[go: up one dir, main page]

US20150073995A1 - System and method for authorizing a financial transaction - Google Patents

System and method for authorizing a financial transaction Download PDF

Info

Publication number
US20150073995A1
US20150073995A1 US14/464,632 US201414464632A US2015073995A1 US 20150073995 A1 US20150073995 A1 US 20150073995A1 US 201414464632 A US201414464632 A US 201414464632A US 2015073995 A1 US2015073995 A1 US 2015073995A1
Authority
US
United States
Prior art keywords
payment
authorization
payment card
transaction
cryptogram
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/464,632
Inventor
Robert Hayhow
Igor Elkhinovich
Jeffrey Aaron Ecker
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toronto Dominion Bank
Original Assignee
Toronto Dominion Bank
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Toronto Dominion Bank filed Critical Toronto Dominion Bank
Priority to US14/464,632 priority Critical patent/US20150073995A1/en
Assigned to THE TORONTO-DOMINION BANK reassignment THE TORONTO-DOMINION BANK ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ECKER, JEFFREY AARON, ELKHINOVICH, IGOR, HAYHOW, ROBERT
Priority to CA3203930A priority patent/CA3203930A1/en
Priority to CA2863122A priority patent/CA2863122C/en
Publication of US20150073995A1 publication Critical patent/US20150073995A1/en
Priority to US17/376,031 priority patent/US12062044B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q2220/00Business processing using cryptography

