SYSTEMS AND METHODS FOR AUTHORIZING A TRANSACTION WITH AN UNEXPECTED CRYPTOGRAM

US 20130054474A1
Filed: 08/30/2012
Published: 02/28/2013
Est. Priority Date: 08/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for acquiring digital credential data by a point-of-sale terminal from a mobile device for authorization of a financial transaction comprising:

using a remote permanent cryptographic key to calculate an expected cryptogram that is expected to comprise at least a portion of the digital credential data, wherein the remote permanent cryptographic key is persistently stored at a remote source that is remote from the mobile device and wherein the mobile device does not access a duplicate local permanent cryptographic key persistently stored locally to the mobile device;

performing an interrogation between the point-of-sale terminal and the mobile device comprising;

sending through a communication channel at least one POS command communication from the point-of-sale terminal to the mobile device requesting the digital credential data; and

sending through the communication channel at least one device response communication from the mobile device to the point-of-sale terminal comprising the expected cryptogram as the at least a portion of the digital credential data;

wherein the financial transaction is authorized.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods are described for performing a timely authorization of digital credential data delivered from a mobile device that is without access to a local persistently stored permanent cryptographic key; through an interrogation with a point-of-sale that behaves according to the direction of a card specification; wherein the card specification expects the mobile device to create a cryptogram that is calculated, at least in part, using the permanent cryptographic key and, at least in part, from unpredictable data delivered from the point-of-sale to the mobile device during the interrogation.

527 Citations

29 Claims

1. A method for acquiring digital credential data by a point-of-sale terminal from a mobile device for authorization of a financial transaction comprising:
- using a remote permanent cryptographic key to calculate an expected cryptogram that is expected to comprise at least a portion of the digital credential data, wherein the remote permanent cryptographic key is persistently stored at a remote source that is remote from the mobile device and wherein the mobile device does not access a duplicate local permanent cryptographic key persistently stored locally to the mobile device;
  
  performing an interrogation between the point-of-sale terminal and the mobile device comprising;
  
  sending through a communication channel at least one POS command communication from the point-of-sale terminal to the mobile device requesting the digital credential data; and
  
  sending through the communication channel at least one device response communication from the mobile device to the point-of-sale terminal comprising the expected cryptogram as the at least a portion of the digital credential data;
  
  wherein the financial transaction is authorized.
- View Dependent Claims (2)
- - 2. The method of claim 1 further comprising a further step that precedes the performing the interrogation step, the further step comprising:
    - sending the remote permanent cryptographic key to the mobile device from the remote source; and
      
      transiently caching the remote permanent cryptographic key in the mobile device as a cached transient permanent cryptographic key;
      
      and wherein;
      
      the step of sending through the communication channel the at least one POS command communication comprises sending unpredictable data;
      
      the step of sending through the communication channel the at least one POS command communication comprises sending a request for an expected cryptogram that is expected to be calculated by the mobile device, at least in part, from the unpredictable data; and
      
      the step of sending through the communication channel the at least one device response communication from the mobile device to the point-of-sale terminal comprises sending the expected cryptogram calculated, at least in part, from the unpredictable data and, at least in part, from the cached transient cryptographic key.

3. A method for acquiring digital credential data by a point-of-sale terminal from a mobile device for authorization of a financial transaction comprising:
- performing an interrogation between the point-of-sale terminal and the mobile device comprising;
  
  sending through a communication channel at least one POS command communication from the point-of-sale terminal to the mobile device, the at least one POS command communication comprising (a) a request for the digital credential data that is expected to comprise an expected cryptogram that is expected to be calculated, at least in part, from unpredictable data, and, at least in part, from a permanent cryptographic key and (b) the unpredictable data; and
  
  sending through the communication channel at least one device response communication from the mobile device to the point-of-sale terminal, the at least one device response communication comprising at least a portion of the digital credential data that comprises an unexpected cryptogram, substituted in place of the expected cryptogram;
  
