Method and system for token provisioning and processing

Information

  • Patent Grant
  • 12120117
  • Patent Number
    12,120,117
  • Date Filed
    Tuesday, August 29, 2023
    a year ago
  • Date Issued
    Tuesday, October 15, 2024
    a month ago
  • CPC
  • Field of Search
    • CPC
    • H04L63/0884
    • H04L2209/56
    • H04L9/3213
    • H04L63/0807
    • G06Q20/3821
    • G06Q20/385
    • G06Q20/40
    • G06F21/33
  • International Classifications
    • H04L9/40
    • Disclaimer
      This patent is subject to a terminal disclaimer.
      Term Extension
      0
Abstract
A method and system for provisioning credentials is disclosed. The method includes receiving, by a token provider computer, a token request message from a token requestor computer that comprises an initial access identifier. The token provider computer transmits the initial access identifier to a first authorization computer, and then the token provider computer receives an intermediate access identifier. The token provider computer then transmits a token activation request message to a second authorization computer based at least in part on the intermediate access identifier. The token provider computer then receives a token activation response message from the second authorization computer. The token provider computer then provides the token to the token requestor computer.
Description
BACKGROUND

Entities often maintain accounts for users, whereby users may access a resource utilizing an associated account with the entity (e.g., a bank, a government organization, cloud services provider, etc.). In a banking example, the bank may function as an account issuer and issue a payment card (e.g., a debit card) to the user which allows the user to utilize payment credentials (e.g., primary account number (PAN), CVV2, etc.) associated with the account to obtain a good. In some cases, the user may use the payment card for cross-border transactions. For example, the user may obtain the card from a bank in their residence country (e.g., Canada) and then travel to another country (e.g., the United States (U.S.)) to execute a payment transaction.


Also, modern systems have been created to provision a communication device (e.g., a mobile phone) with access data (e.g., a token) that is associated with a user account to be later used in conducting a transaction. For example, continuing with the banking example, the mobile phone may be provisioned with access data associated with the user's bank account (e.g., a PAN, a payment token, etc.) which may allow the mobile phone to access the account to obtain a good. Once the mobile phone is provisioned with the access data, the user may, for example, use the mobile phone to conduct e-commerce transactions utilizing the payment account. In another example, the user may go to a merchant store and tap the mobile phone on an access device (e.g., a Point-of-Sale (POS) terminal) to conduct the transaction. In a non-banking example, a cloud services provider entity may issue credentials for a particular user that allow the user to access a file associated with their account on a remote file share in the cloud. The cloud services provider may provision the user's mobile phone with access data (e.g., a token) corresponding to the user credentials with the cloud services provider, which enables the mobile phone to access the file on the remote file share in the cloud via the mobile phone.


However, transactions may often involve multiple entities that process transaction related data at various stages of the transaction processing pipeline. In these cases, interoperability between entities in the transaction pipeline is a significant challenge. For example, a bank in a particular country may issue a payment card that corresponds to a user account information (e.g., account number) that is formatted according to banking standards in that particular country. However, merchant stores and/or websites in another country may have an existing infrastructure (e.g., POS terminals, web servers) configured to conduct transactions with account numbers in a different format, which may present obstacles to conducting the transaction. In another example, software applications (e.g., a digital wallet) on the user's mobile phone may be configured to facilitate provisioning the mobile phone with access data based on receiving a user account number in a particular format, which may differ from the format of the account credentials issued by the issuer.


Embodiments of the invention are directed to methods and systems of improving interoperability between issuers and other entities involved in a transaction. Embodiments of the invention address these and other problems, individually and collectively.


SUMMARY

Embodiments of the invention are directed to secure token processing systems and methods.


One embodiment of the invention is directed to a method comprising: receiving, by a token provider computer, a token request message from a token requestor computer, the token request message comprising an initial access identifier; transmitting, by the token provider computer, the initial access identifier to a first authorization computer; receiving, by the token provider computer, an intermediate access identifier; transmitting, by the token provider computer and based at least in part on the intermediate access identifier, a token activation request message to a second authorization computer; receiving, by the token provider computer from the second authorization computer, a token activation response message from the second authorization computer; and providing, by the token provider computer, a token to the token requestor.


Another embodiment of the invention can be directed to a token provider computer configured to perform the above described method.


