, ATM, prepaid, etc.), merchant code (e.g., MVV, DBA, etc.), ATM code, acquirer processor code, issuer code (e.g., BIN, etc.), issuer processor code, authorization category code (e.g., approval, decline, etc.), one or more error codes, transaction amount (e.g., settlement amount), cardholder or account holder information (e.g., name, date of birth, address, telephone number, etc.), Card Verification Value (CVV), expiration date, loyalty account information, and other information related to the transaction.

The "additional data" may include data that is not normally included in the transaction and is not normally transmitted with the transaction data in the authorization request message. Examples of additional data may include feedback, ratings, geographic location, personal information (e.g., images) of the user, a shopping profile of the user, an authentication message (e.g., cardholder) of the user, a device ID, or other data associated with the transaction and/or the user. The additional data may be collected from the user at the time of the transaction and may be encrypted. Further, in some embodiments, the additional data is created and entered exclusively by the user at the time of the transaction.

To prevent tampering or forgery of the additional data, the additional data may be encrypted. Encryption allows merchants, issuers, acquirers, and other entities to verify the identity of the source of the information (e.g., that the additional data came from a valid user) without allowing other parties, such as merchants, to tamper with the data.

An "authorization request message" may include an electronic message sent to a payment processing network and/or the issuer of the payment card to request authorization for the transaction. Authorization request messages according to some embodiments may conform to ISO8583, a standard of systems that exchange electronic transaction information associated with payments made by consumers using payment devices or payout accounts. The authorization request message may include an issuer account identifier that may be associated with the payment device or the payment account. The authorization request message may also include additional data elements corresponding to "identification information," including, by way of example only: a service code, CVV (card verification value), dCVV (dynamic card verification value), validity period, and the like.

The "authorization response message" may be an electronic message reply to the authorization request message. The authorization response message may be generated by the issuer financial institution or the payment processing network. The authorization response message may include, by way of example only, one or more of the following status indicators: approval-the transaction is approved; decline-transaction not approved; or call center-in response to holding more information, the merchant must call a free authorized telephone number. The authorization response message may also include an authorization code, which may be a code indicating approval of the transaction that the credit card issuing bank returned to the merchant's access device (e.g., POS device) in response to the authorization request message in the electronic message (either directly or through the payment processing network). The code may serve as a credential for authorization. As noted above, in some embodiments, the payment processing network may generate or forward an authorization response message to the merchant.

As used herein, a "payment processing network" may include a network for supporting and providing authorization services, exception file services, and clearing and settlement servicesData processing subsystems, networks, and operations. An exemplary payment processing network may include VisaNet^TM. Such as VisaNet^TMSuch payment processing networks are capable of processing credit card transactions, debit card transactions, and other types of commercial transactions. In particular, Visanet^TMIncluding a VIP system (Visa integrated payment system) that processes authorization requests and a Base II system that performs clearing and settlement services.

As used herein, an "acquirer computer" may be an entity that processes electronic payment transactions on behalf of or in cooperation with an acquirer to process electronic payment transactions.

As used herein, an "issuer computer" may be an entity that processes electronic payment transactions on behalf of or in cooperation with an issuer to process electronic payment transactions. The issuer processor may include data processing subsystems, networks, and operations for supporting and providing various services such as web gateways, risk management, plan management, authorization, exception documentation, and clearing and settlement services.

As used herein, a "server computer" may include a powerful computer or cluster of computers. For example, the server computer may be a mainframe, a microcomputer cluster, or a server group serving as one unit. In one example, the server computer may be a database server coupled to a web server. The server computer may be coupled to one or more databases and may include any hardware, software, other logic, or combination of the preceding for servicing requests from one or more client computers. The server computer may include one or more computing devices and may use any of a variety of computing structures, layouts, and compilations for servicing requests from one or more client computers.

FIG. 1 is a block diagram illustrating a system for conducting transactions according to one embodiment of the present invention. The system 10 includes a user 30 with a portable consumer device such as a mobile device 36, an access device 34, a merchant computer 22, an acquirer computer 24, a payment processing network (e.g., VisaNet) 26, and an issuer computer 28. One or more of these components may be operably coupled together. The system 10 may also include an evaluation server 29 that includes an evaluation database 31. The evaluation server 29 and the evaluation database 31 may be operated by another entity outside the payment processing network 26 or may be operated internally by the payment processing network 26. Further details regarding each of these components are provided below.

In one embodiment of the invention, the user 30 may wish to conduct a transaction. At some point during the transaction, the access device 34 may provide a prompt to the user 30 for additional data associated with the transaction. A prompt regarding the rating 36(a) may be displayed on the access device 34. The user 30 may then enter the rating into the mobile device 36 or the access device 34. For example, the user 30 may select a rating between 1 and 5 stars for the transaction, and the user 30 may select a4 star rating for the transaction. Information regarding the 4-star rating may be entered into the access device 34 or the mobile device 36. If additional data is not entered into the mobile device 36, the access device 34 may transmit the rating information to the mobile device 36.

Upon receipt, the mobile device 36 may encrypt the rating and may transmit the encrypted rating 36(b) to the access device 34. The mobile device 36 may communicate with the access device 34 in a wired or wireless (e.g., contactless) mode.

In other embodiments of the invention, the prompt for the rating 36(a) may be any suitable prompt for additional data not normally included in a conventional payment transaction. Other examples of additional data include user feedback, geographic location, authentication messages, and so forth.

After the access device 34 receives the encrypted data, it generates an authorization request message 34(a) that includes the encrypted rating 36 (b). The authorization request message 34(a) with the encrypted evaluation 36(b) is then transmitted from the access device 34 to the merchant computer 22, which merchant computer 22 transmits it to the acquirer computer 24 and to the server computer in the payment processing network 26.

A server computer in the payment processing network (e.g., VisaNet) 26 may delete the encrypted rating 36(b) from the authorization request message 34(a) and may decrypt the encrypted rating. The payment processing network 26 may then generate a second authorization request message 26(a) without the encrypted evaluation 36 (b). The second authorization request message 26(a) includes typical transaction data for authorization and is then transmitted to the issuer computer 28. The issuer computer 28 then determines whether to approve or deny the transaction.

In response, the issuer computer 28 generates an authorization response message 28(a), approves or denies the transaction, and transmits the authorization response message 28(a) to the payment processing network 26.

The payment processing network 26, after deleting the encrypted additional data 36(a) from the authorization request message 34(a) and decrypting it, may determine whether the merchant requested the evaluation information. The merchant may have subscribed to a "subscription service" to receive decrypted additional data (e.g., ratings) associated with the transaction.

In some embodiments, the payment processing network 26 may generate and transmit the subscription query 26(c) to the ratings server computer 29 or other entity coupled to the ratings database 31. If the rating server computer 29 determines that the merchant is a subscriber and, therefore, is eligible to receive decrypted additional data, the decrypted rating and associated transaction ID29(a) are stored in the rating database 31. In other embodiments, it may be desirable to store the data even if the merchant is not subscribed to, as other parties may wish to access the data. Other transaction data may be stored and associated with the decrypted rating, including an account identifier, a merchant ID, transaction details (e.g., a product purchased or a service received), and a transaction amount. The evaluation server computer 29 may generate and transmit a subscription response 29(b) to the payment processing network 26 to confirm whether the merchant is a subscriber.

