Data theft due to hacking, viruses, and malicious software is a serious problem in the our digital information society. Data breaches of secure databases containing consumer information are a regular occurrence. Merchants store vast databases of sensitive account and personal information for financial related purposes. Hackers interested in identify theft have found these merchant databases to be easy targets. Security breaches at merchants and other entities have led to countless unauthorized transactions being completed using consumers account information. This problem may be compounded by small business merchants that do not have the resources to secure their data against sophisticated hackers. Accordingly, merchants may store sensitive information about their consumers that may cause the merchant to be liable if the information is stolen and used to complete unauthorized transactions.
Additionally, some owners and/or employees of a merchant may also access sensitive consumer information from the vast records of sensitive data and use information from the databases to initiate unauthorized transactions at other merchants. Because no data is breached during an attack from an outside entity, many times no one may know that the consumer's information has been stolen or when it was stolen. Accordingly, malicious merchants with access to sensitive information may open the consumer to loss through fraudulent transactions. Because no particular merchant may be traceable to the data breach, it may be hard to find the appropriate merchant responsible and thus the consumer may bear the liability for the unauthorized transaction.
Additionally, as payment transactions using accounts associated with portable consumer devices become more prevalent, consumers demand more flexible payment options. One solution may be to allow consumers to use personal information to initiate transactions. However, allowing consumers to initiate transactions with the use of personal information makes the personal information more sensitive data because third parties may use the personal information to initiate unauthorized transactions. Furthermore, personal information related to the consumer may be easier for malicious parties to gain access to then account passwords, personal identification numbers, and other such authentication techniques used in the past. For example, if consumers are allowed to initiate a transaction by merely providing their phone number, the ability for third parties to initiate unauthorized transactions by merely submitting a phone number that can be found in a phone book increases the chances of an unauthorized transaction being initiated astronomically. Accordingly, as personal information that used to be non-sensitive are becoming more sensitive as it is being used to initiate payment transactions. Therefore, a need exists to protect the consumers personal information from being stored in merchant records, while providing more flexible payment options.
Consumers are constantly in need of access to their payment accounts no matter what circumstances they find themselves in. For example, a consumer may have misplaced or lost their portable consumer device. As such, there exists a need for authentication procedures that are both secure as well as consumer friendly. Consumer friendly authentication means that the consumer may use information that is recognizable, relevant, and easily remembered to initiate a transaction. Furthermore, it may mean that transactions may be initiated without the need for a device to be carried or swiped.
However, the use of tokens that are recognizable, easy to remember, and familiar to consumers can also be easily overheard, sniffed, or otherwise compromised by a third party. Once a consumers information is compromised it is possible to use it at different merchants. Accordingly, there is a need for a simple, flexible, and mobile form of payment that is also secure from interception from third parties and use at multiple merchants.
Furthermore, consumers use their sensitive data with so many different merchants that it may be difficult to keep their sensitive or personal information secure. Many consumers ask consumers for their personal information as a matter of course during transactions presently. Accordingly, there is a need for an authentication system that can be implemented at individual merchants where any tokens used in the authentication may not be relevant or usable by other merchants.
Storing consumer financial and personal information at a merchant uses a vast amount of system resources and may leave the merchant liable for any data breaches. Furthermore, merchant attempts to secure this sensitive information uses further system resources and for small entities with limited budgets, appropriate security may not be feasible. Accordingly, there is a need to design an authentication technique that is secure, flexible, and does not require the storing of sensitive consumer information.
Embodiments of the present invention address these problems and other problems individually and collectively.