Adaptive authentication options

US 10,346,837 B2
Filed: 11/06/2007
Issued: 07/09/2019
Est. Priority Date: 11/16/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a server computer, a transaction message relating to a request by a consumer to conduct a transaction using a portable consumer device associated with a payment account number;

determining, by the server computer, that the portable consumer device is enrolled in an authentication program that provides greater security for the consumer when the consumer conducts transactions using the portable consumer device, by contacting a directory server which sends a request to an access control server operated by an issuer of the payment account number to determine if the portable consumer device is enrolled in the authentication program and receives a response from the access control server;

analyzing, by the server computer, the transaction message to determine if the transaction is a specialized transaction, wherein the specialized transaction is a purchase transaction and involves a recurring payment, a micro-payment, or a one-step online payment;

determining that the transaction is the specialized transaction;

analyzing the transaction message, using the server computer, to determine if a re-authentication event has taken place or has not taken place by analyzing data in the transaction message against re-authentication events in a re-authentication event database;

determining that the re-authentication event has not taken place; and

in response to determining that the re-authentication event has not taken place, initiating an authorization request message comprising the payment account number and an amount of the transaction to the issuer of the payment account number for approval, using the server computer, without sending a re-authentication message to the consumer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a consumer for a portable consumer device is disclosed. One embodiment of the invention includes receiving a transaction message relating to a request by a consumer to conduct a transaction using a portable consumer device, wherein the consumer was previously enrolled in an authentication program and the consumer was previously authenticated, analyzing the transaction message to determine if a re-authentication event has taken place, causing a re-authentication message to be sent to the consumer before initiating an authorization request message to the issuer if the re-authentication event has taken place, and initiating the authorization request message to the issuer without sending the re-authentication message to the consumer if the re-authentication event has not taken place.

97 Citations

View as Search Results

14 Claims

1. A method comprising:
- receiving, by a server computer, a transaction message relating to a request by a consumer to conduct a transaction using a portable consumer device associated with a payment account number;
  
  determining, by the server computer, that the portable consumer device is enrolled in an authentication program that provides greater security for the consumer when the consumer conducts transactions using the portable consumer device, by contacting a directory server which sends a request to an access control server operated by an issuer of the payment account number to determine if the portable consumer device is enrolled in the authentication program and receives a response from the access control server;
  
  analyzing, by the server computer, the transaction message to determine if the transaction is a specialized transaction, wherein the specialized transaction is a purchase transaction and involves a recurring payment, a micro-payment, or a one-step online payment;
  
  determining that the transaction is the specialized transaction;
  
  analyzing the transaction message, using the server computer, to determine if a re-authentication event has taken place or has not taken place by analyzing data in the transaction message against re-authentication events in a re-authentication event database;
  
  determining that the re-authentication event has not taken place; and
  
  in response to determining that the re-authentication event has not taken place, initiating an authorization request message comprising the payment account number and an amount of the transaction to the issuer of the payment account number for approval, using the server computer, without sending a re-authentication message to the consumer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the re-authentication event is a change in the consumer'"'"'s home address, payment terms, shipping address, billing address, email address, name, account number, payment method, portable consumer device expiration date, or password, and wherein the consumer was previously authenticated to the issuer.
  - 3. The method of claim 1, wherein the re-authentication event is a new or different IP address, an out of pattern activity, an order amount above a specified dollar amount, or a long period of inactivity in the payment account.
  - 4. The method of claim 1, wherein the re-authentication event is where a previous transaction was associated with an authentication failure or attempt.
  - 5. The method of claim 1, wherein the transaction is a first transaction, the request is a first request, the transaction message is a first transaction message, the authorization request message is a first authorization request message, and the re-authentication event is a first re-authentication event, and wherein the method further comprises:
    - receiving by the server computer, a second transaction message relating to a second request by the consumer to conduct a second transaction using the portable consumer device;
      
      determining, by the server computer, that the portable consumer device is enrolled in the authentication program;
      
      analyzing, by the server computer, the second transaction message to determine if the second transaction is another specialized transaction;
      
      determining that the second transaction is another specialized transaction;
      
      analyzing the second transaction message, using the server computer, to determine if a second re-authentication event has taken place or has not taken place;
      
      determining that the second re-authentication event has taken place; and
      
      in response to determining that the second re-authentication event has taken place, initiating, by the server computer, a re-authentication process with the consumer;
      
      determining, by the server computer, that the consumer is authentic; and
      
      in response to determining that the consumer is authentic, initiating a second authorization request message to the issuer, using the server computer.
  - 6. The method of claim 5, wherein the re-authentication process comprises sending, by the server computer and via the directory server, a first message to an access control server at the issuer, wherein the access control server thereafter sends a re-authentication request message to a client computer operated by the consumer and subsequently receives a password from the consumer via the client computer, and sends a second message to the server computer indicating that the consumer has been authenticated.
  - 7. The method of claim 6 wherein the portable consumer device is in the form of a card and wherein the second transaction message comprises a digital certificate of the issuer.
  - 8. The method of claim 1, wherein initiating the authorization request message to the issuer, using the server computer, comprises generating the authorization request message and sending the authorization request message to the issuer through an acquirer and a payment processing network.

