Account authentication service with chip card

US 9,864,993 B2
Filed: 04/06/2009
Issued: 01/09/2018
Est. Priority Date: 04/24/2000
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a cardholder during an online transaction for a requesting party, said method comprising:

receiving, at a trusted party access control server, a cardholder authentication request originating from a merchant computer said cardholder authentication request including a cardholder account identifier and being routed to the trusted party access control server from the merchant computer via the cardholder computer;

sending a chip authentication request from said trusted party access control server to said cardholder computer in response to receipt of the cardholder authentication request at the trusted party access control server;

receiving a chip authentication response from said cardholder computer at said access control server that includes a cryptogram and a cardholder authentication password, said cryptogram being generated by a chip card and application in communication with said cardholder computer;

generating a second cryptogram at said access control server and comparing said second cryptogram to said cryptogram;

determining, by said access control server, that said cardholder authentication password matches a stored password that corresponds to said cardholder account identifier based on a first comparison;

determining that said cryptograms match based on a second comparison; and

responsive to the first and second comparisons, sending, via said cardholder computer, a cardholder authentication response from said trusted party access control server to said merchant computer indicating that said chip card and said cardholder authentication password are authentic, whereby said access control server authenticates said cardholder for said requesting party during said online transaction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A payment authentication service authenticates the identity of a payer during online transactions. The authentication service of the present invention allows a card issuer to verify a cardholder'"'"'s identity using a variety of authentication methods, such as the use of passwords. Also, the only system participant requiring a certificate is the issuing financial institution. One embodiment of the invention for authenticating the identity of a cardholder during an online transaction involves querying an access control server to determine if a cardholder is enrolled in the payment authentication service, requests a password from the cardholder, verifies the password, and notifies a merchant whether the cardholder'"'"'s authenticity has been verified. In another aspect of the invention, a chip card and the authentication service independently generate cryptograms that must match in order for the service to verify that the correct chip card is being used by the cardholder.

127 Citations

17 Claims

1. A method of authenticating a cardholder during an online transaction for a requesting party, said method comprising:
- receiving, at a trusted party access control server, a cardholder authentication request originating from a merchant computer said cardholder authentication request including a cardholder account identifier and being routed to the trusted party access control server from the merchant computer via the cardholder computer;
  
  sending a chip authentication request from said trusted party access control server to said cardholder computer in response to receipt of the cardholder authentication request at the trusted party access control server;
  
  receiving a chip authentication response from said cardholder computer at said access control server that includes a cryptogram and a cardholder authentication password, said cryptogram being generated by a chip card and application in communication with said cardholder computer;
  
  generating a second cryptogram at said access control server and comparing said second cryptogram to said cryptogram;
  
  determining, by said access control server, that said cardholder authentication password matches a stored password that corresponds to said cardholder account identifier based on a first comparison;
  
  determining that said cryptograms match based on a second comparison; and
  
  responsive to the first and second comparisons, sending, via said cardholder computer, a cardholder authentication response from said trusted party access control server to said merchant computer indicating that said chip card and said cardholder authentication password are authentic, whereby said access control server authenticates said cardholder for said requesting party during said online transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1 further comprising:
    - receiving data specific to said chip card at said access control server from said cardholder computer; and
      
      wherein generating said second cryptogram comprises generating said second cryptogram using said data specific to said chip card.
  - 3. A method as recited in claim 1 wherein said cardholder authentication password is not a personal identification number (PIN) for use with an ATM or POS device.
  - 4. A method as recited in claim 1 wherein said online transaction is a payment transaction.
  - 5. A method as recited in claim 1 further comprising:
    - receiving a verify enrollment request from said merchant computer at said trusted party access control server with said cardholder account identifier; and
      