Another embodiment of the invention is directed to a method comprising: receiving, by a first authorization computer, an initial access identifier from a token provider computer. The method then includes obtaining, by the first authorization computer, an intermediate access identifier based at least in part on the initial access identifier; and transmitting, by the first authorization computer, the intermediate access identifier to the token provider computer, wherein the token provider computer transmits, based at least in part on the intermediate access identifier, a token activation request message to a second authorization computer to authorize a token to be provisioned to a token requestor computer.


Another embodiment of the invention can be directed to a first authorization computer configured to perform the above described method.


Another embodiment of the invention is directed to a method comprising: receiving, by a processing computer, an authorization request message comprising a token; providing, by the processing computer, the token to a token provider computer in a transaction; receiving, by the processing computer, an intermediate access identifier associated with the token; modifying, by the processing computer, the authorization request message to include the intermediate access identifier; and transmitting, by the processing computer, the authorization request message including the intermediate access identifier to a first authorization computer, wherein the first authorization computer modifies the authorization request message to include an initial access identifier associated with the intermediate access identifier, and transmits the authorization request message with the initial access identifier to a second authorization computer to authorize the transaction.


Other embodiments of the invention can be directed to a processing computer configured to perform the above-noted method.


These and other embodiments of the invention are described in further detail below, with reference to the Figures and Detailed Description.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows a block diagram of a system according to an embodiment of the invention.



FIG. 2 shows a block diagram of a token requestor computer of the system according to an embodiment of the invention.



FIG. 3 shows a block diagram of a token provider computer of a system according to an embodiment of the invention.



FIG. 4 shows a block diagram of a first authorization computer of a system according to an embodiment of the invention.



FIG. 5 shows a block diagram of a processing computer of a system according to an embodiment of the invention.



FIG. 6 shows a block diagram of a system and a flow sequence illustrating a first provisioning process using push provisioning according to an embodiment of the invention.



FIG. 7 shows a block diagram of a system and a flow sequence illustrating a second provisioning process using manual provisioning according to an embodiment of the invention.



FIG. 8 shows block diagram of a system and a flow sequence illustrating use of a token according to an embodiment of the invention.



FIG. 9 shows a block diagram of a system illustrating use of a token according to an embodiment of the invention.





DETAILED DESCRIPTION

Embodiments of the invention provide for mechanisms for facilitating secure token provisioning to a token requestor computer (e.g., a communication device such as a mobile phone) for later use in a transaction. In one embodiment, a high-level provisioning process flow may proceed as follows. First, the token requestor computer may initiate a provisioning process by transmitting an initial access identifier (e.g., an International Bank Account Number (IBAN) obtained from the issuer bank) and a user identifier (e.g., user name, email address, etc.) to a token provider computer. Second, the token provider computer subsequently interacts with a first authorization computer (e.g., an intermediary that is a trusted third-party proxy for the issuer) to obtain an intermediate access identifier (e.g., a virtual PAN) based on the initial access identifier and the user identifier. The first authorization computer may store a mapping between the initial access identifier and the intermediate access identifier for future use in processing a transaction. Third, based on receiving the intermediate access identifier from the first authorization computer, the token provider computer interacts with a second authorization computer (e.g., the issuer) to obtain a token activation approval. Fourth, the token provider computer then provides the activated token to the token requestor computer, which may be stored for future use. The token provider computer may store a mapping between the intermediate access identifier and the token for future use in processing a transaction.


In some embodiments, a token may be “push” provisioned to a token requestor computer via an issuer application (e.g., bank application) that initiates a provisioning request by “pushing” a payload including user credentials to an application executing on the token requestor computer (e.g., a digital wallet). In this case, the user may simply use the issuer application to select a digital wallet to be provisioned with a token, and no manual entry of credentials by the user is required. The token requestor computer may then initiate a provisioning process with a token provider computer as described above.


In other embodiments, a token may be “manually” provisioned to a token requestor computer, whereby the token requestor application executing on the token requestor computer directly receives input from a user (e.g., via keyboard entry), for example, including a user identifier and an initial access identifier. The token requestor computer may then initiate a provisioning process with a token provider computer as described above.