Definitions

  • This patent application relates to a system and method for authorizing a financial transaction.
  • this patent application describes a system and method for authorizing a financial transaction using a payment card.
  • a consumer might elect to use a payment terminal (e.g. point-of-sale (POS) terminal or pin-pad) and a magnetic-stripe payment card (e.g. credit card or debit card) to complete a financial transaction with a merchant (e.g. pay for a merchant's wares/services).
  • POS point-of-sale
  • a magnetic-stripe payment card e.g. credit card or debit card
  • the payment terminal prompts the consumer to interface a payment card with the payment terminal.
  • the payment terminal acquires an account number from the payment card and forwards particulars of the financial transaction (e.g. authorization amount, and account number associated) to the merchant's acquirer for online authorization.
  • a merchant might issue discount coupons to preferred consumers for redemption against the purchase price of the merchant's wares/services.
  • This approach requires the particulars of each coupon to be input to the payment terminal and the payment terminal to recalculate the authorization amount, thereby lengthening the payment process.
  • the merchant might offer its own branded payment card (a loyalty card) that allows consumers to collect loyalty points which can be redeemed against the purchase price of the merchant's wares/services.
  • the account number is input to the payment terminal, and the payment terminal queries a remote database with the account number to determine the number of loyalty points available, and recalculates the authorization amount based on the number of loyalty points that the customer wishes to redeem, thereby again lengthening the payment process.
  • This patent application discloses a payment terminal and associated method that dynamically adjusts the authorization amount of a financial transaction based on the account number provided by a payment card.
  • a method of authorizing a financial transaction that involves a payment terminal receiving, from a payment card interfaced with the payment terminal, application data in response to a predetermined authorization amount that is provided to the payment card by the payment terminal.
  • the application data comprises an account number uniquely associated with the payment card.
  • the payment terminal generates an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provides the payment card with the adjusted authorization amount, and receives a cryptogram from the payment card in response.
  • the payment terminal provides notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
  • a payment terminal that includes a card interface for interfacing a payment card with the payment terminal, and a transaction processor coupled to the card interface.
  • the transaction processor is configured to receive, from a payment card interfaced with the card interface, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal.
  • the application data comprises an account number uniquely associated with the payment card.
  • the transaction processor is also configured to generate an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provide the payment card with the adjusted authorization amount, receive a cryptogram from the payment card in response, and provide notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
  • the payment terminal is configured with a range of issuer identification numbers
  • the transaction processor is configured to generate the adjusted authorization amount in accordance with a correlation between the account number and the range of issuer identification numbers.
  • the transaction processor may be configured to provide notification of authorization of the financial transaction by transmitting over a payment network a transaction authorization request for online authorization of the financial transaction.
  • the cryptogram may comprise an online cryptogram, and the transaction authorization request may include the adjusted authorization amount and the online cryptogram.
  • the transaction processor may be configured to provide the adjusted authorization amount by transmitting to the payment card an offline cryptogram request for offline authorization of the financial transaction.
  • the cryptogram may be included in an offline certificate, and the offline cryptogram request may include the adjusted authorization amount.
  • the transaction processor may be configured to provide notification of authorization of the financial transaction by confirming that the payment card generated the offline certificate from the adjusted authorization amount and the cryptographic key.
  • the transaction processor may be configured to provide notification of authorization of the financial transaction by validating the payment card and a bearer of the payment card, and initiating the authorization in accordance with an outcome of the validating.
  • the transaction processor may be configured to provide notification of authorization of the financial transaction by receiving a transaction authorization from the payment network in response to the online transaction authorization request.
  • the transaction authorization may provide a confirmation that the payment card generated the online cryptogram from the adjusted authorization amount and the cryptographic key.
  • the transaction processor may be further configured to provide notification of authorization of the financial transaction by transmitting the transaction authorization to the payment card, and receiving from the payment card confirmation that an issuer of the payment card generated the transaction authorization.
  • the vendor can offer preferred customers adjustments to the preliminary authorization amount without requiring re-configuration of the payment card or the card issuer server or re-introducing the payment card to the payment terminal.
  • FIG. 1 is a schematic view of the payment authorization network, depicting a payment terminal, and an payment card issuer server;
  • FIG. 2 is a schematic view of one of the payment terminals.
  • FIGS. 3 a and 3 b together comprise an EMV message flow diagram depicting the method for authorizing a financial transaction.
  • FIG. 1 is a schematic view of the payment authorization network, denoted generally as 100 .
  • the payment authorization network 100 comprises a payment terminal 200 , an acquirer server 270 and a payment card issuer server 300 , and is configured to process financial transactions initiated by a payment cardholder at one of the payment terminals 200 .
  • a “financial transaction” includes “online” transactions the particulars of which the merchant requests authorization in real-time, and “off-line” transactions the particulars of which the merchant requests authorization at a later time, such as the end of the business day.
  • the payment terminals 200 are typically deployed at a merchant's business premises, and are configured to communicate with a one of the acquirer servers 270 via a secure acquirer network 106 .
  • one or more of the payment terminals 200 may be implemented as an integrated point-of-sale (POS) terminal, or a pin-pad terminal that communicates with respective electronic cash register (ECR).
  • POS point-of-sale
  • ECR electronic cash register
  • Each acquirer server 270 is associated with a respective merchant, and is configured to communicate with the payment terminals 200 that are deployed at each merchant premises via each merchant's acquirer network 106 .
  • the acquirer servers 270 are also configured to communicate with the issuer server(s) 300 via a payment network 108 , such as VisaNet or the Mastercard Network.
  • Each issuer server 300 is associated with and administered by a respective financial institution.
  • the financial institution associated with the issuer server 300 issues payment cards to cardholders (or authorizes a third party to issue the payment cards).
  • Each issuer server 300 is configured to communicate with the acquirer servers 270 via the payment network 108 , and maintains a secure accounts database that includes a plurality of clusters each associated with a respective financial account.
  • Each cluster typically identifies an account number that is uniquely associated with the payment card 210 , the current value of a transaction counter internal to the payment card 210 , and credit/deposit entries to the associated financial account.
  • the payment card 210 uses an algorithm or counter to generate an unpredictable transaction counter number for each financial transaction, and the issuer server 300 uses a corresponding algorithm to determine the next transaction counter number of each payment card 210 .
  • the payment authorization network 100 is shown comprising only a single payment terminal 200 , a single acquirer server 270 and a single issuer server 300 , the payment authorization network 100 typically includes a plurality of the payment terminals 200 , a plurality of the acquirer servers 270 , and a plurality of the issuer servers 300 .
  • the payment terminal 200 includes an input device 202 , a display device 204 , and a computer processing unit 206 that is coupled to the input device 202 and the display device 204 .
  • the payment terminal 200 also includes a payment card interface 208 that is coupled to the computer processing unit 206 and is configured to communicate with a payment card 210 .
  • the input device 202 may be implemented as a keyboard, touchpad, touchscreen or other input device suitable for allowing a user of the payment terminal 200 to input data and/or commands that may be required to complete the financial transaction.
  • the display device 204 may be implemented as a liquid crystal display (LCD) panel, cathode ray tube (CRT) display, plasma display panel, or other display device suitable for displaying transaction information to the user.
  • LCD liquid crystal display
  • CRT cathode ray tube
  • plasma display panel or other display device suitable for displaying transaction information to the user.
  • the payment card 210 may be implemented as a plastic card that has a contact form factor and/or a contactless (e.g. ISO 14443 based) form factor.
  • the payment card interface 208 may comprise a physical port (e.g. smartcard reader) that allows the payment terminal 200 to communicate directly with the payment card 210 .
  • the payment card interface 208 may comprise a wireless interface that allows the payment terminal 200 to communicate with the payment card 210 via a wireless protocol, such as ISO 14443.
  • the payment card 210 may be implemented as software within a portable communications device, such as a smartphone, in which case the payment card interface 208 may be configured to communicate with the payment card 210 of the portable communications device using short-range communications protocols, such as Bluetooth and/or Near Field Communications (NFC) as examples.
  • short-range communications protocols such as Bluetooth and/or Near Field Communications (NFC) as examples.
  • the computer processing unit 206 includes a microprocessor 212 and a non-transient computer-readable medium 214 .
  • the non-transient computer-readable medium 214 may be provided as non-volatile electronic computer memory (e.g. FLASH memory) or optical or magnetic memory (e.g. compact disc, hard disk).
  • the non-transient memory 214 may maintain a loyalty card database 216 of payment cards for which the merchant would like to offer discounts. Alternately, the loyalty card database 216 may be maintained on an ECR associated with each payment terminal 200 , on a server (not shown) that serves the payment terminals 200 on the merchant's local area network, or on the acquirer server 270 .
  • the merchant may issue loyalty payment cards to its customers (or authorize a payment card issuer to do so). All such loyalty payment cards may have an Issuer Identification Number (IIN) that identifies the payment card as a loyalty payment card issued by that merchant. Accordingly, preferably the loyalty card database 216 is configured with the IINs of the merchant's loyalty payment cards.
  • IIN Issuer Identification Number
  • the merchant may assign the same discount rate to each loyalty payment card. Alternately, however, the merchant may have been assigned multiple ranges of IINs for its loyalty payment cards, and may prefer to assign different discount rates to different loyalty payment cards based on their respective IIN. For example, bearers of loyalty payment cards having an IIN between ‘xxa’ and ‘xxb’ may be entitled a 10% discount, and bearers of loyalty payment cards having an IIN between ‘xxc’ and ‘xxd’ may be assigned a 20% discount. Accordingly, preferably the loyalty card database 216 is configured with the respective discount rate associated with each IIN of the merchant's loyalty payment cards.
  • the non-transient memory 214 also includes computer processing instructions stored thereon which, when accessed from the memory 214 and executed by the microprocessor 212 , implement an operating system 218 and a transaction processor 220 .
  • the operating system 218 allows the payment terminal 200 to accept user input from the input device 202 and to control the display device 204 and the payment card interface 208 .
  • the transaction processor 220 is configured to receive, from a payment card 210 that is interfaced with the payment card interface 208 , application data in response to a predetermined authorization amount provided to the payment card by the payment terminal.
  • the application data comprises an account number that is uniquely associated with the payment card 210 .
  • the transaction processor 220 is also configured to generate an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal 200 , to provide the payment card 210 with the adjusted authorization amount, to receive a cryptogram from the payment card 210 in response, and to provide notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal 200 from the payment card 210 was generated by the payment card 210 from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card 210 .
  • transaction processor 220 is typically implemented as computer processing instructions, all or a portion of the functionality of the transaction processor 220 may be implemented instead in electronics hardware, such as a field programmable logic gate array (FPGA) or a complex programmable logic device (CPLD).
  • FPGA field programmable logic gate array
  • CPLD complex programmable logic device
  • the payment card 210 may have a contact form factor and/or a contactless form factor, and may be implemented as a plastic smartcard, chip card or integrated circuit card that includes a built-in micro-controller and protected memory.
  • the micro-controller and protected memory together provide a secure self-contained computing environment for running cryptographic (e.g. data encryption standard (DES), triple-DES, advanced encryption standard (AES)) algorithms.
  • DES data encryption standard
  • AES advanced encryption standard
  • the plastic payment card 210 is implemented as a Europay Mastercard Visa (EMV) payment card that authenticates financial transactions with payment terminals 200 using the EMV standard.
  • EMV Europay Mastercard Visa
  • the payment card 210 may be implemented in software executing on a portable communications device, such as a smart phone, that is configured to implement payment card requirements of the EMV standard and to authenticate financial transactions with payment terminals 200 using the EMV standard.
  • the payment card 210 is configured with a personal identification number (PIN), a primary account number, expiry date and may also store one or more private cryptographic keys and corresponding public digital certificates.
  • the primary account number and private cryptographic key(s) are uniquely associated with the payment card 210 .
  • Each private cryptographic key and the public cryptographic key of the corresponding public digital certificate comprise an asymmetric cryptographic key pair.
  • Each public digital certificate is signed by the payment card issuer.
  • the payment card 210 may also be configured with a payment card cryptographic master key that is uniquely associated with the payment card 210 , and a public digital certificate of the issuer of the payment card 210 .
  • the PIN, account number, cryptographic key(s) and public certificate(s) may be stored in the protected memory of the payment card 210 prior to delivery of the payment card 210 to the intended user.
  • the payment card 210 is implemented in software executing on a portable communications device, the payment card 210 may be configured with the PIN, account number, expiry date, cryptographic key(s), and public certificate(s) when the payment card 210 is installed on the portable communications device.
  • the payment card 210 may be configured to generate the reference PIN, for example, from the cryptographic key(s) stored in the payment card 210 .
  • the payment authorization network 100 implements a method of authorizing a financial transaction.
  • a sample embodiment of the transaction authorizing method will be discussed with reference to FIGS. 3 a and 3 b .
  • the payment terminal 200 receives, from the payment card 210 that is interfaced with the payment terminal 200 , application data in response to a predetermined authorization amount that is provided to the payment card 210 by the payment terminal 200 .
  • the application data comprises an account number that is uniquely associated with the payment card 210 .
  • the payment terminal 200 generates an adjusted authorization amount based on the account number and from a preliminary authorization amount that is received at the payment terminal 200 , provides the payment card 210 with the adjusted authorization amount, and receives a cryptogram from the payment card 210 in response.
  • the payment terminal 200 provides notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal 200 from the payment card 210 was generated by the payment card 210 from the adjusted authorization amount and a private cryptographic key uniquely associated with the payment card 210 .
  • the payment terminal 200 is configured to implement the EMV standard (subject to the method implemented by the transaction processor 220 , as discussed above), and the payment card 210 is implemented as a plastic EMV payment card or as software (executing on a portable communications device) that is configured to implement the EMV standard.
