In payment transactions using a payment device (e.g. a contact integrated circuit card, a contactless integrated circuit card or a mobile device with a digital wallet), authorisation and consent are used to secure payment transactions. Authorisation ensures that a payment device is permitted to perform a payment transaction, and this is typically carried out by checking with an issuer of a payment device. For example, authorisation may be revoked by the issuer if the payment device is reported as lost or stolen by a user.
Consent ensures that a user of a payment device agrees to the payment device being used in a particular payment transaction. For example, in a ‘chip-and-PIN’ payment transaction using an integrated circuit card as the payment device, as the user of the payment device verifies their identity by providing their PIN on a Point of Interaction (POI, e.g. a payment transaction terminal) once the payment device is connected to the POI, consent from the user is implied.
The combination of authorisation and consent means that a fraudulent user cannot perform contactless pick-pocketing, eavesdropping attacks or perform two consecutive transactions while the user of the payment device only intended to perform one. FIG. 1 illustrates contactless pick-pocketing wherein a fraudulent user 10 having a dummy POI is in close proximity to a user 12 having a contactless payment device 14.
Typically, contactless payment transaction employ an upper limit to the value of the payment transaction is imposed unless a Cardholder Verification Method (CVM) is used. This provides speed and convenience to users as they do not have to undertake a verification method.
Consumer Device Cardholder Verification Methods (CDCVMs) are increasingly being used for payment devices comprising a mobile device with a digital wallet. The use of CDCVMs generally allows the value of a payment transaction to be increased due to the security provided by verification. CDCVMs involve a user of the payment device verifying their identity on the payment device itself. During a payment transaction using CDCVM, no additional customer action is required on the POI or paper receipt to verify the customer, such as a signature or PIN. For example, the mobile device may be arranged to receive a PIN and/or comprise a biometric sensor for verifying the identity of a user. The payment device can then be used with a POI to undertake a payment transaction.
It is an aim of the present disclosure to address disadvantages associated with the prior art.