1. Field of the Invention
The present invention relates to payment cards, and in particular to cards that continuously display dynamic, use-once financial data for use in credit and debit card-not-present transactions.
2. Description of Related Art
A principal security weakness of conventional credit and debit cards is the static nature of the personal account number (PAN), card verification value (CVV), or expiration date (EXP). These can be easily copied down on paper and used over and over by fraudsters, especially in card-not-present transactions on the Internet or over the telephone where the actual possession of the card cannot be verified by the merchant.
Smart cards are more secure because they can engage in cryptographic exchanges with merchant card readers. But smart cards cannot be used in card-not-present transactions, because there is no card reader available or adopted for such a purpose.
QSecure, Inc. (Los Altos, Calif.) has developed a series of payment cards that place dynamic elements in the magnetic stripes of otherwise conventional payment cards. The great advantage is that the vast installed base of legacy card readers can read the magnetic data as usual. The security benefits are that portions of the PAN, CVV, and/or EXP fields, discretionary fields, among others, can be implemented to be dynamic and use-once. But dynamic magnetic stripes are of minimal value in card-not-present transactions because there is no magnetic card reader being used. The so-called Mail Order/Telephone Order (MOTO) is an example of such transactions.
Tokens have recently become a widespread method to secure access to sensitive files, accounts, and data. A key-fob type of token is a familiar device with a pushbutton and display that will generate a six-digit numeric password, for example, that can be used to access bank accounts on-line with the Internet. Supporting these tokens requires a new and separate infrastructure that is not a part of the typical Visa-Mastercard payment processing. And, of course, a separate token device must be carried.
Token one-time password (OTP) devices are widely used on private banking and other proprietary networks. But their formats are unusable in broad networks like Pulse, Star, and other networks that agree on standardized, published formats to convey financial card data.
Credit card and debit card use have become ubiquitous throughout the world. Originally, credit cards simply carried embossed numbers that were pressed against a carbon copy bank draft in a mechanical card-swiping machine. Merchants simply accepted any card presented, but then fraud became widespread. The used carbons could even be gathered from trashcans to glean account numbers for unauthorized transactions.
Imposing spending limits and issuing printed lists of lost/stolen cards proved relatively ineffective in preventing fraud and other financial losses. So, merchants were subsequently required to telephone a transaction authorization center to get pre-approval for transactions.
These pre-approvals were initially required only for purchases above a certain limit, but, as time went on, these transaction limits decreased such that more and more transactions required authorization. The volume of telephone traffic increased, the costs associated with each transaction escalated, and customers grew impatient, waiting for authorization calls to complete.
To speed up the authorization process and create an additional barrier for fraudsters, magnetic stripes were added to the embossed numbers and signature panel on credit cards.
Automated authorization systems appeared almost everywhere that allowed faster and easier transactions by reading and verifying the magnetic stripes on the backs of the cards and then handling the authorization process (for those transactions requiring verification) through a communications link. The card readers and computers improved the speed and accuracy of transaction processing and decreased the number of costly human errors. They also allowed near real-time control of fraudulent card usage. But detecting and reacting appropriately to fraud remained a problem.
Several of the elements which are embossed and magnetically recorded on MasterCard, Visa, and other typical payment cards are there to uniquely identify the account cardholder. A standardized personal account number (PAN) comprises four fields, e.g., a system/association number, a bank/product number, a user account number, and a checksum character. This PAN is typically sixteen digits but may be up to nineteen digits, and possibly more in future. Typically, the first six digits are called a BIN and represent the card network, the bank and the product for this bank. The last digit is reserved for a calculated value based on the previous digits of the PAN. This digit is calculated using the Luhn modulus formula and assures some measure of data integrity vis-à-vis the PAN digits. The field sizes within the PAN may vary somewhat by issuer.
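The PAN layout and check-digit rule described above, as an added worked example that is not part of the patent text: the Luhn check digit is computed over the preceding digits, the first six digits are treated as the BIN, and the check digit is recomputed whenever any other PAN digit changes (the constraint an auto-sequencing display card has to respect when it varies part of the PAN). The sample PAN values are constructed test numbers, not real accounts.

```python
def luhn_check_digit(partial_pan: str) -> int:
    """Luhn check digit for a PAN whose last (check) digit has been left off.

    Walking right to left from the position just before the check digit,
    every other digit is doubled (subtracting 9 if the result exceeds 9),
    and the check digit brings the total to a multiple of 10.
    """
    if not partial_pan.isdigit():
        raise ValueError("PAN must be numeric")
    total = 0
    for i, ch in enumerate(reversed(partial_pan)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial PAN is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def with_check_digit(partial_pan: str) -> str:
    """Append the Luhn check digit to a PAN body."""
    return partial_pan + str(luhn_check_digit(partial_pan))


def luhn_valid(pan: str) -> bool:
    """True when the last digit of `pan` is the Luhn check digit of the rest."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def split_pan(pan: str) -> dict:
    """Split a PAN into the fields named in the text: BIN, account number, check digit.

    Field widths vary by issuer; a six-digit BIN is assumed here.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {"bin": pan[:6], "account": pan[6:-1], "check": pan[-1]}


def replace_account_tail(pan: str, new_tail: str) -> str:
    """Substitute the last len(new_tail) digits of the account field and
    recompute the check digit, as a card varying part of its PAN must do."""
    body = pan[:-1]                      # drop the old check digit
    body = body[: len(body) - len(new_tail)] + new_tail
    return with_check_digit(body)


if __name__ == "__main__":
    pan = with_check_digit("411111111111111")   # constructed test number
    print(pan, luhn_valid(pan), split_pan(pan))
    print(replace_account_tail(pan, "123"))
```

A single mistyped or altered digit is caught by `luhn_valid`, which is the integrity property the text attributes to the check digit; the formula offers no secrecy, since anyone holding the other digits can compute it.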
In addition to the PAN, each card has an associated expiration date which comprises a month and year code, e.g., four more digits, but with limited range. The cardholder's name and/or business are also usually embossed on the face of the card and all of this data is also typically encoded within the magnetic stripe on the back of the card.
To reduce the level of fraud, several security features have been added to payment cards. The PIN code is primarily used for debit card-present transactions. Since this PIN must be hidden from everyone but the cardholder, it must be entered on secure, certified machines so that no one else can gain access to it. The PIN is typically stored on the magnetic stripe of the card in an encrypted form within a cryptogram block. A prior art example is the so-called Verified by Visa, where a user can associate a PIN with a credit or debit card transaction, if the merchant terminal allows it.
Since it was relatively easy for a fraudster to copy the PAN and expiration date of a card and create a copy of that card, the banks introduced a Card Verification Value (CVV) or Card Verification Code (CVC) on the magnetic stripe to make it more difficult for fraudsters to replicate a card (without reading the magnetic stripe). This code is usually a unique cryptogram, created based on the card data and the bank's master key. As a consequence, a fraudster had to gain possession of the card long enough to make a copy of the magnetic stripe in order to duplicate the card.
The same principle was adopted later for a second CVC, sometimes called “CVV2” or “4DBC”. The CVV2 is commonly printed in the signature panel on the back of the card, and the 4DBC on the front of the card, for example during a personalization phase that may be separate from the card manufacturing phase in order to add more security. CVV2 and 4DBC are used primarily to help secure eCommerce and Mail Order/Telephone Order (MOTO) transactions. Each is a second unique cryptogram created from card data and the bank's master key, albeit different from the magnetic stripe CVC. The CVV2/4DBC is conventionally not present on the magnetic stripe.
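The two paragraphs above describe the CVC and CVV2 as keyed cryptograms derived from the card data under the issuer's master key, with a different value for the stripe and for the printed code. The following is an added illustration, not the patent's or any card network's actual algorithm: it uses HMAC-SHA256 truncated to three decimal digits in place of the network-specific cipher, keys the derivation with a constructed master key, and separates the stripe CVC from the printed CVV2 by a purpose label folded into the MAC input. The PAN and expiry are constructed test values.

```python
import hashlib
import hmac


def card_verification_code(master_key: bytes, pan: str, exp_yymm: str,
                           purpose: str, ndigits: int = 3) -> str:
    """Derive a short verification code from card data under the issuer key.

    `purpose` distinguishes the magnetic-stripe CVC from the printed CVV2/4DBC
    so the two codes differ even though they cover the same PAN and expiry.
    Illustrative HMAC construction, not the network's own cipher.
    """
    if not (pan.isdigit() and len(exp_yymm) == 4 and exp_yymm.isdigit()):
        raise ValueError("bad card data")
    data = f"{pan}|{exp_yymm}|{purpose}".encode()
    mac = hmac.new(master_key, data, hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** ndigits)
    return f"{value:0{ndigits}d}"


def verify_code(master_key: bytes, pan: str, exp_yymm: str, purpose: str,
                presented: str) -> bool:
    """Issuer-side check: recompute and compare in constant time.

    Only the holder of the master key can produce a matching code, which is
    why a fraudster who copies just PAN and expiry cannot forge the CVC.
    """
    expected = card_verification_code(master_key, pan, exp_yymm, purpose,
                                      ndigits=len(presented))
    return hmac.compare_digest(expected, presented)


# Constructed issuer master key and card data for the demonstration.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")
PAN = "4111111111111111"
EXP = "2812"   # YYMM, constructed


def demo() -> dict:
    """Produce the stripe CVC and printed CVV2 for the sample card, then show
    that a code with one digit altered is rejected."""
    cvc = card_verification_code(MASTER_KEY, PAN, EXP, "stripe")
    cvv2 = card_verification_code(MASTER_KEY, PAN, EXP, "printed")
    tampered = str((int(cvc[0]) + 1) % 10) + cvc[1:]
    return {
        "cvc": cvc,
        "cvv2": cvv2,
        "cvc_ok": verify_code(MASTER_KEY, PAN, EXP, "stripe", cvc),
        "tampered_ok": verify_code(MASTER_KEY, PAN, EXP, "stripe", tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The three-digit output means a guess succeeds one time in a thousand, so issuers pair such codes with attempt counting and decline logic; the code's value lies in forcing the fraudster to hold the card (or the printed code), not in cryptographic strength on its own.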
There are two major types of transactions: “card-not-present” transactions, which involve Internet/eCommerce and MOTO (mail-order/telephone-order) transactions, and “card-present” transactions, which involve point-of-sale (POS) readers, manual swipe readers, and Automatic Teller Machine (ATM) transactions. Card-present transactions involve magnetic card readers and always use the full 16-digit PAN (17 digits with AMEX) and the 4-digit expiration date. The number of digits used may increase in the future, and some card associations have said the embossed information will be replaced by simple printing, to prevent simple swipe-copying of the data. Card-not-present transactions require the user to read the embossed PAN and expiration date digits, and sometimes also the CVC/CVV2/4DBC number.
A principal way to stop fraudulent use of a stolen or compromised account number has been to simply cancel the old account number and issue a new one with a new expiration date. So, the issuing banks put in place a mechanism to invalidate old account numbers and to issue new numbers to existing users. But getting the new card could sometimes take weeks, and the delay would greatly inconvenience the user and cause a lull in spending.
With the emergence of eCommerce, more and more transactions are becoming card-not-present transactions. This type of transaction is subject to an increasing number of attacks from fraudsters. Several solutions to address this growing fraud have been developed and deployed. These include the use of Virtual Account Numbers, authentication of cardholders separate from the transaction, and the use of hardware tokens to authenticate the user.
For example, American Express introduced a service called “Private Payments,” Orbiscom (Ireland) has “Controlled Payment Numbers,” and Discover Desktop and Citibank (New York) have similar products referred to as “Virtual Account Numbers”. All of these solutions allow cardholders to shop online without having to transmit their actual card details over the Internet. Instead, these systems generate substitute single-use credit card numbers for secure online purchasing. The virtual number generator, or receiver/authenticator, is either downloaded to the user's computer or accessed online. The user returns to the website for another new virtual number for subsequent transactions. Neither the merchant nor a card-number skimmer can use the number after its first use. So, seeing or having the virtual account number will do them no good if the user has already completed the intended transaction. The user is thus protected from fraudulent transactions because the virtual number is moved to an exclusion list. This also prevents an authorized merchant from automatically initiating future charges that a user may not have really agreed to nor been aware of.
A limitation of Virtual Account Numbers is that they require the use of the Internet, or at least a personal computer, to get each new number, and the transactions must be online. POS or ATM use with magnetic card readers still obtains the real account number and continues to be subject to fraud.
Another example is Visa, which has developed and is providing Verified by Visa to its member banks. Once adopted by a bank, this service is used by its customers at checkout on merchants' sites equipped to handle this type of transaction. The concept is that when a customer wants to pay, he/she receives directly from the issuing bank a request on the screen to authenticate him/herself with a login and password. This way, the issuer knows that the right person is making the purchase.
Another example is the use of token authentication numbers. These tokens are cryptographically generated numbers produced by a small handheld fob device or card and used to identify the account holder. They usually interact with an intermediary or the issuer's IT system for verification of the account holder. They do not interact directly, and are not directly associated with the PAN or user account data.
So what is needed is an auto-sequencing financial payment display card that can autonomously and visually change at least some portions of the PAN, CVV, and/or EXP fields to produce use-once combinations that secure every transaction.