  • the transaction particulars including the pre-discounted total payable amount (preliminary authorization amount) are input into the payment terminal 200 directly by the merchant or indirectly via the ECR.
  • the payment terminal 200 displays the preliminary authorization amount on the display device 204 , and prompts the customer to approve the displayed authorization amount via the input device 202 .
  • the payment card 210 After the customer (cardholder) interfaces a payment card 210 with the payment terminal 200 , the payment card 210 provides the payment terminal 200 with a Processing Options Data List (PDOL), at step S 302 , that identifies the data elements that the payment card 210 will require to authorize the financial transaction.
  • PDOL Processing Options Data List
  • the transaction processor 220 of the payment terminal 200 transmits to the payment card 210 a Get Processing Options command that includes the data specified in the PDOL.
  • the PDOL lists the authorization amount as one of the required data elements.
  • the transaction processor 220 sets the authorization amount datum of the Get Processing Options command to a predetermined authorization amount.
  • the predetermined authorization amount included in the Get Processing Options is hexadecimal zero.
  • the payment card 210 provides the payment terminal 200 with an Application File Locator (AFL) message that identifies the location(s) in the protected memory of the payment card 210 of various data elements that the payment terminal 200 may need to authorize the financial transaction.
  • AFL Application File Locator
  • the payment card 210 also provides the payment terminal 200 with an Application Interchange Profile (AIP) that identifies the capabilities of the payment card 210 , such as the type of offline data authentication (discussed below) that the payment card 210 supports.
  • AIP Application Interchange Profile
  • the transaction processor 220 transmits to the payment card 210 a Read Record command for the various data elements required by the payment terminal 200 .
  • the Read Record command requests the account number, expiry date and software application version of the payment card 210 .
  • the Read Record command may also request a public digital certificate of the payment card 210 and optionally also a public digital certificate of the issuer of the payment card 210 .
  • the payment card 210 responds to the payment terminal 200 , at step S 310 , with the account number and any other data requested by the Read Record command.
  • the payment card 210 may also provide the payment terminal 200 with a Card Risk Management Data Objects List (CDOL) that identifies the data elements that the payment card 210 may require to generate a cryptogram.
  • CDOL Card Risk Management Data Objects List
  • step S 312 the payment terminal 200 determines whether the payment card 210 is restricted from being used to authorize the financial transaction.
  • the payment terminal 200 may be configured with a loyalty card database 216 (or may be in communication with a loyalty card database 216 that is maintained on an ECR, on a server that serves the payment terminals 200 on the merchant's local area network, or on the acquirer server 270 ) of account numbers for which the merchant would like to offer discounts. Accordingly, at step S 314 the transaction processor 220 queries the loyalty card database 216 (whether stored internally or externally to the payment terminal 200 ) with the account number received from the payment card 210 to determine whether the cardholder is a preferred customer and, if so, the allowed discount (if any) to the preliminary authorization amount.
  • the payment terminal 200 may then validate the payment card 210 based on the type of offline data authentication, if any, identified in the AIP (received at step S 306 ). To do so, at step S 316 the transaction processor 220 may transmit to the payment card 210 a Generate Application Cryptogram command, requesting an offline cryptogram from the payment card 210 .
  • the transaction processor 220 If the AIP indicates that the payment card 210 supports Dynamic Data Authentication (DDA) or Combined Data Authentication (CDA), the transaction processor 220 generates an unpredictable number, and includes the unpredictable number in the offline cryptogram request. In response, the payment card 210 generates an offline cryptogram from the unpredictable number and a private cryptographic key of the payment card 210 , and provides the payment terminal 200 with the offline cryptogram, at step S 318 . At step S 320 , the transaction processor 220 validates the payment card 210 by using the public certificate of the payment card issuer to validate the public certificate of the payment card 210 (both received in response to the Read Record command at step S 310 ), and uses the public certificate of the payment card 210 to verify that the payment card 210 generated the offline cryptogram.
  • DDA Dynamic Data Authentication
  • CDA Combined Data Authentication
  • the payment terminal 200 receives from the payment card 210 (in response to the Read Record command at step S 310 ) signed static application data that is stored on the payment card.
  • the transaction processor 220 validates the payment card 210 , at step S 320 , by using the public certificate of the payment card issuer to verify that the payment card issuer signed the static application data.
  • the payment terminal 200 may then authenticate the bearer of the payment card 210 by prompting the customer (cardholder) to input a PIN into the payment terminal 200 via the input device 202 .
  • the transaction processor 220 transmits to the payment card 210 a Verify command that includes the PIN.
  • the payment card 210 uses the reference PIN that is stored in the protected memory of the payment card 210 (or generates the reference PIN) to validate the PIN received from the payment terminal 200 , and responds to the payment terminal 200 with a pass/fail validation message, at step S 324 , indicating whether validation of the PIN received from the payment terminal 200 passed or failed.
  • the transaction processor 220 assesses the risk associated with the financial transaction by comparing the adjusted/preliminary authorization amount against a floor limit established by the issuer of the payment card 210 .
  • the financial transaction authorizing method has been described thus far as comprising the sequence of processing restrictions (step S 312 ), payment card validation (steps S 316 to S 320 ), cardholder authentication (steps S 322 to S 324 ) and risk management (step S 326 ), the method is not limited to this particular sequence.
  • the financial transaction authorizing method may be effected by implementing the processing restrictions, payment card validation, cardholder authentication and risk management stages in any order.
  • the transaction processor 220 determines whether the financial transaction should be approved online, approved offline, or declined offline.
  • the transaction processor 220 determines, at step S 328 , that the financial transaction can be approved offline, at step S 330 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting an offline Transaction Certificate (TC) from the payment card 210 .
  • TC Transaction Certificate
  • the CDOL (received from the payment card 210 at step S 310 ) lists the authorization amount as one of the data elements required by the payment card 210 to generate a cryptogram. Therefore, if the account number of the payment card 210 correlates with one of the IIN ranges stored in the loyalty card database 216 , the transaction processor 220 generates an adjusted authorization amount by discounting the preliminary authorization amount by the discount rate that is associated with the IIN range in the loyalty card database 216 .
  • the transaction processor 220 generates an unpredictable number and incorporates the adjusted authorization amount and the unpredictable number into the Generate Application Cryptogram command. Alternately, where the account number does not correlate with one of the IIN ranges stored in the loyalty card database 216 , the transaction processor 220 incorporates the preliminary authorization amount and the unpredictable number into the Generate Application Cryptogram command.
  • the payment card 210 determines whether the transaction can be approved offline, for example, by verifying that the number of consecutive transactions previously approved offline has not exceeded a predetermined limit.
  • the payment card 210 determines, at step S 332 , that the transaction can be approved offline, the payment card 210 generates an offline certificate TC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200 , the transaction date, the account number and a transaction counter internal to the payment card 210 .
  • the payment card 210 may generate the offline certificate TC by (i) generating a cryptographic session key from the payment card cryptographic master key and the transaction counter, (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter and the session key as inputs to a cryptographic algorithm, (iii) signing the resulting offline cryptogram with a private cryptographic key of the payment card 210 , and (iv) incorporating the offline cryptogram into the offline certificate TC. Since the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210 .
  • the payment card 210 responds to the payment terminal 200 with the offline certificate TC, at step S 352 .
  • the payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the offline cryptogram (and the offline certificate TC) from the adjusted/preliminary authorization amount and therefore that the payment card 210 authorized the transaction.
  • the payment terminal 200 then provides a notification, on the display device 204 , advising the customer that the financial transaction was authorized.
  • the transaction processor 220 determines, at step S 328 , that the financial transaction should be approved online, at step S 330 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting an online cryptogram from the payment card 210 .
  • the transaction processor 220 generates an unpredictable number and incorporates the adjusted/preliminary authorization amount and the unpredictable number into the Generate Application Cryptogram command.
  • the payment card 210 Upon receipt of the online cryptogram request (or if the transaction processor 220 requested an offline certificate TC at step S 330 , but the payment card 210 determined, at step S 332 , that the transaction should not be approved offline), the payment card 210 generates an online Application Request Cryptogram (ARQC) from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200 , the transaction date, the account number and the payment card internal transaction counter.
  • ARQC Application Request Cryptogram
  • the payment card 210 may generate the online cryptogram ARQC by (i) generating a cryptographic session key from the payment card cryptographic master key and the transaction counter, and (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter (collectively the Issuer Authorization Data) and the session key as inputs to a cryptographic algorithm.
  • the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210 .
  • the payment card 210 responds to the payment terminal 200 with the online cryptogram ARQC, at step S 334 .
  • the transaction processor 220 generates an Authorization Request Message that includes the Issuer Authorization Data and the online cryptogram ARQC, and forwards the Authorization Request Message to the acquirer server 270 via the acquirer network 106 .
  • the acquirer server 270 directs the Authorization Request Message to the issuer server 300 , over the payment network 108 , for validation.
  • the issuer server 300 verifies that the payment card 210 generated the online cryptogram ARQC. To do so, the issuer server 300 may (i) recover the payment card's session key by applying the account number, payment card internal transaction counter and a card issuer cryptographic master key as inputs to a suitable cryptographic algorithm, (ii) decrypt the online cryptogram ARQC with the recovered session key, (iii) compute a message authentication code from the Issuer Authorization Data, and (iv) compare the computed message authentication code against the decrypted cryptogram.
  • the issuer server 300 also applies its prevailing risk management rules to the adjusted/preliminary authorization amount. Therefore, for example, the issuer server 300 may determine whether the financial account that is associated with the account number is still active and has sufficient credit/funds to complete the transaction (i.e. the adjusted/preliminary authorization amount is less than the credit/funds balance for the account). The issuer server 300 may also determine whether the transaction is consistent with the cardholder's history of transactions.
  • the issuer server 300 generates an authorization response code that indicates the outcome of the risk management analysis and the online cryptogram ARQC verification (i.e. whether the issuer approved or declined the transaction and whether the payment card 210 generated the online cryptogram ARQC from the adjusted/preliminary authorization amount and the cryptographic master key (session key) of the payment card 210 ), and generates an Application Response Cryptogram (ARPC) from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the account number, authorization response code and online cryptogram ARQC.
  • the issuer server 300 may generate the cryptogram ARPC by applying the authorization response code, online cryptogram ARQC and session key (recovered from the account number and the card issuer cryptographic master key) as inputs to a suitable cryptographic algorithm.
  • the issuer server 300 generates an Authorization Response Message that includes the Issuer Authorization Data, authorization response code and cryptogram ARPC, and directs the Authorization Response Message to the acquirer server 270 via the payment network 108 .
  • the acquirer server 270 forwards the Authorization Response Message to the payment terminal 200 , via the acquirer network 106 .
  • the payment terminal 200 examines the authorization response code of the Authorization Response Message. If the authorization response code indicates that the card issuer authorized the transaction and that the payment card 210 generated the online cryptogram ARQC from the adjusted/preliminary authorization amount and the cryptographic master key (or session key) of the payment card 210 , at step S 348 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting from the payment card 210 a Transaction Certificate (TC) confirming that the issuer server 300 generated the Authorization Response Message. The transaction processor 220 generates an unpredictable number and incorporates the Issuer Authorization Data and unpredictable number, authorization response code and cryptogram ARPC into the Generate Application Cryptogram command.
  • TC Transaction Certificate
  • the payment card 210 determines whether the issuer server 300 generated the cryptogram ARPC. To do so, the payment card 210 may (i) decrypt the cryptogram ARPC with the payment card's session key, (ii) compute a message authentication code from the account number, authorization response code and online cryptogram ARQC, and (iii) compare the computed message authentication code against the decrypted cryptogram.
  • the payment card 210 If the payment card 210 confirms that the issuer server 300 generated the cryptogram ARPC and therefore that the card issuer authorized the transaction, the payment card 210 generates the certificate TC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200 , the transaction date, the account number and the internal transaction counter.
  • the payment card 210 may generate the certificate TC by (i) generating a session key from the payment card cryptographic master key and the transaction counter, (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter and the session key as inputs to a cryptographic algorithm, (iii) signing the resulting cryptogram with a private cryptographic key of the payment card 210 , and (iv) incorporating the cryptogram into the certificate TC. Since the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210 .
  • the payment card 210 responds to the payment terminal 200 with the certificate TC, at step S 352 .
  • the payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the cryptogram (and the certificate TC) from the adjusted/preliminary authorization amount and therefore that the issuer server 300 authorized the transaction.
  • the payment terminal 200 then provides a notification, on the display device 204 , advising the customer that the financial transaction was authorized.
  • the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting from the payment card 210 an Application Authentication Cryptogram (AAC) confirming that the issuer server 300 generated the Authorization Response Message.
  • AAC Application Authentication Cryptogram
  • the transaction processor 220 generates an unpredictable number and incorporates the Issuer Authorization Data and unpredictable number into the Generate Application Cryptogram command.
  • the payment card 210 generates the cryptogram AAC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200 , the transaction date, the account number and the internal transaction counter.
  • the payment card 210 may sign the resulting cryptogram with a private cryptographic key of the payment card 210 .
  • the payment card 210 responds to the payment terminal 200 with the cryptogram AAC, at step S 352 .
  • the payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the cryptogram AAC from the adjusted/preliminary authorization amount and therefore that the payment card 210 or the issuer server 300 declined the transaction.
  • the payment terminal 200 then provides a notification, on the display device 204 , advising the customer that the financial transaction was declined.
  • the payment terminal 200 provides a notification advising whether the financial transaction was authorized or declined. Since the payment terminal 200 generates the adjusted authorization amount based on the account number associated with the payment card 210 , and the payment card 210 generates the online or offline cryptogram from the adjusted authorization amount, the merchant can offer preferred customers adjustments to the preliminary authorization amount without requiring re-configuration of the payment card 210 or the card issuer server 300 .

