The present invention relates to methods and systems of permitting a financial transaction using the internet.
3-D Secure is an XML-based protocol designed to be an additional security layer for online transactions using a payment card (e.g., a credit card or debit card). The protocol ties the financial authorization process to an online authentication. This authentication is based on a three-domain model, the three domains being i) an acquirer domain (i.e., the online merchant and the merchant's bank, referred to as the “acquirer” bank), ii) an issuer domain supported by a server of the bank which issued the payment card, and iii) an interoperability domain supported by an access control server (ACS) for the issuing bank, which supports a 3-D Secure authentication web page for the issuing bank.
When a card holder who is interacting with an online merchant wants to make a payment, he makes a payment request to the merchant domain, including entering his full credit card details. In response to the payment request, a Merchant Plug In (MPI) component is activated. The MPI talks to the issuer domain to check if the card is enrolled for 3-D Secure. If the card is not enrolled, this means that either the bank that issued the card is not yet supporting 3-D Secure or it means that the card holder has not yet been registered for the service.
If the card is enrolled, the MPI will redirect the card holder to the 3-D Secure authentication web page for the ACS associated with the issuing bank. The card holder will then identify himself. There are several methods in which this can be done. For example, in some implementations the card holder is required to enter a pre-agreed password into the 3-D Secure authentication web page (typically, the card holder selected the password the first time that he used the 3-D Secure system). In another system, a one-time passcode (OTP) is generated by the ACS, and transmitted by an SMS message to a pre-registered mobile phone owned by the card holder, or transmitted by email to an email address owned by the card holder. The card holder enters the OTP into the 3-D Secure authentication page.
Following the authentication, the interoperability domain transmits a reply to the MPI. The message includes a field called a Universal Cardholder Authentication Field (UCAF) storing a value which only the card issuer is able to generate, because generating it requires data which is kept confidential. In some systems this value is referred to as an AAV (Accountholder Authorization Value) and in other systems this value is referred to as a CAVV (Cardholder Authentication Verification Value). An AAV is generated by the interoperability domain (more exactly the AAV is typically generated by an applet issued by the ACS and running on the card holder's computer, and the AAV is transmitted by the applet to the ACS), and incorporates information specific to both the transaction and the cardholder's identity, thereby binding the cardholder to a particular transaction.
The MPI evaluates the reply and, if it indicates that the authentication was successful, allows the transaction to proceed to a separate authorization process in which the acquiring domain communicates with the issuing bank to ask the bank to authorize the transaction. As part of this process, the acquiring domain transmits the AAV to the issuing bank. The transaction could still fail for lack of funds or other reasons.
In certain countries, standards exist governing internet commerce, and compatibility with the standard can give provide certain advantages. The 3-D Secure process is compatible with some of these standards, and accordingly is able to benefit from such advantages.
There are disadvantages to at least some known 3-D Secure systems, however. Firstly, the card holder is required to enter a considerable amount of information: first the full card details (typically at least including a 16 digit number, and card expiry date, and often other data such as a CVC code); then, the card holder is required to enter the password/OTP required by the 3-D Secure authentication page. If the card holder's computer is a mobile device with a small screen, transferring the OTP from the SMS program to the 3-D Secure authentication page may be relatively difficult. Furthermore, card holders may be disconcerted when redirected to the 3-D Secure authentication page, which tends to have a different look and feel. This leads some card holders to suspect that fraudulent activity may be occurring. These problems result in card holders being reluctant to complete the online purchase, and a proportion of online purchases may fail due to card holders who decline or fail to follow the procedure.
To alleviate such problems, MasterCard International Incorporated provides the MasterPass® system. In this system, a card holder sets up one or more “digital wallets” on a wallet-hosting server. There are two forms of wallet-hosting server. One is a server operated by an organisation which is not itself a card issuer, but which is a trusted partner of the card issuer (in existing implementations, the organisation may be MasterCard International Incorporated itself). The other form is a server operated by a card issuer (conventionally, a wallet on such a server is referred to as a “partner-hosted wallet”). Both the server(s) operated by MasterCard International Incorporated, and the servers operated by card issuers use the same APIs (developed by MasterCard International Incorporated), so that the user sees no difference in using the two forms of wallet-hosting server.
A card holder registers his or her payment card with a digital wallet. Having done this, the card holder can interact with a participating online merchant. At the check-out stage, the online merchant displays a button on the merchant website which the card holder can click on in order to make a payment using the card holder's digital wallet. The online merchant then redirects the user to a “switch” operated by MasterCard International Incorporated. Using a cookie located on the card holder's computer, the “switch” is able to determine which wallet-hosting server hosts a wallet associated with the card holder. The switch then establishes a connection between the card holder's computer and the appropriate wallet-hosting system, which presents the card holder with a MasterPass sign-in page (e.g., as a pop-up window), where there is an authentication process (e.g., entry of a pre-agreed password). This log-in process may use the same login credentials (e.g., password) which the user also uses to obtain access to other online banking activities.
Following the authentication process, if more than one digital wallet has been created for a given card holder, the card holder chooses the digital wallet he or she would like to use. If more than one payment card is associated with the digital wallet, he or she chooses one of the payment cards. He or she may further confirm a shipping address he or she wishes to use (e.g., by selecting from previously entered addresses). The wallet-hosting system then securely transfers the card holder's payment and shipping information to the online merchant's domain. The merchant's domain submits the card holder's payment information to the acquiring bank as under the 3D Secure system, for a separate authorization process in which the acquiring domain communicates with the issuing bank to ask the bank to authorize the transaction. Thus, in contrast to the 3-D Secure system, the card holder is not required to enter their card details (except at the stage of initially registering with the wallet-hosting system), and the online transaction process is streamlined with only a single redirection, and consistent branding for the entire payment process, irrespective of the online merchant.
In a variant of the above system (“advanced checkout”), it is known to integrate the MasterPass system with the 3-D Secure system such that, instead of the wallet-hosting server itself authenticating the card holder, it establishes a connection with an ACS associated with card-issuing bank, which performs a card holder authentication (using a fixed password or a OTP), and transmits an AAV to the wallet-hosting server, which in turn passes it to the merchant. The use of the 3-D Secure system means that the advanced checkout variant complies with those legal standards with which 3-D Secure system complies, and thus the advanced checkout variant benefits from the advantages of the 3-D Secure system. However, the advanced checkout variant suffers from the disadvantages of the 3-D Secure system. Firstly, undesirable redirection of the card holder to an ACS occurs. Secondly, in the case that the ACS uses an OTP, inputting the OTP may be relatively complicated. Note that the operator of wallet-hosting domain cannot control whether the ACS of the issuer bank uses a OTP.