Systems and methods for secure detokenization

US 9,780,953 B2
Filed: 07/22/2015
Issued: 10/03/2017
Est. Priority Date: 07/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a second token provider computer, from a requestor computer, a de-tokenization request comprising a requestor certificate and a second token generated by the second token provider computer, the requestor certificate including a requestor public key;

determining, by the second token provider computer, a first token associated with the second token, wherein the first token was generated by a first token provider computer;

replacing, by the second token provider computer, the second token with the first token in the de-tokenization request; and

forwarding, by the second token provider computer, the de-tokenization request with the requestor certificate and the first token to the first token provider computer, wherein the first token provider computer returns a credential associated with the first token to the requestor computer, wherein the credential returned to the requestor computer is encrypted using the requestor public key, and wherein the requestor certificate indicates that the requestor computer is authorized to receive the credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for requesting a credential associated with token in a multiple token layer environment is disclosed. A tokenization certificate serves to validate the identity of a credential requestor and provide information about the requestor'"'"'s authorization for de-tokenizing a token. Also, a public key in the tokenization certificate is used to encrypt the credential for secure transmission to the requestor.

658 Citations

22 Claims

1. A method comprising:
- receiving, by a second token provider computer, from a requestor computer, a de-tokenization request comprising a requestor certificate and a second token generated by the second token provider computer, the requestor certificate including a requestor public key;
  
  determining, by the second token provider computer, a first token associated with the second token, wherein the first token was generated by a first token provider computer;
  
  replacing, by the second token provider computer, the second token with the first token in the de-tokenization request; and
  
  forwarding, by the second token provider computer, the de-tokenization request with the requestor certificate and the first token to the first token provider computer, wherein the first token provider computer returns a credential associated with the first token to the requestor computer, wherein the credential returned to the requestor computer is encrypted using the requestor public key, and wherein the requestor certificate indicates that the requestor computer is authorized to receive the credential.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the requestor certificate is a PKI certificate.
  - 3. The method of claim 1, wherein the first token is a first payment token, and wherein the second token is a second payment token.
  - 4. The method of claim 1, further comprising:
    - receiving, at the second token provider computer, a de-tokenization response from the first token provider computer, the de-tokenization response including the encrypted credential; and
      
      forwarding, by the second token provider computer, the de-tokenization response to the requestor computer.
  - 5. The method of claim 1, further comprising:
    - determining, by the second token provider computer, based on the requestor certificate, that the requestor computer is authorized to de-tokenize the second token.

6. A second token provider computer comprising:
- a processor; and
  
  a computer readable medium, the computer readable medium comprising code, executable by the processor, for implementing a method comprising;
  
  receiving from a requestor computer, a de-tokenization request comprising a requestor certificate and a second token generated by the second token provider computer, the requestor certificate including a requestor public key;
  
  determining a first token associated with the second token, wherein the first token was generated by a first token provider computer;
  
  replacing the second token with the first token in the requestor certificate; and
  
  forwarding the de-tokenization request to the first token provider computer, wherein the first token provider computer returns a credential associated with the first token to the requestor computer, wherein the credential returned to the requestor computer is encrypted using the requestor public key, and wherein the requestor certificate indicates that the requestor is authorized to receive the credential.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The second token provider computer of claim 6, wherein the requestor certificate is a PKI certificate.
  - 8. The second token provider computer of claim 6, wherein the first token is a first payment token, and wherein the second token is a second payment token.
  - 9. The second token provider computer of claim 6, wherein the method further comprises:
    - receiving a de-tokenization response from the first token provider computer, the de-tokenization response including the encrypted credential; and
      
      forwarding the de-tokenization response to the requestor computer.
  - 10. The second token provider computer of claim 6, wherein the method further comprises:
    - determining, by the second token provider computer, based on the requestor certificate, that the requestor computer is authorized to de-tokenize the second token.

11. A method comprising:
- receiving, by a first token provider computer, from a second token provider computer, a de-tokenization request comprising a first token generated by the first token provider computer and a requestor certificate associated with a requestor computer, wherein the de-tokenization request originated from the requestor computer, and wherein the second token provider computer replaced a second token with the first token in the de-tokenization request;
  
  determining, by the first token provider computer, a credential associated with the first token;
  
  determining, by the first token provider computer, that the requestor computer is authorized to receive the credential;
  
  encrypting, by the first token provider computer, the credential with a public key included in the requestor certificate; and
  
  sending, by the first token provider computer, a de-tokenization response to the requestor computer, the de-tokenization response including the encrypted credential.
- View Dependent Claims (12, 13, 19, 20, 21, 22)
- - 12. The method of claim 11, further comprising:
    - validating, by the first token provider computer, the requestor certificate.
  - 13. The method of claim 11, wherein the requestor computer decrypts the encrypted credential with a private key that is paired with the public key.
  - 19. The method of claim 13, wherein the requestor computer is a merchant computer, and wherein the requestor computer uses the credential to determine a fraud risk for a subsequent transaction.
  - 20. The method of claim 11, wherein the requestor certificate includes a requestor computer address, and wherein the de-tokenization response is sent to the requestor computer address.
  - 21. The method of claim 11, wherein the first token is a first payment token, and wherein the second token is a second payment token.
  - 22. The method of claim 11, wherein the requestor certificate indicates that the requestor computer is authorized to receive the credential.

14. A first token provider computer comprising:
- a processor; and
  
  a computer readable medium, the computer readable medium comprising code, executable by the processor, for implementing a method comprising;
  
  receiving from a second token provider computer, a de-tokenization request comprising a first token generated by the first token provider computer and a requestor certificate associated with a requestor computer, wherein the de-tokenization request originated from the requestor computer, and wherein the second token provider computer replaced a second token with the first token in the de-tokenization request;
  
  determining a credential associated with the first token;
  
  determining that the requestor computer is authorized to receive the credential;
  
  encrypting the credential with a public key included in the requestor certificate; and
  
  sending a de-tokenization response to the requestor computer, the de-tokenization response including the encrypted credential.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The first token provider computer of claim 14, wherein the requestor certificate indicates that the requestor computer is authorized to receive the credential.
  - 16. The first token provider computer of claim 14, wherein the first token is a first payment token, and wherein the second token is a second payment token.
  - 17. The first token provider computer of claim 16, wherein the requestor computer is a merchant computer, wherein the first token provider computer is an authorizing entity computer, and wherein the second token provider computer is a transaction processing network computer.
  - 18. The first token provider computer of claim 17, wherein the merchant computer utilizes the primary account number for processing a user refund or for tracking user activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Gaddam, Ajit, Aissi, Selim
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Sanders, Stephen

Application Number

US14/806,257
Publication Number

US 20160028550A1
Time in Patent Office

804 Days
Field of Search

713173
US Class Current
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/64   Self-signed certificates

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 9/3215   using a plurality of channe...

H04L 9/3263   involving certificates, e.g...

Systems and methods for secure detokenization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

658 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secure detokenization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

658 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links