Consumer payment devices are used by millions of people worldwide to facilitate various types of commercial transactions. In a typical transaction involving the purchase of a product or service at a merchant location, the payment device is presented at a point of sale terminal (“POS terminal”) located at a merchant's place of business. The POS terminal may be a card reader or similar device that is capable of accessing data stored on the payment device, where this data may include identification or authentication data, for example. Some or all of the data read from the payment device is provided to the merchant's transaction processing system and then to the Acquirer, which is typically a bank or other institution that manages the merchant's account. The data provided to the Acquirer may then be provided to a payment processing network that is in communication with data processors that process the transaction data to determine if the transaction should be authorized by the network, and assist in the clearance and account settlement functions for the transaction. The authorization decision and clearance and settlement portions of the transaction may also involve communication and/or data transfer between the payment processing network and the bank or institution that issued the payment device to the consumer (the Issuer).
Although a consumer payment device may be a credit or debit card, it may also take the form of a “smart” card or chip. A smart card is generally defined as a pocket-sized card (or other portable payment device) that is embedded with a microprocessor and one or more memory chips, or is embedded with one or more memory chips with non-programmable logic. The microprocessor type card typically can implement certain data processing functions, such as to add, delete, or otherwise manipulate information stored in a memory location on the card. In contrast, the memory chip type card (for example, a prepaid phone card) can typically only act as a file to hold data that is manipulated by a card reading device or terminal to perform a pre-defined operation, such as debiting a charge from a pre-established balance stored in the memory. Smart cards, unlike magnetic stripe cards (such as standard credit cards), can implement a variety of functions and contain a variety of types of information on the card. Therefore, in some applications they may not require access to remote databases for the purpose of user authentication or record keeping at the time of a transaction. A smart chip is a semiconductor device that is capable of performing most, if not all, of the functions of a smart card, but may be embedded in another device.
Smart cards or chips come in two general varieties: the contact type and the contactless type. A contact type smart card or chip is one that includes a physical element (e.g., a magnetic stripe) that enables access to the data and functional capabilities of the card, typically via some form of terminal or card reader. A contactless smart card or chip is a device that incorporates a means of communicating with the card reader or point of sale terminal without the need for direct contact. Thus, such devices may effectively be “swiped” by passing them close to a card reader or terminal. Contactless cards or chips typically communicate with a card reader or terminal using RF (radio-frequency) technology, wherein proximity to the reader or terminal causes data transfer between the card or chip and the reader or terminal. Contactless cards have found uses in banking and other applications, where they have the advantage of not requiring removal from a user's wallet or pocket in order to participate in a transaction. A contactless card or chip may be embedded in, or otherwise incorporated into, a mobile device such as a mobile phone or personal data assistant (PDA). Further, because of the growing interest in such cards, standards have been developed that govern the operation and interfaces for contactless smart cards, such as the ISO 14433 standard.
The contactless card may be pre-authorized to conduct offline transactions. An offline transaction is one in which the card Issuer does not have to authorize the transaction at the time of conducting the transaction. The contactless smart card may be provisioned to conduct a set number of offline transactions or a set maximum value of offline transactions. The maximum number and/or accumulated value of off-line transactions can be set by the card Issuer. An internal counter can be implemented on the smart card or the payment application that keeps track of the number and/or accumulated value of the off-line transactions.
In a conventional system, when a user reaches the maximum number of off-line transactions as determined by the internal counter, no more off-line transactions are allowed. Currently there is no process for performing a contactless refresh/reset of the internal counter in the payment application. The user has to present his card at a point of sale (POS) terminal that can connect to the Issuer and request a counter reset through the POS terminal or any other suitable terminal that can accept the contactless card and communicate with the Issuer. Once the counter is reset, the user can once again perform off-line transactions. However, there are instances where the user may not have access to a POS terminal in order to request a counter reset. In such instances, the user is prevented from conducting offline transactions thereby limiting his access to goods and services.
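The counter behaviour described in the two paragraphs above can be modelled as follows. This is an added example, not part of the original text: the class and function names are hypothetical, and the HMAC-protected reset with a shared Issuer key and a reset index is an assumption standing in for whatever Issuer authentication a real card uses.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class OfflineCounter:
    """Card-side counter model (hypothetical names, not from the original text)."""
    issuer_key: bytes   # assumption: secret shared between the card and the Issuer
    max_count: int      # Issuer-set maximum number of offline transactions
    max_value: int      # Issuer-set maximum accumulated value, in minor units
    count: int = 0
    value: int = 0
    resets: int = 0     # covered by the MAC so an old reset cannot be replayed

    def authorize_offline(self, amount: int) -> bool:
        """Approve offline only while both Issuer-set limits still hold."""
        if amount <= 0:
            return False
        if self.count + 1 > self.max_count or self.value + amount > self.max_value:
            return False  # limit reached: the card must go online to the Issuer
        self.count += 1
        self.value += amount
        return True

    def reset(self, mac: bytes) -> bool:
        """Clear the counters only for a MAC over the current reset index."""
        expected = issuer_reset_mac(self.issuer_key, self.resets)
        if not hmac.compare_digest(mac, expected):
            return False
        self.count = self.value = 0
        self.resets += 1
        return True

def issuer_reset_mac(issuer_key: bytes, reset_index: int) -> bytes:
    """Issuer side: the value a connected terminal relays back to the card."""
    msg = b"RESET|" + str(reset_index).encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).digest()

def demo():
    key = b"constructed-demo-key"  # constructed sample value
    card = OfflineCounter(key, max_count=3, max_value=5000)
    # Third purchase breaks the value limit, fifth breaks the count limit.
    results = [card.authorize_offline(a) for a in (1200, 1500, 2500, 100, 100)]
    forged = card.reset(b"\x00" * 32)        # not computed by the Issuer
    good = issuer_reset_mac(key, card.resets)
    accepted = card.reset(good)
    replayed = card.reset(good)              # same MAC, stale reset index
    return results, forged, accepted, replayed, card.authorize_offline(100)
```

Without a terminal that can reach the Issuer, no valid reset value is available and `authorize_offline` keeps returning `False`, which is the limitation the paragraph above describes.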
Mobile phones are also becoming useful as payment devices. A mobile device such as a mobile phone may include a transaction payment application to enable the phone to be used as a portable consumer payment device when making purchases. The payment application typically permits a user to make payment for goods or services, and may be linked to a payment account of the device owner. A problem may arise in situations in which the mobile device is lost or stolen because someone other than the owner of the device may then have access to the payment application and be able to execute transactions without the approval of the payment account owner. This can be particularly troublesome if the payment account is a prepaid account, as whoever is in possession of the device may be able to make purchases as long as the account balance is positive.
The payment application may be protected by a password, which may be used to control access to the payment application. As with the counter, there is currently no mechanism to perform a contactless password reset in case the password for the payment application becomes inoperative.
Embodiments of the invention address these and other problems, individually and collectively.