There are two primary types of debit cards in use today for consumer purchases in the US: signature debit and PIN debit. The following is a brief overview of each:
A signature debit card typically carries a Visa or MasterCard brand and is generally accepted as a form of payment at any location that accepts the Visa or MasterCard Credit Cards. These Signature Debit transactions utilize the infrastructure provided by the major Credit Card networks (such as Visa, MasterCard) and utilize a two-step process which includes an authorization step followed by a settlement step. Signature debit cards issued from the major networks are accepted at the vast majority of physical merchants and eCommerce merchants. No special equipment is required for merchants to accept signature-debit cards beyond the equipment already in place to process credit cards; however, a signature from the cardholder is required. Conversely, signatures are neither supported nor required for online purchases made with these signature-debit cards. As a result of the increased potential for fraud, online merchants pay a higher fee for accepting these “card not present” transactions.
A PIN Debit card payment transaction, by contrast, presently requires a special type of equipment that is used to securely capture and store the cardholder personal identifying number (“PIN”). A PIN is typically a string of numbers and/or other characters that serve as a confidential code associated with a cardholder's account. An encrypted PIN pad is attached to the merchant's point of sale (“POS”) terminal. When prompted, the cardholder enters the secret PIN using the encrypted PIN pad. Using the hardware, CPU and circuitry of the encrypted PIN pad, the cardholder PIN number is then encrypted and stored as a field (e.g. PIN Block) within a record of the payment transaction. PIN Debit transactions are received and processed by the debit networks using proprietary systems which are physically different and separate from the signature debit networks. PIN Debit cards carry the advantages of additional security for cardholders and lower fraud and acceptance costs for merchants. However, because of the requirement to securely capture and store the cardholder PIN number, PIN Debit has not been broadly adopted for online, eCommerce sales, such as those conducted via the Internet.
So, whereas signature debit is widely accepted and used in connection with eCommerce sales, PIN-based debit does not enjoy the same level of acceptance. There is little penetration of the PIN-Debit payment method for eCommerce sales as a result of PIN-Debit Network rules, concerns about the protection of the cardholder PIN, and limitations related to the current payment-processing methods. These factors combine to make it problematic to easily allow an Internet merchant to accept a PIN-Debit Card as a form of payment. In order to overcome these limitations of the current art, the present invention relates to methods and systems for enabling the broad use of PIN Debit as a payment method for secure Internet “eCommerce” sales.
Consumer research indicates that many cardholders prefer to use PIN-based debit over other forms of payment. As the cost of payment acceptance continues to rise, fraud related to eCommerce transactions is also a growing concern for online merchants, acquirers, and issuers. Online merchants would benefit from lower fraud and lower acceptance costs related to the PIN-based Debit form of electronic payments. However, as a result of limitations in methods surrounding the use and protection of cardholder PINs this payment type is not widely accepted for eCommerce. As consumer spending shifts away from the physical point of sale to the Internet, the PIN-Debit networks are at risk of losing market share and relevance to consumers and merchants alike.
Another emerging payment trend is related to the expected growth of mobile payments at the physical point of sale whereby the cardholder uses a “mobile wallet” in lieu of a physical wallet to digitally store and access payment instruments from a PDA or mobile phone. As with eCommerce sales, security requirements surrounding the protection of the cardholder's Debit Card PIN number, are likely to slow down or prevent the widespread use of PIN-Debit from mobile wallet payments. Furthermore, because banks prefer the more profitable signature payment methods the card issuing banks may not encourage PIN-Debit to be supported in bank-approved mobile wallets. If not addressed now, these trends represent a potential for significant erosion of transaction volumes for the PIN-Debit networks.