Although the evaluation server 29 and the evaluation database 31 are shown as being located outside of the payment processing network 26, in other embodiments of the invention the evaluation server 29 and the evaluation database 31 may be present in the payment processing network 26.

When the server computer in the payment processing network 26 receives the subscription response 29(b) with confirmation that the merchant is subscribed to and thus eligible to receive the decrypted additional data (e.g., the decrypted rating), the payment processing network 26 merges the decrypted rating 36(c) with the authorization response message 28(a) from the issuer computer 28 to generate a modified authorization response message 26 (b). The authorization response message 26(b) includes the decrypted rating 36(c) and is transmitted through the acquirer computer 24 and to the merchant computer 22. The merchant computer 22 may delete the decrypted rating 36(c) from the authorization response message 26(b) and store it with the transaction data in a local database (not shown) for future analysis. It may also forward the authorization response message 26(b) to the access device 34.

In some embodiments of the invention, the decrypted rating may be transmitted directly from the payment processing network 26 to the merchant computer 22 and may be transmitted separately from the authorization response message.

Fig. 2 is a flow chart illustrating a method of conducting a transaction according to an embodiment of the invention described above. The user 30 may own the mobile device 36 to conduct transactions with the merchant 22 at the access device 34.

In step a1, the user 30 initiates a payment transaction with the merchant at the access device 34. For example, user 30 may take an item to a checkout counter at a retail store to initiate a transaction to purchase the item.

In step a2, the user 30 may be requested to present the mobile device 36 for payment by the access device 34. For example, after all items are scanned and transaction details (including a total) are displayed on the access device 34, the access device 34 may request a form of payment to complete the transaction to purchase the items.

In step a3, the user 30 presents the mobile device 36 for making a payment. The mobile device 36 may communicate with the access device 34 by tapping or touching the mobile device on the access device 34, or holding the mobile device 36 in the vicinity of the access device 34, so that they may communicate with each other wirelessly or by other non-contact means.

In step a4, user 30 may be prompted to provide additional data such as ratings or other feedback. The prompting may occur before or after the transaction begins. The additional data may also include additional payments, individual users, or other additional data associated with the transaction. In some embodiments, the user 30 may receive a prompt on the access device 34 to cause the mobile device 36 to interact with the access device 34. The user's mobile device 36, when in contact with the access device 34, may communicate with the access device 34 to display a prompt into the mobile device 36. The mobile device 36 may communicate with the access device 34 through contactless means (e.g., wireless communication).

In step a5, additional data (e.g., ratings) from the user 30 is encrypted by the mobile device 36, and the encrypted data is transmitted to the access device 34.

In step a6, the access device 34 receives the encrypted additional data from the user's portable consumer device (e.g., mobile device 36) and generates an authorization request message for transmission to the payment processing network 26. The authorization request message may include transaction data typically contained in the authorization request message. The transaction data may include payment information (e.g., payment card identifier, card verification value, etc.). In embodiments of the invention, the encrypted additional data (e.g., rating) is bundled with and included in the transaction data in the authorization request message transmission. In this manner, additional data can be collected in a secure manner without increasing the number of messages required for transmission or reception. In this manner, only minimal additional requirements are imposed on the computing resources in the system. In addition, it enables an existing system to perform the method according to the invention with no, or minimal, modifications.

In step a7, the payment processing network (e.g., VisaNet) 26 receives the authorization request message with the encrypted additional data (e.g., rating). The payment processing network 26 initiates authorization of the transaction using the transaction data from the authorization request message. In addition, the encrypted additional data (e.g., rating) may optionally be deleted from the authorization request message and decrypted, associated with the particular transaction using the transaction ID, and stored in the database with the associated transaction. The payment processing network 26 also determines whether the merchant subscribes to receive decrypted additional data (e.g., ratings) from the payment processing network 26. In other variations of the invention, the payment processing network 26 may communicate with another entity that includes a server computer (e.g., the ratings server 29 of fig. 1) and a database (e.g., the ratings database 31 of fig. 1) to determine whether the merchant is subscribed to and thus eligible to receive decrypted additional data associated with the transaction.

In step A8, after receiving the authorization request message including the encrypted additional data, the payment processing network 26 (e.g., VisaNet) deletes the encrypted additional data and generates an authorization request message without the encrypted additional data. The authorization request message without the encrypted additional data is transmitted to the issuer computer 28. The issuer computer 28 determines whether to authorize the transaction and generates an authorization response message indicating whether the transaction is approved or denied.

In step a9, the issuer computer 28 transmits an authorization response message to the payment processing network 26, where the authorization response message contains an indication that the transaction is approved or denied.

In step a10, the payment processing network 26 generates an authorization response message to be transmitted to the merchant computer 22. If it is determined in step a7 that the merchant is a subscriber, the payment processing network 203 bundles the decrypted additional data with the authorization response message. The payment processing network 26 then transmits the authorization response message to the merchant computer 22 along with the decrypted additional data (e.g., rating). If the merchant is not a subscriber, the payment processing network 26 will generate and transmit an authorization response message to the merchant computer 22 without the decrypted data.

The decrypted additional data is deleted from the authorization response message and stored at the merchant computer for analysis and use by the merchant. The authorization response message without the decrypted additional data is forwarded to the access device 34 for display to the user 30 and the transaction is complete.

FIG. 3 is a block diagram illustrating a system for conducting transactions according to one embodiment of the present invention. The system 30 includes a user 30 with a payment card 32. The access device 34, merchant computer 22, acquirer computer 24, payment processing network (e.g., VisaNet) 26, and issuer computer 28 may all be operatively coupled together. The system 10 may also include an additional data server 40 and an additional data database 42. Further details regarding each of these components are provided below.

In one embodiment of the invention, the user 30 may wish to conduct a transaction. At some point during the transaction, the access device 34 may prompt the user 30 for additional data associated with the transaction. A prompt for additional information 46(a) may be displayed on the access device 34. The user 30 may then enter additional information into the access device 34. For example, the user 30 may provide additional information, such as authentication data (e.g., a password), to the access device 34. It may be useful to encrypt additional information, such as a password, so that the merchant cannot obtain the password. This may increase the security level in the event that the merchant or an employee of the merchant is deemed to be unreliable.

In other embodiments, the prompt may come from the payment card 32 for display on the access device 34. The access device 34 then sends the collected additional data to the payment card 32 so that it can be encrypted.

Upon receipt, the payment card 32 may encrypt the additional information and may transmit the encrypted additional data 46(b) to the access device 34. The payment card 34 may communicate with the access device 34 in a wired or wireless (e.g., contactless) mode.

In other embodiments of the present invention, the prompt for additional information 46(a) may be any suitable prompt for additional data not normally included in a conventional payment transaction. Other examples of additional data include user feedback, geographic location, authentication messages, and so forth.

After the access device 34 receives the encrypted additional data, it generates an authorization request message 34(a) including the encrypted additional data 46 (b). The authorization request message 44(a) with the encrypted additional information 46(b) is then transmitted from the access device 34 to the merchant computer 22, which the merchant computer 22 transmits to the acquirer computer 24 and to the server computer in the payment processing network 26.