  wherein the financial transaction is authorized.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 4. The method of claim 3, wherein the unpredictable data comprises an unpredictable number.
  - 5. The method of claim 3, wherein the unpredictable data comprises a transaction amount.
  - 6. The method of claim 3 further comprising a mobile device preparation step that precedes the performing an interrogation step, the mobile device preparation step comprising sending critical data from a remote source to a mobile device, wherein the critical data comprises data used to formulate at least a portion of the digital credential data as a local portion of the digital credential data.
  - 7. The method of claim 6 wherein the local portion of the digital credential data comprises a predetermined cryptogram, which is calculated without the use of the unpredictable data, as the unexpected cryptogram.
  - 8. The method of claim 6 wherein the mobile device preparation step further comprises:
    - creating remote unpredictable data in a remote application system wherein the remote application system is the remote source;
      
      sending the remote unpredictable data from application system to an HSM;
      
      calculating a predetermined cryptogram in the HSM;
      
      sending the predetermined cryptogram from the HSM to the remote application system;
      
      sending at least a portion of the predetermined cryptogram from the remote application system to the mobile device as a portion of the critical data; and
      
      whereinthe local portion of the digital credential data comprises the predetermined cryptogram as the unexpected cryptogram.
  - 9. The method of claim 6 wherein the mobile device preparation step further comprises:
    - creating a predetermined cryptogram, which is calculated without the use of the unpredictable data, in a remote application system wherein the remote application system as the remote source;
      
      sending at least a portion the predetermined cryptogram from the remote application system to the mobile device as a portion of the critical data; and
      
      whereinthe local portion of the digital credential data comprises the predetermined cryptogram as the unexpected cryptogram.
  - 10. The method of claim 6 wherein the critical data comprises a set of possible predetermined cryptograms;
    - and the method further comprises a logical step of logically determining, in the mobile device, which of the possible predetermined cryptograms within the set of predetermined cryptograms to designate as the unexpected cryptogram;
      
      wherein the logical step is based, at least in part, on the unpredictable data; and
      
      wherein the local portion of the digital credential data comprises the designated predetermined cryptogram as the unexpected cryptogram.
  - 11. The method of claim 6 wherein the critical data comprises a set of possible predetermined cryptograms and card risk management data;
    - and the method further comprises a logical step of logically determining, in the mobile device, which of the possible predetermined cryptograms within the set of possible predetermined cryptograms to designate as the unexpected cryptogram;
      
      wherein the logical step of is based, at least in part, on the unpredictable data or based, at least in part, on the card risk management data; and
      
      wherein the local portion of the digital credential data comprises the designated predetermined cryptogram as the unexpected cryptogram.
  - 12. The method of claim 6 wherein the mobile device preparation step further comprises transiently storing at least a portion of the critical data on the mobile device, wherein the mobile device does not persistently store the at least a portion of critical data.
  - 13. The method of claim 6 wherein the local portion of the digital credential data comprises an unpredictable cryptogram as the unexpected cryptogram, wherein the unpredictable cryptogram is calculated, at least in part, using a temporary cryptographic key.
  - 14. The method of claim 6 wherein the mobile device preparation step further comprises:
    - creating a temporary cryptographic key in a remote application system wherein the remote application system is the remote source;
      
      sending at least a portion of the temporary cryptographic key from the remote application system to the mobile device as a portion of the critical data; and
      
      whereinthe local portion of the digital credential data comprises an unpredictable cryptogram as the unexpected cryptogram, wherein the unpredictable cryptogram is calculated, at least in part, using the temporary cryptographic key.
  - 15. The method of claim 6 wherein the critical data comprises a temporary cryptographic key;
    - and the method further comprises a step of calculating at least one local unpredictable cryptogram that is calculated, in at least part, using the temporary cryptographic key, and, in at least part, using a calculation formula determined from a set of calculation formulas; and
      
      the method further comprises a logical step of logically determining, in the mobile device, which local unpredictable cryptogram to designate as the unpredictable cryptogram;
      
      wherein the step of logically determining a decision is made based, at least in part, on the unpredictable data; and
      
      wherein the local portion of the digital credential data comprises the designated local unpredictable cryptogram as the unexpected cryptogram.
  - 16. The method of claim 6 wherein the critical data comprises a temporary cryptographic key and card risk management data;
    - and the method further comprises a step of calculating at least one local unpredictable cryptogram that is calculated, in at least part, using the temporary cryptographic key, and, in at least part, using a calculation formula determined from a set of calculation formulas; and
      