Rules regarding PIN-Debit transactions are governed by the major domestic PIN-Debit networks (e.g. PULSE, Star, NYCE, Accel-Exchange, Shazam). Although rules vary somewhat between networks, the networks are in agreement with respect to the need for high security over the personal identification number or PIN. In order to protect these PIN numbers from accidental or malicious disclosure, stringent hardware-based encryption is mandated at the point-of-sale locations that accept these PIN-based Debit cards. After entry, the cardholder's PIN number is encrypted and securely stored within an Encrypted PIN Block (EPB) within the payment transaction record. This cardholder PIN number is herein referred to as the “Physical PIN”. Because of a lack of adequate security measures for protecting the Physical PIN in eCommerce transactions, network rules generally prohibit the use of PIN-Debit cards for general eCommerce sales.
Furthermore, because the typical data set accepted by a merchant's eCommerce site is different from the data set that a PIN-Debit Network would typically receive from a physical point-of-sale device, a significant amount of change is required in order to facilitate the widespread use of PIN-Debit for eCommerce sales.
Examples of the state of the prior art for processing eCommerce and point-of-sale (POS) transactions are illustrated in FIGS. 1 and 2. Referring to FIG. 1, a Cardholder (1.0), sits at a PC and enters Cardholder Data (1.0.1) required by the Merchant Shopping Cart (1.1). Cardholder Data typically includes the Primary Account Number (PAN), name, address, email address, ship to address and other related fields. Most merchant Shopping carts also require the entry of the CVV2 security code along with other Cardholder Data. Its method consists of requiring a cardholder to enter the CVV2 number in at transaction time to verify that the card is on hand. The CVV2 code is a security feature for “card not present” transactions (e.g., Internet transactions), and now appears on most (but not all) major credit and debit cards. According to Wikipedia “The CVV2 is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe”.
The Merchant Shopping Cart (1.1) and underlying payment software are software typically hosted by the Merchant in connection with its website. The Merchant Shopping Cart (1.1) and payment software format the payment transaction and forward the payment transaction including the cardholder data (1.1.1) to the Gateway or Acquirer (1.2). The Gateway is defined herein as an intermediary that is often involved in processing eCommerce payment transactions. The Gateway can connect the Merchant to the Acquirer. The Gateway may also provide value added services such as fraud controls, support for recurring payments, online reporting, and virtual terminal data entry. The Gateway ultimately forwards the transaction to the Acquirer. The Acquirer typically has a contractual relationship with the Merchant for the purpose of processing payment transactions and deposits the net proceeds for each day's sales into the Merchant bank account. In some cases a single entity serves both the role of Gateway and Acquirer.
The Acquirer (1.2) reformats the record comprising the transaction in accordance with network requirements and forwards the ISO 8583 (1.3) formatted transaction to the Credit Card Networks (1.4). For definition purposes, and according to the Wikipedia, “The vast majority of transactions made at Automated Teller Machines use ISO 8583 at some point in the communication chain, as do transactions made when a customer uses a card to make a payment in a store. In particular, both the MasterCard and Visa networks base their authorization communications on the ISO 8583 standard, as do many other institutions and networks. Cardholder-originated transactions include purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers. ISO 8583 also defines system-to-system messages for secure key exchanges, reconciliation of totals, and other administrative purposes. Although ISO 8583 defines a common standard, it is not typically used directly by systems or networks. Instead, each network adapts the standard for its own use with custom fields and custom usages”.
The Credit Card Network (1.4) receives the ISO 8583 payment transaction and forwards it (1.4.1) to the card issuing bank or Issuer (1.5). The Issuer determines whether the cardholder has sufficient credit or available funds to complete the purchase and sends a response message (1.5.1) back to the Card Network (1.4). The transaction path is traversed until the response message is received by the Merchant. As shown by element 1.4, the PIN Debit Networks are not represented in the list of available networks for credit card and signature debit payment acceptance. This is primarily a result of the fact that the prior art does not support the secure entry of Physical PIN numbers into Merchant Shopping carts without requiring significant changes to the existing networks.
