1. Field of the Invention
The invention relates to authentication and payment systems and, more particularly, to secure authentication and payment systems.
2. Background Information
Authentication is a major constituent of essentially all commercial transactions. When individuals deal with each other face to face, authentication may be implicit if the individuals know each other. If they do not, authentication at various levels may be required before the transaction is allowed to be completed. For example, a photo ID such as a driver's license may be required by a party to the transaction before the transaction is allowed to proceed. Authentication is particularly a problem if the parties do not know each other and/or are not dealing with each other face to face. In such a case, various forms of identification, such as passwords, may be required as a condition of completion.
Authentication systems, of course, are adjuncts to payment systems. There are many systems used for exchange of value (payment) which include, but are not limited to, cash, checks and credit/debit cards. The latter are particularly vulnerable to fraud and theft, and account for substantial losses to merchants and financial institutions every year, despite significant efforts to authenticate the transaction of which they are a part.
Businesses which sell items of comparatively low cost have an especial need for transaction authentication which is simple and minimally intrusive but nonetheless robust. Purchasers of such items are largely members of the general public, often with limited patience. While they will accept some level of authentication in connection with a transaction, the level is generally not sufficient to ensure reliable authentication of all transactions, and customers will often refuse to deal with merchants who seek to impose higher levels of authentication. Thus, merchants frequently limit the authentication requirements that they impose, and therefore knowingly incur a predictable level of loss rather than lose customers who will not accept higher levels of authentication.
The cost of authenticating a transaction is also a major factor in its use. The cost of authentication must not be significant in relation to the cost of the article, else authentication may be omitted in order to induce the sale.
One of the first and still most widely used systems of authentication is the bank Automated Teller Machine (ATM) system that is used by many banks. In this system a financial institution issues to an individual an ATM card which is preprogrammed by the financial institution to be accepted by the network. The individual can then access funds and banking information by inserting or swiping the card using ATM specific apparatus which is connected to the network, either in real-time or through a dial-up service. The apparatus requests a PIN (personal identification number) from the user. After the individual has keyed in the PIN, the network matches the keyed PIN with a pre-recorded PIN. If the information matches exactly, the ATM network allows the individual to check his account balance, pay a bill, or receive currency from the machine, among other available transactions.
This level of authentication has been deemed acceptable to individuals and financial institutions, but it requires special apparatus (the ATM machines and the ATM cards) as well as a private communications network over which the transactions take place. Further, different banking networks belong to different ATM networks.
Authentication When Not Present (AWNP) has become an important issue in increasingly complex commercial transactions. Typically enterprises such as American Express®, VISA®, MasterCard®, banks or check-clearing networks and their affiliates (referred to collectively herein as Payment Networks (PN)) provide a unique apparatus to merchants that are connected to one or more PN's. In order to obtain authorization for a payment, the PN typically requires that the cards issued by them be swiped through the apparatus or that check numbers and other details be inputted on a keyboard by the merchant or by their agent. The merchant may also simply read the card or check data over the phone to the PN agent. The unique data is then transported on a network and authorization is obtained from the appropriate PN. The merchant then typically requires the customer to sign a template document to verify the purchase and the customer's responsibility for paying for the goods to the PN or, in the case of checks, to completing a check and signing it.
Sometimes a merchant will require a separate identification (ID), but in most circumstances, especially in the case of a PN card, the only authentication typically required is the PN card itself. After the customer signs the template document, the merchant relegates the responsibility for payment to the PN, relying on the authorization obtained from the PN and the signed document they have obtained from the customer. If the customer disputes the transaction, the merchant presents the document as a means of verifying the purchase.
This system relies on two premises:                1. That the customer will promptly report a lost or stolen card, so that a card presented by a customer to the merchant, if not previously reported lost or stolen, can be assumed to belong to the customer presenting it.        2. That the signature on the back of the card matches the template document after authorization has been obtained by the merchant.        
There are many ways that fraud can occur in this arrangement. Some examples include, e.g., a card that has been stolen but not reported as such; a card that has not been signed by its authorized owner but has been signed by an unauthorized user instead; and failure of the merchant to check a signature when a customer signs the template document, among others. In the case of taking orders over a phone or on the Internet, a card is not present and no signature is obtained to verify the customer; therefore, in most circumstances, if a customer disputes a transaction, the PN holds the merchant responsible, as the merchant was willing to proceed with the transaction without obtaining a signature. This is referred to in the card industry as “charge back”, and can account for 2 to 10% of the value of the goods sold by the merchant. Additionally, most PN's require a higher transaction fee for Transactions When Not Present (TWNP), or for merchant classes that have higher proportion of their sales as TWNP, and thus the merchant's transaction costs are increased.