Technological improvements have allowed businesses and individuals to engage in transactions in new and expanding environments. For example, payment of a transaction may now be made over a wireless interface such as in the case of a radio frequency or infrared enabled electronic device. For instance, radio frequency enabled credit cards, also commonly known as contactless cards, typically comprise an integrated circuit, and a coiled antenna. The integrated circuit of a contactless card comprises a processor, memory such as random access memory or electrically erasable-programmable read only memory (“EEPROM”), and a modulator/demodulator for impressing data on a radio frequency wave and decoding received data. The antenna is coiled through the interior of the contactless card and is used to communicate data with an external location. In addition, the coiled antenna inductively couples with an external electromagnetic field and serves as a power source for the contactless card. In addition, wireless transactions may be conducted by any electronic device which is enabled to communicate transaction information over any wireless interface including infrared, radio frequency, laser, or another frequency or communication means or protocol for use therewith.
Contactless cards provide increased cost savings to the issuer of such cards because they do not require contact with a physical card-reading device to receive power or exchange information. Similarly, contactless integrated circuit cards provide significant convenience to the cardholder as they allow a consumer to conduct a transaction more quickly and conveniently than in a contact-based environment. For example, using contactless technology, a consumer could present the card for payment without having to locate their card in their wallet, physically provide the card to the merchant, await the merchant to properly read the card through physical means, receive the card back from the merchant, and replace the card in their wallet. Rather, using contactless technology, the transaction could be conducted without the consumer ever removing the card from their wallet. By eliminating the physical exchanges between the consumer and the merchant, contactless technology will result in significant overall time savings to the consumer even if actual processing time for contactless transactions is longer than for contact-based transactions. In addition, a contactless card never needs to leave the actual possession of the card holder as all of the data necessary to the transaction is transferred over a wireless interface. This feature itself provides the cardholder with a increased level of security as it reduces the likelihood that the card will be passed through an unauthorized reader for purposes of skimming the data on the card and creating a counterfeit card.
Nonetheless, these benefits must be balanced against the potential for security breaches which are presented by contactless cards that are not presented in a contact-based environment. In particular, different security issues arise where information is transmitted between a card and a contactless card reader which information may be intercepted during transmission. Potential security breaches which arise by the use of contactless cards include data “hijacking”, data “pick-pocketing” and the “man in the middle” attack.
Hijacking data occurs when a party not involved in a credit card transaction taps into the exchange of data occurring as part of the transaction to extract information being transmitted between a contactless card and a contactless card reader. Not surprisingly, the ability for a fraudulent device to obtain valid data is inversely proportional to the distance between the hijacking device and the card reader and/or the contactless card. In other words, as the hijacking device is permitted to be in closer proximity to card reader and/or the contactless card, the likelihood of the hijacking device successfully obtaining valid data from the transaction is increased.
Pick-pocketing data occurs when a fraudulent device activates and reads the contactless card without the cardholder's knowledge. Data pick-pocketing may even occur when the card is not being used in a transaction as the pick-pocketing device can activate the card and initiate a data exchange. Data is obtained from the card by the fraudulent device using legitimate commands causing the card to evaluate the data exchange as legitimate. Since a contactless card transmits data as radio frequency waves propagating from a single source, a contactless card may be subject to such an attack in locations and from sources of which the cardholder is not aware. Again, the ability for a fraudulent device to obtain valid data is inversely proportional to the distance between the contactless card and the fraudulent device.
A “man in the middle” attack occurs when an exchange between a contactless card and a legitimate card reader is unknowingly intercepted by a third and unauthorized device to the transaction. The third and unauthorized device to the transaction intercepts the data transmitted by the card, copies or otherwise manipulates such data, then transmits such data to the legitimate card reader. When the card reader is returning data or instructions to the card, the third device receives such data and transmits such data to the card. The transaction continues with the third device accepting and re-transmitting all data exchanged between the card and the legitimate card reader. In this fashion, the third device has access to all of the data of the transaction, without the knowledge of either the card holder or the merchant operated card reader.
Because the security risks inherent in a contactless environment may require additional security measures to be performed to secure data during transmission, terminals interfacing with cards need to differentiate between contactless cards and cards that physically contact the terminal. Applications deployed on cards capable of contactless communication with a point of sale terminal may vary and require the use of different types of data, in different formats and with different processing requirements. For example, a single card as used in the present invention may simultaneously have deployed thereon applications which utilize magnetic stripe data and applications which utilize chip data. In this context, magnetic stripe data is that data which is commonly referred to in the industry as Track 1 and/or Track 2 data, as this data is commonly stored on those tracks of the magnetic stripe which appears on the back of non-integrated circuit enabled cards. Chip data is that data which is utilized in the so call smartcard transactions, such as for example the Visa Smart Debit/Credit (VSDC) transactions, and is stored on memory residing on the card itself.
Accordingly, utilizing an integrated circuit card to perform transactions across both a wireless interface with a point of sale terminal and across a contact interface require methods for selecting the application which will be used in the transaction, the interface which will be used in the transaction and the data format which will be used in the transaction. The present invention provides such methods and further provides for their use in the existing environment for credit and debit card transactions with minimal equipment changes to merchant and issuer or service provider equipment.