Performing transactions remotely, such as over the Internet or other computer networks, using a payment token (e.g., a payment card) has traditionally presented a higher risk of fraud because the merchant is not able to verify the identity of the person presenting the payment token data, and no physical signature may be received from the token holder at the time of the transaction.
Various techniques have been developed to minimize the possibility of fraudsters submitting stolen payment token information when conducting transactions remotely. One such technique offered by MasterCard Worldwide is known as SECURECODE™, which permits cardholder verification and/or authentication at the time of an online transaction. In one implementation of the technique, before attempting a transaction, the cardholder is requested to enroll in the program by visiting a registration website where, after confirming that the account is eligible for enrollment in the program, the identity of the cardholder is verified by prompting the cardholder to answer one or more security questions, or by other techniques. Once the identity of the cardholder is verified, the cardholder is prompted to set up and define his or her SECURECODE, which is a PIN or password known only to the cardholder. This SECURECODE is then stored in a secure database available to the financial institution that issued the payment card, and used for subsequent cardholder verification.
When the cardholder subsequently attempts to use the payment card at an online merchant, the cardholder's card number is entered into a web form, or otherwise made available to the merchant, and the merchant's computer queries a directory to verify whether the card is within a range of card numbers that participate in the SECURECODE program. Rather than consulting a directory server, the merchant may instead query a local cache of participating card number ranges. If the card number used is within a participating range, the merchant then sends a message to a computer maintained by the issuer or its representative, to determine whether the account being used is enrolled in the SECURECODE program. If the card account being used is enrolled, the merchant sends an instruction to the cardholder's computer, which then initiates communication with the issuer's computer. The cardholder is prompted to enter his or her PIN or password in a box on the cardholder's computer screen. The PIN or password is then verified by the issuer. If the issuer determines that the correct PIN or password has been entered, the issuer generates an Accountholder Authentication Value (AAV), which is returned to the merchant's web server application. Thereafter, the traditional payment processing occurs, except that the AAV is inserted in the authorization request message generated by the financial institution with whom the merchant maintains a relationship. The AAV is then used by the issuer to confirm that the identity of the cardholder performing the online transaction has been verified using the SECURECODE process before returning an authorization response message to the merchant, or the merchant's acquirer.
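The enrollment and transaction flow described above, modelled as an added example that is not part of the patent text or of any MasterCard implementation. The participating range, the card numbers, the issuer key and the HMAC-based AAV construction are all assumptions made here to show the four checkpoints (range lookup, enrollment query, PIN verification with AAV issuance, AAV verification in authorization) and why binding the AAV to the transaction matters.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not from the patent text: one participating card-number range
# and a hypothetical issuer HMAC key used to generate and later verify the AAV.
PARTICIPATING_RANGES = [(5100000000000000, 5199999999999999)]
ISSUER_KEY = b"hypothetical-issuer-aav-key"


def in_participating_range(pan: str) -> bool:
    """Merchant step 1: directory (or local cache) lookup of participating card ranges."""
    n = int(pan)
    return any(lo <= n <= hi for lo, hi in PARTICIPATING_RANGES)


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.enrolled = {}  # pan -> (salt, pbkdf2 hash of the SECURECODE PIN)

    def enroll(self, pan: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.enrolled[pan] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def is_enrolled(self, pan: str) -> bool:  # merchant step 2: enrollment query
        return pan in self.enrolled

    def _aav(self, pan: str, merchant_id: str, amount: int) -> str:
        # The AAV is bound to account and transaction, so a captured value cannot be replayed
        return hmac.new(self.key, f"{pan}|{merchant_id}|{amount}".encode(), "sha256").hexdigest()

    def authenticate(self, pan: str, pin: str, merchant_id: str, amount: int):
        """Step 3: cardholder enters the PIN with the issuer; returns the AAV or None."""
        salt, stored = self.enrolled[pan]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        if not hmac.compare_digest(stored, candidate):
            return None
        return self._aav(pan, merchant_id, amount)

    def authorize(self, pan: str, merchant_id: str, amount: int, aav: str) -> bool:
        # Step 4: the AAV arrives in the authorization request and is checked before approval
        return hmac.compare_digest(self._aav(pan, merchant_id, amount), aav)


def checkout(issuer: Issuer, pan: str, merchant_id: str, amount: int, pin_entered: str) -> str:
    """Drives the flow end to end and names the step at which it stopped."""
    if not in_participating_range(pan):
        return "not-participating"
    if not issuer.is_enrolled(pan):
        return "not-enrolled"
    aav = issuer.authenticate(pan, pin_entered, merchant_id, amount)
    if aav is None:
        return "pin-rejected"
    return "approved" if issuer.authorize(pan, merchant_id, amount, aav) else "aav-rejected"
```

The last check in `authorize` is where an AAV captured from one merchant or amount fails when presented with another, which is the property a real AAV scheme needs beyond simply proving a PIN was entered.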
In another embodiment of the SECURECODE process, rather than using a static PIN or password, the cardholder is provided with an intelligent token, such as an IC card or a contactless device, as well as an intelligent card reader to interact with the intelligent token. In this approach, the cardholder is prompted to use the token to generate a dynamic security code, which is entered into a web form by the cardholder or by the intelligent token reader, and the dynamic security code is submitted to the issuer to authenticate the cardholder. Such a system is described in more detail in U.S. patent application Ser. No. 10/506,016, entitled “Authentication Arrangement And Method For Use With Financial Transactions,” filed on Feb. 28, 2003, which is incorporated by reference herein in its entirety.
While the use of a static PIN and/or password can be effective at deterring or preventing fraudulent online transactions using stolen payment token information, this approach is not effective unless the token holder registers the payment token with the issuer in the program, and associates a PIN or password with the account. In some circumstances, it may be possible to force the token holder to register the token in the program the first time the token holder attempts an online purchase using a payment token that is eligible for use with the secure transaction program. Alternatively, the cardholder may be allowed to decline to register a predetermined number of times, before being forced to register in the program before further E-commerce or online transactions are permitted.
In some online or E-commerce transactions, however, the risk of fraud is not great enough to justify requiring a token holder to register his or her account and create a SECURECODE PIN or password. Additionally, even when a token holder is registered with a secure transaction program, the nature of the transaction may not justify the additional time and burden of requiring the PIN or password be verified before permitting the transaction.