Like barcode and voice data entry, RFID is a contactless information acquisition technology. Of late, companies are increasingly embodying RFID data acquisition technology in a fob or tag for use in completing financial transactions. During the transaction completion, information from the RFID fob is ordinarily passed to the POS, which delivers the information to a merchant system.
To complete the transaction, fob identification data is typically passed to a third-party server database. The third-party server references the identification data to a consumer (e.g., user) transaction account (e.g., charge, credit, debit, loyalty, etc.). In an exemplary processing method, the third-party server may seek authorization for the transaction by passing the transaction and account data to an authorizing entity, such as, for example, an “acquirer” and/or account issuer. Once the server receives authorization from the authorizing entity, the authorizing entity sends clearance to the POS device for completion of the transaction.
In addition to sending the information to an issuer system for verification, the merchant system may store the information in a merchant system database for later reference. For example, where the transaction device user is a repeat consumer, the transaction device user may wish to complete the transaction using transaction account information previously submitted to the merchant system. Since the account information is stored on the merchant system, the user need not provide the information to a merchant to complete subsequent transactions. Instead, the user may indicate to the merchant to use the transaction account information stored on the merchant system for transaction completion.
In another typical example, the merchant system may store the transaction account information for later reference when the transaction device user establishes a “recurrent billing” account. In this instance, the merchant may periodically charge a user for services rendered and/or goods purchased. The user may authorize the merchant system to seek satisfaction of the bill using the transaction account information. The merchant may thereby send a transaction request regarding the bill to an account provider, and/or a third-party server.
To lessen the financial impact of fraudulent transactions in the RFID environment, fob issuers have focused much effort on securing RFID transactions. Many of the efforts have focused on securing the transaction account and/or related data during transmission from the user to the merchant, and/or from the merchant to a third-party server and/or account provider system. For example, one conventional method for securing RFID transactions involves requiring the device user to provide a secondary form of identification during transaction completion. The RFID transaction device user may be asked to enter a personal identification number (PIN) into a keypad. The PIN may then be verified against a number associated with the user and/or the RFID transaction device, wherein the associated number is stored in an account issuer database. If the PIN provided by the device user matches the associated number, then the transaction may be cleared for completion.
One problem with the issuers' efforts in securing RFID transactions is that they typically do not focus on ways to guard the transaction account information stored on the merchant system from theft. As noted, the merchant may typically store on a merchant database the information received from the transaction device during a transaction. Such information may be sensitive information concerning the fob user or the fob user's account. Should the fob user's sensitive information be retrieved from the merchant system without authorization, the fob user or issuer may be subjected to fraudulent activity. The ability to secure the sensitive information stored on the merchant system is limited by the security measures taken by the merchant in securing its merchant system database. Consequently, the account provider often has little influence over the security of the account information once the information is provided to the merchant system.
As such, a need exists for a method of securing sensitive transaction account information which permits the account provider to have a significant influence on the security of the fob user information stored on a merchant system. A suitable system may secure the sensitive information irrespective of the merchant system.