Token provisioning utilizing a secure authentication system

US 10,491,389 B2
Filed: 07/14/2017
Issued: 11/26/2019
Est. Priority Date: 07/14/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a resource provider computer associated with a resource provider, transaction data corresponding to a transaction associated with a user, each portion of the transaction data being different from a token;

transmitting, by the resource provider computer to a directory server computer, an authentication request message including the transaction data and a token request indicator, wherein the directory server computer subsequently transmits the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate the user, generate a verification value representing the authentication, and transmit an authentication response message comprising the verification value to the directory server computer;

receiving, by the resource provider computer from the directory server computer, the authentication response message comprising the verification value and a new token, wherein the new token is provisioned by a token provider computer and obtained by the directory server computer from the token provider computer based at least in part on inclusion of the token request indicator in the authentication request message, and wherein provisioning the new token comprises generating the new token and generating an association between the new token and a portion of the transaction data;

transmitting, by the resource provider computer to the directory server computer, a cryptogram request message associated with the token, wherein receipt of the cryptogram request message causes the directory server computer to;

transmit the cryptogram request message to the token provider computer; and

receive a cryptogram response message comprising a cryptogram associated with the token from the token provider computer; and

receiving, by the resource provider computer, the cryptogram response message comprising the cryptogram associated with the token, the cryptogram being associated with one or more token restrictions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of the invention are directed to provisioning a token by a secure authentication system. A user may initiate a transaction that causes a resource provider computer to transmit an authentication request message to a directory server computer. The directory server computer may transmit the authentication request message to an access control server computer for authentication. Subsequent to receiving the authentication request message, the directory server computer may request a token for the transaction from a token provider computer. If authentication is successful, the token may be included in an authentication response message transmitted by the directory server computer to the resource provider computer. The token may then be utilized by the resource provider computer in lieu of sensitive user information for any suitable purpose. In some embodiments, user-specific-data provided by the access control server computer may be included in the authentication response message.

535 Citations

17 Claims

1. A computer-implemented method, comprising:
- receiving, by a resource provider computer associated with a resource provider, transaction data corresponding to a transaction associated with a user, each portion of the transaction data being different from a token;
  
  transmitting, by the resource provider computer to a directory server computer, an authentication request message including the transaction data and a token request indicator, wherein the directory server computer subsequently transmits the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate the user, generate a verification value representing the authentication, and transmit an authentication response message comprising the verification value to the directory server computer;
  
  receiving, by the resource provider computer from the directory server computer, the authentication response message comprising the verification value and a new token, wherein the new token is provisioned by a token provider computer and obtained by the directory server computer from the token provider computer based at least in part on inclusion of the token request indicator in the authentication request message, and wherein provisioning the new token comprises generating the new token and generating an association between the new token and a portion of the transaction data;
  
  transmitting, by the resource provider computer to the directory server computer, a cryptogram request message associated with the token, wherein receipt of the cryptogram request message causes the directory server computer to;
  
  transmit the cryptogram request message to the token provider computer; and
  
  receive a cryptogram response message comprising a cryptogram associated with the token from the token provider computer; and
  
  receiving, by the resource provider computer, the cryptogram response message comprising the cryptogram associated with the token, the cryptogram being associated with one or more token restrictions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising:
    - generating, by the resource provider computer, an authorization request message comprising the token; and
      
      transmitting, by the resource provider computer, the authorization request message comprising the token to an authorization entity computer for the transaction.
  - 3. The computer-implemented method of claim 1, wherein the receipt of the cryptogram request message associated with the token further causes the directory server computer to:
    - transmit a data request message to the access control server computer; and
      
      receive, from the access control server computer, a data response message comprising user-specific data associated with the user, wherein the authentication response message received from the directory server computer further comprises the user-specific data received from the access control server computer.
  - 4. The computer-implemented method of claim 1, wherein receipt of the authentication request message further causes the access control server computer to provide user-specific data associated with the user within the authentication response message transmitted to the directory server computer.
  - 5. The computer-implemented method of claim 4, wherein the user-specific data comprises at least one of:
    - a billing address, a phone number, an electronic mail address, an account identifier, or transaction device data associated with the user.
  - 6. The computer-implemented method of claim 1, wherein the authentication response message further comprises the cryptogram associated with the new token.

