Individuals are often involved in interactions in which there is a need to provide some kind of identifying information to another party. Transactions, such as credit transactions, debit transactions, loyalty card transactions and the like, rely on message and data exchanges between participants (e.g., members, merchants, associations and cardholders). Traditionally, many such interactions have been performed face-to-face or over private networks using proprietary protocols, reducing the likelihood that transactions will be compromised or that an identity will be falsified.
The Internet, mobile communications networks, interactive television networks, and new access devices have created convenience for performing transactions. The number of such electronic commerce transactions continues to grow as a result. In concert with this growth trend, the threat from fraud by compromising the transaction or through falsification of identity over the Internet or in conjunction with such new access devices is likely to increase as well.
Prior to the Internet and the introduction of other remote networking technologies, some exchanges of information between information providers and information requestors, for example the exchange between a merchant and an issuer of a transaction card (such as a credit card, debit card, smart card, stored value card, loyalty card, and the like), occurred solely over private networks. Although current e-commerce transactions perform a majority of the messaging associated with the transaction via trusted networks, such as between the merchant and the issuer (e.g., a member) or the acquirer (e.g., an association), typically at least some portion of the messaging must occur outside of the trusted environment, which raises the potential that the transaction data will be compromised. With the increasingly widespread use of the Internet and of non-traditional devices (e.g., mobile phones, PDAs, vending machines, set-top boxes, and the like) to conduct transactions, there is a concomitant increase in messaging outside of the trusted environment. This raises the potential threat of the transaction data being compromised and used in an unauthorized fashion in either the current or subsequent transactions.
Fraudulent transactions have a monetary impact on issuers and associations. Such transactions can result from, for example, skimmed transaction card data or stolen transaction cards. Today, the threat posed by skimmed card data far exceeds the threat posed by stolen cards. In the case of a stolen transaction card, a cardholder generally recognizes that the card has been stolen, since the cardholder no longer has the physical card. When the cardholder next attempts to use the transaction card, he will discover that it is missing and will likely contact the issuer to cancel it. In contrast, when data is skimmed from a transaction card, the cardholder has no visible sign that the card has been compromised. Unless the issuer determines that transaction activity on the card is abnormal, the cardholder may not recognize that the card is compromised until the next statement is received. Accordingly, the monetary impact caused by skimming card data is fairly estimated to be significantly larger than the monetary impact caused by theft of a physical card.
Additionally, other types of private information are increasingly exchanged in untrusted environments such as the Internet. Much of this information could be fraudulently used if intercepted by someone taking advantage of an insecure network to falsify an identity or to intercept an unsecured communication.
The majority of current verification methods have been designed to rely upon the existence of trusted networks to reduce the ease of skimming card data. For example, password-based or Personal Identification Number (PIN) based systems have been implemented to reduce the likelihood of unauthorized use of a transaction card. However, password or PIN information may be skimmed during a transaction.
Alternatively, a static or dynamic card verification value (CVV) may be used to protect the transaction in a trusted environment. A static CVV has the same weakness as a password or PIN-based system: because the value is identical in every transaction, it may be skimmed and reused.
A transaction including a dynamic CVV resists skimming because the CVV is unique to the transaction. Accordingly, a CVV skimmed from one transaction will not permit the skimmer to use it in a separate transaction. Presently, however, a dynamic CVV can only be transmitted when a card is physically swiped or brought within proximity of a contactless reader.
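The replay distinction described above, shown in runnable form. This is an added example and not the page's own scheme: the dynamic code is an assumed illustrative construction (an HMAC-SHA256 over the card number and a monotonically increasing transaction counter, truncated to three digits), and the class names, card number, static CVV and per-card key are all constructed for the example. A skimmer who copies a static CVV from one transaction can replay it in another; a skimmed dynamic CVV is rejected on replay because the issuer has already accepted that counter value.

```python
"""Static CVV versus transaction-unique (dynamic) CVV under a
skimming-and-replay attack.

Added example, not the page's own scheme. The dynamic code is an
assumed construction: HMAC-SHA256 over the card's PAN and a
monotonically increasing transaction counter, truncated to three
digits. Card, Issuer, the PAN, the static CVV and the key are
constructed for this example.
"""
import hashlib
import hmac


def derive_dynamic_cvv(key: bytes, pan: str, counter: int) -> str:
    """Transaction-unique code: HMAC(key, pan || counter), 3 digits.

    Assumed construction for illustration; real schemes differ in
    inputs and algorithm.
    """
    msg = f"{pan}|{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Card:
    """Simulated card: holds a static CVV, a per-card secret and a counter."""

    def __init__(self, pan: str, static_cvv: str, key: bytes):
        self.pan = pan
        self.static_cvv = static_cvv
        self._key = key
        self.counter = 0

    def present_static(self) -> tuple:
        """What a swipe or keyed entry exposes: PAN and the fixed CVV."""
        return (self.pan, self.static_cvv)

    def present_dynamic(self) -> tuple:
        """Each call advances the counter and emits a fresh code."""
        self.counter += 1
        code = derive_dynamic_cvv(self._key, self.pan, self.counter)
        return (self.pan, self.counter, code)


class Issuer:
    """Simulated issuer host: verifies static and dynamic CVVs."""

    def __init__(self):
        self._static = {}    # pan -> static cvv
        self._keys = {}      # pan -> card key
        self._last_ctr = {}  # pan -> highest counter accepted so far

    def enroll(self, card: Card) -> None:
        self._static[card.pan] = card.static_cvv
        self._keys[card.pan] = card._key
        self._last_ctr[card.pan] = 0

    def verify_static(self, pan: str, cvv: str) -> bool:
        """No freshness: the same (pan, cvv) is accepted every time."""
        expected = self._static.get(pan)
        return expected is not None and hmac.compare_digest(expected, cvv)

    def verify_dynamic(self, pan: str, counter: int, cvv: str) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        # Replay check: a counter at or below the last accepted value is
        # rejected even if the code itself is correct. Real hosts allow a
        # small window for out-of-order arrival; strict monotonicity is
        # used here for clarity.
        if counter <= self._last_ctr[pan]:
            return False
        expected = derive_dynamic_cvv(key, pan, counter)
        if not hmac.compare_digest(expected, cvv):
            return False
        self._last_ctr[pan] = counter
        return True


def run_skimming_scenario() -> dict:
    """Replay data skimmed from one transaction in a second one."""
    card = Card(pan="4111111111111111", static_cvv="123",
                key=b"constructed-per-card-key")  # constructed values
    issuer = Issuer()
    issuer.enroll(card)
    results = {}

    # Static CVV: the skimmer copies (PAN, CVV) from a genuine purchase...
    skimmed_static = card.present_static()
    results["static_genuine"] = issuer.verify_static(*skimmed_static)
    # ...and the identical data is accepted again in a fraudulent one.
    results["static_replay"] = issuer.verify_static(*skimmed_static)

    # Dynamic CVV: the skimmer copies (PAN, counter, code) from a genuine
    # purchase...
    skimmed_dynamic = card.present_dynamic()
    results["dynamic_genuine"] = issuer.verify_dynamic(*skimmed_dynamic)
    # ...but replaying it is rejected by the counter check.
    results["dynamic_replay"] = issuer.verify_dynamic(*skimmed_dynamic)
    # The legitimate card's next transaction still succeeds.
    results["dynamic_next_genuine"] = issuer.verify_dynamic(*card.present_dynamic())
    return results


if __name__ == "__main__":
    for name, ok in run_skimming_scenario().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Two practical caveats follow from the construction. A three-digit code gives an attacker who does not hold the key a one-in-a-thousand guess per attempt, so an issuer must rate-limit failed dynamic CVV attempts per card. And the counter check is what defeats replay, not the MAC alone: an issuer that verified the code but did not track the counter would accept the skimmed tuple a second time.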
As a result, current transaction devices, such as credit cards, debit cards, smart cards, stored value cards, loyalty cards and the like, are designed to be used most effectively in trusted acceptance environments. In a trusted acceptance environment, the transmitted information is assumed to be valid because skimming attacks are unlikely to occur.
However, in some transactions, such as e-commerce transactions or transactions with non-traditional devices, the connection between a merchant and a cardholder can be untrusted, insecure, and/or compromised. Accordingly, the entire transaction cannot be guaranteed to be secure and uncompromised. As the number of such transactions rises, the need to secure such untrusted channels becomes more pressing. What is needed, therefore, is a system and method for securing transactions in an untrusted environment.
A need exists for a system and method for providing a protection mechanism that provides security for an information exchange transaction between an information provider and an information requester in an untrusted environment.
A further need exists for a system and method for authenticating identity to permit an information exchange transaction to proceed in an untrusted environment.