Securing external systems with account token substitution

US 9,342,832 B2
Filed: 08/12/2011
Issued: 05/17/2016
Est. Priority Date: 08/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a tokenization server, a registration request message from a merchant computer;

assigning, by the tokenization server, a merchant verification value and a token derivation key to a merchant associated with the merchant computer;

storing, by the tokenization server, the token derivation key and the merchant verification value in a database;

receiving, by the tokenization server, an authorization request message for a transaction that includes an account identifier and the merchant verification value, wherein the authorization request message is sent by the merchant computer;

sending, by the tokenization server, the authorization request message to an issuer computer for authorization of the transaction;

receiving, by the tokenization server from the issuer computer, an authorization response message indicating whether the transaction has been authorized by the issuer computer;

retrieving, by the tokenization server, the token derivation key using the merchant verification value included in the authorization request message from the database;

generating, by the tokenization server, an account token using the token derivation key by encrypting the account identifier using the token derivation key;

inserting, by the tokenization server, the account token in the authorization response message received from the issuer computer; and

sending, by the tokenization server, the authorization response message including the account token to the merchant computer, wherein the token derivation key is available only to the tokenization server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, apparatuses, and methods for providing an account token to an external entity during the lifecycle of a payment transaction. In some embodiments, an external entity may be a merchant computer requesting authorization of a payment message. In other embodiments, the external entity may be a support computer providing a payment processing network or a merchant support functions.

93 Citations

View as Search Results

21 Claims

1. A method comprising:
- receiving, by a tokenization server, a registration request message from a merchant computer;
  
  assigning, by the tokenization server, a merchant verification value and a token derivation key to a merchant associated with the merchant computer;
  
  storing, by the tokenization server, the token derivation key and the merchant verification value in a database;
  
  receiving, by the tokenization server, an authorization request message for a transaction that includes an account identifier and the merchant verification value, wherein the authorization request message is sent by the merchant computer;
  
  sending, by the tokenization server, the authorization request message to an issuer computer for authorization of the transaction;
  
  receiving, by the tokenization server from the issuer computer, an authorization response message indicating whether the transaction has been authorized by the issuer computer;
  
  retrieving, by the tokenization server, the token derivation key using the merchant verification value included in the authorization request message from the database;
  
  generating, by the tokenization server, an account token using the token derivation key by encrypting the account identifier using the token derivation key;
  
  inserting, by the tokenization server, the account token in the authorization response message received from the issuer computer; and
  
  sending, by the tokenization server, the authorization response message including the account token to the merchant computer, wherein the token derivation key is available only to the tokenization server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein a reverse tokenization key usable to generate the account identifier from the account token is stored on the tokenization server.
  - 3. The method of claim 1, further comprising:
    - assigning a token derivation key index to the token derivation key; and
      
      inserting the token derivation key index in the authorization response message before the authorization response message is sent to the merchant computer.
  - 4. The method of claim 3, further comprising:
    - assigning a different token derivation key to the merchant associated with the merchant computer; and
      
      assigning a different derivation key index to the different token derivation key.
  - 5. The method of claim 3 wherein the token derivation key index is an incremental index.
  - 6. The method of claim 3 wherein the token derivation key index is a hidden index.
  - 7. The method of claim 1, further comprising:
    - generating, by the tokenization server, a reverse tokenization key using the merchant verification value;
      
      receiving an account identifier request from the merchant computer, wherein the account identifier request includes the account token;
      
      determining, by the tokenization server, the account identifier using the reverse tokenization key and the account token; and
      
      sending the account identifier to the merchant computer.
  - 8. The method of claim 1 wherein the account token is generated by applying the account identifier to an encryption or hash function using the token derivation key as a parameter.
  - 9. The method of claim 1 wherein the token derivation key is a key for a symmetric encryption algorithm, and wherein generating the account token further comprises applying the symmetric encryption algorithm to the account identifier.
  - 10. The method of claim 1 wherein the authorization response message includes a bitmap field, and wherein a bit in the bitmap field is set by the tokenization server upon inserting the account token in the authorization response message.
  - 11. The method of claim 1 wherein the authorization response message includes a field tag that identifies a field in the authorization response message containing the account token.
  - 12. The method of claim 1, further comprising:
    - receiving, from a merchant support system server, a normalization request message, wherein the normalization request message includes the merchant verification value and the account token, and wherein the merchant support system server is associated with a merchant support system;
      