FIG. 2.0 illustrates prior art for processing payment transactions at the physical point-of-sale (POS), as opposed to an on-line transaction as illustrated in FIG. 1. Referring to FIG. 2, a Cardholder (1.0) uses a physical card that provides data (2.0.1), typically via a magnetic strip, to the Merchant POS System (2.1). The Merchant POS System reads the data from the card and determines from the Primary Account Number (PAN) that the card is related to a PIN Debit Network and then prompts the Cardholder (1.0) to enter the Physical PIN (2.0.2) into the PIN Pad (2.1.1). The Physical PIN Number is encrypted by the PIN Pad and passed to the Merchant POS System for insertion into the payment transaction Encrypted PIN Block. The Merchant POS System (2.1) forwards the Payment Transaction including the cardholder data (2.1.1) and the Encrypted PIN Block (2.1.2) to the Acquirer (2.2).
The Acquirer further formats the transaction and forwards the ISO 8583 transaction (2.3) to the Debit Network (2.4). These Debit Networks include organizations such as (STAR, PULSE, NYCE) and others. The Debit Network (2.4) forwards the transaction (2.4.1) to the Issuer (2.5). The Issuer determines if there is sufficient funding available in the cardholder's account, validates the Physical PIN and returns a response code (2.5.1) to the POS.
It is important to note that this prior art does not support the entry of data elements into the Merchant POS System (2.1) that would be commonly supported by the Merchant Shopping Cart shown in FIG. 1.1). The data elements which are not supported include such information as: Cardholder address, CVV2 security code, email address, and other data typically required for eCommerce transactions.
As has been described above, there are differences in the systems, requirements and methods that are currently used to process online Signature Debit and POS based PIN-Debit payments. There are also differences in the formatted ISO 8583 transactions. The most notable differences being that the POS PIN-Debit transaction (2.1.1) includes the Encrypted PIN Block and the eCommerce transaction (1.1.1) includes the CVV2, cardholder address, and other data fields and specifically does not support the EPB.
In order to promote the use of PIN Debit for ecommerce sales, methods and systems have been proposed and developed with limited success. New methods have failed to attract cardholders, merchants, or networks as a result of their limitations. For example:                (i) Some current methods require the cardholder to install special software on their personal computer.        (ii) Other methods require the cardholder to purchase and, or install special equipment such as PIN pads or magnetic-stripe readers on personal computers.        (iii) Other methods require the cardholder to leave the merchant's eCommerce site when using the PIN-Debit payment method.        (iv) Still other methods require significant changes to merchant sites, transaction formats, and issuer authorization methods.        
The widespread adoption of PIN-Debit payments for eCommerce transactions will be facilitated if the PIN can be securely processed in a simpler manner for the cardholders, merchants, payment gateways, networks, and issuing banks or their processors. Therefore, a need exists for a method which will overcome current limitations and lead to the widespread acceptance of PIN-Debit transactions for eCommerce (Internet Sales).
Another emerging risk for PIN-Debit Networks is related to the expected growth of mobile payments at the physical point-of-sale and for online payments. A mobile payment is best characterized as a payment made to a merchant that is facilitated by a payment instrument digitally stored in a mobile wallet. As in the case of a payment made at the physical point of sale, at checkout the cardholder is prompted by the mobile wallet application to select a payment method from among the cardholder's previously-stored payment instruments (e.g. credit card, signature debit, prepaid or gift card). The mobile wallet then prompts the cardholder to enter a “mobile wallet PIN number” and subsequently releases the selected payment type to the acquiring processor for authorization and settlement. Because PIN-Debit transactions made at the point of sale require an encrypted PIN pad for completion, using current methods, a PIN-Debit transaction would require a second Physical PIN number to be entered into the available POSPIN pad. Although possible, the entry of two PIN numbers for a single point-of-sale transaction would be considered slow and inefficient while detracting from the “mobile payment experience”. Therefore, a method is needed that will enable the PIN-Debit payment to be supported by mobile wallet payments in such a way as to require only the “mobile wallet PIN number” to be entered by the cardholder.