The server computer in the payment processing network (e.g., VisaNet) 26 may delete the encrypted additional information 46(b) from the authorization request message 44(a) and may decrypt the encrypted additional data. The payment processing network 26 may then generate a second authorization request message 48(a) without the encrypted additional data 46 (b). The second authorization request message 48(a) includes typical transaction data for authorization, which is then transmitted to the issuer computer 28. The issuer computer 28 then determines whether to approve or deny the transaction.

In response, the issuer computer 28 generates an authorization response message 48(b), approves or declines the transaction, and transmits the authorization response message 48(b) to the payment processing network 26.

The payment processing network 26, after deleting the encrypted additional data 34(a) from the authorization request message 44(a) and decrypting it, may determine whether the merchant requested additional information. The merchant may have subscribed to a "subscription service" to receive additional data associated with the transaction.

In certain embodiments, the payment processing network 26 may generate and transmit the subscription query 40(c) to the additional data server computer 40 or other entity coupled to the additional data database 42. If the additional data server computer 40 determines that the merchant is subscribed to, and therefore eligible to receive, the decrypted additional data, then the decrypted additional data and associated transaction ID40(b) are stored in the additional data database 42. Other transaction data may be stored and associated with the decrypted additional data, including an account identifier, merchant ID, transaction details (e.g., purchased product or received service), and transaction amount. The additional data server computer 40 may generate and transmit a reservation response 40(c) to the payment processing network 26 to confirm whether the merchant is reserved.

Although the additional data server computer 40 and the additional data database 42 are shown as being located outside of the payment processing network 26, they may be present in the payment processing network 26 in other embodiments of the invention.

When a server computer in the payment processing network 26 receives the subscription response 40(c) with confirmation of the merchant subscription and thus being eligible to receive decrypted additional data (e.g., the decrypted rating), the payment processing network 26 merges the decrypted additional data 46(c) with the authorization response message 48(b) from the issuer computer 28 to generate a modified authorization response message 48 (c). In other embodiments, other entities including the payment processing network may generate authorization response messages on behalf of the issuer. The authorization response message 48(b), including the decrypted additional data 46(c), is transmitted through the acquirer computer 24 and to the merchant computer 22. Merchant computer 22 may delete the decrypted additional data 36(c) from authorization response message 48(c) and store it in a local database (not shown) for future analysis. It may also forward an authorization response message 48(c) to the access device 34.

Fig. 4 is a flow chart illustrating a method of conducting a transaction according to an embodiment of the invention described above corresponding to fig. 3. The user 30 may have a payment card 32 to conduct a transaction with a merchant at an access device 34.

In step B1, the user 30 initiates a payment transaction with the merchant at the access device 34. For example, the user 30 may have just run out of a meal at a restaurant and be ready to pay a meal fee, and thus ask the waiter for a purchase order.

In step B2, the user 30 may be presented with a bill, and an access device 34, such as a mobile merchant POS terminal, where the payment card 32 is requested.

In step B3, the user 30 presents the payment card 32 for making a payment. In some embodiments, the payment card 32 may communicate with the access device 34 by tapping or touching the payment card 32 on the access device 34, or inserting the payment card 32 into the access device. Where the payment card 32 is a contactless payment card with an integrated chip, B3 may include holding the payment card 32 with an integrated chip in the vicinity of the access device so that they may communicate with each other wirelessly or by other contactless means.

In step B4, the user 30 may be prompted for additional data, such as geographic location, preferences, user images, shopping profiles, or other additional data associated with the transaction. The additional data may also include additional payment information, personal user information, etc., or other additional data associated with the transaction. In some embodiments, the additional data may be obtained directly from the payment card 32 without prompting the user (e.g., the geographic location data may be transmitted through the payment card or the mobile device, encrypted, and sent to the access device). In some embodiments, the user 30 may receive a prompt on the access device 34 to enter additional data and then interact with the access device 34 with the payment device 32 so that the user's payment card 32, when in contact with the access device 34, may communicate with the access device 34 to receive the additional data from the access device 34. The payment card 32 may communicate with the access device 34 through contactless means (e.g., wireless communication).

In step B5, the additional data entered by the user 30 on the access device 34 and received by the payment card 32 is encrypted by the payment card 32 and the encrypted additional data is transmitted to the access device 34. The user's payment card 32 is encrypted and the encrypted additional data is transmitted to the access device 34. No data from the user 30 or the user's payment card 32 is stored at the access device 34.

In step B4, the access device 34 transmits the additional data to the payment card 32. In step B5, the access device 34 receives the encrypted data from the payment card 32. These steps may coincide with a standard request for a password from the payment card 32, and subsequent transmission of the password from the card 32 to the access device 34. In the password request, terminal data (e.g., unpredictable numbers of the terminal and transaction amount) may be transferred from the access device 34 to the payment card 32. The processor in the payment card 32 may then generate a password using the application transaction counter and terminal data on the payment card. This password is then transmitted from the payment card to the access device 32. By combining the transmission of the additional data to the card with the request for the password, and by combining the transmission of the encrypted additional data with the transmission of the password, the additional data encryption process can be efficiently incorporated into the pre-existing communication process without creating an additional communication process.

Further details regarding known interaction protocols between payment cards and access devices (e.g., payment terminals) may be found in U.S. patent application No.11/536,307, filed on 28.9.2006, which is incorporated herein by reference in its entirety.

In step B6, the access device 34 receives the encrypted additional data from the user's payment card 32 and generates an authorization request message for transmission to the payment processing network 26. The authorization request message may include transaction data typically contained in the authorization request message. The transaction data may include user information (e.g., name, billing address, mobile device identifier, etc.), as well as payment information (e.g., payment card identifier, card verification value, etc.). In embodiments of the invention, the encrypted additional data is bundled with and included in the transaction data in the authorization request message transmission.

In step B7, the payment processing network (e.g., VisaNet) 26 receives the authorization request message with the encrypted additional data. The payment processing network 26 initiates authorization of the transaction using the transaction data from the authorization request message. In addition, the encrypted additional data is deleted from the authorization request message and decrypted, associated with the particular transaction using the transaction ID, and stored in the database with the associated transaction. The payment processing network 26 also determines whether the merchant subscribes to receive the decrypted additional data from the payment processing network 26. In other variations of the invention, the payment processing network 26 may communicate with another entity that includes a server computer (e.g., the additional data server 40 of fig. 3) and a database (e.g., the additional data database 42 of fig. 3) to determine whether the merchant is subscribed to and thus eligible to receive decrypted additional data associated with the transaction.

In step B8, after receiving the authorization request message including the encrypted additional data, the payment processing network 26 (e.g., VisaNet) deletes the encrypted additional data and generates an authorization request message without the encrypted additional data. The authorization request message is transmitted to the issuer computer 28. The issuer computer 28 determines whether to authorize the transaction and generates an authorization response message indicating whether the transaction is approved or denied.

In step B9, the issuer computer 28 transmits an authorization response message to the payment processing network 26, where the authorization response message contains an indication that the transaction is approved or denied. In other embodiments, the payment processing network 26 may generate and transmit an authorization response message on behalf of the issuer.