In some embodiments, after the token requestor computer has been provisioned with a token, the token requestor computer may use the token to conduct a transaction. In one embodiment, and using a payment transaction as a non-limiting example, a high-level transaction process flow may proceed as follows. First, a communication device (e.g., which may be the same token requestor computer that was previously provisioned with a token) may interact with an access device (e.g., tapping the phone against a merchant POS terminal) by transmitting the provisioned token to the access device. Second, the access device may transmit an authorization request message including the token to a transport computer (e.g., an acquirer computer affiliated with the merchant access device). Third, the transport computer may transmit the authorization request message including the token to a processing computer (e.g., a server computer within a payment processing network such as VisaNet™). Fourth, the processing computer may then use the token to retrieve the intermediate access identifier (e.g., utilizing the mapping previously stored by the token provider computer during the provisioning process). The processing computer may then modify the authorization request message to include the intermediate access identifier. Fifth, the processing computer may transmit the modified authorization request message to the first authorization computer. Sixth, the first authorization computer may use the intermediate access identifier to retrieve the initial access identifier (e.g., utilizing the mapping previously stored by the first authorization computer during provisioning). The first authorization computer may then modify the authorization request message to include the initial access identifier. Seventh, the first authorization computer may send the modified authorization request message to the second authorization computer. Eighth, the second authorization computer may approve the transaction based at least in part on receiving the initial access identifier from the first authorization computer.


Embodiments of the invention provide for a number of technical advantages. In one non-limiting example, some initial access identifiers, such as IBANs, may be incompatible with existing token provisioning systems (e.g., which may require a PAN format). Accordingly, using conventional techniques, a user may be unable to provision their communication device (e.g., mobile phone) with a payment token based on the issued IBAN. In contrast, embodiments of the present invention utilize an intermediate access identifier to provide interoperability between issuers and other entities (e.g., a token provider service) within existing token provisioning systems. In this way, a user could provision their mobile phone with a payment token using an IBAN. Thus, for example, the user may be able to tap their token-provisioned mobile phone against a merchant access device to conduct a transaction. Additionally, the user may travel to another country (e.g., with different payment processing systems) and still be able to tap their token-provisioned mobile phone against a merchant access device to conduct a transaction. In yet another example, the user could conduct remote e-commerce transactions using a digital wallet on their mobile phone based on the token associated with the otherwise incompatible IBAN. Embodiments of the invention also provide for greater data security during the authorization process. For example, even if an intermediate access identifier may be compromised in a man-in-the-middle attack, in some embodiments, it will be of little value as it may not be used to conduct transactions.


It should be understood that the technical advantages of the present invention are not only applicable to payment-based token provisioning systems. In another non-limiting example, a cloud services provider may issue credentials used to access files whereby the credentials may have a particular format according to the particular geographical region and/or organization associated with the user. A token provisioning system may be configured to only provision tokens for accessing files upon receiving credentials in a different format. Similar to as described above, embodiments of the present invention may utilize an intermediate access identifier to provide interoperability between cloud services provider issuer and the token provisioning system, such that, for example, a user with issued credentials in an otherwise incompatible format may nevertheless be able to provision their communication device with a token so they may access files in the cloud. This also may reduce the number of infrastructure updates required by a particular issuer (e.g., bank, cloud services provider, etc.) to be interoperable with multiple token provisioning systems, and thus enable more efficient token provisioning to a wider variety of users.


Before discussing embodiments of the invention, some descriptions of some terms may be useful.


A “communication device” may comprise any suitable electronic device that may be operated by a user, which may also provide remote communication capabilities to a network. For example, a communication device may be a personal computer (PC). A “mobile communication device” may be an example of a “communication device” that can be easily transported. Examples of remote communication capabilities include using a mobile phone (wireless) network, wireless data network (e.g. 3G, 4G or similar networks), Wi-Fi, Wi-Max, or any other communication medium that may provide access to a network such as the Internet or a private network. Examples of mobile communication devices include mobile phones (e.g. cellular phones), PDAs, tablet computers, net books, laptop computers, personal music players, hand-held specialized readers, etc. Further examples of mobile communication devices include wearable devices, such as smart watches, fitness bands, ankle bracelets, rings, earrings, etc., as well as automobiles with remote communication capabilities. In some embodiments, a mobile communication device can function as a payment device (e.g., a mobile communication device can store and be able to transmit payment credentials for a transaction).


