The present invention is in the field of payment systems.
Three forms of money in widespread use today throughout the world are cash, checks and payment cards (debit or credit). Each has distinct advantages, and distinct disadvantages. Cash is readily accepted, easy to use and anonymous, but it does not earn interest, it can be lost or stolen, and it is not always readily accessible. Checks are not always accepted, but they offer many advantages, since they do not have to be written until the time of payment. However, they must be physically presented and they are not anonymous. Payment cards are readily, but not always, accepted, and they offer many advantages over checks. If the card is a credit card, payment can be deferred, but the transaction is not anonymous. If the card is a debit card, payment has usually been made prior to its use, but it is anonymous. Accordingly, it is apparent that different types of money have different advantages to different persons in different situations. This may be one reason why all these forms of money are still in widespread use, and are even used by the same persons at different times.
As society and international commerce have become more dependent upon electronic transactions, money has also become more electronic. Many attempts have been made to come up with suitable forms of electronic money that mimic the physical world, or even create new forms of electronic money. However, despite the enormous need for such money, and efforts by some of the best minds and most successful companies in the world, electronic money has suffered many setbacks and been far slower to materialize than many had hoped or predicted. The reasons are many and varied, but some of the obvious reasons are security, ease of use/operation, and unwillingness of the public and/or commerce to make radical changes or embrace new technology and/or procedures. As a result, many efforts, including several potentially promising efforts, have met with failure.
Even though new forms of electronic money have been slow to develop or gain widespread acceptance, electronic payments have still moved forward. Many banks now offer some form of electronic checking. And payment cards have been used for electronic transactions in e-commerce and m-commerce (mobile commerce). Still, there is widespread concern about the safety of such transactions, and recent news stories have uncovered widespread fraudulent activity associated with use of traditional credit card numbers in e-commerce over the Internet. In addition, there is growing concern about consumer privacy, or lack thereof, due to widespread electronic profiling of consumers who make electronic payments.
Although the media has been quick to cover fraud associated with use of credit cards over the Internet, it is often overlooked, at least by the public and the media (but not the credit card companies), that the majority of fraudulent activity concerning credit cards is not associated with e-commerce activity. Most fraud occurs in the xe2x80x9cbrick and mortarxe2x80x9d world, and the numbers are daunting. Despite many attempts to combat unauthorized or fraudulent use of credit cards, it is estimated that credit card fraud now exceeds hundreds of millions, if not several billion, dollars per year. And this does not even count the cost of inconvenience to consumers, merchants and credit card issuer/providers, or the emotional distress caused to victims of such fraud, or the cost to society in terms of law enforcement and preventative activities.
Accordingly, there is a very real, long-felt need to reduce the amount of fraudulent activity that is associated with credit cards, and this need has only grown more acute as consumers and commerce search for better ways to purchase and sell goods and services via e-commerce and m-commerce. However, any solution needs to be something that is acceptable to the public at large. It should be easy to use. It should not be complicated or expensive to implement. Preferably, it should fit within the existing infrastructure, and not be something that requires a great deal of educational effort, or a radical change in behavior or habits of consumers. In other words, it should be user friendly, readily understandable and something that does not require a completely new infrastructure, which is a reason suggested by some as to why smart cards have not been widely accepted in the United States.
In addition, it is highly desirable that any solution to such problems be capable of widespread use, in many different platforms, for many different applications.
In U.S. Pat. No. 5,956,699 issued in September of 1999, Wong and Anderson were the first to introduce the methodology of a system for secure and anonymous credit card transactions on the Internet. This patent introduced a system which used an algorithm to use one""s own selected Personal Identification Number (PIN) as one""s own de facto digital signature. The algorithm instructs the cardholder how to insert one""s PIN into one""s valid credit card number before using it for any transactions on the Internet. The resultant scrambled up credit card number, which is tailored by the algorithm to having the same number of digits as before, is rendered useless on the Internet because the PIN insertion algorithm is changed automatically after every transaction. This methodology is not only capable of drastically reducing credit card fraud on the Internet, it is also capable of safeguarding one""s anonymity, and thus privacy, in credit card purchases on the Internet.