In step B10, the payment processing network 26 generates an authorization response message to be transmitted to the merchant computer 22. If it is determined in step B7 that the merchant is a subscriber, the payment processing network 26 bundles the decrypted additional data with the authorization response message. The payment processing network 26 then transmits the authorization response message to the merchant computer 22 along with the decrypted additional data. If the merchant is not a subscriber, the payment processing network 26 will generate and transmit an authorization response message to the merchant computer 22 without the decrypted additional data.

The decrypted additional data is deleted from the authorization response message and stored at the merchant computer for analysis and use by the merchant. In step B11, the authorization response message without the decrypted additional data is forwarded to the access device 34 for display to the user 30 and the transaction is complete. In some embodiments, an authorization response message may be transmitted from the access device 34 back to the payment card.

FIG. 5 shows a block diagram of a system according to an embodiment of the invention. The system 50 includes a user 30 with a portable consumer device such as a mobile device 36. The access device 34, merchant computer 22, acquirer computer 24, payment processing network (e.g., VisaNet) 26, and issuer computer 28 may be operatively coupled together. The mobile device 36 may be enabled to communicate with the payment processing network 26 through the mobile gateway 27. The system 50 may also include an evaluation server computer 29 that includes an evaluation database 31 therein. The evaluation server computer 29 and the evaluation database 31 may be operated by another entity outside the payment processing network 26 or may be operated internally by the payment processing network 26.

In one embodiment of the invention, the user 30 may wish to conduct a transaction. The user 30 may use the mobile communication device 36 to interact with the access device 34. The access device 34 and the mobile communication device 36 may communicate via short-range (e.g., less than 5 feet, preferably less than 0.5 feet) contactless communication protocols (e.g., short-range RF, Bluetooth)^TMIR, etc.) or may operate in a contact mode. The access device 34 generates an authorization request message 34 (a). The authorization request message 34(a) is then sent from the access device 34 to the merchant computer 22 for transmission to the acquirer computerMachine 24 and to a payment processing network 26.

The payment processing network 26 may then provide a prompt to the mobile device 36 of the user 30 communicating through the mobile gateway 27 regarding additional data associated with the transaction. For example, the mobile device 36 may display a prompt for additional data, such as an evaluation of the transaction. A prompt for the rating 36(a) may be displayed on the mobile device 36 and the user 30 may enter the rating into the mobile device 36. For example, the user 30 may select a rating between 1 and 5 stars for the transaction, and the user 30 may select a4 star rating for the transaction. The mobile device 36 may encrypt the rating and may transmit the encrypted rating 36(b) to the payment processing network 26 via the mobile gateway 27. The mobile device 36 may communicate with a server computer in the payment processing network 26 using a long range communication protocol. For example, the mobile device 36 may include an antenna that would enable it to communicate with a server computer in the payment processing network 26 through a cellular telecommunications network.

In other embodiments of the invention, the prompt for the rating 36(a) may be a prompt for additional data not normally included in the transaction data, such as user feedback, geographic location, authentication messages, or other user data.

The payment processing network (e.g., VisaNet) 26 may decrypt the encrypted rating. The payment processing network 26 may then forward the authorization request message 26(a), which includes typical transaction data for authorization, and transmit it to the issuer computer 28, where the issuer computer determines approval or denial of the transaction. In response, the issuer computer 28 generates an authorization response message 28(a), approves or denies the transaction, and transmits the authorization response message 28(a) to the payment processing network 26. In other embodiments, the payment processing network 26 may generate and send an authorization response message on behalf of the issuer.

The payment processing network 26, after receiving the encrypted additional data 36(b) from the mobile device 36 and decrypting it, may determine whether the merchant is subscribed to receive the decrypted additional data, such as the rating, associated with the transaction. The payment processing network 26 may generate and transmit a subscription query 26(c) to the ratings server 29 or other entity coupled to the ratings database 31. If the ratings server computer 29 determines that the merchant is subscribed and is therefore eligible to receive decrypted additional data, the decrypted ratings and associated transaction ID29(a) are stored in the ratings database 31. In some embodiments, the additional data is stored and/or processed regardless of whether an active subscriber subscribes to such additional data. Other transaction data may be stored and associated with the decrypted rating, including an account identifier, merchant ID, transaction details (e.g., product purchased or service received), and transaction amount. The evaluation server 29 may generate and transmit a subscription response 29(b) to the payment processing network 26 to confirm whether the merchant subscribes.

In other embodiments of the invention, the evaluation server 29 and the evaluation database 31 may be operated by the payment processing network, so that the determination of whether a merchant is a subscriber may be made within the payment processing network.

When the payment processing network 26 receives the subscription response 29(b) with confirmation that the merchant subscribes and is therefore eligible to receive decrypted additional data, such as an evaluation, the payment processing network 26 transmits the decrypted additional data (e.g., the evaluation) directly to the merchant computer 22. The decrypted additional data may be transmitted separately from the authorization response message 26 (b). The payment processing network 26 forwards the authorization response message 26(b) to the access device 34 via the acquirer computer 24 and the merchant computer 22. The decrypted rating 36(c) may be stored and used by the merchant computer 22 for analysis.

Fig. 6 is a flow chart illustrating a method of conducting a transaction according to an embodiment of the invention described above corresponding to fig. 5. The user 30 may own the mobile device 36 to conduct transactions with the merchant 22 at the access device 34.

In step C1, the user 30 initiates a payment transaction with the merchant at the access device 34. For example, user 30 may take an item to a checkout counter at a retail store to initiate a transaction to purchase the item. After all items have been scanned and transaction details (including totals) are displayed on the access device 34, the access device 34 may begin processing the transaction.

In step C2, the access device generates an authorization request message for transmission to the payment processing network 26. The authorization request message may include transaction data typically contained in the authorization request message. The transaction data may include payment information (e.g., payment card identifier, card verification value, etc.). The payment processing network (e.g., VisaNet) 26 receives the authorization request message.

In step C3, after the payment processing network receives the authorization request message from the access device 34, the payment processing network 26 transmits a prompt to the mobile device 36 of the user 30 to request additional data. For example, the mobile device 36 may operate an application that is activated when a transaction is initiated with the access device 34 such that after the payment processing network 26 receives the authorization request message, the mobile device 26 receives a prompt from the payment processing network 26 to display to the user 30 to request additional data, such as an evaluation of the transaction.

In step C4, the user 30 enters additional data into the mobile device 36. The additional data may also include additional payments, individual users, or other additional data associated with the transaction. Additional data (e.g., ratings) from the user 30 is encrypted by the mobile device 36 and the encrypted additional data is transmitted to the payment processing network 26, bypassing the merchant computer 22 and the access device 34. The encrypted additional data may pass through the mobile gateway 27.

In step C5, the payment processing network 26 initiates authorization of the transaction using the transaction data from the authorization request message. In addition, the encrypted additional data (e.g., ratings) received from the mobile device 36 is decrypted, associated with the particular transaction using the transaction ID, and stored in the database with the associated transaction. The payment processing network 26 also determines whether the merchant subscribes to receive decrypted additional data (e.g., ratings) from the payment processing network 26. In other variations of the invention, the payment processing network 26 may communicate with another entity including a server computer (e.g., the ratings server 29 of fig. 5) and a database (e.g., the ratings database 31 of fig. 5) to determine whether the merchant is subscribed to and thus eligible to receive decrypted additional data associated with the transaction.

