The present invention relates generally to systems and methodologies for conducting electronic commerce and more particularly to methods, apparatuses, and systems for conducting online transactions utilizing biometric authentication.
According to current practices, consumers typically carry multiple single-purpose cards, tags, passes, and tokens which allow them to identify themselves to or present account information to retailers, service providers, financial institutions, government agencies, and other organizations. These single-purpose devices may contain combinations of encoded personal, account, and/or security information in order to identify a user and to authorize the user to conduct a particular transaction. Data on these devices may be encoded on a variety of media types such as magnetic stripes, bar codes, chips, and/or embossed or printed data. The creation of standards for many encoding formats has contributed to the proliferation of certain card and device types.
For example, data may be encoded on magnetic stripe cards using a proprietary methodology or by employing an “open” or “standard” encoding pattern. Magnetic stripe cards have been embraced by financial institutions, merchants, and consumers ever since standards for such cards were adopted by the industry in the 1970s. A magnetic stripe is encoded with bit patterns, which correspond to three tracks of ASCII characters. Credit cards and other bank cards typically use only tracks 1 and 2. Track 3 is a read/write track, but its usage is not standardized among financial institutions and is seldom used. The majority of magnetic cards in circulation conform to International Standards Organization (ISO) standards for magnetic cards.
Magnetic stripe technology is widely used throughout the world and remains the dominant technology in the United States for transaction processing and access control. One drawback associated with magnetic stripe technology is the limited amount of information that it can hold. Other technologies such as bar code and smart chip cards are also widely used in large part because they can hold more information than magnetic stripe cards.
Another drawback of magnetic stripe technology is that it provides little in the way of card authentication. The data on the stripe can be easily read by a card reader and potentially “skimmed” and then copied onto a fraudulent card. Because of the static nature of the magnetic stripe, bank issuers are not able to distinguish card data originating from a genuine card from card data read from a copied (cloned) card during an “online” authorization.
Smart cards provide a distinct advantage in that they offer the ability to provide authentication in connection with a transaction. Card authentication can be performed by the reader terminal and/or the issuer's systems using dynamic techniques that distinguish genuine cards from clones. A smart card generally includes an embedded semiconductor device which is programmed before issue with the account holder's information. This data is protected through secure encryption methods, making it difficult to fraudulently replicate a smart card. The integrated circuits within smart cards in general have continued to improve with miniaturization, low power requirements, the addition of strong encryption capability, and tamper-proof standards for crypto-processor chips.
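The contrast between static stripe data and dynamic card authentication can be shown in a short model. This is an added illustration, not part of the original text and not any payment scheme's actual protocol: the `ChipCard` and `Issuer` classes, the counter-plus-HMAC-SHA256 message, and all sample values are assumptions chosen to stand in for the "dynamic techniques" mentioned above.

```python
import hashlib
import hmac

PAN = "4000001234567899"                # constructed sample account number
CARD_KEY = b"constructed-per-card-key"  # constructed; programmed before issue

def _mac(key, pan, counter, amount, nonce):
    msg = f"{pan}|{counter}|{amount}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Hypothetical chip: the key stays on the card, the counter only grows."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0
    def authorize(self, amount, nonce):
        self.counter += 1
        mac = _mac(self._key, self.pan, self.counter, amount, nonce)
        return {"pan": self.pan, "counter": self.counter, "amount": amount,
                "nonce": nonce, "mac": mac}

class Issuer:
    def __init__(self):
        self.keys, self.last_counter = {}, {}
    def enroll(self, pan, key):
        self.keys[pan], self.last_counter[pan] = key, 0
    def check_static(self, stripe_data):
        # Stripe data is the same bytes on every read, genuine or copied.
        return stripe_data in self.keys
    def check_dynamic(self, m):
        key = self.keys.get(m["pan"])
        if key is None:
            return False
        expected = _mac(key, m["pan"], m["counter"], m["amount"], m["nonce"])
        if not hmac.compare_digest(expected, m["mac"]):
            return False  # wrong key or altered fields
        if m["counter"] <= self.last_counter[m["pan"]]:
            return False  # counter is not fresh
        self.last_counter[m["pan"]] = m["counter"]
        return True

def demo():
    issuer, card = Issuer(), ChipCard(PAN, CARD_KEY)
    issuer.enroll(PAN, CARD_KEY)
    first = card.authorize(1250, b"terminal-nonce-1")  # constructed nonces
    altered = {**card.authorize(1250, b"terminal-nonce-2"), "amount": 999999}
    return {"stripe_original": issuer.check_static(PAN),
            "stripe_copy": issuer.check_static(str(PAN)),
            "chip_first_use": issuer.check_dynamic(first),
            "chip_resubmitted": issuer.check_dynamic(dict(first)),
            "chip_altered": issuer.check_dynamic(altered)}
```

The static check returns the same answer for the original and the copy, while the dynamic check accepts a message only once and only when it was produced with the enrolled key.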
There are three general categories of smart cards: contact, contactless, and hybrid smart cards. A contact smart card requires that the user insert the smart card into a smart card reader with a direct connection to a conductive micro-module on the surface of the card. It is via these physical contact points that transmission of commands, data, and card status takes place.
A contactless smart card requires only close proximity to a reader. Both the reader and the card have antennas, and it is over this contactless link that the two communicate by radio frequency (RF) when in close proximity. Most contactless cards receive power for on-card electronic functions via this electromagnetic signal. The range is typically two to three inches for non-battery powered cards, and this is ideal for applications such as mass transit, which requires a very fast card interface.
The third category of smart cards is known as hybrid smart cards. These cards typically have a dual interface enabling both contact and contactless communication with the card's chip.
As stated, RF communication is used in connection with both contactless and hybrid smart cards. RF and Radio Frequency Identification (RFID) technologies come in a variety of forms, each of which may be tailored for use in different types of environments. These technologies differ in, for example, the frequency bands they employ, which in turn influences the rate of data transfer between the tag and reader. Consequently, different data transfer rate requirements influence the types of solutions that RFID services can and should be expected to provide. RFID technology is typically used for POS payments, electronic toll collection, access control, and numerous other applications.
Contactless applications are particularly attractive to the retail payments segment where speed, convenience, and security are essential. Contactless payment systems are used successfully around the globe and offer a number of advantages to issuers, retailers, and consumers. Contactless payments allow issuers to penetrate the cash payment market, enjoy increased customer transaction volume, reduce fraud, and utilize the existing transaction processing infrastructure. Retailers realize benefits due to improved operational efficiency and lower operating costs. Consumers enjoy the convenience of faster transaction times and the ability to integrate multiple payment and loyalty accounts on one device.
American Express, MasterCard, and Visa have agreed on a single contactless payment standard in the United States, ISO/IEC 14443, and are implementing a contactless payment approach that leverages the existing payments infrastructure. As a result, merchants can easily add a contactless RF reader to their existing POS systems and immediately begin accepting contactless payment. MasterCard and Visa have also been working jointly over the last few years to develop specifications that define a set of requirements for security and interoperability between chip cards and terminals on a global basis, regardless of the manufacturer, the financial institution, or where the card is used.
As a result of the increased move towards standardization, improving technology, and more demanding security and authorization requirements, smart cards are slowly replacing the magnetic stripe card as the dominant technology for conducting financial transactions. The enhanced ability of smart cards to secure confidential information and the ability of POS systems to authenticate the chip cards make them an attractive alternative to magnetic stripe cards. Also, the reduction of fraudulent transactions achieved by smart cards results in lower risk and lower fees for the consumer and the merchant.
Another important trend in consumer-related electronics is the increased speed and the reduced size of available electronic components, which has contributed to the proliferation of powerful wireless devices. Mobile devices including personal digital assistants (PDAs) and cellular phones now number over one billion worldwide. The capability of wireless devices has been augmented by their ability to connect to the Internet and also to exchange data over short ranges with other wireless devices or readers.
Common short-range communications network standards defined by the International Electrical and Electronic Engineers association (IEEE) include 802.11a, 802.11b, and 802.11g. Many mobile devices employ these IEEE network standards to establish wireless LAN (WLAN) connectivity. Various other short-range technologies currently in use for device-to-device communication include Bluetooth and infra-red. One major short-range infra-red (IR) communications network protocol is defined by the Infra-red Device Association (IrDA), and is known as the IrDA standard. Wireless devices with integrated RFID proximity chips or Near Field Communication (NFC) technology may also provide users the ability to transfer information to a reader device.
With reference to the aforementioned fraud concerns as well as the general inconvenience of having to carry a large number of cards, tags and tokens, it would be beneficial to be able to conduct consumer and other financial transactions in a different manner. Although a completely cashless society is unlikely at least for the foreseeable future, it would be desirable to provide consumers with the ability to conduct more transactions without the need for cash.
The short-range data transmission capability of wireless devices, coupled with electronic wallet software operating on the devices, could allow users to carry out various transactions using a personal trusted device (PTD) that is loaded with the user's payment, identification, and/or other credentials. Unfortunately, there remain various obstacles to solutions using PTDs or other portable devices for conducting financial transactions. One primary hurdle to the broad-based deployment of such a solution is the difficulty in providing for the convenient, efficient, and secure distribution of credentials into wireless devices such that only those authorized to conduct the transactions may do so and only to the extent of their authorization.
Various possible solutions present a variety of drawbacks. Allowing the user to manually enter his or her personal information or account data that was previously stored on magnetic stripe, bar code, or chip cards directly into the wireless device leaves open the possibility that the data could be lost or used by an unauthorized party to make fraudulent transactions. Banks and other organizations in turn are reluctant to allow manual importation of sensitive information into wireless devices, owing primarily to security risks. Accordingly, there is a need for a solution which provides for the secure importation of financial and other personal information into wireless devices.
Since there is such a large number of credential issuers, mobile operators, and wireless end-users world-wide, there is also a need for a credential issuance and management system that is readily accessible by such a broad and diverse set of users. There is also a need for a system and method through which credential issuers can securely and rapidly target specific wireless devices for the distribution of the appropriate credentials over public and private networks.