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Development Economics (AREA)
  • Economics (AREA)

Abstract

A method of authorizing a financial transaction involves a payment terminal receiving, from a payment card interfaced with the payment terminal, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal. The application data comprises an account number uniquely associated with the payment card. The payment terminal generates an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provides the payment card with the adjusted authorization amount, receives a cryptogram from the payment card in response, and provides notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and from a cryptographic key uniquely associated with the payment card.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority under 35 U.S.C. §119 to, and is a non-provisional of, U.S. Provisional Patent Application No. 61/875,919, filed Sep. 10, 2013, which is hereby incorporated by reference in its entirety for all purposes. Any and all applications for which a foreign or domestic priority claim is identified in the Application Data Sheet as filed with the present application are also hereby incorporated by reference for all purposes under 37 CFR 1.57.
    • FIELD
  • This patent application relates to a system and method for authorizing a financial transaction. In particular, this patent application describes a system and method for authorizing a financial transaction using a payment card.
    • BACKGROUND
  • A consumer might elect to use a payment terminal (e.g. point-of-sale (POS) terminal or pin-pad) and a magnetic-stripe payment card (e.g. credit card or debit card) to complete a financial transaction with a merchant (e.g. pay for a merchant's wares/services). After the consumer approves the authorization amount, the payment terminal prompts the consumer to interface a payment card with the payment terminal. The payment terminal acquires an account number from the payment card and forwards particulars of the financial transaction (e.g. authorization amount, and account number associated) to the merchant's acquirer for online authorization.
  • To encourage repeat business, a merchant might issue discount coupons to preferred consumers for redemption against the purchase price of the merchant's wares/services. This approach requires the particulars of each coupon to be input to the payment terminal and the payment terminal to recalculate the authorization amount, thereby lengthening the payment process. Alternately, the merchant might offer its own branded payment card (a loyalty card) that allows consumers to collect loyalty points which can be redeemed against the purchase price of the merchant's wares/services. With this latter approach, the account number is input to the payment terminal, and the payment terminal queries a remote database with the account number to determine the number of loyalty points available, and recalculates the authorization amount based on the number of loyalty points that the customer wishes to redeem, thereby again lengthening the payment process.
    • SUMMARY
  • This patent application discloses a payment terminal and associated method that dynamically adjusts the authorization amount of a financial transaction based on the account number provided by a payment card.
  • In accordance with a first aspect of this disclosure, there is provided a method of authorizing a financial transaction that involves a payment terminal receiving, from a payment card interfaced with the payment terminal, application data in response to a predetermined authorization amount that is provided to the payment card by the payment terminal. The application data comprises an account number uniquely associated with the payment card.
  • The payment terminal generates an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provides the payment card with the adjusted authorization amount, and receives a cryptogram from the payment card in response. The payment terminal provides notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
  • In accordance with a second aspect of this disclosure, there is provided a payment terminal that includes a card interface for interfacing a payment card with the payment terminal, and a transaction processor coupled to the card interface. The transaction processor is configured to receive, from a payment card interfaced with the card interface, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal. The application data comprises an account number uniquely associated with the payment card.
  • The transaction processor is also configured to generate an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provide the payment card with the adjusted authorization amount, receive a cryptogram from the payment card in response, and provide notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
  • In one implementation, the payment terminal is configured with a range of issuer identification numbers, and the transaction processor is configured to generate the adjusted authorization amount in accordance with a correlation between the account number and the range of issuer identification numbers.
  • The transaction processor may be configured to provide notification of authorization of the financial transaction by transmitting over a payment network a transaction authorization request for online authorization of the financial transaction. The cryptogram may comprise an online cryptogram, and the transaction authorization request may include the adjusted authorization amount and the online cryptogram.
  • The transaction processor may be configured to provide the adjusted authorization amount by transmitting to the payment card an offline cryptogram request for offline authorization of the financial transaction. The cryptogram may be included in an offline certificate, and the offline cryptogram request may include the adjusted authorization amount. The transaction processor may be configured to provide notification of authorization of the financial transaction by confirming that the payment card generated the offline certificate from the adjusted authorization amount and the cryptographic key.
  • The transaction processor may be configured to provide notification of authorization of the financial transaction by validating the payment card and a bearer of the payment card, and initiating the authorization in accordance with an outcome of the validating.
  • The transaction processor may be configured to provide notification of authorization of the financial transaction by receiving a transaction authorization from the payment network in response to the online transaction authorization request. The transaction authorization may provide a confirmation that the payment card generated the online cryptogram from the adjusted authorization amount and the cryptographic key.
  • The transaction processor may be further configured to provide notification of authorization of the financial transaction by transmitting the transaction authorization to the payment card, and receiving from the payment card confirmation that an issuer of the payment card generated the transaction authorization.
  • Since the payment terminal generates the adjusted authorization amount based on the account number associated with the payment card, and the payment card generates the cryptogram from the adjusted authorization amount, the vendor can offer preferred customers adjustments to the preliminary authorization amount without requiring re-configuration of the payment card or the card issuer server or re-introducing the payment card to the payment terminal.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • An exemplary payment authorization network, payment terminal, and method for authorizing a financial transaction will now be described, with reference to the accompanying drawings, in which:
  • FIG. 1 is a schematic view of the payment authorization network, depicting a payment terminal, and an payment card issuer server;
  • FIG. 2 is a schematic view of one of the payment terminals; and
  • FIGS. 3 a and 3 b together comprise an EMV message flow diagram depicting the method for authorizing a financial transaction.
    •  DETAILED DESCRIPTION Payment Authorization Network
  • FIG. 1 is a schematic view of the payment authorization network, denoted generally as 100. As shown, the payment authorization network 100 comprises a payment terminal 200, an acquirer server 270 and a payment card issuer server 300, and is configured to process financial transactions initiated by a payment cardholder at one of the payment terminals 200. As used herein, a “financial transaction” includes “online” transactions the particulars of which the merchant requests authorization in real-time, and “off-line” transactions the particulars of which the merchant requests authorization at a later time, such as the end of the business day.
  • The payment terminals 200 are typically deployed at a merchant's business premises, and are configured to communicate with a one of the acquirer servers 270 via a secure acquirer network 106. As non-limiting examples, one or more of the payment terminals 200 may be implemented as an integrated point-of-sale (POS) terminal, or a pin-pad terminal that communicates with respective electronic cash register (ECR).
  • Each acquirer server 270 is associated with a respective merchant, and is configured to communicate with the payment terminals 200 that are deployed at each merchant premises via each merchant's acquirer network 106. The acquirer servers 270 are also configured to communicate with the issuer server(s) 300 via a payment network 108, such as VisaNet or the Mastercard Network.
  • Each issuer server 300 is associated with and administered by a respective financial institution. The financial institution associated with the issuer server 300 issues payment cards to cardholders (or authorizes a third party to issue the payment cards). Each issuer server 300 is configured to communicate with the acquirer servers 270 via the payment network 108, and maintains a secure accounts database that includes a plurality of clusters each associated with a respective financial account. Each cluster typically identifies an account number that is uniquely associated with the payment card 210, the current value of a transaction counter internal to the payment card 210, and credit/deposit entries to the associated financial account. The payment card 210 uses an algorithm or counter to generate an unpredictable transaction counter number for each financial transaction, and the issuer server 300 uses a corresponding algorithm to determine the next transaction counter number of each payment card 210.
  • Although the payment authorization network 100 is shown comprising only a single payment terminal 200, a single acquirer server 270 and a single issuer server 300, the payment authorization network 100 typically includes a plurality of the payment terminals 200, a plurality of the acquirer servers 270, and a plurality of the issuer servers 300.
    • Payment Terminal
  • As shown in FIG. 2, the payment terminal 200 includes an input device 202, a display device 204, and a computer processing unit 206 that is coupled to the input device 202 and the display device 204. The payment terminal 200 also includes a payment card interface 208 that is coupled to the computer processing unit 206 and is configured to communicate with a payment card 210.
  • The input device 202 may be implemented as a keyboard, touchpad, touchscreen or other input device suitable for allowing a user of the payment terminal 200 to input data and/or commands that may be required to complete the financial transaction. The display device 204 may be implemented as a liquid crystal display (LCD) panel, cathode ray tube (CRT) display, plasma display panel, or other display device suitable for displaying transaction information to the user.
  • As will be discussed in greater detail below, the payment card 210 may be implemented as a plastic card that has a contact form factor and/or a contactless (e.g. ISO 14443 based) form factor. If the payment card 210 has a contact form factor, the payment card interface 208 may comprise a physical port (e.g. smartcard reader) that allows the payment terminal 200 to communicate directly with the payment card 210. If the payment card 210 has a contactless form factor, the payment card interface 208 may comprise a wireless interface that allows the payment terminal 200 to communicate with the payment card 210 via a wireless protocol, such as ISO 14443. Alternately, the payment card 210 may be implemented as software within a portable communications device, such as a smartphone, in which case the payment card interface 208 may be configured to communicate with the payment card 210 of the portable communications device using short-range communications protocols, such as Bluetooth and/or Near Field Communications (NFC) as examples.
  • The computer processing unit 206 includes a microprocessor 212 and a non-transient computer-readable medium 214. The non-transient computer-readable medium 214 may be provided as non-volatile electronic computer memory (e.g. FLASH memory) or optical or magnetic memory (e.g. compact disc, hard disk). The non-transient memory 214 may maintain a loyalty card database 216 of payment cards for which the merchant would like to offer discounts. Alternately, the loyalty card database 216 may be maintained on an ECR associated with each payment terminal 200, on a server (not shown) that serves the payment terminals 200 on the merchant's local area network, or on the acquirer server 270.
  • The merchant may issue loyalty payment cards to its customers (or authorize a payment card issuer to do so). All such loyalty payment cards may have an Issuer Identification Number (IIN) that identifies the payment card as a loyalty payment card issued by that merchant. Accordingly, preferably the loyalty card database 216 is configured with the IINs of the merchant's loyalty payment cards.
  • The merchant may assign the same discount rate to each loyalty payment card. Alternately, however, the merchant may have been assigned multiple ranges of IINs for its loyalty payment cards, and may prefer to assign different discount rates to different loyalty payment cards based on their respective IIN. For example, bearers of loyalty payment cards having an IIN between ‘xxa’ and ‘xxb’ may be entitled a 10% discount, and bearers of loyalty payment cards having an IIN between ‘xxc’ and ‘xxd’ may be assigned a 20% discount. Accordingly, preferably the loyalty card database 216 is configured with the respective discount rate associated with each IIN of the merchant's loyalty payment cards.
  • The non-transient memory 214 also includes computer processing instructions stored thereon which, when accessed from the memory 214 and executed by the microprocessor 212, implement an operating system 218 and a transaction processor 220. The operating system 218 allows the payment terminal 200 to accept user input from the input device 202 and to control the display device 204 and the payment card interface 208.
  • The operation of the transaction processor 220 will be discussed in greater detail below. However, it is sufficient at this point to note that the transaction processor 220 is configured to receive, from a payment card 210 that is interfaced with the payment card interface 208, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal. The application data comprises an account number that is uniquely associated with the payment card 210.
  • The transaction processor 220 is also configured to generate an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal 200, to provide the payment card 210 with the adjusted authorization amount, to receive a cryptogram from the payment card 210 in response, and to provide notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal 200 from the payment card 210 was generated by the payment card 210 from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card 210.
  • Although the transaction processor 220 is typically implemented as computer processing instructions, all or a portion of the functionality of the transaction processor 220 may be implemented instead in electronics hardware, such as a field programmable logic gate array (FPGA) or a complex programmable logic device (CPLD).
    • Payment Card
  • As discussed, the payment card 210 may have a contact form factor and/or a contactless form factor, and may be implemented as a plastic smartcard, chip card or integrated circuit card that includes a built-in micro-controller and protected memory. The micro-controller and protected memory together provide a secure self-contained computing environment for running cryptographic (e.g. data encryption standard (DES), triple-DES, advanced encryption standard (AES)) algorithms. Preferably, the plastic payment card 210 is implemented as a Europay Mastercard Visa (EMV) payment card that authenticates financial transactions with payment terminals 200 using the EMV standard. Alternately, the payment card 210 may be implemented in software executing on a portable communications device, such as a smart phone, that is configured to implement payment card requirements of the EMV standard and to authenticate financial transactions with payment terminals 200 using the EMV standard.
  • The payment card 210 is configured with a personal identification number (PIN), a primary account number, expiry date and may also store one or more private cryptographic keys and corresponding public digital certificates. The primary account number and private cryptographic key(s) are uniquely associated with the payment card 210. Each private cryptographic key and the public cryptographic key of the corresponding public digital certificate comprise an asymmetric cryptographic key pair. Each public digital certificate is signed by the payment card issuer. The payment card 210 may also be configured with a payment card cryptographic master key that is uniquely associated with the payment card 210, and a public digital certificate of the issuer of the payment card 210.
  • Where the payment card 210 is implemented as a plastic payment card, the PIN, account number, cryptographic key(s) and public certificate(s) may be stored in the protected memory of the payment card 210 prior to delivery of the payment card 210 to the intended user. Where the payment card 210 is implemented in software executing on a portable communications device, the payment card 210 may be configured with the PIN, account number, expiry date, cryptographic key(s), and public certificate(s) when the payment card 210 is installed on the portable communications device. Alternately, instead of the PIN being stored on the plastic payment card or in the software executing on a portable communications device (the “reference” PIN), the payment card 210 may be configured to generate the reference PIN, for example, from the cryptographic key(s) stored in the payment card 210.
    • Method of Authorizing a Financial Transaction
  • As discussed, the payment authorization network 100 implements a method of authorizing a financial transaction. A sample embodiment of the transaction authorizing method will be discussed with reference to FIGS. 3 a and 3 b. As will be explained, in this embodiment the payment terminal 200 receives, from the payment card 210 that is interfaced with the payment terminal 200, application data in response to a predetermined authorization amount that is provided to the payment card 210 by the payment terminal 200. The application data comprises an account number that is uniquely associated with the payment card 210.
  • The payment terminal 200 generates an adjusted authorization amount based on the account number and from a preliminary authorization amount that is received at the payment terminal 200, provides the payment card 210 with the adjusted authorization amount, and receives a cryptogram from the payment card 210 in response. The payment terminal 200 provides notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal 200 from the payment card 210 was generated by the payment card 210 from the adjusted authorization amount and a private cryptographic key uniquely associated with the payment card 210.
  • An example transaction authorizing method will now be discussed in detail with reference to FIGS. 3 a and 3 b. In the following example, the payment terminal 200 is configured to implement the EMV standard (subject to the method implemented by the transaction processor 220, as discussed above), and the payment card 210 is implemented as a plastic EMV payment card or as software (executing on a portable communications device) that is configured to implement the EMV standard.
