Payment cards such as credit cards, debit cards and/or pre-paid cards are ubiquitous, and for decades such cards have included a magnetic stripe on which the relevant account number and other data is stored. Traditionally, to consummate a purchase transaction with such a payment card, the card is swiped through a magnetic stripe reader in a retail store that is part of the point-of-sale (POS) terminal. The reader reads the account number from the magnetic stripe, and that account number is then used to route a transaction authorization request initiated by the POS terminal. In many cases, in order to authenticate the consumer, a prompt appears on a data entry device for the consumer to provide his or her signature and/or a personal identification number (PIN).
Payment card-based transactions are now typically performed across multiple channels of commerce. For example, payment card-based transactions may be performed in-person at a retail outlet, via a computer connected to the internet (an online transaction), via a mobile phone and/or via a company-based call center (e.g., a 1-800 number for a catalog company). These various types of transactions are conducted in different ways, and thus each type of transaction is associated with a different level of fraud risk. In addition, the payment card transactions generally require that the consumer have his or her payment card available to either present to a cashier in a retail environment, or to enter the requested information via a web browser for an internet transaction, and/or to provide requested information over the telephone. In addition, many authentication processes require the consumer to remember and then provide a personal identification number (PIN) or some other type of number and/or password known only to that consumer. Those knowledgeable in the field recognize that the risk of financial fraud is greater for a remote transaction because there is less ability for the merchant to verify the identity and authenticity of the cardholder. The nature of remote transactions therefore increases risk for the merchant and for the payment card network provider (and/or the payment card issuer financial institution), which often results in more cardholder disputes and associated chargebacks than occur after in-person transactions.
With the advent of e-commerce (electronic commerce) and m-commerce (mobile commerce), consumers are using portable devices, such as smart phones, tablet computers, digital music players, and/or personal digital assistants (PDAs), to make purchases in retail stores and via merchant websites over the internet. Consequently, various techniques have evolved that allow consumers to pay for goods and/or services by utilizing a mobile device that is associated with one or more payment card accounts.
The terms mobile money, mobile money transfers, and mobile wallet generally refer to mobile device payment services that are performed via a mobile device. Thus, instead of paying by cash, check, credit card, debit card or store card, a consumer uses, for example, his or her mobile telephone to pay for a wide range of services and/or digital goods and/or hard goods. Although the concept of using non-coin-based currency systems has a long history, it is only fairly recently that the technology to support such mobile device payment systems has become widely available.
In some mobile device payment schemes, short message service (SMS) text messages are transmitted by consumers to their issuer financial institutions to send payment requests regarding purchases from merchants, and when the purchase is consummated a premium charge is applied to their phone bill or to their online wallet. The merchant involved in such a payment transaction is informed of the payment success and then releases the paid-for goods. In such cases, a trusted physical delivery address may not have been utilized, and thus the goods that can be purchased in such manner are most frequently digital items with the merchant replying using a multimedia messaging service (MMS) to deliver, for example, items such as digital music, ringtones, and/or digital wallpaper.
Some online companies, such as PayPal, Amazon Payments, and Google Wallet, also have mobile device payment options. In general, such mobile device payment schemes require consumers to first register with the mobile payment provider by providing information such as their name, residence address, and mobile phone number. After registration, the mobile payment provider transmits an SMS message to the consumer's device that includes a personal identification number (PIN). The consumer then enters the received PIN into an application running on his or her mobile device, which transmits it to the mobile payment provider to authenticate that mobile telephone number. When making a purchase utilizing his or her mobile device, the consumer then provides credit card information and/or another payment method (if necessary) and validates the payment. Subsequent mobile device payment transactions require the consumer to re-enter his or her PIN to authenticate and to validate payment. Such systems can be directly integrated with, or can be combined with, operator and credit card payments through a unified mobile web payment platform.
Payment solutions that utilize PINS and/or passwords to authenticate the mobile device owner offer some level of authentication, but they are weaker or at best equivalent to other payment systems available for point-of-sale (POS) transactions. Thus, the industry may be hesitant to move towards higher value mobile device payment transactions. For example, if a criminal steals a mobile device and is able to decipher the PIN, the criminal can use the mobile device as if he or she is the legitimate owner. Mobile payment solutions that store a consumer's financial account information on his or her mobile device are at even greater risk. For example, if a consumer's financial account information is stored on an IC card of the mobile device, and the criminal defeats the IC card's security features (if any), then the criminal then has instant access to the consumer's (the mobile device owner's) financial account.
Accordingly, some mobile devices are equipped with biometric readers, such as fingerprint sensors or iris readers, which function to restrict access via biometric security measures. However, such devices are not commonly available or affordable to consumers. In addition, mobile payment solutions that require specially equipped mobile devices to communicate with a POS terminal (or with a website) can hinder adoption due to the need for consumers to purchase such specially equipped devices, and due to the need for merchants to purchase hardware infrastructure to support such devices.
Furthermore, many mobile payment solutions do not account for the limitations of mobile devices. For example, some cell phone interfaces offer limited keypad functionality, which can make sending text messages inconvenient, especially during a transaction at a POS terminal. Similarly, DTMF methods typically require the consumer to switch back and forth between listening to the phone and pressing the keypad. Interactive voice request (IVR) solutions, in which a PIN is spoken into the cell phone, risk compromise of secret information by eavesdroppers. Such issues lessen the appeal of mobile device payment solutions and thereby limit their adoption.
Biometric authentication systems have been proposed that purportedly offer merchants a convenient and secure means for POS transactions. For example, “pay by touch” biometric payment solutions have been promoted that allow a consumer to register multiple payment accounts, as well as loyalty account information and other personal and identity-related information, in a central location. Such systems permit a consumer to access this information by providing a fingerprint scan at a POS terminal. However, to implement such a system, a merchant's POS terminals must be equipped with biometric sensors and/or scanners and/or biometric readers and the associated operating systems. Regardless of the benefits (e.g., security, convenience, etc.), a merchant may be hesitant to implement such a biometric payment solution due to the cost, time and other resources required for installation.
The inventor recognized that there is a need for simple, secure and flexible systems and methods for authenticating a person at an appropriate level of security depending on the context. For example, a need exists for simple, secure systems and methods for authenticating a consumer in association with a mobile device transaction which does not require the consumer to have to remember a PIN and/or password, or for authenticating a user wishing to gain entry to a secure building. Such systems and methods should enable users such as consumers and/or employees and/or commuters, for example, to customize the level of security in accordance with their comfort levels and based on the context of the transaction or activity.