      the method further comprises a logical step of logically determining, in the mobile device, which local unpredictable cryptogram to designate as the unpredictable cryptogram;
      
      wherein the logical step is made based, at least in part, on the unpredictable data or based, at least in part, on the card risk management data; and
      
      wherein the local portion of the digital credential data comprises the designated local unpredictable cryptogram as the unexpected cryptogram.
  - 17. The method of claim 3 further comprising:
    - creating a predetermined cryptogram on the mobile device as the unexpected cryptogram;
      
      wherein the predetermined cryptogram is calculated without the use of the unpredictable data; and
      
      sending at least a portion of the predetermined cryptogram from the mobile device to a remote application system.
  - 18. The method of claim 3 further comprising:
    - creating a temporary cryptographic key on the mobile device;
      
      wherein the temporary cryptographic key is used to calculate, at least in part, an unpredictable cryptogram as the unexpected cryptogram;
      
      sending at least a portion of the unpredictable cryptogram from the mobile device to a remote application system.
  - 19. The method of claim 3 further comprising an authorizing step that follows the step of performing the interrogation, the authorizing step comprising:
    - sending an authorization request comprising the unpredictable data and the unexpected cryptogram from the point-of-sale terminal to a remote application system, wherein the unexpected cryptogram comprises a predetermined cryptogram;
      
      verifying a correctness of the predetermined cryptogram by the application system (a) by comparing the predetermined cryptogram with a previously stored reference predetermined cryptogram and (b) without reference to the unpredictable data from the point-of-sale terminal; and
      
      sending an authorization response from the remote application system to the point-of-sale wherein data contained in the authorization response is determined, at least in part, by the verifying of the correctness of the predetermined cryptogram.
  - 20. The method of claim 3 further comprising an authorizing step that follows the step of performing the interrogation, the authorizing step comprising:
    - sending an authorization request comprising the unpredictable data and the unexpected cryptogram from the point-of-sale terminal to a remote application system, wherein the unexpected cryptogram comprises an unpredictable cryptogram;
      
      verifying a correctness of the unpredictable cryptogram by the application system wherein the unpredictable cryptogram is compared with a result of an unpredictable cryptogram calculation;
      
      wherein the unpredictable cryptogram calculation is calculated using, at least in part, a temporary cryptographic key; and
      
      sending an authorization response from the remote application system to the point-of-sale wherein data contained in the authorization response is determined, at least in part, by the verifying of the correctness of the unpredictable cryptogram.
  - 21. The method of claim 3 further comprising a corroborative authorizing step that follows the step of performing the interrogation, the corroborative authorizing step comprising:
    - sending through a second communication channel an authorization request comprising the unpredictable data and the unexpected cryptogram from the point-of-sale terminal to a remote application system;
      
      sending through a third communication channel the unpredictable data from the mobile device to the remote application system;
      
      verifying a correctness of the unexpected cryptogram in the remote application system;
      
      verifying a correctness of the unpredictable data in the remote application system by comparing the unpredictable data sent through the second communication channel with the unpredictable data sent through the third communication channel;
      
      sending through the second communication channel an authorization response from the remote application system to the point-of-sale terminal wherein data contained in the authorization response is determined, at least in part, by the verifying of the correctness of the unpredictable data and, at least in part, by the verifying of the correctness of the unexpected cryptogram.
  - 22. The method of claim 21 further comprising a verifying a transaction amount step that follows the step of performing an interrogation and precedes the corroborative authorizing step, the verifying a transaction amount step comprising:
    - displaying transaction amount data to a display on the mobile device wherein the transaction amount data is at least a portion of the unpredictable data;
      
      requesting verification of the transaction amount data from a card holder by the mobile device display screen;
      
      sending the result of the requesting verification of the transaction amount data to a remote application system as input transaction amount data; and
      
      wherein the corroborative authorizing step comprises determining, at least in part, an accuracy of the result of the verification step by using the input of the transaction amount data.
  - 23. The method of claim 3, further comprising an authorizing step that follows the step of performing an interrogation, the authorizing step comprising:
    - sending an authorization request comprising the unpredictable data and the unexpected cryptogram from the point-of-sale terminal to a remote application system, wherein the unexpected cryptogram comprises a predetermined cryptogram;
      