In step C6, after receiving the authorization request message, the payment processing network 26 (e.g., VisaNet) prepares the authorization request message for forwarding to the issuer computer 28. The issuer computer 28 determines whether to authorize the transaction and generates an authorization response message indicating that the transaction is approved or denied. In other embodiments, the payment processing network 26 may operate on behalf of an issuer.

In step C7, the issuer computer 28 transmits an authorization response message to the payment processing network 26, where the authorization response message contains an indication that the transaction is approved or denied.

In step C8, the payment processing network 26 generates an authorization response message to be transmitted to the merchant computer 22. If it is determined in step A5 that the merchant is a subscriber, the payment processing network 26 may bundle the decrypted additional data with the authorization response message. In other embodiments, the decrypted additional data may be sent to the merchant computer 22 without being present in the authorization response message. The payment processing network 26 then transmits the authorization response message to the merchant computer 22 along with the decrypted additional data (e.g., rating). If the merchant is not a subscriber, the payment processing network 26 will generate and transmit an authorization response message to the merchant computer 22 without the decrypted additional data.

The decrypted additional data is deleted from the authorization response message and stored at the merchant computer for analysis and use by the merchant. In step C9, the authorization response message without the decrypted additional data is then forwarded to the access device 34 for display to the user 30 and the transaction is complete. In some embodiments, the authorization response message may be returned to the mobile device 36 (e.g., through the mobile gateway 27 or through the access device 34).

While the embodiments of the invention described with reference to fig. 5-6 include encrypting the additional data in the mobile device and then transmitting the encrypted data to the central server computer, in these embodiments, such encryption is not necessary. For example, if the additional data is an evaluation, this additional data may be transmitted to an operation review website (e.g., Yelp)^TM) The central server of (1). The additional data may be linked to the actual transaction data so that the review website can verify that the posted reviews are bound to actual transactions and are not posted by people who have not made actual transactions.

The following provides a description of certain devices (and components of such devices) that may be used in the systems and methods described above. These devices may be used, for example, to receive, transmit, process, and/or store data relating to any of the functions described above. The devices described below may have only some of the components described below, or may have additional components, as will be appreciated by those skilled in the art.

Referring to fig. 7, an exemplary access device 34 is shown. The exemplary access device 34 is shown as including a number of hardware elements and software modules (301-310). However, it should be understood that this is provided for illustrative purposes only, and that each of the modules and associated functionality may be provided and/or performed by the same or different components.

The access device 34 includes a processor 301, a system memory 302 (which may include volatile and/or non-volatile memory such as, for example, buffer memory, RAM, DRAM, ROM, flash memory, or any other suitable combination of memory devices), and an external communication interface 303. It may also include a display 304, a non-contact element 305, an input element 306, and a printer 307, all operatively coupled to the processor 301. In other embodiments, the access device 34 may also have a contact element (not shown) for contact-based transactions, wherein the access device 34 contacts the portable consumer device.

The access device 34 may include software modules, such as a calculation module 308, that use the transaction data to calculate transaction amounts, such as subtotals, taxes, discounts, and totals for the transaction. This transaction data may also be used to generate a receipt, executed by the receipt generation module 309. Further, the printer 307 may print a receipt or other related transaction data, such as a coupon.

The access device 34 may also include a contactless element 305 that communicates with a suitable portable consumer device. The access device 34 may receive information from a user through an input element 306, such as a keypad. Any received information may be transmitted to an appropriate module within computer 300 (e.g., via data bus 350).

The access device 34 may also receive additional data from a payment card, portable consumer device, or mobile device that communicates through the contactless element 305. The received information, transaction information, and additional data may be used to generate an authorization request message in a suitable data format that conforms to the transmission protocol so that the message may be sent to the issuer or payment processing network. The authorization request message may be generated by authorization request generation software module 310 and may then be passed to external communication interface 303 for transmission. As such, the access device 34 is able to generate an authorization request message that, in some embodiments, includes the encrypted additional data. The access device 34 may then transmit the authorization request message to a server computer operated by the payment processing network, the acquirer, and/or the issuer. The external communication interface 303 may receive the authorization response message or transmit the authorization request message to the issuer, acquirer, or payment processing network. As such, the access device may also receive authorization response messages from server computers operated by the payment processing network, the issuer, and/or the acquirer.

Referring to fig. 8, an exemplary server computer 200 in the payment processing network 26 is shown. The exemplary server computer 200 is shown to include a number of hardware and software modules (201) and 211.

The exemplary server computer 200 includes a processor 201, a system memory 202 (which may include any combination of volatile and/or non-volatile memory such as, for example, cache memory, RAM, DRAM, ROM, flash memory, or any other suitable memory device), and an external communication interface 203. Further, one or more of the modules 204 and 211 may be disposed within one or more of the components of the system memory 202, or may be disposed externally.

The communication module 204 may be configured or programmed to receive and generate electronic messages. When an electronic message is received by the server computer 200 through the external communication interface 203, it may be passed to the communication module 204. The communication module 204 may identify and resolve relevant data based on the particular messaging protocol used in the system 10. The received information may include, for example, identification information, transaction information, and/or any other information that the payment processing network 26 may use to authorize financial transactions or perform settlement and clearing processes. The communication module 204 may then transmit any received information to the appropriate module within the server computer 200 (e.g., via the data bus 250). The communication module 204 may also receive information from one or more of the modules in the server computer 200 and generate an electronic message in a suitable data format that conforms to the transmission protocol used in the system 10 so that the message may be sent to one or more components within the system 10. (to the issuer computer 28 or the merchant computer 22). The electronic message may then be passed to the external communication interface 203 for transmission. The electronic message may, for example, include an authorization response message (e.g., for transmission to the merchant conducting the transaction) or may be an authorization request message to be transmitted or forwarded to the issuer.

The database query module 205 may be programmed or configured to perform some or all of the functions associated with retrieving information from one or more databases. In this regard, the database query module 205 may receive a request from one or more of the modules of the server 200 (such as the communication module 204, the authorization module 208, or the settlement module 209) for information that may be stored in one or more of the databases. The database query module 205 may then determine and query the appropriate database.

The report generation module 207 may be programmed or configured to perform some or all of the functions associated with generating a report of information or categories of information about a user, an account, one or more transactions, or about any other entity of the system 10. This may include, for example, identifying patterns (such as patterns indicative of fraudulent one or more transactions), generating one or more alerts that may be sent (e.g., through communication module 204 and external communication interface 203) to one or more entities in system 10 (including users, merchants, or issuers). The report generation module may also request information from one or more of the databases, for example, through the database query module 205.

The authorization module 208 may be configured or programmed to perform some or all of the functions associated with authorizing a financial transaction associated with an authorization request message.

The payment processing network 26 may further include a decryption module 210, and the decryption module 210 may receive the encrypted additional data and decrypt the additional data. In some embodiments of the invention, the additional data may be an evaluation of the transaction. The payment processing network 26 may also include an evaluation module 211 to parse, process, and interpret the decrypted evaluation. For example, some evaluations may be a numerical range of 1 to 10, or 1 to 5 stars. In addition, the evaluation module is not limited to evaluation, and the payment processing network 26 may also include other modules for processing other types of additional data that may be encrypted/decrypted.

