In a conventional consumer card payment transaction, a cardholder presents a merchant with a portable consumer device such as a credit card to pay for goods or services. The processing of the transaction involves the merchant, an acquirer, a payment processing network, and a card issuer. The merchant initiates online processing and forwards an authorization request message to the acquirer, through the payment processing network, and to the issuer. The issuer verifies that the card number, transaction amount, and other information are valid and returns an authorization response message for the transaction back to the merchant. A variety of fraud prevention measures are used by issuers to guard against the unauthorized (or wrongly authorized) use of such cards.
Fraud prevention measures include a Cardholder Verification Value (CVV), which comprises a three-digit code that is stored within a magnetic stripe data (MSD) region of the card when the issuer provides the card for personalization. The issuer maintains a database of the CVV data for the issued cards and can therefore check an incoming request for authorization against the CVV data maintained at the issuer for the card in question. The issuer can safeguard the CVV data to ensure that such data is not shared outside of the issuer, thereby maintaining an increased level of security against fraud and counterfeit cards.
Under some situations, offline processing using a payment card is desirable. For example, transit fare processing from payment cards is typically conducted offline, because of transaction speed requirements at transit fare collection devices such as subway turnstiles or bus fareboxes. For transit transactions, thirty to forty-five customers (passengers) are processed per minute, so there is insufficient time for the merchant (the transit system) to go online to the issuer for transaction authorization. Moreover, such transactions typically utilize some form of contactless card for payment that does not require physical contact between the card presented for payment and the transit fare collection device of the transit system. In these situations, some form of offline card authentication is desirable to prevent potential counterfeit card attacks and potential organized fraud.
In this discussion, “contactless cards” for payment systems will include contactless “smart” cards and also contactless smart chips. A smart card is generally defined as a pocket-sized card (or other portable consumer device) that is embedded with either a microprocessor and one or more memory chips, or one or more memory chips with non-programmable logic. The microprocessor-type smart card typically can implement certain data processing functions, such as to add, delete, or otherwise manipulate information stored in a memory location of the smart card. In contrast, the memory-chip-type card (for example, a pre-paid phone card) can only act as a file to hold data that is manipulated by the reading device to perform a predefined operation, such as debiting a charge from a pre-established balance held in the memory or secure memory. Smart cards, unlike magnetic stripe cards (such as conventional credit cards), can implement a variety of functions and contain a variety of types of information on the card. Therefore, in some applications they do not require access to remote databases for the purpose of user authentication or record keeping at the time of a transaction. A smart chip is a semiconductor device that is capable of performing most, if not all, of the functions of a smart card, but may be embedded in another device.
A contactless smart card is a smart card that incorporates a means of communicating with the card reader or terminal without the need for direct contact. Thus, such cards may effectively be “swiped” by passing them close to the card reader or terminal. Such contactless smart cards typically communicate with the card reader or terminal using RF (radio-frequency) technology, wherein proximity to an antenna causes data transfer between the card and the reader or terminal. Contactless smart cards have found uses in banking and other applications, as it may not be necessary to remove them from one's wallet or pocket in order to complete a transaction. Furthermore, because of the growing interest in such smart cards, standards have been developed that govern the operation and interfaces for contactless smart cards, such as the ISO 14443 standard. A variety of financial transactions, such as retail payment and transit fare collection, have adopted the ISO 14443 standard for contactless smart cards.
As noted above, an MSD area of a payment card can be used to store CVV data and the like to protect against fraudulent use in consumer transactions. In a contactless smart card, data for an additional, separate payment application, such as a transit application, might be stored in the card and might be feasible for performing offline authentication processing. The additional transit application data stored in the MSD area would require specialized readers that can detect and execute the offline-payment transit application. This would require additional effort on the part of the issuer to install and manage such applications, placing a burden on the issuer that may prevent widespread adoption of the solutions.
From the discussion above, it should be apparent that there is a need for transaction processing that can perform authorization operations in an offline transaction processing environment. Embodiments of the present invention satisfy this need.