  • A customer attends at a payment terminal 200 of a merchant to complete a financial transaction (e.g. pay for wares and/or services) with the merchant. At step S300, the transaction particulars, including the pre-discounted total payable amount (preliminary authorization amount), are input into the payment terminal 200 directly by the merchant or indirectly via the ECR. The payment terminal 200 displays the preliminary authorization amount on the display device 204, and prompts the customer to approve the displayed authorization amount via the input device 202. The customer approves the displayed authorization amount, and the payment terminal 200 prompts the customer to interface a payment card 210 with the payment card interface 208 of the merchant's payment terminal 200.
  • After the customer (cardholder) interfaces a payment card 210 with the payment terminal 200, the payment card 210 provides the payment terminal 200 with a Processing Options Data List (PDOL), at step S302, that identifies the data elements that the payment card 210 will require to authorize the financial transaction.
  • At step S304, the transaction processor 220 of the payment terminal 200 transmits to the payment card 210 a Get Processing Options command that includes the data specified in the PDOL. Typically the PDOL lists the authorization amount as one of the required data elements. Although the payment terminal 200 was provided with the preliminary authorization amount at step S300, the cardholder might be entitled to a discount to the preliminary authorization amount based on the account number of the payment card 210. Since the actual authorization amount therefore is unknown at the stage, at step S304 the transaction processor 220 sets the authorization amount datum of the Get Processing Options command to a predetermined authorization amount. To comply with the EMV standard, preferably the predetermined authorization amount included in the Get Processing Options is hexadecimal zero.
  • At step S306, the payment card 210 provides the payment terminal 200 with an Application File Locator (AFL) message that identifies the location(s) in the protected memory of the payment card 210 of various data elements that the payment terminal 200 may need to authorize the financial transaction. At step S306, the payment card 210 also provides the payment terminal 200 with an Application Interchange Profile (AIP) that identifies the capabilities of the payment card 210, such as the type of offline data authentication (discussed below) that the payment card 210 supports.
  • Using the AFL, at step S308 the transaction processor 220 transmits to the payment card 210 a Read Record command for the various data elements required by the payment terminal 200. Typically, the Read Record command requests the account number, expiry date and software application version of the payment card 210. The Read Record command may also request a public digital certificate of the payment card 210 and optionally also a public digital certificate of the issuer of the payment card 210. The payment card 210 responds to the payment terminal 200, at step S310, with the account number and any other data requested by the Read Record command. At step S310, the payment card 210 may also provide the payment terminal 200 with a Card Risk Management Data Objects List (CDOL) that identifies the data elements that the payment card 210 may require to generate a cryptogram.
  • From the expiry date and application version of the software stored on the payment card 210 (as defined in the AIP), at step S312 the payment terminal 200 determines whether the payment card 210 is restricted from being used to authorize the financial transaction.
  • As discussed, the payment terminal 200 may be configured with a loyalty card database 216 (or may be in communication with a loyalty card database 216 that is maintained on an ECR, on a server that serves the payment terminals 200 on the merchant's local area network, or on the acquirer server 270) of account numbers for which the merchant would like to offer discounts. Accordingly, at step S314 the transaction processor 220 queries the loyalty card database 216 (whether stored internally or externally to the payment terminal 200) with the account number received from the payment card 210 to determine whether the cardholder is a preferred customer and, if so, the allowed discount (if any) to the preliminary authorization amount.
  • The payment terminal 200 may then validate the payment card 210 based on the type of offline data authentication, if any, identified in the AIP (received at step S306). To do so, at step S316 the transaction processor 220 may transmit to the payment card 210 a Generate Application Cryptogram command, requesting an offline cryptogram from the payment card 210.
  • If the AIP indicates that the payment card 210 supports Dynamic Data Authentication (DDA) or Combined Data Authentication (CDA), the transaction processor 220 generates an unpredictable number, and includes the unpredictable number in the offline cryptogram request. In response, the payment card 210 generates an offline cryptogram from the unpredictable number and a private cryptographic key of the payment card 210, and provides the payment terminal 200 with the offline cryptogram, at step S318. At step S320, the transaction processor 220 validates the payment card 210 by using the public certificate of the payment card issuer to validate the public certificate of the payment card 210 (both received in response to the Read Record command at step S310), and uses the public certificate of the payment card 210 to verify that the payment card 210 generated the offline cryptogram.
  • If the AIP indicates that the payment card 210 does not support DDA or CDA, but instead supports Static Data Authentication (SDA), the payment terminal 200 receives from the payment card 210 (in response to the Read Record command at step S310) signed static application data that is stored on the payment card. The transaction processor 220 validates the payment card 210, at step S320, by using the public certificate of the payment card issuer to verify that the payment card issuer signed the static application data.
  • The payment terminal 200 may then authenticate the bearer of the payment card 210 by prompting the customer (cardholder) to input a PIN into the payment terminal 200 via the input device 202. After the customer (cardholder) inputs a PIN into the payment terminal 200, at step S322 the transaction processor 220 transmits to the payment card 210 a Verify command that includes the PIN. The payment card 210 uses the reference PIN that is stored in the protected memory of the payment card 210 (or generates the reference PIN) to validate the PIN received from the payment terminal 200, and responds to the payment terminal 200 with a pass/fail validation message, at step S324, indicating whether validation of the PIN received from the payment terminal 200 passed or failed.
  • At step S326, the transaction processor 220 assesses the risk associated with the financial transaction by comparing the adjusted/preliminary authorization amount against a floor limit established by the issuer of the payment card 210.
  • Although the financial transaction authorizing method has been described thus far as comprising the sequence of processing restrictions (step S312), payment card validation (steps S316 to S320), cardholder authentication (steps S322 to S324) and risk management (step S326), the method is not limited to this particular sequence. The financial transaction authorizing method may be effected by implementing the processing restrictions, payment card validation, cardholder authentication and risk management stages in any order.
  • Based on the results of the processing restrictions, payment card validation, cardholder authentication and transaction floor limit check (collectively the Terminal Verification Results), at step S328 the transaction processor 220 determines whether the financial transaction should be approved online, approved offline, or declined offline.
  • If the transaction processor 220 determines, at step S328, that the financial transaction can be approved offline, at step S330 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting an offline Transaction Certificate (TC) from the payment card 210. Typically, the CDOL (received from the payment card 210 at step S310) lists the authorization amount as one of the data elements required by the payment card 210 to generate a cryptogram. Therefore, if the account number of the payment card 210 correlates with one of the IIN ranges stored in the loyalty card database 216, the transaction processor 220 generates an adjusted authorization amount by discounting the preliminary authorization amount by the discount rate that is associated with the IIN range in the loyalty card database 216. The transaction processor 220 generates an unpredictable number and incorporates the adjusted authorization amount and the unpredictable number into the Generate Application Cryptogram command. Alternately, where the account number does not correlate with one of the IIN ranges stored in the loyalty card database 216, the transaction processor 220 incorporates the preliminary authorization amount and the unpredictable number into the Generate Application Cryptogram command.
  • At step S332, the payment card 210 determines whether the transaction can be approved offline, for example, by verifying that the number of consecutive transactions previously approved offline has not exceeded a predetermined limit.
  • If the payment card 210 determines, at step S332, that the transaction can be approved offline, the payment card 210 generates an offline certificate TC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200, the transaction date, the account number and a transaction counter internal to the payment card 210. The payment card 210 may generate the offline certificate TC by (i) generating a cryptographic session key from the payment card cryptographic master key and the transaction counter, (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter and the session key as inputs to a cryptographic algorithm, (iii) signing the resulting offline cryptogram with a private cryptographic key of the payment card 210, and (iv) incorporating the offline cryptogram into the offline certificate TC. Since the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210.
  • The payment card 210 responds to the payment terminal 200 with the offline certificate TC, at step S352. The payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the offline cryptogram (and the offline certificate TC) from the adjusted/preliminary authorization amount and therefore that the payment card 210 authorized the transaction. The payment terminal 200 then provides a notification, on the display device 204, advising the customer that the financial transaction was authorized.
  • If the transaction processor 220 determines, at step S328, that the financial transaction should be approved online, at step S330 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting an online cryptogram from the payment card 210. The transaction processor 220 generates an unpredictable number and incorporates the adjusted/preliminary authorization amount and the unpredictable number into the Generate Application Cryptogram command.
  • Upon receipt of the online cryptogram request (or if the transaction processor 220 requested an offline certificate TC at step S330, but the payment card 210 determined, at step S332, that the transaction should not be approved offline), the payment card 210 generates an online Application Request Cryptogram (ARQC) from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200, the transaction date, the account number and the payment card internal transaction counter. The payment card 210 may generate the online cryptogram ARQC by (i) generating a cryptographic session key from the payment card cryptographic master key and the transaction counter, and (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter (collectively the Issuer Authorization Data) and the session key as inputs to a cryptographic algorithm.
  • Since the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210. The payment card 210 responds to the payment terminal 200 with the online cryptogram ARQC, at step S334.
  • At step S336, the transaction processor 220 generates an Authorization Request Message that includes the Issuer Authorization Data and the online cryptogram ARQC, and forwards the Authorization Request Message to the acquirer server 270 via the acquirer network 106. At step S338, the acquirer server 270 directs the Authorization Request Message to the issuer server 300, over the payment network 108, for validation.
  • At step S340, the issuer server 300 verifies that the payment card 210 generated the online cryptogram ARQC. To do so, the issuer server 300 may (i) recover the payment card's session key by applying the account number, payment card internal transaction counter and a card issuer cryptographic master key as inputs to a suitable cryptographic algorithm, (ii) decrypt the online cryptogram ARQC with the recovered session key, (iii) compute a message authentication code from the Issuer Authorization Data, and (iv) compare the computed message authentication code against the decrypted cryptogram.
  • At step S340, the issuer server 300 also applies its prevailing risk management rules to the adjusted/preliminary authorization amount. Therefore, for example, the issuer server 300 may determine whether the financial account that is associated with the account number is still active and has sufficient credit/funds to complete the transaction (i.e. the adjusted/preliminary authorization amount is less than the credit/funds balance for the account). The issuer server 300 may also determine whether the transaction is consistent with the cardholder's history of transactions.
  • The issuer server 300 generates an authorization response code that indicates the outcome of the risk management analysis and the online cryptogram ARQC verification (i.e. whether the issuer approved or declined the transaction and whether the payment card 210 generated the online cryptogram ARQC from the adjusted/preliminary authorization amount and the cryptographic master key (session key) of the payment card 210), and generates an Application Response Cryptogram (ARPC) from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the account number, authorization response code and online cryptogram ARQC. The issuer server 300 may generate the cryptogram ARPC by applying the authorization response code, online cryptogram ARQC and session key (recovered from the account number and the card issuer cryptographic master key) as inputs to a suitable cryptographic algorithm.
  • At step S342, the issuer server 300 generates an Authorization Response Message that includes the Issuer Authorization Data, authorization response code and cryptogram ARPC, and directs the Authorization Response Message to the acquirer server 270 via the payment network 108. At step S344, the acquirer server 270 forwards the Authorization Response Message to the payment terminal 200, via the acquirer network 106.
  • At step S346, the payment terminal 200 examines the authorization response code of the Authorization Response Message. If the authorization response code indicates that the card issuer authorized the transaction and that the payment card 210 generated the online cryptogram ARQC from the adjusted/preliminary authorization amount and the cryptographic master key (or session key) of the payment card 210, at step S348 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting from the payment card 210 a Transaction Certificate (TC) confirming that the issuer server 300 generated the Authorization Response Message. The transaction processor 220 generates an unpredictable number and incorporates the Issuer Authorization Data and unpredictable number, authorization response code and cryptogram ARPC into the Generate Application Cryptogram command.
  • At step S350, the payment card 210 then determines whether the issuer server 300 generated the cryptogram ARPC. To do so, the payment card 210 may (i) decrypt the cryptogram ARPC with the payment card's session key, (ii) compute a message authentication code from the account number, authorization response code and online cryptogram ARQC, and (iii) compare the computed message authentication code against the decrypted cryptogram.
  • If the payment card 210 confirms that the issuer server 300 generated the cryptogram ARPC and therefore that the card issuer authorized the transaction, the payment card 210 generates the certificate TC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200, the transaction date, the account number and the internal transaction counter. The payment card 210 may generate the certificate TC by (i) generating a session key from the payment card cryptographic master key and the transaction counter, (ii) applying the Terminal Verification Results, adjusted/preliminary authorization amount, unpredictable number, transaction date, account number and transaction counter and the session key as inputs to a cryptographic algorithm, (iii) signing the resulting cryptogram with a private cryptographic key of the payment card 210, and (iv) incorporating the cryptogram into the certificate TC. Since the cryptographic session key is generated from the payment card cryptographic master key and the transaction counter, the cryptographic session key is uniquely associated with the payment card 210.
  • The payment card 210 responds to the payment terminal 200 with the certificate TC, at step S352. The payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the cryptogram (and the certificate TC) from the adjusted/preliminary authorization amount and therefore that the issuer server 300 authorized the transaction. The payment terminal 200 then provides a notification, on the display device 204, advising the customer that the financial transaction was authorized.
  • If the authorization response code indicates that the card issuer declined the transaction (or if, at step S328, the transaction processor 220 determined that the transaction should be declined offline), at step S348 the transaction processor 220 transmits to the payment card 210 a Generate Application Cryptogram command, requesting from the payment card 210 an Application Authentication Cryptogram (AAC) confirming that the issuer server 300 generated the Authorization Response Message. The transaction processor 220 generates an unpredictable number and incorporates the Issuer Authorization Data and unpredictable number into the Generate Application Cryptogram command.
  • The payment card 210 generates the cryptogram AAC from a cryptographic key of the payment card 210 and from a message authentication code that is generated from the Terminal Verification Results, the adjusted/preliminary authorization amount and unpredictable number received from the payment terminal 200, the transaction date, the account number and the internal transaction counter. The payment card 210 may sign the resulting cryptogram with a private cryptographic key of the payment card 210.
  • The payment card 210 responds to the payment terminal 200 with the cryptogram AAC, at step S352. The payment terminal 200 uses the public certificate of the payment card 210 to confirm that the payment card 210 generated the cryptogram AAC from the adjusted/preliminary authorization amount and therefore that the payment card 210 or the issuer server 300 declined the transaction. The payment terminal 200 then provides a notification, on the display device 204, advising the customer that the financial transaction was declined.
  • As will be apparent, therefore, based on the type of cryptogram received at the payment terminal 200, the payment terminal 200 provides a notification advising whether the financial transaction was authorized or declined. Since the payment terminal 200 generates the adjusted authorization amount based on the account number associated with the payment card 210, and the payment card 210 generates the online or offline cryptogram from the adjusted authorization amount, the merchant can offer preferred customers adjustments to the preliminary authorization amount without requiring re-configuration of the payment card 210 or the card issuer server 300.