      sending a verify enrollment response from said trusted party access control server to said merchant computer indicating said cardholder account identifier is enrolled, said verify enrollment request and said verify enrollment response occurring before said step of receiving the cardholder authentication request originating from the merchant computer.
  - 6. A method as recited in claim 1 wherein said cardholder computer is a mobile telephone.
  - 7. A method as recited in claim 1 wherein the cardholder account identifier is a card account number registered in a payment service.
  - 8. The method of claim 1 wherein the cardholder authentication request is routed to the trusted party access control server from the merchant computer via the cardholder computer using a URL stored in a distributed payment authentication service (PAS) module of the cardholder computer.
  - 9. The method of claim 1 further comprising:
    - determining if the cardholder computer includes a chip card reader.
  - 10. The method of claim 9 further comprising:
    - receiving the chip card at the chip card reader.
  - 11. The method of claim 9 wherein the access control server is configured to end the online transaction when the cardholder computer does not include the chip card reader.
  - 12. The method of claim 9 wherein the cardholder authentication response comprises a cardholder authentication verification value, the cardholder authentication verification value informing the merchant that the cardholder is authenticated.
  - 13. The method of claim 12 wherein the cardholder computer comprises a display device, a PIN pad or a keyboard entry device, and a card reader.

14. An access control server comprising a processor and a non-transitory computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor for implementing a method comprisingreceiving, at the access control server, a cardholder authentication request originating from a merchant computer said cardholder authentication request including a cardholder account identifier and being routed to the access control server from the merchant computer via the cardholder computer;
- sending a chip authentication request from said access control server to said cardholder computer in response to receipt of the cardholder authentication request at the access control server;
  
  receiving a chip authentication response from said cardholder computer at said access control server that includes a cryptogram and a cardholder authentication password, said cryptogram being generated by a chip card and application in communication with said cardholder computer;
  
  generating a second cryptogram at said access control server and comparing said second cryptogram to said cryptogram;
  
  determining, by said access control server, that said cardholder authentication password matches a stored password that corresponds to said cardholder account identifier based on a first comparison;
  
  determining that said cryptograms match based on a second comparison; and
  
  responsive to the first and second comparisons, sending, via said cardholder computer, a cardholder authentication response from said access control server to said merchant computer indicating that said chip card and said cardholder authentication password are authentic, whereby said access control server authenticates said cardholder for a requesting party during an online transaction.
- View Dependent Claims (15, 16, 17)
- - 15. The access control server of claim 14 wherein the method further comprises:
    - receiving a verify enrollment request from said merchant computer at said access control server with said cardholder account identifier; and
      
      sending a verify enrollment response from said access control server to said merchant computer indicating said cardholder account identifier is enrolled, said verify enrollment request and said verify enrollment response occurring before said step of receiving the cardholder authentication request originating from the merchant computer.
  - 16. The access control server of claim 14 wherein the cardholder authentication response comprises a cardholder authentication verification value, the cardholder authentication verification value informing the merchant that the cardholder is authenticated.
  - 17. A system comprising:
    - the access control server of claim 14; and
      
      the cardholder computer in communication with the access control server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Weller, Kevin D., Ryan, Stephen W., Hill, Peter R., Manessis, Thomas J., Lewis, Tony D., Dominguez, Benedicto H., Bray, Peter, Reno, James Donald, Redford, Liane, Levy, Philippe, Hill, Trudy
Primary Examiner(s)
Hayes, John
Assistant Examiner(s)
HALE, TIM B

Application Number

US12/419,115
Publication Number

US 20100057619A1
Time in Patent Office

3,200 Days
Field of Search

705 30- 44, 705 64- 79
US Class Current
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/027   involving a payment switch ...

G06Q 20/04   Payment circuits

G06Q 20/0855   involving a third party

G06Q 20/12   specially adapted for elect...

G06Q 20/341   Active cards, i.e. cards in...

G06Q 20/355   Personalisation of cards fo...

G06Q 20/367   involving electronic purses...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4012   Verifying personal identifi...

G06Q 20/4014   Identity check for transact...

G07F 7/1008   Active credit-cards provide...

G07F 7/1016   Devices or methods for secu...

Account authentication service with chip card

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Account authentication service with chip card

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links