Fig. 9 shows an exemplary evaluation database 31, or additional data database 42. The ratings database 31 may include a look-up table of various fields 2202- & 2218. Each field may include data relating to the transaction and/or user, such as transaction ID2202, account identifier (e.g., PAN) 2204, rating of the transaction (or other additional data) 2206, merchant ID2210, payment data (e.g., payment card information) 2212, transaction amount 2214, and/or transaction data (e.g., items purchased, services provided) 2208.

As shown in fig. 9, additional data such as evaluations, authentication data, surveys, etc. may be stored in the database along with the actual transaction data. By doing so, the additional data is more meaningful and realistic.

Fig. 10 shows a block diagram of components of an exemplary mobile device 36. The exemplary mobile device 36 shown in fig. 10 may include a computer readable medium 36(b) residing within a body (or housing) 36(h), or the computer readable medium 36(b) may be separate from the device. The computer-readable medium 36(b) may be in the form of a memory that stores data. The memory may store information such as financial information, transit information (e.g., as in a subway or train transit), access information (e.g., access badges), serial numbers, mobile account information, and any other suitable information. In general, any of this information may be transmitted by the mobile device 36 (such as to the access device 34) by any suitable method, including using the antenna 36(a) or the contactless element 36 (g). The body 36(h) may be in the form of a plastic substrate, housing, or other structure.

In some embodiments, the mobile device 36 may also include a contactless element 36(g), which contactless element 36(g) is typically a semiconductor chip (or other data storage element) and is implemented using a form of associated wireless transmission (e.g., data transmission) element, such as an antenna, for long-range communications. The contactless element 36(g) may be coupled to (e.g., embedded within) the mobile device 36, and data or control instructions transmitted over a cellular network may be applied to the contactless element 36(g) through a contactless element interface (not shown). The contactless element interface is used to exchange data and/or control instructions between the mobile device circuitry and the optional contactless element 36(g), or between another device having a contactless element (e.g., a POS terminal or payment device). The contactless element 36(g) is capable of transmitting and receiving data using a short-range wireless communication function. As noted above, the mobile device 36 may include components that may act as an interrogator device (e.g., receive data) and a device that is interrogated (e.g., transmit data). As such, the mobile device 36 is capable of communicating and transmitting data or control instructions over a cellular network (or any other suitable wireless network, e.g., the Internet or other data network) and over close range communications.

The mobile device 36 may also include a processor 36(c) (e.g., a microprocessor) for processing the functions of the telephone 36 and the display 36(d) to enable the consumer to view telephone numbers and other information and messages. The mobile device 36 may also include an input element 36(e) for a user to input information into the device, a speaker 36(f) for a user to hear voice communications, music, etc., and a microphone 36(i) for a user to transmit her (his) voice through the mobile device 36. The mobile device 36 may also include an antenna 36(a) for wireless data transmission.

Fig. 11 illustrates an exemplary non-transitory computer readable medium 36(b) of the mobile device 36. The computer-readable medium 36(b) may include a plurality of software modules. The mobile device 36 may execute an operating system 3600 in operable association with the communication module 3602. The operating system 3600 may enable the communication module 3602 to activate mobile communication functions on the mobile device, e.g., enable Wi-Fi or telecommunications connectivity. Further, the operating system 3600 may also be linked to mobile applications 3604 to enable the mobile device to run applications to perform tasks. The mobile application 3604 according to embodiments of the present invention may also include a plurality of software modules including, but not limited to, a transaction module 601, a payment card module 602, an evaluation module 603, and an encryption module 604. The transaction module 601 may process transaction details when the mobile device is being used to conduct a transaction. The payment card module 602 may store and manage payment cards (e.g., credit cards, debit cards, bank accounts) used to pay for transactions made. The evaluation module 603 may display and receive the evaluation or, alternatively, in other embodiments, additional data associated with the transaction. The evaluation module 603 may then send the collected evaluation to the encryption module 1302 for encryption and then transmit it to the payment processing network 26 or the access device 34. The encryption module 604 (as well as any other encryption modules described herein) may encrypt the additional data described above using any suitable encryption process, including DES, AES, and the like.

Fig. 12(a) shows an example of a payment device 32 "in the form of a card. As shown, the payment device 32 "includes a plastic substrate 32 (m). In some embodiments, an integrated chip 32(o) (e.g., a contactless chip) for connecting with the access device 34 may be present on or embedded within the plastic substrate 32 (m). Consumer information 32(p) such as account number, expiration date, and/or user name may be printed or embossed on the card. The magnetic strips 32(n) may also be located on the plastic substrate 32 (m). In some embodiments, the payment device 32 "may include a microprocessor and/or memory chip in which user data is stored.

As indicated and shown in fig. 12(a), the payment device 32 "may include a magnetic stripe 32(n) and an integrated chip 32 (o). In some embodiments, both the magnetic stripe 32(n) and the integrated chip 32(o) may be in the payment device 32 ". In some embodiments, either the magnetic stripe 32(n) or the integrated chip 32(o) may be present in the payment device 32 ".

As shown in fig. 12(b), the integrated chip 32(o) according to embodiments of the present invention may also include a plurality of software modules, including, but not limited to, a payment data module 1306, an evaluation module 1308, a contactless module 1304, and an encryption module 1302. The encryption module may have similar functionality as encryption module 604 in fig. 11. The contactless module 1304 may enable the payment card 32 to wirelessly communicate with the access device 34 so that holding the payment card in proximity to the access device enables communication for conducting transactions. The payment data module 1306 may store and manage payment data (e.g., credit card, debit card, bank account) for making payments for transactions made. Additional data module 1308 can receive additional data associated with the transaction. The additional data module 1308 may then send the collected additional data to the encryption module 1302 for encryption and then transmit it to the access device 34.

FIG. 13 illustrates an exemplary computer device in which embodiments may be implemented, according to embodiments of the invention. Any of the computer systems described above (e.g., client computers, server computers on a payment processing network, computer devices at a merchant, etc.) may be implemented using system 400. A computer system 400 is shown including hardware elements that may be electrically coupled via a bus 424. The hardware elements may include one or more Central Processing Units (CPUs) 402, one or more input devices 404 (e.g., a mouse, a keyboard, etc.), and one or more output devices 406 (e.g., a display device, a printer, etc.). Computer system 400 may also include one or more storage devices 408. By way of example, storage 408 may include devices such as disk drives, optical storage devices, solid state storage devices such as random access memory ("RAM") and/or read only memory ("ROM"), which may be programmable, flash updateable, and/or the like.

The computer system 400 may additionally include a computer-readable storage media reader 412, a communication system 414 (e.g., modem, network card (wireless or wired), infrared communication device, etc.), and a working memory 418 that may include RAM and ROM devices as described above. In some embodiments, the computer system 400 may also include a processing acceleration unit 416, which may include a DSP, a special purpose processor, and/or the like.

The computer-readable storage media reader 412 may also be connected to a computer-readable storage medium 410 (and optionally in conjunction with storage device 408), which comprehensively represents remote, local, fixed, and/or removable storage devices plus storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information. The communication system 414 may allow data to be exchanged with a network and/or any other computer described above with reference to the system 400.