Claims (20)

1. A method of authorizing a financial transaction comprising:
a payment terminal receiving, from a payment card interfaced with the payment terminal, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal, the application data comprising an account number uniquely associated with the payment card;
the payment terminal generating an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal;
the payment terminal providing the payment card with the adjusted authorization amount, and receiving a cryptogram from the payment card in response; and
the payment terminal providing notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
2. The method according to claim 1, wherein the payment terminal is configured with a range of issuer identification numbers, and the generating an adjusted authorization amount comprises the payment terminal generating the adjusted authorization amount in accordance with a correlation between the account number and the range of issuer identification numbers.
3. The method according to claim 2, wherein the cryptogram comprises an online cryptogram, and the providing notification of authorization of a financial transaction comprises the payment terminal transmitting over a payment network a transaction authorization request for online authorization of the financial transaction, the transaction authorization request including the adjusted authorization amount and the online cryptogram.
4. The method according to claim 2, wherein the cryptogram is included in an offline certificate, the providing the adjusted authorization amount comprises the payment terminal transmitting to the payment card an offline cryptogram request for offline authorization of the financial transaction, the offline cryptogram request including the adjusted authorization amount, and the providing notification of authorization of a financial transaction comprises the payment terminal confirming that the payment card generated the offline certificate from the adjusted authorization amount and the cryptographic key.
5. The method according to claim 1, wherein the providing notification of authorization of a financial transaction comprises the payment terminal validating the payment card and a bearer of the payment card, and initiating the authorization in accordance with an outcome of the validating.
6. The method according to claim 5, wherein the card bearer validating comprises the payment terminal transmitting a personal identification number to the payment card, and receiving from the payment card a validation of the personal identification number.
7. The method according to claim 3, wherein the providing notification of authorization of a financial transaction comprises the payment terminal receiving a transaction authorization from the payment network in response to the online transaction authorization request, the transaction authorization providing a confirmation of the payment card generating the online cryptogram from the adjusted authorization amount and the cryptographic key.
8. The method according to claim 7, wherein the providing notification of authorization of a financial transaction comprises the payment terminal transmitting the transaction authorization to the payment card, and receiving from the payment card confirmation that an issuer of the payment card generated the transaction authorization.
9. The method according to claim 1, wherein the cryptogram comprises an online cryptogram, and the providing the adjusted authorization amount comprises the payment terminal transmitting to the payment card a cryptogram request requesting the online cryptogram from the payment card, the cryptogram request including the adjusted authorization amount.
10. The method according to claim 1, wherein the payment terminal receives the preliminary authorization amount from an electronic cash register.
11. A computer-readable medium comprising computer processing instructions stored thereon for execution by a payment terminal, the computer processing instructions, when executed by the payment terminal, causing the payment terminal to perform the method of claim 1.
12. A payment terminal comprising:
a card interface for interfacing a payment card interfaced with the payment terminal; and
a transaction processor coupled to the card interface, the transaction processor being configured to:
(i) receive, from a payment card interfaced with the card interface, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal, the application data comprising an account number uniquely associated with the payment card;
(ii) generate an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, provide the payment card with the adjusted authorization amount, and receive a cryptogram from the payment card in response; and
(iii) provide notification of authorization of a financial transaction for the adjusted authorization amount in accordance with a confirmation that the cryptogram received at the payment terminal from the payment card was generated by the payment card from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
13. The payment terminal according to claim 12, wherein the payment terminal is configured with a range of issuer identification numbers, and the transaction processor is configured to generate the adjusted authorization amount in accordance with a correlation between the account number and the range of issuer identification numbers.
14. The payment terminal according to claim 13, wherein the cryptogram comprises an online cryptogram, and the transaction processor is configured to provide notification of authorization of a financial transaction by transmitting over a payment network a transaction authorization request for online authorization of the financial transaction, the transaction authorization request including the adjusted authorization amount and the online cryptogram.
15. The payment terminal according to claim 13, wherein the cryptogram is included in an offline certificate, the transaction processor is configured to provide the adjusted authorization amount by transmitting to the payment card an offline cryptogram request for offline authorization of the financial transaction, the offline cryptogram request including the adjusted authorization amount, and the transaction processor is configured to provide notification of authorization of a financial transaction by confirming that the payment card generated the offline certificate from the adjusted authorization amount and the cryptographic key.
16. The payment terminal according to claim 12, wherein the transaction processor is configured to provide notification of authorization of a financial transaction by validating the payment card and a bearer of the payment card, and initiating the authorization in accordance with an outcome of the validating.
17. The payment terminal according to claim 16, wherein the transaction processor is configured to authenticate the bearer of the payment card by transmitting a personal identification number to the payment card, and receiving from the payment card a validation of the personal identification number.
18. The payment terminal according to claim 14, wherein the transaction processor is configured to provide notification of authorization of a financial transaction by receiving a transaction authorization from the payment network in response to the online transaction authorization request, the transaction authorization providing a confirmation of the payment card generating the online cryptogram from the adjusted authorization amount and the cryptographic key.
19. The payment terminal according to claim 18, wherein the transaction processor is configured to provide notification of authorization of a financial transaction by transmitting the transaction authorization to the payment card, and receiving from the payment card confirmation that an issuer of the payment card generated the transaction authorization.
20. A method of authorizing a financial transaction comprising:
a payment terminal receiving, from a payment card interfaced with the payment terminal, application data in response to a predetermined authorization amount provided to the payment card by the payment terminal, the application data comprising an account number uniquely associated with the payment card;
the payment terminal generating an adjusted authorization amount based on the account number and from a preliminary authorization amount received at the payment terminal, and transmitting to the payment card a cryptogram request requesting an online cryptogram from the payment card, the cryptogram request including the adjusted authorization amount;
the payment terminal receiving the online cryptogram from the payment card in response to the cryptogram request, and transmitting over a payment network a payment authorization request for online authorization of a financial transaction for the adjusted authorization amount, the payment authorization request including the online cryptogram; and
the payment terminal receiving a transaction authorization from the payment network in response to the payment authorization request, the transaction authorization providing a confirmation of the payment card generating the online cryptogram from the adjusted authorization amount and a cryptographic key uniquely associated with the payment card.
US14/464,632 2013-09-10 2014-08-20 System and method for authorizing a financial transaction Abandoned US20150073995A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US14/464,632 US20150073995A1 (en) 2013-09-10 2014-08-20 System and method for authorizing a financial transaction
CA3203930A CA3203930A1 (en) 2013-09-10 2014-09-10 System and method for authorizing a financial transaction
CA2863122A CA2863122C (en) 2013-09-10 2014-09-10 System and method for authorizing a financial transaction
US17/376,031 US12062044B2 (en) 2013-09-10 2021-07-14 System and method for authorizing a financial transaction

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361875919P 2013-09-10 2013-09-10
US14/464,632 US20150073995A1 (en) 2013-09-10 2014-08-20 System and method for authorizing a financial transaction

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/376,031 Continuation US12062044B2 (en) 2013-09-10 2021-07-14 System and method for authorizing a financial transaction

Publications (1)

Publication Number Publication Date
US20150073995A1 true US20150073995A1 (en) 2015-03-12

Family

ID=52626515

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/464,632 Abandoned US20150073995A1 (en) 2013-09-10 2014-08-20 System and method for authorizing a financial transaction
US17/376,031 Active 2035-03-08 US12062044B2 (en) 2013-09-10 2021-07-14 System and method for authorizing a financial transaction

Family Applications After (1)

Application Number Title Priority Date Filing Date
US17/376,031 Active 2035-03-08 US12062044B2 (en) 2013-09-10 2021-07-14 System and method for authorizing a financial transaction

Country Status (2)