A “payment device” may include any suitable device that may be used to conduct a financial transaction, such as to provide payment credentials to a merchant. The payment device may be a software object, a hardware object, or a physical object. As examples of physical objects, the payment device may comprise a substrate such as a paper or plastic card, and information that is printed, embossed, encoded, or otherwise included at or near a surface of an object. A hardware object can relate to circuitry (e.g., permanent voltage values), and a software object can relate to non-permanent data stored on a device (e.g., an identifier for a payment account). A payment device may be associated with a value such as a monetary value, a discount, or store credit, and a payment device may be associated with an entity such as a bank, a merchant, a payment processing network, or a person. Suitable payment devices can be hand-held and compact so that they can fit into a user's wallet and/or pocket (e.g., pocket-sized). Example payment devices may include smart cards, magnetic stripe cards, keychain devices (such as the Speedpass™ commercially available from Exxon-Mobil Corp.), etc. Other examples of payment devices include payment cards, smart media, transponders, and the like. If the payment device is in the form of a debit, credit, or smartcard, the payment device may also optionally have features such as magnetic stripes. Such devices can operate in either a contact or contactless mode.


A “credential” may be any suitable information that serves as reliable evidence of worth, ownership, identity, or authority. A credential may be a string of numbers, letters, or any other suitable characters, as well as any object or document that can serve as confirmation. Examples of credentials include value credentials, identification cards, certified documents, access cards, passcodes and other login information, etc.


“Payment credentials” may include any suitable information associated with an account (e.g. a payment account and/or payment device associated with the account). Such information may be directly related to the account or may be derived from information related to the account. Examples of account information may include a PAN (primary account number or “account number”), user name, expiration date, and verification values such as CVV, dCVV, CVV2, dCVV2, and CVC3 values.


An “application” may be a computer program that is used for a specific purpose. Examples of applications may include a banking application, digital wallet application, cloud services application, ticketing application, etc.


A “digital wallet” can include an electronic device and/or application that allows an individual to conduct electronic commerce transactions. A digital wallet may store user profile information, payment credentials, bank account information, access data, tokens, one or more digital wallet identifiers and/or the like and can be used in a variety of transactions, such as but not limited to eCommerce, social networks, money transfer/personal payments, mobile commerce, proximity payments, gaming, and/or the like for retail purchases, digital goods purchases, utility payments, purchasing games or gaming credits from gaming websites, transferring funds between users, accessing secure data, and/or the like. A digital wallet may be designed to streamline the purchase and payment process. A digital wallet may allow the user to load one or more payment cards onto the digital wallet so as to make a payment without having to enter an account number or present a physical card.


“Access data” may include any suitable data that can be used to access a resource or create data that can access a resource. In some embodiments, access data may be account information for a payment account. Account information may include a PAN, IBAN, payment token, expiration date, verification values (e.g., CVV, CVV2, dCVV, dCVV2), etc. In other embodiments, access data may be data that can be used to activate account data. For example, in some cases, account information may be stored on a mobile device, but may not be activated until specific information is received by the mobile device. In other embodiments, access data could include data that can be used to access a location. Such access data may be ticket information for an event, data to access a building, transit ticket information, etc. In yet other embodiments, access data may include data used to obtain access to sensitive data. Examples of access data may include codes or other data that are needed by a server computer to grant access to the sensitive data.


An “initial access identifier” may include an identifier originally used by a user. The initial access identifier may be an original credential that is issued by an issuer. The initial access identifier may be in any suitable format, such as alphanumeric characters, alphabetic characters, numeric, text based, etc. In some cases, the initial access identifier may be associated with an account for a single user. In other cases, the initial access identifier may be associated with multiple users, for example, who may share an account. Examples of an initial access identifier may include an original primary account number, or IBAN identifier. An IBAN identifier (also known as an “IBAN”) may include alphanumeric characters, instead of just numbers. Other examples may include a cloud services account number, mass transit account number, a building access identifier, etc. An initial access identifier may also include a combination of fields, for example, including an IBAN identifier and an email address or other user identifier.


