Online challenge-response

US 9,898,740 B2
Filed: 05/08/2014
Issued: 02/20/2018
Est. Priority Date: 11/06/2008
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a consumer conducting a transaction with a merchant, the method comprising:

sending, by a client computer, a transaction request to a merchant computer, the transaction request including information associated with an account being used to conduct the transaction, wherein the merchant computer is configured to send a request message to a server computer, wherein the server computer is configured to determine that an authentication challenge will be sent to the client computer based upon a risk determination that a risk threshold has been exceeded and is configured to determine that the authentication challenge will not be sent if the risk threshold is not exceeded;

receiving, by the client computer from the merchant computer, a uniform resource locator associated with the server computer to be utilized for a consumer authentication;

gathering and sending characteristics of the client computer to the server computer, wherein the risk determination is based upon characteristics of the transaction and the characteristics of the client computer;

sending, by the client computer using the uniform resource locator, a request to the server computer for the consumer authentication;

receiving, by the client computer, the authentication challenge from the server computer after the server computer determines that the risk threshold has been exceeded, wherein the authentication challenge is received using the uniform resource locator, and wherein the authentication challenge is dynamically generated by the server computer based on transaction history associated with the account;

sending, by the client computer, a challenge response to the server computer, wherein the server computer compares the challenge response to an expected response;

receiving, by the client computer from the server computer, a result of the consumer authentication; and

sending, by the client computer, the result of the consumer authentication to the merchant computer, wherein the merchant computer thereafter initiates authorization processing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention enable cardholders conducting an online transaction to be authenticated in real-time using a challenge-response application. The challenge-response application can be administered by an issuer or by a third party on-behalf-of an issuer. A challenge question can be presented to the cardholder, and the cardholder'"'"'s response can be verified. The challenge question presented can be selected based on an analysis of the risk of the transaction and potentially other factors. A variety of dynamic challenge questions can be used without the need for the cardholder to enroll into the program. Additionally, there are many flexible implementation options of the challenge-response application that can be adjusted based on factors such as the location of the merchant or the location of the consumer.

Citations

21 Claims

1. A method of authenticating a consumer conducting a transaction with a merchant, the method comprising:
- sending, by a client computer, a transaction request to a merchant computer, the transaction request including information associated with an account being used to conduct the transaction, wherein the merchant computer is configured to send a request message to a server computer, wherein the server computer is configured to determine that an authentication challenge will be sent to the client computer based upon a risk determination that a risk threshold has been exceeded and is configured to determine that the authentication challenge will not be sent if the risk threshold is not exceeded;
  
  receiving, by the client computer from the merchant computer, a uniform resource locator associated with the server computer to be utilized for a consumer authentication;
  
  gathering and sending characteristics of the client computer to the server computer, wherein the risk determination is based upon characteristics of the transaction and the characteristics of the client computer;
  
  sending, by the client computer using the uniform resource locator, a request to the server computer for the consumer authentication;
  
  receiving, by the client computer, the authentication challenge from the server computer after the server computer determines that the risk threshold has been exceeded, wherein the authentication challenge is received using the uniform resource locator, and wherein the authentication challenge is dynamically generated by the server computer based on transaction history associated with the account;
  
  sending, by the client computer, a challenge response to the server computer, wherein the server computer compares the challenge response to an expected response;
  
  receiving, by the client computer from the server computer, a result of the consumer authentication; and
  
