The use of payment cards has become increasingly popular. For example, credit cards, debit cards, charge cards, pre-paid cards and other similar plastic cards are often used in place of cash in point-of-sale (POS) transactions. Payment cards do not have to be embodied in plastic cards; they may be embodied in the form of other physical devices such as appropriately configured smart phones. Further, they may be merely bank accounts associated with account numbers (such as the primary account number, PAN) which have typically been used for performing internet-based/e-commerce transactions (e.g. making a payment) with a merchant. The payment cards are typically issued by banks (i.e. issuing banks) and are associated with one or more bank accounts (e.g. a credit card account, a loan account, a checking account, a saving account, etc.) of the cardholder at the issuing bank.
In a typical POS transaction involving a physical payment card, a cardholder presents the physical card as payment to a merchant and the merchant submits the transaction to an acquirer (i.e. acquiring bank). The acquirer verifies the card number, the transaction type and the amount with the issuer and reserves that amount of the cardholder's credit limit for the merchant. For internet-based or e-commerce purchases (or other card-not-present transactions), the cardholder provides certain information of the card (e.g. the card number, expiration date, security code and/or other information of the card) to the merchant, who then prepares an authorization request based on the card information without seeing the physical card.
Credit card security relies on the physical security of the plastic card and the privacy of the credit card number. However, in the above process, sensitive card data, such as the card number, may be stolen or otherwise compromised, since the card-related data are accessed by multiple parties and can be intercepted during the transmission of the transaction details among relevant parties.
To minimize fraudulent use of credit cards, sensitive card data are usually encrypted or tokenized (a process in which sensitive data are replaced by non-sensitive data which are infeasible to reverse in the absence of a detokenization system) before they are handled by the relevant parties, for example, during the transmission, processing or storage of transaction-related details.
However, there are still loopholes in the existing way of handling payments, which may expose the sensitive transaction data to security risks. Therefore, it is desirable to provide an improved system for processing a payment.