      generating, by the tokenization server, the account identifier from the account token;
      
      selecting a token derivation key assigned to the merchant support system;
      
      generating, by the tokenization server, a normalized account token using the token derivation key assigned to the merchant support system; and
      
      sending the normalized account token to the merchant support system server.
  - 13. The method of claim 12 wherein the normalization request message further includes a support system verification value that is used to select the token derivation key assigned to the merchant support system.
  - 14. The method of claim 12 wherein the merchant support system is associated with a fraud scoring service that provides a fraud score for the transaction.
  - 15. The method of claim 12 wherein the merchant support system is associated with an alert service that transmits an alert to a mobile device of an account holder.

16. A server computer comprising:
- a processor anda non-transitory computer-readable storage medium coupled to the processor, the computer readable storage medium comprising code that, when executed by the processor, causes the processor to perform a method comprising;
  
  receiving a registration request message from a merchant computer;
  
  assigning a merchant verification value and a token derivation key to a merchant associated with the merchant computer;
  
  storing the token derivation key and the merchant verification value in a database;
  
  receiving an authorization request message for a transaction that includes an account identifier and the merchant verification value, wherein the authorization request message is sent by the merchant computer;
  
  sending the authorization request message to an issuer computer for authorization of the transaction;
  
  receiving, from the issuer computer, an authorization response message indicating whether the transaction has been authorized by the issuer computer;
  
  retrieving the token derivation key using the merchant verification value included in the authorization request message from the database;
  
  generating an account token using the token derivation key by encrypting the account identifier using the token derivation key;
  
  inserting the account token in the authorization response message received from the issuer computer; and
  
  sending the authorization response message including the account token to the merchant computer, wherein the token derivation key is available only to the server computer.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The server computer of claim 16 wherein a reverse tokenization key usable to generate the account identifier from the account token is stored on the server computer.
  - 18. The server computer of claim 16, wherein the method further comprises:
    - assigning a token derivation key index to the token derivation key; and
      
      inserting the token derivation key index in the authorization response message before the authorization response message is sent to the merchant computer.
  - 19. The server computer of claim 18, wherein the method further comprises:
    - assigning a different token derivation key to the merchant associated with the merchant computer; and
      
      assigning a different derivation key index to the different token derivation key.
  - 20. The method of claim 19, further comprising:
    - determining that the token derivation key has been compromised prior to assigning the different token derivation key to the merchant.

21. A non-transitory computer readable medium storing computer instructions when executed by a processor of a server causes the processor to perform a method comprising:
- receiving a registration request message from a merchant computer;
  
  assigning a merchant verification value and a token derivation key to a merchant associated with the merchant computer;
  
  storing the token derivation key and the merchant verification value in a database;
  
  receiving an authorization request message for a transaction that includes an account identifier and the merchant verification value, wherein the authorization request message is sent by the merchant computer;
  
  sending the authorization request message to an issuer computer for authorization of the transaction;
  
  receiving, from the issuer computer, an authorization response message indicating whether the transaction has been authorized by the issuer computer;
  
  retrieving the token derivation key using the merchant verification value included in the authorization request message from the database;
  
  generating an account token using the token derivation key by encrypting the account identifier using the token derivation key;
  
  inserting the account token in the authorization response message received from the issuer computer; and
  
  sending the authorization response message including the account token to the merchant computer, wherein the token derivation key is available only to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Basu, Gourab, Mori, Michael, Sakata, Ross, Cracknell, Steve, Yee, Millie, Carlson, Mark, Stan, Patrick, Keshan, Surendra, Katzin, Edward
Primary Examiner(s)
KIM, STEVEN S

Application Number

US13/208,733
Publication Number

US 20120041881A1
Time in Patent Office

1,740 Days
Field of Search

705/67, 705/17, 705/44, 705/64, 705/71, 705/78
US Class Current

1/1
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/12   specially adapted for elect...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/3672   initialising or reloading t...

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/38215   Use of certificates or encr...

G06Q 20/385   using an alias or single-us...

G06Q 20/4016   involving fraud or risk lev...

G06Q 2220/00   Business processing using c...

Securing external systems with account token substitution

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Securing external systems with account token substitution

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links