Existing credit and debit card processing systems utilize a card processing terminal, typically associated with a host computer, which is connected to a private network for credit and/or debit card processing. A consumer desiring to make payments for goods or services purchased at a merchant location would typically present his/her credit or debit card to a representative of the merchant at the check out counter. The representative at the check out counter would swipe the card across a card reader which is typically attached to or part of the card processing terminal. Once the card is swiped, information associated with the transaction is transmitted via a private network maintained by private network operators, such as First Data Corp., to a server associated with the private network. The private network server in turn sends information associated with the transaction to a server associated with the bank issuing the card and the bank which processes the electronic authorization of the payments for the merchant (the payment processor), again through a private network maintained by the private network operator. The payment processor then sends back authorization for charging the card to the server maintained by the private network operator, which in turn sends the authorization to the merchant location.
Typically, before allowing a subscriber, such as a merchant, to open an account, such as a merchant account, so that the merchant may provide a network service, such as a payment processing service, to its customers, a payment processor, such as a bank or other payment acceptance provider, collects an application from the merchant. The application is typically received by the payment processor by fax, by regular mail, via an interview between a representative of the payment processor and the subscriber, or via a web page on the internet.
Once information about the subscriber is collected, the payment processor performs due diligence on the information. The information collected is used to verify the validity, the legitimacy and/or the worthiness of the business, the subscriber applying for the account on behalf of the business and/or the personal guarantor of the subscriber. Such information may include personal, credit and/or historical information of the subscriber and/or personal guarantor, credit and/or historical information about the business entity, financial history and tax information, business location and site information, marketing methods, products and services descriptions, means of delivery of the products/services, point-of-transaction information, projected processing volumes and/or the like.
The authentication of the signer of the application or the subscriber is typically performed by physical verification, where the signer of the application presents or supplies identifying information to a representative of the payment processor. The identifying information may also be provided directly to the payment processor, where the subscriber photocopies an identification document, such as a driver's license or a birth certificate, and provides it to the payment processor for identification. However, for applications received over the internet, there is no direct authentication of the subscriber. The site location of the merchant is typically authenticated by having third party site assessment companies visit the physical site of the business and take pictures.
Once the legitimacy of the business entity is verified and the business or personal guarantor's credit is cleared for providing the business with a subscriber account, a transaction processing device, such as a point-of-sale electronic terminal, is distributed to the subscriber. The subscriber may also have older terminals and/or software. In any case, the terminals used by the subscribers are programmed for servicing the new payment processing service. Programming of the terminals is desirable to provide receipt related data to the terminal. Such data may include subscriber identifying information, such as name of the merchant, address of the merchant, phone number of the merchant, logo of the merchant, and/or the like.
The process for distributing and/or programming the terminals is currently performed by one of the following three methods. In the first method, the terminal may be programmed at the location of the payment processor or at the location of a third party authorized by the payment processor. Once the terminal is programmed, the preprogrammed terminal is distributed to the merchant through regular mail.
In the second method, the terminal is distributed to a field representative or a contracted representative of the payment processor. The representative of the payment processor delivers the terminal to the merchant and the terminal is programmed at the business location of the merchant by the representative of the payment processor.
In the third method, the terminal is distributed to the merchant by regular mail. The received terminal may then be remotely configured via private communication lines. Typically, during the configuration, the merchant is guided through the setup process by a representative of the payment processor. Some portion of the configuration information may be remotely downloaded. Because the terminal is configured via private communication lines, there is no need to provide any extra security to the information transmitted or received.
Existing systems for receiving an application for a subscriber account, performing due diligence on the application, programming and/or distributing a terminal to the merchants have several drawbacks. Such systems do not provide electronic means for verifying the identity of the individual from whom the information was actually collected. For example, when a merchant applies for a merchant account over the internet, the authentication of the person applying over the internet cannot be performed electronically. Moreover, existing systems and methods are not capable of electronically verifying that the person using the terminal is an authorized user of the terminal.
Additionally, each of the processes for distributing and/or programming the terminals described above has drawbacks. For example, each of the methods described above requires a representative of the payment processor to provide instructions to and authenticate the subscriber applying for the subscriber account and/or to program the terminal. This adds to the payment processor's cost of providing a subscriber account to the subscriber.
Moreover, once the terminal is mailed to the subscriber, there is no way of verifying that an authorized individual is actually using or setting up the terminal at the merchant location for a legitimate business purpose. Thus, there is no way to verify that an unauthorized individual or business is not currently using the terminal and the merchant account. This causes problems especially in a payment processing system where the individual using the terminal and/or merchant account acquires access to credit card numbers of consumers by virtue of possessing the terminal. Thus, an unauthorized user of the terminal could get funds deposited to his/her bank account even though he/she has provided no goods or services. For example, a person with malicious intent could access the web page of the payment processor in order to apply for a merchant account. The person could provide stolen identifying information, such as someone else's name and business information, to the payment processor. The only information provided to the payment processor that would correspond with information of the unauthorized person would be his/her banking information.
Upon receiving the information, the payment processor would perform physical due diligence on the business and the principal of the business. Because the due diligence is performed on an existing individual with a viable business, the due diligence would not alert the payment processor as to any discrepancy in the provided information. Thus, the payment processor could preprogram the terminal and provide it to the address provided for delivery. Or, the payment processor could inadvertently help the unauthorized user set up an existing terminal to access the processing service. In any case, once the unauthorized individual receives the terminal or reconfigures an existing terminal he/she could start processing credit cards without the payment processor being aware for a period of time that the terminal is under the control of an unauthorized individual.
Therefore, there is a need in the art for a system and method for secure electronic authentication of a subscriber, such as a merchant requesting a subscriber account to provide services over a private network or a public network, such as the internet.