      verifying a correctness of the predetermined cryptogram wherein the unpredictable data from the point-of sale (a) is substituted by the application system with a previously created unpredictable data that was previously used to calculate the predetermined cryptogram; and
      
      subsequently (b) is sent with the predetermined cryptogram to the HSM for cryptogram correctness verification; and
      
      sending an authorization response from the remote application system to the point-of-sale terminal wherein data contained in the authorization response is determined, at least in part, by the verifying of the correctness of the predetermined cryptogram.
  - 24. The method of claim 3, further comprising an authorizing step that follows the step of performing an interrogation, the authorizing step comprising sending the unpredictable data from the mobile device to a remote application system.
  - 25. The method of claim 3 wherein the POS command communication conforms to ISO7816-4 data protocol and the device response communication conforms to ISO7816-4 data protocol.
  - 26. The method of claim 3 wherein the communication channel comprises a near-field communication channel.
  - 27. The method of claim 3 wherein the mobile device does not access a local persistently stored permanent cryptographic key that is expected to be used to calculate the expected cryptogram wherein the expected cryptogram is expected to be contained within the at least a portion of the digital credential.

28. A method for acquiring digital credential data by a point-of-sale terminal from a secure mobile device for authorization of a financial transaction comprising:
- performing an interrogation between the point-of-sale terminal and the secure mobile device comprising;
  
  sending through a communication channel at least one POS command communication from the point-of-sale terminal to the secure mobile device, the at least one POS command communication comprising (a) a request for the digital credential data that is expected to comprise an expected cryptogram that is expected to be calculated, at least in part, from unpredictable data, and, at least in part, from a permanent cryptographic key and (b) the unpredictable data; and
  
  sending through the communication channel at least one device response communication from the secure mobile device to the point-of-sale terminal, the at least one device response communication comprising at least a portion of the digital credential data that comprises the expected cryptogram;
  
  in a step that follows the step of performing an interrogation, a secure mobile device transmitting step comprising sending over a second communication channel the unpredictable data from the secure mobile device to a remote application system;
  
  in a step that follows the step of performing an interrogation, a point-of-sale terminal transmitting step comprising sending over a third communication channel an authorization request from the point of sale terminal to the remote application system, the authorization request comprising the expected cryptogram and the unpredictable data;
  
  in a step that follows the secure mobile device transmitting step and the point-of-sale terminal transmitting step, a corroborative authorizing step comprising;
  
  verifying a correctness of the expected cryptogram by the application system;
  
  verifying a correctness of the unpredictable data by the application system by comparing the unpredictable data sent over the second communication channel with the unpredictable data sent over the third communication channel; and
  
  sending through the third communication channel an authorization response from the remote application system to the point-of-sale terminal wherein data contained in the authorization response is determined, at least in part, by the verifying of the correctness of the unpredictable data and at least in part by the verifying of the correctness of the expected cryptogram;
  
  wherein the financial transaction is authorized.
- View Dependent Claims (29)
- - 29. The method of claim 28 further comprising a verifying step that follows the step of performing an interrogation and precedes the corroborative authorizing step, the verifying step comprising:
    - displaying transaction amount data to the secure mobile device display screen wherein the transaction amount data is comprised within the unpredictable data;
      
      requesting verification of the transaction amount data from a card holder by the secure mobile device display screen;
      
      sending the result of the requesting verification of the transaction amount data to a remote application system as input of the transaction amount data; and
      
      wherein the corroborative authorizing step comprises determining, at least in part, the correctness of the result of the verification step by using the input of the transaction amount data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OV Loop, Inc.
Original Assignee
Yeager C. Douglas
Inventors
YEAGER, C. Douglas

Granted Patent

US 10,032,171 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/71
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/3223   Realising banking transacti...

G06Q 20/326   Payment applications instal...

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/382   insuring higher security of...

G06Q 20/385   using an alias or single-us...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/40975   using encryption therefor

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

SYSTEMS AND METHODS FOR AUTHORIZING A TRANSACTION WITH AN UNEXPECTED CRYPTOGRAM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

527 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR AUTHORIZING A TRANSACTION WITH AN UNEXPECTED CRYPTOGRAM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

527 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links