During a transaction using a transaction card, such as a credit card, a debit card, a stored value card, a bank card, a loyalty card, a smart card and/or the like, it is important to verify a cardholder's ownership of an account to avoid a variety of problems, such as unauthorized use. Cardholder authentication is the process of verifying such ownership by the cardholder. For example, cardholder authentication during a “card present” transaction is performed when a merchant's representative verifies that the signature on a transaction card matches the cardholder's signature on a receipt.
Technological improvements have allowed businesses and individuals to engage in transactions in a plurality of environments. For example, cardholders can engage in traditional “in person” transactions, transactions via the Internet, transactions over the telephone and transactions through mail systems. In many cases, cardholders desire the convenience of performing transactions without having to directly visit a service provider. In doing so, the cardholder may seek to eliminate driving time and reduce the hassle associated with, for example, shopping in a retail environment or waiting in line at a bank by performing these transactions from the privacy of their own home.
“Card not present” (“CNP”) transaction volumes are increasing at least in part because of such convenience provided to cardholders and the extra sales provided to merchants. However, as CNP transaction volumes increase, fraudulent transactions and the monetary losses due to such transactions are increasing as well.
Various solutions have been proposed to make ecommerce and/or online banking transactions more secure, such as two-factor authentication (e.g., by GPayment Pty. Ltd.), dynamic passcodes (e.g., by Barclay PLC) and token authentication (e.g., by MasterCard International Inc.). However, these technological solutions have not been implemented for mail order and telephone order (“MOTO”) transactions due to unique challenges presented by such transactions.
For example, security weaknesses can arise when MOTO transactions use static passcodes. An unauthorized third party can obtain the static passcode by intercepting a transaction and reverse engineering the transmitted data to determine the account information and passcode. The unauthorized third party can be, for example, a person intercepting information passed between a cardholder and a merchant or between a merchant and an issuer. Alternatively, the unauthorized third party can be the merchant and/or its representative.
Solutions used to increase security include the use of static data, such as information stored in the Card Verification Value 2 (“CVV2”) field of a transaction card, information from an address verification service, expiry dates, authorization controls and the like. The CVV2 field demonstrates that a cardholder is in possession of the transaction card. When the cardholder provides the CVV2 information to the merchant, the merchant includes the CVV2 in an authorization request to the issuer, and the authorization response advises the merchant whether the CVV2 information provided is valid.
One disadvantage of such static authentication measures is that the authentication value does not change for each transaction. Accordingly, a third party that has access to the card for even a short period of time may be able to copy the information and use it without the cardholder's knowledge.
Another disadvantage of static authentication measures is that such measures typically verify only the transaction card's presence as opposed to authenticating the cardholder. However, cardholder authentication provides stronger security than transaction card verification. For example, cardholder authentication provides card issuers with sufficient non-repudiation evidence to warrant providing merchant chargeback protection, while transaction card authentication does not.
Dynamic authentication technologies have also been devised to facilitate cardholder authentication in MOTO environments. Such technologies include voice authentication, sound authentication (i.e., transaction cards that generate dynamic sounds) and dynamic passcodes. One disadvantage of such dynamic authentication technologies is that they only represent one piece of the required solution needed to implement a MOTO authentication solution. Such technologies do not represent a solution to the infrastructure layer whereby merchants receive authentication data from cardholders and transmit such data to transaction card issuers. Merchants would need to implement systems to accept and forward the dynamic information. Moreover, acquirers would need to implement systems to pass dynamic information to the transaction card issuer.
Accordingly, cardholders and merchants are concerned that fraudulent MOTO transactions occur frequently and that information in non-fraudulent transactions can be stolen for fraudulent purposes. What is needed is a method and system for inhibiting unauthorized accesses to MOTO transactions.
A need exists for a method and system that permits a MOTO transaction to be performed securely.
A further need exists for a method and system of performing two-factor authentication in a MOTO environment to inhibit fraudulent access to MOTO transactions.
The present disclosure is directed to solving one or more of the above-listed problems.