9. A server computer comprising a non-transitory computer readable medium storing a computer program containing instructions thereon for instructing the server computer to perform a method comprising the steps of:
- receiving a transaction message relating to a request by a consumer to conduct a transaction using a portable consumer device associated with a payment account number;
  
  determining that the portable consumer device is enrolled in an authentication program that provides greater security for the consumer when the consumer conducts transactions using the portable consumer device, by contacting a directory server which sends a request to an access control server operated by an issuer of the payment account number to determine if the portable consumer device is enrolled in the authentication program and receives a response from the access control server;
  
  analyzing the transaction message to determine if the transaction is a specialized transaction, wherein the specialized transaction is a purchase transaction and involves a recurring payment, a micro-payment, or a one-step online payment;
  
  determining that the transaction is the specialized transaction;
  
  analyzing the transaction message to determine if a re-authentication event has not taken place by analyzing data in the transaction message against re-authentication events in a re-authentication event database;
  
  determining that the re-authentication event has taken place or has not taken place; and
  
  in response to determining that the re-authentication event has not taken place, initiating an authorization request message comprising the payment account number and an amount of the transaction to the issuer of the payment account number for approval, using the server computer, without sending a re-authentication message to the consumer.
- View Dependent Claims (10, 11)
- - 10. The server computer of claim 9 wherein the transaction is a first transaction, the request is a first request, the transaction message is a first transaction message, the authorization request message is a first authorization request message, and the re-authentication event is a first re-authentication event, and wherein the method further comprises:
    - receiving by the server computer, a second transaction message relating to a second request by the consumer to conduct a second transaction using the portable consumer device;
      
      determining, by the server computer, that the portable consumer device is enrolled in the authentication program;
      
      analyzing, by the server computer, the second transaction message to determine if the second transaction is another specialized transaction;
      
      determining that the second transaction is another specialized transaction;
      
      analyzing the second transaction message, using the server computer, to determine if a second re-authentication event has taken place or has not taken place;
      
      determining that the second re-authentication event has taken place; and
      
      in response to determining that the second re-authentication event has taken place, initiating, by the server computer, a re-authentication process with the consumer;
      
      determining, by the server computer, that the consumer is authentic; and
      
      in response to determining that the consumer is authentic, initiating a second authorization request message to the issuer, using the server computer.
  - 11. The server computer of claim 10 wherein the re-authentication process comprises sending, by the server computer and via the directory server, a first message to an access control server at the issuer, wherein the access control server thereafter sends a re-authentication request message to a client computer operated by the consumer and subsequently receives a password from the consumer via the client computer, and sends a second message to the server computer indicating that the consumer has been authenticated.

12. A system comprising:
- (a) a server computer comprising a non-transitory computer readable medium storing a computer program containing instructions thereon for instructing the server computer to perform the steps ofreceiving a transaction message relating to a request by a consumer to conduct a transaction using a portable consumer device associated with payment account number,determining that the portable consumer device is enrolled in an authentication program that provides greater security for the consumer when the consumer conducts transactions using the portable consumer device, by contacting a directory server which sends a request to an access control server operated by an issuer of the payment account number to determine if the portable consumer device is enrolled in the authentication program and receives a response from the access control server,analyzing the transaction message to determine if the transaction is a specialized transaction, wherein the specialized transaction is a purchase transaction and involves a recurring payment, a micro-payment, or a one-step online payment,determining that the transaction is the specialized transaction,analyzing the transaction message to determine if a re-authentication event has taken place or has not taken place by analyzing data in the transaction message against re-authentication events in a re-authentication event database,determining that the re-authentication event has not taken place, andin response to determining that the re-authentication event has not taken place, initiating an authorization request message comprising the payment account number and an amount of the transaction to the issuer of the payment account number for approval, using the server computer, without sending a re-authentication message to the consumer; and
  
  (b) a client computer coupled to the server computer.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12 further comprising:
    - (c) the directory server in communication with the server computer; and
      
      (d) an access control server coupled to the directory server.
  - 14. The system of claim 12 wherein the transaction is a first transaction, the request is a first request, the transaction message is a first transaction message, the authorization request message is a first authorization request message, the re-authentication event is a first re-authentication event, and wherein the instructions further comprise:
    - receiving by the server computer, a second transaction message relating to a second request by the consumer to conduct a second transaction using the portable consumer device;
      
      determining, by the server computer, that the portable consumer device is enrolled in the authentication program;
      
      analyzing, by the server computer, the second transaction message to determine if the second transaction is another specialized transaction;
      
      determining that the second transaction is another specialized transaction;
      
      analyzing the second transaction message, using the server computer, to determine if a second re-authentication event has taken place or has not taken place;
      
      determining that the second re-authentication event has taken place; and
      
      in response to determining that the second re-authentication event has taken place, initiating, by the server computer, a re-authentication process with the consumer;
      
      determining, by the server computer, that the consumer is authentic; and
      
      in response to determining that the consumer is authentic, initiating a second authorization request message to the issuer, using the server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa USA, Inc. (Visa, Inc.)
Original Assignee
Visa USA, Inc. (Visa, Inc.)
Inventors
Steele, Kim, Yakel, Mike, Weller, Kevin, Faith, Patrick, Van Deloo, Lori D.
Primary Examiner(s)
Marcus, Leland

Application Number

US11/935,740
Publication Number

US 20080120214A1
Time in Patent Office

4,263 Days
Field of Search

705 35- 45, 713183
US Class Current
CPC Class Codes

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

G06Q 30/06   Buying, selling or leasing ...

G06Q 40/00   Finance; Insurance; Tax str...

G07F 7/1008   Active credit-cards provide...

Adaptive authentication options

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive authentication options

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links