Embodiments of the present invention relate to portable wireless devices that may be used to conduct contactless payment transactions. More specifically, embodiments of the present invention relate to conducting those transactions in a secure manner.
In today's society the presence of portable wireless devices carried by consumers has become almost ubiquitous. Cellular telephones, Personal Digital Assistants (PDAs), pagers, and the like are being carried by larger and larger numbers of people. These devices are being used to perform a wide variety of tasks, such as standard voice communications, e-mail access, internet web surfing, and a whole host of other activities. One of the activities that is currently contemplated is the use of a portable wireless device to act as a replacement for a payment card, such as a standard credit or debit card.
At least one major manufacturer of cellular phones has introduced a phone that is capable of being used as a payment card. In addition to the standard elements and capabilities of a cellular phone, the device also contains an additional element that is capable of storing a user's payment card information, such as their credit card account number. This element is further tied in with a short range wireless transmission element, such as a Radio Frequency Identification (RFID) tag, to allow the phone to transmit the account number over a short range to a contactless reader.
Contactless readers are becoming more and more commonplace in the market as a replacement for standard credit card readers. As opposed to a standard card reader, whose operation involves a merchant or the consumer physically sliding the payment card through the card reader in order for the payment card account information to be read, a contactless card reader is able to retrieve the payment card information from the device through the use of a short range radio transmission, such as those provided by RFID tags. The device need only be held in the vicinity of the contactless reader. A real world example of such a contactless reader can be seen in a payment system offered by a major gasoline seller in the US. In that system, a consumer is issued a small device that may be attached to a keyring, and that further contains the consumer's payment account information and a short range wireless transmission element. When the user purchases gasoline at the pump, he merely needs to wave this device in front of a designated area on the pump, and the payment account information is transferred to the seller to process the transaction.
Although the use of contactless card readers provides increased convenience to the user, this technology also presents disadvantages. Due to the wireless nature of the contactless reader, it is possible that the contactless reader may be used for surreptitious interrogation of the portable wireless device by intercepting the portable wireless device's communications. In addition, it is conceivable that a contactless reader may be developed or modified to enhance its power and sensitivity and thereby increase its ability to interrogate, and intercept signals from, the portable wireless device from a greater distance than specified in standards used for contactless readers.
Theft of sensitive information, such as an account number, using wireless interrogation or interception of communications from a portable wireless device is a major concern for consumers and businesses alike. Unfortunately, given the sophistication of the wireless interrogation equipment and the nature of wireless signals, it is easy for wireless interrogation to occur at virtually any time and place. Once the victim of the wireless interrogation discovers that they had sensitive information stolen, it is often too late to discover where the theft took place. The victim must then deal with the consequences and hassle of correcting the unauthorized access and possible uses of the information.
In response to such risk, many payment service providers have instituted safeguards for protecting purchases from fraudulent attacks, for example, by employing encryption technologies to encrypt the payment account number and other data associated with account transactions. Encryption generally involves encrypting transaction data on one end of a transmission with a key, and then regenerating the original transaction data by decrypting the encrypted data received with the same key on the other end of the transmission. While encryption technologies have proven to be highly effective in preventing information theft, implementing or upgrading to the latest encryption technology often requires upgrades by the end users of payment processing networks. Due to the cost, time, and risk of potential business interruption (e.g., loss of sales), many merchants, for example, resist making necessary upgrades to their procedures and systems to implement such safeguards. Therefore, such safeguards have had limited success as they are generally expensive to implement, can be overcome, and have not been fully accepted by the credit card industry, merchants, payment processors, etc.
In the case of a portable wireless device, such as that described above in relation to a cellular phone, it may be possible to require some type of code, such as a Personal Identification Number (PIN) to be entered prior to enabling the short range wireless transmission element. Although this may partially resolve the issue of the wireless transmission being intercepted while the user is not actively using the device, it still does not resolve the situation where the sensitive information is intercepted while the user is making a legitimate purchase and has thus already entered the PIN.
Therefore, what is needed is a cost effective device and method that integrates easily with existing payment processing networks and prevents an unauthorized user from using data wirelessly interrogated or intercepted from a portable wireless device.
Embodiments of the invention address the above problems and other problems individually and collectively.