1. Field of the Invention
The present invention relates to components and methods for secure financial transactions with consumer payment cards.
2. Description of Related Art
Credit card and debit card use have become ubiquitous throughout the world. Originally, credit cards simply carried embossed numbers that were pressed against a carbon copy bank draft in a mechanical card-swiping machine. Merchants simply accepted any card presented, but then fraud became widespread. The used carbons could even be gathered from trashcans to glean account numbers for unauthorized transactions.
Imposing spending limits and issuing printed lists of lost or stolen cards proved ineffective in preventing fraud and other financial losses. So, merchants were subsequently required to telephone a transaction authorization center to get pre-approval for transactions.
These pre-approvals were initially required only for purchases above a certain limit, but, as time went on, these transaction limits decreased such that more and more transactions required authorization. The volume of telephone traffic increased, the costs associated with each transaction escalated, and customers grew impatient, waiting for authorization calls to complete.
To speed up the authorization process and create an additional barrier for fraudsters, magnetic stripes were added to the embossed numbers and signature panel on credit cards.
Automated authorization systems appeared almost everywhere. They allowed faster and easier transactions by reading and verifying the magnetic stripes on the backs of the cards and then handling the authorization process (for those transactions requiring verification) through a communications link. The card readers and computers improved the speed and accuracy of transaction processing and decreased the number of costly human errors. They also allowed near real-time control of fraudulent card usage. But detecting and reacting appropriately to fraud remained a problem.
Several of the elements that are embossed and magnetically recorded on MasterCard, Visa, and other typical payment cards are there to uniquely identify the account cardholder. A standardized personal account number (PAN) comprises four fields, e.g., a system number, a bank/product number, a user account number, and a check character. This PAN is typically sixteen digits but may be up to nineteen digits. The first six digits are called a BIN and represent the card network, the bank, and the product for this bank. The last digit is reserved for a calculated value based on the previous digits of the PAN. This digit is calculated using the Luhn formula and assures some measure of data integrity vis-à-vis the PAN digits. The field sizes within the PAN may vary somewhat by issuer.
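An added example, not part of the original text, showing the PAN layout and the Luhn check digit described above, including the one class of keying error the Luhn formula cannot detect. The sample PAN is constructed for illustration, the function names are hypothetical, and the lower length bound is an assumption.

```python
# Added example: PAN field split and Luhn check digit, as described above.
# SAMPLE_PAN is constructed for illustration; it is not a real account number.
SAMPLE_PAN = "4000 0012 3456 7899"

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a PAN body (every digit except the last)."""
    total = 0
    # Walk right to left; the digit adjacent to the check position is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2  # sum the digits of the product
        total += d
    return (10 - total % 10) % 10

def luhn_valid(pan: str) -> bool:
    """True when the last digit matches the Luhn value of the preceding digits."""
    if len(pan) < 2 or not (pan.isascii() and pan.isdigit()):
        return False
    return luhn_check_digit(pan[:-1]) == int(pan[-1])

def parse_pan(raw: str) -> dict:
    """Split a PAN into the 6-digit BIN, account digits and check digit."""
    pan = raw.replace(" ", "").replace("-", "")
    # Upper bound (19) is from the text; the lower bound is an assumption
    # (BIN + one account digit + check digit). Field sizes vary by issuer.
    if not (pan.isascii() and pan.isdigit()) or not 8 <= len(pan) <= 19:
        raise ValueError("PAN must be 8 to 19 digits")
    return {"bin": pan[:6], "account": pan[6:-1],
            "check_digit": int(pan[-1]), "luhn_ok": luhn_valid(pan)}

def undetected_transpositions() -> set:
    """Adjacent digit swaps that leave the check digit valid (Luhn's blind spot)."""
    missed = set()
    for a in "0123456789":
        for b in "0123456789":
            if a == b:
                continue
            check = str(luhn_check_digit("4000001234567" + a + b))
            # Swap the two adjacent digits but keep the original check digit.
            if luhn_valid("4000001234567" + b + a + check):
                missed.add((a, b))
    return missed

if __name__ == "__main__":
    print(parse_pan(SAMPLE_PAN))
    print(sorted(undetected_transpositions()))
```

The check digit catches every single-digit keying error and every adjacent swap except 0 and 9, which is why it offers only "some measure" of integrity and no protection against a deliberately forged number.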
In addition to the PAN, the card also has an expiration date associated with the PAN which comprises a month and year code, e.g., four more digits, but with limited range. The cardholder's name and/or business are also usually embossed on the face of the card, and all of this data is also typically encoded within the magnetic stripe on the back of the card.
To reduce the level of fraud, several security features have been added to payment cards. The PIN code is primarily used for debit card-present transactions. Since this PIN must be hidden from everyone but the cardholder, it must be entered on secure and certified machines to make sure that no one can gain access to it. The PIN is stored on the magnetic stripe of the card in an encrypted form within a cryptogram block.
Since it was relatively easy for a fraudster to copy the PAN and expiration date of a card and create a copy of that card, the banks introduced a Card Verification Value (CVV) or Card Verification Code (CVC) on the magnetic stripe to make it more difficult for fraudsters to replicate a card (without reading the magnetic stripe). This code is usually a unique cryptogram, created based on the card data and the bank's master key. As a consequence, a fraudster had to gain possession of the card long enough to make a copy of the magnetic stripe in order to duplicate the card.
The same principle was adopted later for a second CVC, sometimes called CVV2 or 4DBC, which is commonly printed in the signature panel on the back of the card, or on the front of the card for the 4DBC. This CVV2/4DBC is used primarily to help secure eCommerce and Mail Order/Telephone Order (MOTO) transactions. This is a second unique cryptogram created from card data and the bank's master key, albeit different from the magnetic stripe CVC. The CVV2/4DBC is not conventionally present on the magnetic stripe.
There are two major types of transactions: “card-not-present” transactions, which involve Internet/eCommerce and MOTO (mail-order/telephone-order) transactions, and “card-present” transactions, which involve point-of-sale (POS) readers, manual swipe readers, and Automatic Teller Machine (ATM) transactions. Card-present transactions involve magnetic card readers and always use the full 16-digit PAN (17-digits with AMEX) and the 4-digit expiration date. Card-not-present transactions require the user to read the embossed PAN and expiration date digits, and sometimes also the CVC/CVV2/4DBC number.
A principal way to stop fraudulent use of a stolen or compromised account number has been to simply cancel the old account number and issue a new one with a new expiration date. So, the issuing banks put in place a mechanism to invalidate old account numbers and to issue new numbers to existing users. But getting the new card could sometimes take weeks, and the delay would greatly inconvenience the user and cause a lull in spending.
With the emergence of eCommerce, more and more transactions are becoming card-not-present transactions. This type of transaction is subject to an increasing number of attacks from fraudsters. Several solutions to address this growing fraud have been developed and deployed. These include the use of Virtual Account Numbers, authentication of cardholders separate from the transaction, and the use of hardware tokens to authenticate the user.
For example, American Express introduced a service called “Private Payments,” Orbiscom (Ireland) has “Controlled Payment Numbers,” and Discover Desktop and Citibank (New York) have similar products referred to as “Virtual Account Numbers.” All of these solutions allow cardholders to shop online without having to transmit their actual card details over the Internet. Instead, these systems generate substitute single-use credit card numbers for secure online purchasing. The virtual number generator is either downloaded to the user's computer or accessed online. The user returns to the website for another new virtual number for subsequent transactions. Neither the merchant nor a card-number skimmer can use the number after its first use. So, seeing or having the virtual account number will do them no good if the user has already completed the intended transaction. The user is thus protected from fraudulent transactions because the virtual number is moved to an exclusion list. This also prevents an authorized merchant from automatically initiating future charges that a user may not have really agreed to or been aware of.
A limitation of Virtual Account Numbers is that they require the use of the Internet, or at least a personal computer, to get each new number, and the transactions must be online. POS or ATM use with magnetic card readers still obtains the real account number and continues to be subject to fraud.
Another example is Visa, which has developed and is providing Verified by Visa to its member banks. This service, once adopted by a bank, is used by its customers at merchants' sites equipped to handle this type of transaction at checkout. The concept is that when a customer wants to pay, he/she receives, directly from the issuing bank, an on-screen request to authenticate him/herself with a login and password. This way, the issuer knows that the right person is making the purchase.
Another example is the use of token authentication numbers. These tokens are cryptographically generated numbers, produced by a small handheld fob device or card, that are used to identify the account holder. They usually interact with an intermediary or the issuer's IT system for verification of the account holder. They do not interact directly, and are not directly associated, with the PAN or user account data.