The computer system 400 may also include software elements, shown as being currently located within the working memory 418, including an operating system 420 and/or other code 422, such as an application program (which may be a client application program, a web browser, a mid-tier application program, an RDBMS, etc.). It should be understood that alternative embodiments of computer system 400 may have many variations of those described above. For example, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including lightweight software such as applets), or both. Further, connections to other computing devices, such as network input/output devices, may also be used.

Embodiments of the present invention have many advantages. In embodiments of the invention, user feedback or additional data about the transaction and/or merchant is prevented from being tampered with by the merchant by encrypting the feedback at the time of the transaction before being transmitted to the merchant. This is done by having the user enter additional data (e.g., ratings) on the mobile device (or information may be generated from the mobile device in some other way), where it is encrypted. The encrypted additional data is then sent to a payment processing network (e.g., VisaNet) as additional data specific to the transaction, either through an authorization request message from the merchant or through some other means (e.g., directly from the mobile device).

One example of such additional data is a rating of the merchant (e.g., 0-5 stars) showing the purchasing experience. At payment time, the mobile payment application may display a menu on the mobile device display where the user may enter or select 0 to 5 stars. In other embodiments, the user may use a payment device, such as a smart card, which may initiate a menu or other prompt regarding data to display on the merchant POS terminal when communicating with the merchant POS terminal.

One advantage is that this additional data (e.g., rating) may be meaningful to the merchant accepting the payment transaction, but to prevent the merchant from tampering with the additional data, the additional data is encrypted, and the payment processing network controls access to the decrypted additional data. The merchant is only allowed access to the decrypted additional data by subscribing to receive the data.

The user would benefit from providing additional data such as evaluating his or her experience and sharing the evaluation with other users for future reference where and with whom to conduct the transaction. There are existing means (e.g., Yelp, TripAdvisor, Google title, and other similar services) that allow users to rate and share their ratings with other users. However, in current existing services, user ratings are not fully protected from merchant tampering or for merchant protection. Encrypting the additional data (e.g., ratings) in case the merchant ensures security and protects the authenticity of the user ratings, thus encouraging users to provide feedback and trust that their (and other users') feedback will be accurate and not tampered with.

In embodiments of the invention, the merchant may benefit from the rating associated with a single transaction, which may be encrypted to ensure that it is not modified in transit, thus making the merchant confident that the rating was provided by the actual consumer, and not by a person who is registered with the review service and provides fraudulent ratings, as this person is never the nearest customer or is not the customer at all.

Other advantages of embodiments of the invention relate to merchants. Additional data, such as feedback or ratings from the user, may be meaningful to the merchant. In existing user feedback services (e.g., Yelp), user ratings are minimally useful to merchants because, depending on the details provided by the user in the reviews, the merchants may or may not be able to determine the particular transaction to which the rating or review refers. In embodiments of the present invention, data (e.g., ratings) provides more detail to merchants because user ratings are directly associated with a particular transaction, as opposed to ratings or reviews that merchants may see in Yelp, or other rating services. This data is therefore valuable to merchants because it can be used in more targeted marketing and/or improvement to the business of merchants to increase revenue.

Other advantages of embodiments of the invention relate to payment processing networks. The payment processing network may operate a subscription service in which merchants are provided with various levels of access to the collected decrypted additional data (e.g., ratings), the highest level of subscription providing the original ratings received at the time of the transaction, and lower levels of subscription providing batch processed data that may associate merchant terminal IDs with ratings but not with individual purchases. In this manner, merchants are encouraged to subscribe to services provided by the payment processing network, increasing revenue for the payment processing network.

Embodiments of the present invention also establish relationships between users, merchants, and payment processing networks by providing protection, offers, and advantages to all parties during a transaction. Furthermore, enforcing the relationship with the user also establishes the user's loyalty to the merchants and the payment processing network, thus increasing the duplicate traffic with merchants and other merchants (subscribers) and the revenue of the merchants and the payment processing network.

Embodiments of the present invention may use existing techniques and systems for payment processing with no or minimal changes. In existing payment processing systems and methods, the authorization request message may contain a supplemental data field (e.g., field 55), where encrypted additional data elements (e.g., ratings) may be stored. As such, the merchant POS terminal may transmit the authorization request message to the payment processing network along with the encrypted additional data contained in field 55. The payment processing network may be allowed to (1) understand field 55 or other supplemental data field, (2) decrypt the encrypted additional data, and (3) store and/or send back the decrypted additional data in the generated authorization response message, depending on the merchant's subscription status. The subscription status of the merchant may be determined by looking up the merchant identifier in a table or database in the payment processing network.

In other embodiments of the invention, additional data may be collected from the user during the transaction. Examples of the additional data will be described below.

The user or mobile device may provide where the transaction was last conducted. This may enable merchants, and/or other interested parties to collect data and track patterns where users conduct transactions and how they relate to the types of transactions conducted.

The mobile device may provide a photograph of its registered user or account holder of the payment device used in the transaction, allowing the merchant to immediately authenticate the person conducting the transaction to ensure that the mobile device has not been stolen. The photos may be digitally signed by an integrated chip in the mobile device or smart card so that the integrity of the photos is protected and cannot be replaced with new photos in case of theft. The signature on the photo may be used to verify the photo at the POS terminal using suitable software and display it on the POS terminal.

In embodiments of the invention, the payment processing network may include systems and processes to manage, encrypt/decrypt, and sell received data. This may be performed by a server computer comprising a processor and a computer readable medium comprising code executable by the processor.

In other embodiments of the invention, the payment processing network may be associated with a publisher of the ratings, such as Yelp, tripad visor, Google (Latitude), Yahoo, Microsoft, Facebook, or other entity. This may be beneficial so that the user can go anywhere and see how the merchant rates through multiple locations based on the user's preferences. Further, the ratings data may be used by such sites to verify that the reviews are actually associated with a genuine purchase transaction. This may make the comments more realistic and reliable.

In other embodiments, the electronic wallet may be used with a mobile communication device or other device, with embodiments of the present invention. A wallet may be used to conduct transactions. Electronic wallets may be used in a variety of transactions including, but not limited to, e-commerce, social networking, funds transfer/personal payments, mobile commerce, near field payments, gaming, and/or the like. For example, a user may participate in electronic commerce through an electronic wallet for retail purchases, digital merchandise purchases, and utility fee payments. The user may also purchase game programs or game scores from a gaming website using, for example, an electronic wallet, and transfer funds to friends via a social network. Further, the user may also use an e-wallet on a smart phone to make retail purchases, purchase digital goods, make NFC/RF payments at a point of sale (POS) terminal, for example.

In an exemplary transaction involving an electronic wallet, the consumer may submit an indication of a purchase or transfer. For example, a consumer may visit a merchant website (e.g., facebook.com, amazon.com, etc.) and request to purchase goods from the website, transfer funds to friends, and/or the like. The merchant website may determine whether the e-wallet is authorized on its website and may provide a list of payment options. If the merchant has registered with the e-wallet server, the e-wallet server may authorize the merchant to collect consumer credentials for logging into the e-wallet, and the merchant website may prompt the consumer to log into the e-wallet. Otherwise, the merchant website may request that the consumer provide payment details (e.g., credit card, debit card, PayPal account) in place of the payment option.