Country Link
US (2) US20150073995A1 (en)
CA (2) CA3203930A1 (en)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105022976A (en) * 2015-07-27 2015-11-04 飞天诚信科技股份有限公司 Method and device for reading record in smart card
US20170103396A1 (en) * 2015-10-13 2017-04-13 Mastercard International Incorporated Adaptable messaging
WO2018031856A1 (en) * 2016-08-12 2018-02-15 Mastercard International Incorporated Cryptographic authentication and tokenized transactions
US20190108511A1 (en) * 2017-10-05 2019-04-11 The Toronto-Dominion Bank System and method of session key generation and exchange
US20190188705A1 (en) * 2017-10-03 2019-06-20 The Toronto-Dominion Bank System and method for clearing point-of-sale terminal pre-authorizations
WO2020190929A1 (en) * 2019-03-20 2020-09-24 Capital One Services, Llc Nfc mobile currency transfer
CN113169873A (en) * 2018-10-02 2021-07-23 第一资本服务有限责任公司 System and method for password authentication of contactless cards
US20210342816A1 (en) * 2020-04-30 2021-11-04 Capital One Services, Llc Intelligent card unlock
US20220067687A1 (en) * 2020-09-03 2022-03-03 Mastercard International Incorporated Contactless payment relay attack protection
US20220108322A1 (en) * 2020-10-07 2022-04-07 Mastercard International Incorporated Systems and methods for use in biometric-enabled network interactions
CN114331454A (en) * 2021-12-24 2022-04-12 中国农业银行股份有限公司 Counter transaction data processing method and device, electronic equipment and storage medium
US11394721B2 (en) * 2017-01-17 2022-07-19 Visa International Service Association Binding cryptogram with protocol characteristics
US20220245630A1 (en) * 2013-12-02 2022-08-04 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements
US11481779B2 (en) * 2014-03-12 2022-10-25 The Toronto-Dominion Bank System and method for authorizing a debit transaction without user authentication
EP4177810A1 (en) * 2016-04-18 2023-05-10 Bancontact Payconiq Company Method and device for authorizing mobile transactions
WO2023093876A1 (en) * 2021-11-29 2023-06-01 沈阳泉安科技有限公司 Authorization device-based transaction method and system
US20230252452A1 (en) * 2019-12-24 2023-08-10 Capital One Services, Llc Secure authentication based on identity data stored in a contactless card
US11928666B1 (en) 2019-09-18 2024-03-12 Wells Fargo Bank, N.A. Systems and methods for passwordless login via a contactless card
AU2022283686B2 (en) * 2016-04-01 2024-04-04 Visa International Service Association System and method employing reduced time device processing
US12099995B2 (en) 2016-04-22 2024-09-24 Wells Fargo Bank, N.A. Systems and methods for providing a code to a user device
US12159275B1 (en) 2015-03-19 2024-12-03 Wells Fargo Bank, N.A. Systems and methods for smart card mobile device authentication
US20250117786A1 (en) * 2023-10-04 2025-04-10 The Toronto-Dominion Bank Authorization network and a method for authorizing a preliminary transaction value
US12450591B1 (en) 2020-09-16 2025-10-21 Wells Fargo Bank, N.A. Systems and methods for contactless card activation via unique activation codes
US12493868B1 (en) 2020-12-01 2025-12-09 Wells Fargo Bank, N.A. Systems and methods for information verification using a contactless card
US12499433B1 (en) * 2015-03-27 2025-12-16 Wells Fargo Bank, N.A. Systems and methods for contactless smart card authentication

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018081520A (en) * 2016-11-17 2018-05-24 東芝テック株式会社 Information processing apparatus and program
WO2019195676A1 (en) * 2018-04-05 2019-10-10 Visa International Service Association Smart device system and method of use
GB202405471D0 (en) * 2024-04-18 2024-06-05 Mastercard International Inc Transaction settlement

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050033688A1 (en) * 2002-07-09 2005-02-10 American Express Travel Related Services Company, Inc. Methods and apparatus for a secure proximity integrated circuit card transactions
US20060059040A1 (en) * 2004-08-25 2006-03-16 First Data Corporation Systems and methods of data transfer in a distributed computer network
US7024395B1 (en) * 2000-06-16 2006-04-04 Storage Technology Corporation Method and system for secure credit card transactions
US20070106602A1 (en) * 2005-10-20 2007-05-10 Exxonmobil Research And Engineering Company Card purchase transaction processing
US20080133351A1 (en) * 2006-10-24 2008-06-05 Brigette White Method and apparatus for reward messaging, discounting and redemption at the point of interaction
US20090070171A1 (en) * 2007-09-10 2009-03-12 Barbara Patterson Host capture
US20100038421A1 (en) * 2003-06-03 2010-02-18 Koninklijke Philips Electronics N.V. Secure card terminal
US20110244799A1 (en) * 2010-03-31 2011-10-06 Roberts David A Systems and methods for operating transaction terminals
US20110276420A1 (en) * 2008-09-17 2011-11-10 Robert White Cash card system
US20120011070A1 (en) * 2010-07-09 2012-01-12 Master Card International Incorporated Apparatus and Method for Combining Cryptograms for Card Payments
US20130085835A1 (en) * 2011-09-30 2013-04-04 Coupons.Com Incorporated Applying mobile digital coupons at the point of sale
US20130132283A1 (en) * 2011-11-23 2013-05-23 Robert Hayhow System and method for processing an online transaction request
US20130185167A1 (en) * 2010-09-21 2013-07-18 Mastercard International Incorporated Financial transaction method and system having an update mechanism
US20140039990A1 (en) * 2012-08-06 2014-02-06 Randolph Ken Georgi Universal transaction associating identifier
US20140074568A1 (en) * 2012-05-30 2014-03-13 One Inc. Universal Recognition Platform

Family Cites Families (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5945653A (en) * 1997-06-26 1999-08-31 Walker Asset Management Limited Partnership System and method for establishing and executing functions to affect credit card accounts and transactions
US7630926B2 (en) * 1999-08-19 2009-12-08 E2Interactive, Inc. Inserting value into customer account at point of sale using a customer account identifier
US7103575B1 (en) 2000-08-31 2006-09-05 International Business Machines Corporation Enabling use of smart cards by consumer devices for internet commerce
US7318049B2 (en) * 2000-11-17 2008-01-08 Gregory Fx Iannacci System and method for an automated benefit recognition, acquisition, value exchange, and transaction settlement system using multivariable linear and nonlinear modeling
US6842743B2 (en) 2000-12-01 2005-01-11 Matsushita Electric Industrial Co., Ltd. Transparent secure electronic credit card transaction protocol with content-based authentication
US7292999B2 (en) 2001-03-15 2007-11-06 American Express Travel Related Services Company, Inc. Online card present transaction
WO2005029284A2 (en) * 2003-09-17 2005-03-31 Abendroth John C Club membership for discounted buying
EP1828998A2 (en) 2004-02-05 2007-09-05 A Little World Private Limited Inter-operable, multi-operator, multi-bank, multi-merchant mobile payment method and a system therefor
US20110010238A1 (en) * 2004-03-01 2011-01-13 Richard Postrel Method and system for issuing, aggregating and redeeming merchant rewards
FI20045376L (en) * 2004-03-05 2005-09-06 Osuma Finland Oy Loyalty card and related devices
CN101048794A (en) 2004-08-18 2007-10-03 万事达卡国际股份有限公司 Method and system for authorizing a transaction using a dynamic authorization code
US7742942B2 (en) 2005-06-22 2010-06-22 Excentus Corporation System and method for discounting fuel
US20060293952A1 (en) * 2005-06-22 2006-12-28 Nicholson G R Debit card incentive system and method
GB0518963D0 (en) * 2005-09-16 2005-10-26 Eagle Eye Solutions Ltd Transaction apparatus,systems and methods
CN102968604B (en) * 2005-09-28 2016-06-15 维萨国际服务协会 Reduce the equipment of the interaction time of contactless transaction, system and method
US20070168260A1 (en) * 2005-09-30 2007-07-19 Mastercard International Incorporated Payment apparatus and method
US8090654B2 (en) * 2006-03-17 2012-01-03 Mastercard International Incorporated Techniques for transaction adjustment
EP1843288A1 (en) 2006-04-05 2007-10-10 Elca Informatique S.A. System for securing electronic transactions over an open network
US10115112B2 (en) * 2006-08-31 2018-10-30 Visa U.S.A. Inc. Transaction evaluation for providing rewards
US9846866B2 (en) 2007-02-22 2017-12-19 First Data Corporation Processing of financial transactions using debit networks
US9098851B2 (en) * 2008-02-14 2015-08-04 Mastercard International Incorporated Method and apparatus for simplifying the handling of complex payment transactions
US10755268B2 (en) 2008-05-09 2020-08-25 Verient, Inc. Apparatus and methods for payment transactions using near field communication
US20090281871A1 (en) * 2008-05-12 2009-11-12 Terrence Patrick Tietzen Method, system, and computer program for providing a loyalty engine for automated cause management
US8788350B2 (en) 2008-06-13 2014-07-22 Microsoft Corporation Handling payment receipts with a receipt store
US9704161B1 (en) * 2008-06-27 2017-07-11 Amazon Technologies, Inc. Providing information without authentication
US8219489B2 (en) * 2008-07-29 2012-07-10 Visa U.S.A. Inc. Transaction processing using a global unique identifier
US20100057580A1 (en) * 2008-08-28 2010-03-04 Radha Raghunathan Unified payment card
US20100106570A1 (en) * 2008-10-28 2010-04-29 Cristian Radu Systems and methods for enrollment and participation in a loyalty program
US10354321B2 (en) 2009-01-22 2019-07-16 First Data Corporation Processing transactions with an extended application ID and dynamic cryptograms
US8370258B2 (en) * 2009-04-28 2013-02-05 Mastercard International Incorporated Apparatus, method, and computer program product for recovering torn smart payment device transactions
US8266031B2 (en) 2009-07-29 2012-09-11 Visa U.S.A. Systems and methods to provide benefits of account features to account holders
US8505813B2 (en) * 2009-09-04 2013-08-13 Bank Of America Corporation Customer benefit offer program enrollment
US8572394B2 (en) 2009-09-04 2013-10-29 Computer Associates Think, Inc. OTP generation using a camouflaged key
US9940619B2 (en) * 2010-07-13 2018-04-10 Dfs Services Llc Processing non-traditional transactions on a traditional payment network
WO2012012445A2 (en) 2010-07-19 2012-01-26 Universal Commerce, Inc. Mobile system and method for payments and non-financial transactions
US20120197708A1 (en) 2011-01-31 2012-08-02 Mullen Jeffrey D Systems and methods for social networking mechanisms for powered cards and devices
US20120215605A1 (en) * 2011-02-22 2012-08-23 Marqeta, Inc. System and method for providing a user with a single payment card on which prepaid and/or reward balances are tracked for multiple merchants
US20130103487A1 (en) * 2011-04-15 2013-04-25 Solutran Smart card with product substantiation system and method
US9547861B2 (en) * 2011-05-11 2017-01-17 Mark Itwaru System and method for wireless communication with an IC chip for submission of pin data
US10380605B2 (en) 2011-06-20 2019-08-13 Ncr Corporation System and method for associating discounts with payment options
CN110111087B (en) 2011-08-30 2024-01-02 欧威环公司 System and method for authorizing transactions utilizing unpredictable passwords
FI20115945A0 (en) * 2011-09-28 2011-09-28 Onsun Oy payment
US20130124287A1 (en) 2011-11-14 2013-05-16 Visa International Service Association Systems and methods to provide discount at point of sales terminals
CA2771395C (en) 2011-11-23 2015-11-24 The Toronto Dominion Bank System and method for processing an online transaction request
US8630954B2 (en) * 2011-12-15 2014-01-14 Visa International Service Association System and method of using load network to associate product or service with a consumer token
US20130238408A1 (en) 2012-03-08 2013-09-12 Mastercard International Incorporated Systems and methods for attaching loyalty program data to an electronic payment scheme
US10535064B2 (en) 2012-03-19 2020-01-14 Paynet Payments Network, Llc Systems and methods for real-time account access
FR2993382B1 (en) 2012-07-13 2015-07-03 Oberthur Technologies SECURE ELECTRONIC ENTITY FOR THE AUTHORIZATION OF A TRANSACTION
PE20160442A1 (en) 2012-08-21 2016-04-29 Seglan S L METHOD AND SYSTEM TO ENABLE TICKETING / MOBILE PAYMENTS WITHOUT CONTACT THROUGH A MOBILE APPLICATION
CA3126471A1 (en) 2012-10-17 2014-04-17 Royal Bank Of Canada Virtualization and secure processing of data
CA2834272A1 (en) 2013-11-25 2014-02-04 Mobi724 Solutions Inc. Mobile couponing system and method