  sending, by the client computer, the result of the consumer authentication to the merchant computer, wherein the merchant computer thereafter initiates authorization processing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20, 21)
- - 2. The method of claim 1, wherein the risk determination is a risk score.
  - 3. The method of claim 1 wherein the result of the consumer authentication is sent in a payer authentication response.
  - 4. The method of claim 1, wherein the merchant computer is configured to send the request message to the server computer via a directory server.
  - 5. The method of claim 1, wherein the transaction is a credit card transaction.
  - 6. The method of claim 1, further comprising:
    - sending information regarding the result of the consumer authentication to an authentication history server.
  - 7. The method of claim 1, wherein the authentication challenge comprises a password challenge.
  - 8. The method of claim 1, wherein authorization processing occurs through an acquirer.
  - 19. The method of claim 1, wherein the request that is sent from the client computer to the server computer for the consumer authentication includes at least one of an IP address associated with the client computer, a browser version associated with a browser in the client computer, and a browser language associated with the browser.
  - 20. The method of claim 1, wherein the request that is sent from the client computer to the server computer for the consumer authentication includes the characteristics of the client computer, and wherein the characteristics of the client computer include an IP address associated with the client computer, a browser version associated with a browser in the client computer, and a browser language associated with the browser.
  - 21. The method of claim 1, wherein sending the characteristics of the client computer to the server computer and sending the request to the server computer for the consumer authentication occur in a single message transmission.

9. A client computer comprising a processor and the computer readable medium coupled to the processor, the computer readable medium comprising code executable by the processor to implement a method comprising:
- sending, by the client computer, a transaction request to a merchant computer, the transaction request including information associated with an account being used to conduct the transaction, wherein the merchant computer is configured to send a request message to a server computer, wherein the server computer is configured to determine that an authentication challenge will be sent to the client computer based upon a risk determination that a risk threshold has been exceeded and is configured to determine that the authentication challenge will not be sent if the risk threshold is not exceeded;
  
  receiving, by the client computer from the merchant computer, a uniform resource locator associated with the server computer to be utilized for a consumer authentication;
  
  gathering and sending characteristics of the client computer to the server computer, wherein the risk determination is based upon characteristics of the transaction and the characteristics of the client computer;
  
  sending, by the client computer using the uniform resource locator, a request to the server computer for the consumer authentication;
  
  receiving, by the client computer, the authentication challenge from the server computer after the server computer determines that the risk threshold has been exceeded, wherein the authentication challenge is received using the uniform resource locator, and wherein the authentication challenge is dynamically generated by the server computer based on transaction history associated with the account;
  
  sending, by the client computer, a challenge response to the server computer, wherein the server computer compares the challenge response to an expected response;
  
  receiving, by the client computer from the server computer, a result of the consumer authentication; and
  
  sending, by the client computer, the result of the consumer authentication to the merchant computer, wherein the merchant computer thereafter initiates authorization processing.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The client computer of claim 9, wherein the risk determination is a risk score.
  - 11. The client computer of claim 9, wherein the result of the consumer authentication is sent in a payer authentication response.
  - 12. The client computer of claim 9, wherein the merchant computer is configured to send the request message to the server computer via a directory server.
  - 13. The client computer of claim 9, wherein the transaction is a credit card transaction.
  - 14. The client computer of claim 9, wherein the method further comprises:
    - sending information regarding the result of the consumer authentication to an authentication history server.
  - 15. The client computer of claim 9, wherein the authentication challenge comprises a password challenge.
  - 16. The client computer of claim 9, wherein authorization processing occurs through an acquirer.
  - 17. A system comprising:
    - the client computer of claim 9; and
      
      the server computer coupled to the client computer.
  - 18. The system of claim 17, further comprising the merchant computer coupled to the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Weller, Kevin, Steele, Kim, Koganti, Krishna, Faith, Patrick
Primary Examiner(s)
OYEBISI, OJO O

Application Number

US14/273,331
Publication Number

US 20140244511A1
Time in Patent Office

1,384 Days
Field of Search

705 39, 705 40, 705 44, 705 35
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

G06Q 20/12   specially adapted for elect...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4016   involving fraud or risk lev...

G06Q 20/405   Establishing or using trans...

G06Q 30/06   Buying, selling or leasing ...

G06Q 50/265   Personal security, identity...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3273   for mutual authentication n...

Online challenge-response

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Online challenge-response

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links