Like barcode and voice data entry, RFID is a contactless information acquisition technology. RFID systems are wireless, and are usually extremely effective in hostile environments where conventional acquisition methods often fail. RFID has established itself in a wide range of markets, such as, for example, the high-speed reading of railway containers, tracking moving objects such as livestock or automobiles, and retail inventory applications. As such, RFID technology has become a primary focus in automated data collection, identification and analysis systems worldwide.
Of late, companies are increasingly embodying RFID data acquisition technology in a fob or tag for use in completing financial transactions. A typical RFID fob is ordinarily a self-contained device, which may take the shape of any portable form factor. The RFID fob may include a transponder for transmitting information during a transaction. In some instances, a battery may be included in the fob to power the transponder, in which case the internal circuitry of the fob (including the transponder) may draw its operating power from the battery power source. Interrogation by the reader for activation of the fob is not required when using a battery source.
Alternatively, the fob may gain its operating power directly from a RF interrogation signal. U.S. Pat. No. 5,053,774, issued to Schuermann, describes a typical transponder RF interrogation system, which may be found in the prior art. The Schuermann patent generally describes the powering technology surrounding conventional transponder structures. U.S. Pat. No. 4,739,328 discusses a method by which a conventional transponder may respond to a RF interrogation signal. Other typical modulation techniques that may be used include, for example, ISO/IEC 14443 and the like. In the conventional fob powering technologies used, the fob is typically activated upon presenting the fob into an interrogation signal. In this regard, the fob may be activated irrespective of whether the user desires such activation.
One of the more visible uses of the RFID technology is the introduction of American Express' Expresspay®, Exxon/Mobil's Speedpass® and Shell's EasyPay® products. These products use transponders, placed in a fob or tag, which enable automatic identification of the user when the fob is presented at a merchant's point-of-sale (POS) device, for example, when attempting to complete a transaction. During the transaction completion, information from the RFID fob is ordinarily passed to the POS, which delivers the information to a merchant system.
To complete a typical transaction, fob identification data is passed to a third-party server database. The third-party server references the identification data to a consumer (e.g., user) credit or debit account. In an exemplary processing method, the third-party server seeks authorization for the transaction by passing the transaction and account data to an authorizing entity, such as for example an “acquirer” or account issuer. Once the server receives authorization from the authorizing entity, the authorizing entity sends clearance to the POS device for completion of the transaction.
To lessen the financial impact of fraudulent transactions in the RFID environment, fob issuers have focused much effort on securing RFID transactions. Many of the efforts have focused on securing the transaction account or related data during transmission from the user to the merchant, or from the merchant to a third-party server or account provider system. For example, one conventional method for securing RFID transactions involves requiring the device user to provide a secondary form of identification during transaction completion. The RFID transaction device user may be asked to enter a personal identification number (PIN) into a keypad. The PIN may then be verified against a number associated with the user or the RFID transaction device, wherein the associated number is stored in an account issuer database. If the PIN number provided by the device user matches the associated number, then the transaction may be cleared for completion.
One problem with the issuer's efforts in securing RFID transactions is that they are susceptible to eavesdropping and decrypting during transit, such as when transferred from the merchant system to the account issuer system. Such information may be sensitive information concerning the fob user or the fob user's account. Should the fob user's sensitive information be retrieved without authorization during transit, the fob user or issuer may be subjected to fraudulent activity.
As such, a need exists for a method of securing sensitive transaction account information, which permits the account provider, merchant system, or acquirer to have a significant influence on the security of the fob user information stored on a merchant system.