7. A resource provider computer, comprising:
- a hardware processor, anda non-transitory computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method comprising;
  
  receiving transaction data corresponding to a transaction associated with a user, the transaction data being different from a token;
  
  transmitting, to a directory server computer, an authentication request message including the transaction data and a token request indicator, wherein the directory server computer subsequently transmits the authentication request message to an access control server computer associated with an authorizing entity, wherein receipt of the authentication request message causes the access control server computer to authenticate the user, generate a verification value representing the authentication, and transmit an authentication response message comprising the verification value to the directory server computer;
  
  receiving, from the directory server computer, the authentication response message comprising the verification value and a new token, wherein the new token is provisioned by a token provider computer and obtained by the directory server computer from the token provider computer based at least in part on inclusion of the token request indicator in the authentication request message, and wherein provisioning the new token comprises generating the new token and generating an association between the new token and a portion of the transaction data;
  
  transmitting, to the directory server computer, a cryptogram request message associated with the token, wherein receipt of the cryptogram request message causes the directory server computer to;
  
  transmit the cryptogram request message to the token provider computer; and
  
  receive a cryptogram response message comprising a cryptogram associated with the token from the token provider computer; and
  
  receiving the cryptogram response message comprising the cryptogram associated with the token, the cryptogram being associated with one or more token restrictions.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The resource provider computer of claim 7, the method further comprising:
    - generating an authorization request message comprising the token; and
      
      transmitting the authorization request message comprising the token to an authorization entity computer for the transaction.
  - 9. The resource provider computer of claim 7, wherein the receipt of the cryptogram request message associated with the token further causes the directory server computer to:
    - transmit a data request message to the access control server computer; and
      
      receive, from the access control server computer, a data response message comprising user-specific data associated with the user.
  - 10. The resource provider computer of claim 9, wherein the authentication response message received from the directory server computer further comprises the user-specific data received from the access control server computer.
  - 11. The resource provider computer of claim 7, wherein receipt of the authentication request message further causes the access control server computer to provide user-specific data associated with the user within the authentication response message transmitted to the directory server computer.
  - 12. The resource provider computer of claim 11, wherein the user-specific data comprises at least one of:
    - a billing address, a phone number, an electronic mail address, an account identifier, or transaction device data associated with the user.

13. A directory server computer, comprising:
- a hardware processor, anda non-transitory computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method comprising;
  
  receiving, from a resource provider computer, an authentication request message comprising transaction data for a transaction between a user and a resource provider and a token request indicator, the transaction data being different from a token;
  
  sending the authentication request message to an access control server computer at an issuer, wherein receipt of the authentication request message causes the access control server computer authenticate the user, generate a verification value representing the authentication, and transmit an authentication response message comprising the verification value to the directory server computer;
  
  receiving, by the directory server computer from the access control server computer, the authentication response message;
  
  transmitting, to a token provider computer, a token request message based at least in part on receiving the token request indicator in the authentication request message, the token request message including at least a portion of the transaction data, wherein receipt of the token request message causes the token provider computer to generate a new token corresponding to the transaction and an association between the new token and a portion of the transaction data;
  
  receiving, from the token provider computer, the new token corresponding to the transaction; and
  
  transmitting, to the resource provider computer, the authentication response message comprising the new token;
  
  receiving, from the resource provider computer, a cryptogram request message associated with the new token, wherein receipt of the cryptogram request message causes the directory server computer to transmit the cryptogram request message to the token provider computer and receive a cryptogram response message comprising a cryptogram associated with the new token from the token provider computer; and
  
  transmitting, to the resource provider computer, the cryptogram response message comprising the cryptogram associated with the new token, the cryptogram being associated with one or more token restrictions.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The directory server computer of claim 13, wherein the method further comprises:
    - transmitting a data request message to the access control server computer; and
      
      receiving, from the access control server computer, a data response message comprising user-specific data associated with the user.
  - 15. The directory server computer of claim 14, wherein the authentication response message transmitted by the directory server computer further comprises the user-specific data received from the access control server computer.
  - 16. The directory server computer of claim 13, wherein receipt of the authentication request message further causes the access control server computer to provide user-specific data associated with the user within the authentication response message received by the directory server computer.
  - 17. The directory server computer of claim 16, wherein the user-specific data comprises at least one of:
    - a billing address, a phone number, an electronic mail address, an account identifier, or transaction device data associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Girish, Aparna Krishnan, Bansal, Parveen
Primary Examiner(s)
Tran, Tri M

Application Number

US15/649,923
Publication Number

US 20190020478A1
Time in Patent Office

865 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 9/08   Key distribution or managem...

H04L 9/30   Public key, i.e. encryption...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3231   Biological data, e.g. finge...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Token provisioning utilizing a secure authentication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

535 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Token provisioning utilizing a secure authentication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

535 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links