After the issuance of U.S. Pat. No. 5,956,699, Wong et al. also invented an anonymous electronic card for generating personal coupons useful in commercial and security transactions, a method for implementing anonymous credit card transactions using a fictitious account name, as well as methods for generating one-time unique numbers that can be used in credit card transactions in the brick and mortar world, e-commerce, m-commerce and in many other applications.
The present invention seeks to provide new methods for generating and processing Secure Card Numbers (SCN) that can be used in all types of transactions in which a conventional credit card account number is accepted. In addition, the present invention conforms to the existing standards for PIN encryption as promulgated by the American Bankers Association (ABA), the American National Standards Institute (ANSI), the International Standards Organization (ISO), and the Federal Information Processing Standards (FIPS) Publications of the National Institute of Standards and Technology (NIST). Because the methodology is well suited for use in hardware and software applications, it has widespread applicability to many different types of transactions.
The present invention is related to the concept of customer one-time unique purchase order numbers (xe2x80x9cCouponsxe2x80x9d) as described in U.S. Ser. No. 09/640,044. An algorithm is executed that uses a user account number, a customer sequence number, a customer permutated user key, and a Transaction Information Block (TIB) as input variables to form an SCN that is correlated with a sequence number. Combining a user key with a user account number, a user insertion key correlated with the customer sequence number, and then encrypting the result using the Triple Data Encryption Standards (TDES), forms the customer permutated user key. A random number generator generates the user insertion key that is correlated with the sequence number. The TIB may provide several pieces of information, including the conditions under which the SCN will be valid (i.e., the SCN type), additional account indentification information, and the status of the device used for SCN generation. The sequence number can be changed after each SCN is generated and a new SCN can then be generated using a new user insertion variable correlated to the changed sequence number.
After an SCN is generated, it is transferred with a first entity identifier to a second entity (which can actually be several entities), which then transfers the information to a money source. An individual SCN is verified as being valid by the money source by duplicating the generation of the customer permutated user key for the specified first entity and the specified sequence number, and then comparing it to the customer permutated user key which is embedded in the provided SCN. Additionally, the money source verifies that the specified SCN type is valid given the specific conditions of the transaction. Once verified as valid, each SCN passes through a life cycle in accordance with conventional credit card processing practices and with its SCN type, in which it may be used for various types of transactions before being retired. If a preselected number of SCNs are received by the money source and determined to be invalid (either consecutively or within a predetermined timeframe), then an invalid user account number condition is set to prevent further attempts to verify SCNs for that first entity.
A user key can be entered into an input device which validates the user key by comparing it to a stored user key. If the entered user key is valid, the user can generate an SCN. The sequence number changes each time a user key is entered into the input device.
The present invention is generally directed to a method for providing one or more secure transactions between a first entity and at least one additional entity in which a Secure Card Number (xe2x80x9cSCNxe2x80x9d) is generated for the first entity, then transferred with a first entity identifier to a second entity and then transferred to a money source that verifies that the transaction is valid by use of the first entity identifier and the SCN. The SCN includes a Transaction Information Block used for invoking one or more restrictions on use of the SCN (xe2x80x9cTIBxe2x80x9d), a Counter Block, and an encrypted Personal Identification Number (xe2x80x9cPINxe2x80x9d) Block. The SCN can be transferred to the money source in an account number while the first entity identifier is transferred to the money source in a non-account data field or the first entity identifier can be transferred to the money source as an account number while the SCN is transferred to the money source in a non-account data field.
In a first, separate aspect of the present invention, the TIB can be used by the money source to determine which of multiple account numbers associated with the first entity should be used for the first transaction. The money source can also use the TIB to determine whether the device which generated the SCN has a changed status condition, such as a low battery condition or an invalid user entry status. A low battery condition can be determined by a diagnostic program or by extrapolation from an empirical record (or counter) of the number of transactions presented for authorization, and the transaction counter used for this purpose can be collected from firmware used to generate SCNs or from software behind the money source firewall.
In another, separate aspect of the present invention, a set of valid SCNs are pre-calculated and stored on an electronic card.
Accordingly, it is a primary object of the present invention to provide a method for generating and processing customer Secure Card Numbers for use in transactions where conventional credit card numbers are accepted.
This and further objects and advantages will be apparent to those skilled in the art in connection with the detailed description of the preferred embodiment set forth below.