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7024395B1 (en) * 2000-06-16 2006-04-04 Storage Technology Corporation Method and system for secure credit card transactions
US20050033688A1 (en) * 2002-07-09 2005-02-10 American Express Travel Related Services Company, Inc. Methods and apparatus for a secure proximity integrated circuit card transactions
US20100038421A1 (en) * 2003-06-03 2010-02-18 Koninklijke Philips Electronics N.V. Secure card terminal
US20060059040A1 (en) * 2004-08-25 2006-03-16 First Data Corporation Systems and methods of data transfer in a distributed computer network
US20070106602A1 (en) * 2005-10-20 2007-05-10 Exxonmobil Research And Engineering Company Card purchase transaction processing
US20080133351A1 (en) * 2006-10-24 2008-06-05 Brigette White Method and apparatus for reward messaging, discounting and redemption at the point of interaction
US20090070171A1 (en) * 2007-09-10 2009-03-12 Barbara Patterson Host capture
US20110276420A1 (en) * 2008-09-17 2011-11-10 Robert White Cash card system
US20110244799A1 (en) * 2010-03-31 2011-10-06 Roberts David A Systems and methods for operating transaction terminals
US20120011070A1 (en) * 2010-07-09 2012-01-12 Master Card International Incorporated Apparatus and Method for Combining Cryptograms for Card Payments
US20130185167A1 (en) * 2010-09-21 2013-07-18 Mastercard International Incorporated Financial transaction method and system having an update mechanism
US20130085835A1 (en) * 2011-09-30 2013-04-04 Coupons.Com Incorporated Applying mobile digital coupons at the point of sale
US20130132283A1 (en) * 2011-11-23 2013-05-23 Robert Hayhow System and method for processing an online transaction request
US20140074568A1 (en) * 2012-05-30 2014-03-13 One Inc. Universal Recognition Platform
US20140039990A1 (en) * 2012-08-06 2014-02-06 Randolph Ken Georgi Universal transaction associating identifier

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Title: Implementing Electronic Card Payment Systems; Author:Cristian Radu; Publisher: Artech House, 2003; ISBN 1580538037, 9781580538039; Pertinent pages: 267 *

Cited By (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220245630A1 (en) * 2013-12-02 2022-08-04 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements
US12499445B2 (en) 2013-12-02 2025-12-16 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements
US12093954B2 (en) * 2013-12-02 2024-09-17 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements
US11481779B2 (en) * 2014-03-12 2022-10-25 The Toronto-Dominion Bank System and method for authorizing a debit transaction without user authentication
US12288206B1 (en) 2015-03-19 2025-04-29 Wells Fargo Bank, N.A. Systems and methods for smart card mobile device authentication
US12159275B1 (en) 2015-03-19 2024-12-03 Wells Fargo Bank, N.A. Systems and methods for smart card mobile device authentication
US12499433B1 (en) * 2015-03-27 2025-12-16 Wells Fargo Bank, N.A. Systems and methods for contactless smart card authentication
CN105022976A (en) * 2015-07-27 2015-11-04 飞天诚信科技股份有限公司 Method and device for reading record in smart card
US20170103396A1 (en) * 2015-10-13 2017-04-13 Mastercard International Incorporated Adaptable messaging
AU2024204620B2 (en) * 2016-04-01 2025-11-06 Visa International Service Association System and method employing reduced time device processing
US12135775B2 (en) 2016-04-01 2024-11-05 Visa International Service Association System and method employing reduced time device processing
AU2022283686B2 (en) * 2016-04-01 2024-04-04 Visa International Service Association System and method employing reduced time device processing
EP4177810A1 (en) * 2016-04-18 2023-05-10 Bancontact Payconiq Company Method and device for authorizing mobile transactions
US12099995B2 (en) 2016-04-22 2024-09-24 Wells Fargo Bank, N.A. Systems and methods for providing a code to a user device
RU2741321C2 (en) * 2016-08-12 2021-01-25 Мастеркард Интернэшнл Инкорпорейтед Cryptographic authentication and tokenized transactions
WO2018031856A1 (en) * 2016-08-12 2018-02-15 Mastercard International Incorporated Cryptographic authentication and tokenized transactions
CN109716373A (en) * 2016-08-12 2019-05-03 万事达卡国际公司 Cipher authentication and tokenized transaction
US11301844B2 (en) 2016-08-12 2022-04-12 Mastercard International Incorporated Cryptographic authentication and tokenized transactions
US11394721B2 (en) * 2017-01-17 2022-07-19 Visa International Service Association Binding cryptogram with protocol characteristics
US12218953B2 (en) 2017-01-17 2025-02-04 Visa International Service Association Binding cryptogram with protocol characteristics
US11127005B2 (en) * 2017-10-03 2021-09-21 The Toronto-Dominion Bank Network and method for clearing point-of-sale terminal pre-authorizations
US20190188705A1 (en) * 2017-10-03 2019-06-20 The Toronto-Dominion Bank System and method for clearing point-of-sale terminal pre-authorizations
US10657529B2 (en) * 2017-10-03 2020-05-19 The Toronto-Dominion Bank System and method for clearing point-of-sale terminal pre-authorizations
US20210174362A1 (en) * 2017-10-05 2021-06-10 The Toronto-Dominion Bank System and method of session key generation and exchange
US11769148B2 (en) * 2017-10-05 2023-09-26 The Toronto-Dominion Bank System and method of session key generation and exchange
US20190108511A1 (en) * 2017-10-05 2019-04-11 The Toronto-Dominion Bank System and method of session key generation and exchange
US10956905B2 (en) * 2017-10-05 2021-03-23 The Toronto-Dominion Bank System and method of session key generation and exchange
US11469898B2 (en) 2018-10-02 2022-10-11 Capital One Services, Llc Systems and methods for message presentation using contactless cards
US12166892B2 (en) 2018-10-02 2024-12-10 Capital One Services, Llc Systems and methods for message presentation using contactless cards
CN113169873A (en) * 2018-10-02 2021-07-23 第一资本服务有限责任公司 System and method for password authentication of contactless cards
EP3861500A4 (en) * 2018-10-02 2022-07-27 Capital One Services, LLC CONTACTLESS CARD CRYPTOGRAPHIC AUTHENTICATION SYSTEMS AND METHODS
US10984416B2 (en) 2019-03-20 2021-04-20 Capital One Services, Llc NFC mobile currency transfer
WO2020190929A1 (en) * 2019-03-20 2020-09-24 Capital One Services, Llc Nfc mobile currency transfer
US11941608B1 (en) 2019-09-18 2024-03-26 Wells Fargo Bank, N.A. Systems and methods for a transaction card having a customer-specific URL
US12014354B1 (en) 2019-09-18 2024-06-18 Wells Fargo Bank, N.A. Systems and methods for a transaction card having a cryptographic key
US11928666B1 (en) 2019-09-18 2024-03-12 Wells Fargo Bank, N.A. Systems and methods for passwordless login via a contactless card
US12182798B1 (en) 2019-09-18 2024-12-31 Wells Fargo Bank, N.A. Systems and methods for activating a transaction card
US20230252452A1 (en) * 2019-12-24 2023-08-10 Capital One Services, Llc Secure authentication based on identity data stored in a contactless card
US20240202701A1 (en) * 2020-04-30 2024-06-20 Capital One Services, Llc Intelligent card unlock
US11823175B2 (en) * 2020-04-30 2023-11-21 Capital One Services, Llc Intelligent card unlock
US20210342816A1 (en) * 2020-04-30 2021-11-04 Capital One Services, Llc Intelligent card unlock
US12488327B2 (en) 2020-09-03 2025-12-02 Mastercard International Incorporated Contactless payment relay attack protection
US20220067687A1 (en) * 2020-09-03 2022-03-03 Mastercard International Incorporated Contactless payment relay attack protection
US11704649B2 (en) * 2020-09-03 2023-07-18 Mastercard International Incorporated Contactless payment relay attack protection
US12450591B1 (en) 2020-09-16 2025-10-21 Wells Fargo Bank, N.A. Systems and methods for contactless card activation via unique activation codes
US20220108322A1 (en) * 2020-10-07 2022-04-07 Mastercard International Incorporated Systems and methods for use in biometric-enabled network interactions
US12493868B1 (en) 2020-12-01 2025-12-09 Wells Fargo Bank, N.A. Systems and methods for information verification using a contactless card
WO2023093876A1 (en) * 2021-11-29 2023-06-01 沈阳泉安科技有限公司 Authorization device-based transaction method and system
CN114331454A (en) * 2021-12-24 2022-04-12 中国农业银行股份有限公司 Counter transaction data processing method and device, electronic equipment and storage medium
US20250117786A1 (en) * 2023-10-04 2025-04-10 The Toronto-Dominion Bank Authorization network and a method for authorizing a preliminary transaction value

Also Published As

Publication number Publication date
CA3203930A1 (en) 2015-03-10
US12062044B2 (en) 2024-08-13
CA2863122A1 (en) 2015-03-10
US20210342835A1 (en) 2021-11-04
CA2863122C (en) 2023-08-22

Similar Documents

Publication Publication Date Title
US12062044B2 (en) System and method for authorizing a financial transaction
US11308467B2 (en) System and method for deriving a primary numeric value and a secondary numeric value from an authorized request
US12008553B2 (en) Session data network and method of processing session data
US10354321B2 (en) Processing transactions with an extended application ID and dynamic cryptograms
US11127005B2 (en) Network and method for clearing point-of-sale terminal pre-authorizations
US20180068293A1 (en) Method and system for allowing offline peer-2-peer transactions using exchangeable provisioned tokens
US20130041823A1 (en) Payment Card with Integrated Chip
US11580508B2 (en) Contactless message transmission
US12430632B2 (en) Portable device loading mechanism for account access
CN108352018A (en) Method and system for the credit in social networks
US10628881B2 (en) Processing transactions with an extended application ID and dynamic cryptograms
CN108352986A (en) Method and system for enhancing password authentication in cloud-based systems
US20250117786A1 (en) Authorization network and a method for authorizing a preliminary transaction value
CA2771395C (en) System and method for processing an online transaction request
CA3008501C (en) Emv-session data network and method of processing emv-session data
CA3215444A1 (en) Authorization network and a method for authorizing a preliminary transaction value
US20190311363A1 (en) Ledger update network and method of updating a ledger
CA2981307C (en) System and method for clearing point-of-sale terminal pre-authorizations
CA3000435A1 (en) Ledger update network and method of updating a ledger
WO2019134024A1 (en) Systems and methods for device-present electronic commerce transaction checkout

Legal Events

Date Code Title Description
AS Assignment

Owner name: THE TORONTO-DOMINION BANK, CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAYHOW, ROBERT;ELKHINOVICH, IGOR;ECKER, JEFFREY AARON;REEL/FRAME:033585/0262

Effective date: 20140722

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCV Information on status: appeal procedure

Free format text: NOTICE OF APPEAL FILED

STCV Information on status: appeal procedure

Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER

STCV Information on status: appeal procedure

Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED

STCV Information on status: appeal procedure

Free format text: BOARD OF APPEALS DECISION RENDERED

STCV Information on status: appeal procedure

Free format text: REQUEST RECONSIDERATION AFTER BOARD OF APPEALS DECISION

STCV Information on status: appeal procedure

Free format text: BOARD OF APPEALS DECISION RENDERED AFTER REQUEST FOR RECONSIDERATION

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION