Currently, online purchase transactions on the Web suffer from lack of adequate security. Specifically, there are no cardholder authentication schemes that have been widely adopted on the Web. In a typical conventional online purchase transaction, the cardholder submits her credit card type, credit card number, expiration date, billing address, and shipping address, to the merchant. Merchants who participate in e-commerce often use an industry-standard protocol, such as Secure Sockets Layer (“SSL”), to encrypt the data exchanged between the customer's Web browser and the merchant's Web commerce server so that sensitive information such as a credit card number can be securely transmitted from the customer to the merchant. Furthermore, merchants also often register with a Certification Authority (“CA”), such as VeriSign, to enable customers to authenticate the merchant. However, the customer or cardholder is not currently authenticated in online purchase transactions. As such, the risk of customer fraud is significant—some reports have estimated that 20 to 40 percent of online purchase attempts are fraudulent and the Federal Trade Commission has reported that the combined losses to the credit card industry and to cardholders, from unauthorized use of credit cards, exceed $2 billion annually. Because customer liability for fraud is limited to $50 per card under federal law, merchants generally bear the costs of such fraud. When customer fraud does occur, credit card companies often impose a “chargeback” fee on the merchant for the fraudulent transaction. As such, the merchant often loses the initial transaction amount, the cost of the product, the shipping cost, the credit card transaction fee, as well as the chargeback amount.
In order to reduce the risk of customer fraud in online transactions, credit card companies have developed payer authentication schemes that would enable online merchants to protect themselves and minimize their losses due to online credit card fraud. For a cardholder authentication scheme to be adopted by a large user base, it should not be inconvenient, complex, or expensive. For example, in 1997, Visa and MasterCard launched a first generation cardholder authentication scheme called the Secure Electronic Transaction (“SET”) authentication protocol. This protocol was never widely adopted by banks because it was too cumbersome to implement or use. As exemplified by the SET experience, difficult integration issues with legacy software systems, large downloads, and long communication exchanges have discouraged merchants, consumers, and banks from participating in an authentication scheme.
A second generation of cardholder authentication schemes now being introduced represents the current state of the art prior to this application. For example, Visa is currently rolling out its “Verified by Visa” service which incorporates an online payer authentication protocol called Three-Domain Secure (“3-D Secure”) designed to authenticate a cardholder in substantially real time. With 3-D Secure, merchants install a plug-in software module which is activated when a cardholder enters her purchasing information and selects the “buy” button on the checkout page of the merchant's Web site. If the cardholder is enrolled in the “Verified by Visa” service, a pop-up window will appear on the cardholder's screen prompting her to enter a confidential authentication password. The authentication password is transmitted to the issuing bank, which is thus able to authenticate the cardholder and authorize the transaction for the merchant. Visa announced in September 2001 that online merchants who participate in “Verified by Visa” would face no liability for any transaction processed by the service. Other credit card companies have also developed their own services to minimize online credit card fraud. For example, in May 2001, MasterCard announced its Secure Payment Application (“SPA”) service, which combines a server based e-wallet and an applet downloaded onto the cardholder's PC to authenticate the cardholder.
Since all of the foregoing authentication schemes involve at least three parties, we shall for convenience refer to the class to which they belong as three party authentication methods (“3PAM”). In a 3PAM scheme the following four steps may be implemented: (1) the cardholder places an order on the merchant Web site; (2) the cardholder is authenticated by the issuing bank; (3) the issuing bank transmits a validation message to the merchant; and (4) the merchant informs the cardholder of the success of the purchase. While these four steps may be implemented over the Internet (in whole or in part), via, for example and without limitation, the Hypertext Transfer Protocol (“HTTP”) or HTTP combined with SSL (“HTTPS”), those skilled in the art will realize that some of these steps could also be performed on a separate proprietary network, for example and without limitation, owned by a credit card company such as Visa or MasterCard.