The present disclosure generally relates to protecting information transmitted in a computer network and, more specifically, to protecting passcode information transmitted via the Internet.
Electronic commerce, also referred to as e-commerce, provides the opportunity for merchants to reach consumers that are outside of a geographic region normally associated with a physical storefront. However, a merchant implementing electronic commerce needs to address the associated issues of customer payment, payment authentication, and payment authorization.
A merchant can accept, for example, customer credit cards or debit cards for payment. The merchant may authenticate a payment card presented by a customer in a physical storefront. The merchant can compare a customer signature in a field on the back of the card to the signature provided on a sales receipt. Additionally, the merchant may authenticate the customer by asking for an independent picture identification such as a driver's license.
A merchant may also electronically authenticate a payment card received from a customer at a physical storefront. The merchant can read information typically stored on a magnetic stripe on the back of the payment card. The merchant can read the information on a point of sale device located at the checkout counter. The point of sale device can be connected to an issuer network. The payment card issuer can authenticate the payment card by comparing the information stored on the magnetic stripe to corresponding information stored in an issuer database. The point of sale device can be configured to provide an additional measure of security by asking for a Personal Identification Number (PIN) or passcode associated with the payment card. Presumably, only an authorized user has access to the passcode. The customer maintains control over the payment card and passcode throughout the transaction and the merchant typically has no ability to access the customer's passcode. The customer provides the passcode directly to the point of sale device, which is connected to the payment card issuer network.
An electronic commerce transaction between a merchant and a customer complicates the authentication process. The merchant does not have physical access to the payment card. Additionally, a customer may be hesitant to supply a passcode to a merchant.
Secure communication links, such as Secure Sockets Layer (SSL) connections, authenticate the parties and secure the information provided using the connection. However, such security protocols do not contribute to authenticating a payment card. Additionally, such security protocols do not provide a consumer with any level of confidence that a passcode is not stored in unencrypted form on a merchant server or database.
Hence, it is desirable to provide a system for authenticating a payment card that securely maintains consumer personal information such as passcode information. The authentication system should allow secure payment card authentication and should not compromise the security of any underlying authentication networks.