The use of credit and debit cards for remote transactions is ever increasing. Whether over the telephone, through the mail, at retail outlets, or over the Internet, the need to perform transactions without face-to-face contact is a common one. A remote transaction, however, is less secure than a face-to-face transaction and the likelihood of fraud is commensurately higher, particularly if a transaction card is lost or stolen.
One approach to minimizing fraud is through the use of a personal identification number, or PIN. In this approach, at the time of the transaction, the user's card is inserted or swiped in a card reader. The reader extracts certain data from the card, such as an account number. The card reader then requests the user enter his or her PIN on a keypad. The PIN is encrypted or otherwise secured and the secure PIN data is transmitted to an authorization location, such as an authorization computer, where cardholder data is stored. At the authorization computer, the account identification data is used to lookup and retrieve account information, and the retrieved information is used to verify that the PIN entered by the cardholder was correct. This approach minimizes fraud because the person in possession of the card must also know the secret PIN to complete the transaction. One disadvantage to this approach is that, because the PIN is static, a thief could intercept the PIN during a legitimate transaction and reuse it in a subsequent fraudulent transaction.
In another approach recently suggested by the inventor, the use of a static PIN is replaced by a dynamic code that frequently changes. That approach is described in more detail in U.S. Patent Application No. 60/626,649 entitled “Method And System For Enabling The Use Of Dynamic Codes For Authentication,” which application is hereby incorporated by reference in its entirety. One aspect of this approach involves generating a dynamic code using a smart card and smart card reader. Smart cards are well known in the art and are typically credit card shaped cards that include a secure data storage area and processor. At the time of a potential transaction, the smart card generates an application cryptogram using secret data stored in the secure memory of the smart card, as well as other data related to the potential transaction. The generation of application cryptograms is well known in the art and are explained in more detail, for example, in the well known smart card specifications entitled: “EMV Integrated Circuit Card Specifications for Payment Systems” promulgated by EMVCo. LLC. available on the Internet at http://www.emvco.com, which specifications are hereby incorporated by reference in their entirety. This data, or a portion of it, is then transmitted as a dynamic code to an authorization computer. The authorization computer can verify, based on account information retrieved from an authorization database associated with the account number, whether the dynamic code was generated by the smart card associated with the account number being used to complete the transaction, or not.
One disadvantage to using smart cards to enhance the security of a transaction is that they are relatively expensive to manufacture compared to a more traditional magnetic stripe card. Additionally, smart cards require a smart card reader to be used during each transaction, requiring an upgrade from existing point of sale terminals that are designed for magnetic stripe cards. Because of these and other reasons, smart cards and smart card readers have not been deployed widely in the United States.