The consumer may authorize submission of their wallet consumer credentials, such as, but not limited to, a wallet/user ID, a password, and/or the like. For example, the consumer may enter a wallet/user ID and password into a pop-up window provided from the merchant website and/or the e-wallet server. In another example, the consumer may authorize the merchant website to provide consumer credentials (e.g., pre-stored in HTML5, cookies, etc.) to the e-wallet server. In yet another example, the consumer may authorize the e-wallet server through a remote component (e.g., Java applet, etc.) running on the merchant website to provide the consumer credentials to the e-wallet server for verification.

When the consumer submits the consumer credentials to log into the electronic wallet, the merchant website may forward the consumer credentials and transaction details to the electronic wallet server, which may determine the validity of the consumer credentials. If the consumer's credentials are invalid, the electronic wallet server may deny the payment request and send a notification of the denial to the merchant website. In other embodiments, the e-wallet server may process a payment from the e-wallet if the credential provided by the consumer is valid. For example, the electronic wallet server communicates with the consumer's bank account associated with the electronic wallet and requests a funds transfer for the indicated amount. The electronic wallet server may then store the transaction record.

In some embodiments, after processing the payment, the e-wallet server sends a payment confirmation notification to the merchant website, which in turn completes the order and stores the transaction record in a database. The merchant website may provide the consumer with a confirmation page that includes confirmation of the transaction.

The foregoing description is by way of illustration only and not limiting. Many variations of the invention will become apparent to those skilled in the art upon reading the present disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.

It should be understood that the invention as described above may be implemented in the form of control logic using computer software in a modular or integrated manner. Based on the present invention and the principles provided herein, those of ordinary skill in the art will know and appreciate other ways and/or methods to implement the present invention using hardware and a combination of hardware and software.

Any of the software components or functions described herein may be implemented as software code executed by a processor using any suitable computer language, such as, for example, Java, C + + or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands, on a computer readable medium, such as a Random Access Memory (RAM), a Read Only Memory (ROM), a magnetic medium, such as a hard drive or floppy disk, or an optical medium, such as a CD-ROM. Any such computer-readable media may reside on a single computing device and may exist on different computing devices within a system or network.

One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.

References to "a" or "the" are intended to mean "one or more" unless specifically stated.

Claims

1. A method for associating additional data with an authorization request, comprising:

receiving, by an access device, additional data, the additional data being unencrypted and associated with a transaction;

providing, by the access device, the additional data to a portable consumer device;

receiving, by the access device from a portable consumer device for conducting the transaction, encrypted additional data based on encrypting the additional data;

generating, by the access device, an authorization request message including the encrypted additional data;

transmitting the authorization request message including the encrypted additional data to a server computer; and

an authorization response message is received from the server computer.

2. The method of claim 1, further comprising:

generating, by the access device, a prompt to retrieve the additional data; and

displaying the prompt at the access device;

wherein receiving the additional data occurs through the prompt based on an interaction with the prompt at the access device.

3. The method of claim 1, wherein the portable consumer device displays a prompt for obtaining the additional data.

4. The method of claim 1, wherein the encrypted additional data is generated by the portable consumer device using an encryption process that encrypts the additional data, and wherein the portable consumer device transmits the encrypted additional data from the portable consumer device to the access device.

5. The method of claim 1, wherein the additional data received by the access device includes a rating associated with the transaction.

6. The method of claim 1, wherein the additional data received by the access device comprises transaction profile data of a user, indicates a geographic location, comprises an image, or comprises an authentication message.

7. An access device, comprising:

a processor; and

a non-transitory computer readable medium, wherein the non-transitory computer readable medium comprises code executable by the processor to implement a method comprising:

receiving additional data, the additional data being unencrypted and associated with a transaction;

providing the additional data to a portable consumer device;

receiving, from a portable consumer device for conducting the transaction, encrypted additional data based on encrypting the additional data;

generating an authorization request message including the encrypted additional data;

an authorization response message is received from the server computer.

8. The access device of claim 7, wherein the method further comprises generating a prompt for obtaining the additional data; and displaying the prompt at the access device, wherein receiving the additional data occurs through the prompt based on interaction with the prompt at the access device.

9. The access device of claim 7, wherein the additional data received by the access device includes a rating associated with the transaction.

10. A method for associating additional data with a transaction, comprising:

receiving, by a server computer from an access device associated with a merchant during a transaction, an authorization request message including an account number and encrypted additional data relating to a transaction involving the merchant;

requesting, by the server computer, authorization for the transaction by sending a request message to an issuer computer, wherein the request message includes an account number included in the received authorization request message;

decrypting, by the server computer, the encrypted additional data included in the authorization request message associated with the transaction;

storing the decrypted additional data associated with the transaction in a database;

receiving, by the server computer from the issuer computer, an authorization response message indicating authorization of the transaction;

determining whether the merchant is eligible to receive the decrypted additional data associated with the transaction;

modifying, by the server computer, the authorization response message by inserting the decrypted additional data into the authorization response message based on determining that the merchant is eligible to receive the decrypted additional data associated with the transaction; and

transmitting the modified authorization response message with the decrypted additional data inserted thereto to the access device.

11. The method of claim 10, further comprising:

deleting the encrypted additional data from the authorization request message;

generating the request message based on information in the authorization request message, wherein the request message is different from the authorization request message, and wherein the request message is sent to the issuer computer based on generating the request message.

12. The method of claim 10, wherein the encrypted additional data received by the access device includes a rating associated with the transaction.

13. The method of claim 10, wherein the encrypted additional data received by the access device indicates a geographic location at which the transaction was conducted.

14. A server computer, comprising:

a processor; and

receiving, from an access device associated with a merchant during a transaction, an authorization request message including an account number and encrypted additional data relating to a transaction involving the merchant;

decrypting the encrypted additional data included in the authorization request message associated with the transaction;

15. A method for associating additional data with a transaction, comprising:

communicating, by a mobile communication device, with an access device of a merchant to interact with the access device for conducting a transaction;

generating, by the mobile communication device, a prompt for additional data in response to the mobile communication device interacting with the access device, the prompt associated with the transaction conducted with the access device;

receiving the additional data at the mobile communication device through the prompt, wherein the additional data is unencrypted and associated with the transaction;

generating, by the mobile communication device, encrypted additional data by encrypting the additional data received through the prompt; and

transmitting, by the mobile communication device, the encrypted additional data to a server computer of a payment processing network.

16. The method of claim 15, wherein the additional data received at the mobile communication device through the prompt includes a rating, and wherein the rating is provided at a review website.

17. The method of claim 15, wherein the mobile communication device interacts with the access device for the communication using a short range communication protocol, and wherein the encrypted additional data is transmitted to the server computer using a long range communication protocol.

18. A mobile communication device, comprising:

a processor; and

generating a prompt for additional data in response to the mobile communication device interacting with the access device, wherein the prompt is associated with the transaction conducted with the access device during the transaction;

receiving the additional data through the prompt, wherein the additional data is unencrypted and associated with the transaction;

generating encrypted additional data via encrypting the additional data received through the hint; and

transmitting the encrypted additional data to a server computer of a payment processing network.