An “intermediate access identifier” may include an identifier that can be used as an intermediary in a process. The intermediate access identifier may be in any suitable format, such as alphanumeric characters, alphabetic characters, numeric, text based, etc. In some cases, the intermediate access identifier may be associated with a single user or with multiple users, for example, who may share an account. Also, in some cases, the intermediate access identifier may be capable of being used to conduct a transaction. In other cases, the intermediate access identifier may be incapable of being used to conduct a transaction. For example, an intermediate access identifier may include a virtual PAN that is mapped to an IBAN initial access identifier. The virtual PAN may subsequently be mapped to a token. In some cases, the intermediate access identifier is 16, 18, or 19 digits long and may resemble a real PAN (primary account number), but may not be used to conduct a transaction.


A “token” may be a substitute value for a credential. A token may be a string of numbers, letters, or any other suitable characters. Examples of tokens include payment tokens, access tokens, personal identification tokens, etc.


A “payment token” may include an identifier for a payment account that is a substitute for an account identifier, such as a PAN or IBAN. For example, a payment token may include a series of alphanumeric characters that may be used as a substitute for an original account identifier. For example, a token “4900 0000 0000 0001” may be used in place of a PAN “4147 0900 0000 1234.” In some embodiments, a payment token may be “format preserving” and may have a numeric format that conforms to the account identifiers used in existing transaction processing networks (e.g., ISO 8583 financial transaction message format). In some embodiments, a payment token may be used in place of a PAN to initiate, authorize, settle or resolve a payment transaction or represent the original credential in other systems where the original credential would typically be provided. In some embodiments, a payment token may be generated such that the recovery of the original PAN or other account identifier from the token value may not be computationally derived. Further, in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token.


“Tokenization” is a process by which data is replaced with substitute data. For example, a payment account identifier (e.g., a primary account number (PAN)) may be tokenized by replacing the primary account identifier with a substitute number (e.g. a token) that may be associated with the payment account identifier. Further, tokenization may be applied to any other information that may be replaced with a substitute value (i.e., token). Tokenization enhances transaction efficiency and security.


A “token issuer,” “token provider,” or “token service system” can include a system that services tokens. In some embodiments, a token service system can facilitate requesting, determining (e.g., generating) and/or issuing tokens, as well as maintaining an established mapping of tokens to credentials (e.g., primary account numbers (PANs)) in a repository (e.g. token vault). In some embodiments, the token service system may establish a token assurance level for a given token to indicate the confidence level of the token to PAN binding. The token service system may include or be in communication with a token vault where the generated tokens are stored. The token service system may support token processing of payment transactions submitted using tokens by de-tokenizing the tokens to obtain the actual credentials (e.g., PANs). In some embodiments, a token service system may include a tokenization computer alone, or in combination with other computers such as a transaction processing network computer. Various entities of a tokenization ecosystem may assume the roles of the token service provider. For example, payment networks and issuers or their agents may become the token service provider by implementing the token services according to embodiments of the present invention.


A “token domain” may indicate an area and/or circumstance in which a token can be used. Examples of token domains may include, but are not limited to, payment channels (e.g., e-commerce, physical point of sale, etc.), POS entry modes (e.g., contactless, magnetic stripe, etc.), and merchant identifiers to uniquely identify where the token can be used. A set of parameters (i.e., token domain restriction controls) may be established as part of token issuance by the token service provider that may allow for enforcing appropriate usage of the token in payment transactions. For example, the token domain restriction controls may restrict the use of the token with particular presentment modes, such as contactless or e-commerce presentment modes. In some embodiments, the token domain restriction controls may restrict the use of the token at a particular merchant that can be uniquely identified. Some exemplary token domain restriction controls may require the verification of the presence of a token cryptogram that is unique to a given transaction. In some embodiments, a token domain can be associated with a token requestor.


A “token expiry date” may refer to the expiration date/time of the token. The token expiry date may be passed among the entities of the tokenization ecosystem during transaction processing to ensure interoperability. The token expiration date may be a numeric value (e.g. a 4-digit numeric value). In some embodiments, the token expiry date can be expressed as a time duration as measured from the time of issuance.


A “token request message” may be an electronic message for requesting a token. A token request message may include information usable for identifying an account (e.g., payment account) or digital wallet, and/or information for generating a token. For example, a token request message may include payment credentials, mobile device identification information (e.g. a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, an account access identifier, a user identifier, a cryptogram, and/or any other suitable information. Information included in a token request message can be encrypted (e.g., with an issuer-specific key).


A “token response message” may be a message that responds to a token request. A token response message may include an indication that a token request was approved or denied. A token response message may also include a payment token, mobile device identification information (e.g. a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, a cryptogram, and/or any other suitable information. Information included in a token response message can be encrypted (e.g., with an issuer-specific key).


A “token requestor identifier” may include any characters, numerals, or other identifiers associated with an entity associated with a network token system. For example, a token requestor identifier may be associated with an entity that is registered with the network token system. In some embodiments, a unique token requestor identifier may be assigned for each domain for a token request associated with the same token requestor. For example, a token requestor identifier can identify a pairing of a token requestor (e.g., a mobile device, a mobile wallet provider, etc.) with a token domain (e.g., e-commerce, contactless, etc.). A token requestor identifier may include any format or type of information. For example, in one embodiment, the token requestor identifier may include a numerical value such as a ten digit or an eleven digit number (e.g., 4678012345).


A “user” may include an individual. In some embodiments, a user may be associated with one or more personal accounts and/or mobile devices. The user may also be referred to as a cardholder, account holder, or consumer in some embodiments.


A “user identifier” may include any characters, numerals, or other identifiers associated with a user associated with a network token system. For example, a user identifier may be associated with an entity that is registered with the network token system. For example, in one embodiment, the user identifier may be a customer ID or email address associated with an authorized user of a bank account that is maintained by a bank.


A “resource provider” may be an entity that can provide a resource such as goods, services, information, and/or access. Examples of resource providers includes merchants, data providers, transit agencies, governmental entities, venue and dwelling operators, etc.


A “merchant” may typically be an entity that engages in transactions and can sell goods or services, or provide access to goods or services.


An “acquirer” may typically be a business entity (e.g., a commercial bank) that has a business relationship with a particular merchant or other entity. Some entities can perform both issuer and acquirer functions. Some embodiments may encompass such single entity issuer-acquirers. An acquirer may operate an acquirer computer, which can also be generically referred to as a “transport computer”.


An “authorizing entity” may be an entity that authorizes a request. Examples of an authorizing entity may be an issuer, a governmental agency, a document repository, an access administrator, etc.


An “issuer” may typically refer to a business entity (e.g., a bank, cloud services provider) that maintains an account for a user. An issuer may also issue credentials (e.g., payment credentials) stored on a user device, such as a cellular telephone, smart card, tablet, or laptop to the consumer.


An “access device” may be any suitable device that provides access to a remote system. An access device may also be used for communicating with a merchant computer, a transaction processing computer, an authentication computer, or any other suitable system. An access device may generally be located in any suitable location, such as at the location of a merchant. An access device may be in any suitable form. Some examples of access devices include POS or point of sale devices (e.g., POS terminals), cellular phones, PDAs, personal computers (PCs), server computers, tablet PCs, hand-held specialized readers, set-top boxes, electronic cash registers (ECRs), automated teller machines (ATMs), virtual cash registers (VCRs), kiosks, security systems, access systems, and the like. An access device may use any suitable contact or contactless mode of operation to send or receive data from, or associated with, a mobile communication or payment device. In some embodiments, where an access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium. A reader may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include radio frequency (RF) antennas, optical scanners, bar code readers, or magnetic stripe readers to interact with a payment device and/or mobile device. In some embodiments, a cellular phone, tablet, or other dedicated wireless device used as a POS terminal may be referred to as a mobile point of sale or an “mPOS” terminal.


An “authorization request message” may be an electronic message that requests authorization for a transaction. In some embodiments, it is sent to a transaction processing computer and/or an issuer of a payment card to request authorization for a transaction. An authorization request message according to some embodiments may comply with ISO 8583, which is a standard for systems that exchange electronic transaction information associated with a payment made by a user using a payment device or payment account. The authorization request message may include an issuer account identifier that may be associated with a payment device or payment account. An authorization request message may also comprise additional data elements corresponding to “identification information” including, by way of example only: a service code, a CVV (card verification value), a dCVV (dynamic card verification value), a PAN (primary account number or “account number”), a payment token, a user identifier, an initial access identifier, an intermediate access identifier, an expiration date, etc. An authorization request message may also comprise “transaction information,” such as any information associated with a current transaction, such as, in the case of a payment transaction, the transaction amount, merchant identifier, merchant location, acquirer bank identification number (BIN), card acceptor ID, information identifying items being purchased, etc., as well as any other information that may be utilized in determining whether to identify and/or authorize a transaction.


An “authorization response message” may be a message that responds to an authorization request. In some cases, it may be an electronic message reply to an authorization request message generated by an issuing financial institution or a transaction processing computer. The authorization response message may include, by way of example only, one or more of the following status indicators: Approval—transaction was approved; Decline—transaction was not approved; or Call Center—response pending more information, merchant must call the toll-free authorization phone number. The authorization response message may also include an authorization code, which may be a code that a credit card issuing bank returns in response to an authorization request message in an electronic message (either directly or through the transaction processing computer) to the merchant's access device (e.g. POS equipment) that indicates approval of the transaction. The code may serve as proof of authorization. The authorization response message may also comprise additional data elements corresponding to “identification information” similar to as described above, which may be used to route the message to back to the requestor.


A “token presentment mode” may indicate a method through which a token is submitted for a transaction. Some non-limiting examples of the token presentment mode may include machine readable codes (e.g., QR™ code, bar code, etc.), mobile contactless modes (e.g., near-field communication (NFC) communication), e-commerce remote modes, e-commerce proximity modes, and any other suitable modes in which to submit a token.


A “server computer” may include a powerful computer or cluster of computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a Web server. The server computer may comprise one or more computational apparatuses and may use any of a variety of computing structures, arrangements, and compilations for servicing the requests from one or more client computers.


An “identification and verification (ID&V) method” may be used to ensure that the payment token is replacing a PAN that was legitimately being used by the token requestor. Examples of ID&V methods may include, but are not limited to, an account verification message, a risk score based on assessment of the primary account number (PAN) and use of one time password by the issuer or its agent to verify the account holder. Exemplary ID&V methods may be performed using information such as a user signature, a password, an offline or online personal identification number (PIN), an offline or online enciphered PIN, a combination of offline PIN and signature, a combination of offline enciphered PIN and signature, user biometrics (e.g. voice recognition, fingerprint matching, etc.), a pattern, a glyph, knowledge-based challenge-responses, hardware tokens (multiple solution options), one time passwords (OTPs) with limited use, software tokens, two-channel authentication processes (e.g., via phone), etc. Using the ID&V, a confidence level may be established with respect to the token to PAN binding.


A “token assurance level” may refer to an indicator or a value that allows the token service provider to indicate the confidence level of the token to PAN binding. The token assurance level may be determined by the token service provider based on the type of identification and verification (ID&V) performed and the entity that performed the ID&V. The token assurance level may be set when issuing the token. The token assurance level may be updated if additional ID&V is performed.


A “requested token assurance level” may refer to the token assurance level requested from the token service provider by the token requestor. The requested token assurance level may be included in a field of a token request message send by the requestor to the token service provider for the generation/issuance of the token.


An “assigned token assurance level” may refer to the actual (i.e., generated) value assigned by the token service provider to the token as the result of the identification and verification (ID&V) process performed by an entity within the tokenization ecosystem. The assigned token assurance level may be provided back to the token requestor in response to the token request message. The assigned token assurance level may be different than the requested token assurance level included in the token request message.


“Token attributes” may include any feature or information about a token. For example, token attributes may include information that can determine how a token can be used, delivered, issued, or otherwise how data may be manipulated within a transaction system. For example, the token attributes may include a type of token, frequency of use, token expiry date and/or expiry time, a number of associated tokens, a transaction lifecycle expiry date, and any additional information that may be relevant to any entity within a tokenization ecosystem. For example, token attributes may include a wallet identifier associated with the token, an additional account alias or other user account identifier (e.g., an email address, username, etc.), a device identifier, an invoice number, etc. In some embodiments, a token requestor may provide token attributes at the time of requesting the generation of tokens. In some embodiments, a network token system, payment network associated with the network token system, an issuer, or any other entity associated with the token may determine and/or provide the token attributes associated with a particular token.


The token attributes may identify a type of token indicating how the token may be used. A payment token may include a high value token that can be used in place of a real account identifier (e.g., PAN) to generate original and/or subsequent transactions for a consumer account and/or card. Another token type may be a “static” or “dynamic” token type for static and dynamic tokens, respectively.


A “token requestor” may refer to an entity that is seeking to implement tokenization according to embodiments of the present invention. In some embodiments, the token requestor may initiate a request that a primary account number (PAN) or an initial access identifier be tokenized by submitting a token request message to the token service provider. According to various embodiments discussed herein, a token requestor may no longer need to store a PAN associated with a token once the requestor has received the token in response to a token request message. The requestor may be an application, a device, a process, or a system that is configured to perform actions associated with tokens. For example, a requestor can request registration with a network token system, request token generation, token activation, token de-activation, token exchange, other token lifecycle management related processes, and/or any other token related processes. A requestor may interface with a network token system through any suitable communication networks and/or protocols (e.g., using HTTPS, SOAP and/or an XML interface among others). Some non-limiting examples of token requestors may include, for example, a communication device of an authorized account holder, card-on-file merchants, acquirers, acquirer processors, and payment gateways acting on behalf of merchants, payment enablers (e.g., original equipment manufacturers, mobile network operators, etc.), digital wallet providers, issuers, third party wallet providers, and/or payment processing networks. In some embodiments, a token requestor can request tokens for multiple domains and/or channels. A token requestor may be registered and identified uniquely by the token service provider within the tokenization ecosystem. During token requestor registration, the token service provider may formally process token requestor's application to participate in the token service system. The token service provider may collect information pertaining to the nature of the requestor and relevant use of tokens to validate and formally approve the token requestor and establish appropriate domain restriction controls. Successfully registered token requestors may be assigned a token requestor identifier that may also be entered and maintained within the token vault. Token requestors may be revoked or assigned new token requestor identifiers. This information may be subject to reporting and audit by the token service provider.


A “token request indicator” may refer to an indicator used to indicate that the message containing the indicator is related to a token request. The token request indicator may optionally be passed to the issuer as part of the Identification and Verification (ID&V) method to inform the issuer of the reason the account status check is being performed.


A “payment network” may refer to an electronic payment system used to accept, transmit, or process transactions made by payment devices for money, goods, or services. The payment network may transfer information and funds among issuers, acquirers, merchants, and payment device users.



FIG. 1 shows a block diagram of a system 100 for provisioning a token, according to an embodiment of the invention. The system 100 comprises a token requestor computer 102 which may be associated with a user 101, a token provider computer 104, a first authorization computer 106, and a second authorization computer 108.


The token requestor computer 102, the token provider 104 computer, the first authorization computer 106, and the second authorization computer 108 may all be in operative communication with each other through any suitable communication channel or communications network. Suitable communications networks may be any one and/or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as, but not limited to a Wireless Application Protocol (WAP), I-mode, and/or the like); and/or the like. Messages between the computers, networks, and devices may be transmitted using a secure communications protocols such as, but not limited to, File Transfer Protocol (FTP); HyperText Transfer Protocol (HTTP); Secure Hypertext Transfer Protocol (HTTPS), Secure Socket Layer (SSL), ISO (e.g., ISO 8583) and/or the like.


The token requestor computer 102 may be configured to receive input from the user 101 that instructs the token requestor computer 102 to initiate a token provisioning process with the token provider computer 104 to provision a token. In some embodiments, the token requestor computer 102 may be a communication device (e.g., a mobile phone, PC, etc.) of the user 101, which receives instructions from the user 101 to provision a communication device with a token. In some embodiments, and as described in embodiments below, the token requestor computer 102 and the communication device to be provisioned may be the same device. However, it should be understood that in other embodiments, they may be different devices. For example, the token requestor computer 102 may request a token on behalf of another communication device, and then, once the token is received, transmit the token to the other communication device to be stored.


In some embodiments, the token requestor computer 102 may execute a token requestor application, for example, a digital wallet, which may be responsible for requesting, storing, and/or managing one or more tokens received by the token provider computer 104. In some embodiments, the token requestor computer 102 may also execute an issuer application such as a mobile banking application, a cloud services application, a mass transit account application, etc. The issuer application may be responsible for sending a token request message to the token requestor application to initiate a provisioning process with the token provider computer 104. However, in other embodiments, the token requestor computer 102 may not include an issuer application.


The token provider computer 104 may be a computer affiliated with a token provider. The token provider computer 104 may facilitate requesting, determining (e.g., generating) and/or issuing tokens. For example, the token provider computer 104 may receive a token request message from the token requestor computer 102, and in turn facilitate a sequence of message exchanges with the first authorization computer 106 and the second authorization computer 108, after which the token provider computer 104 provides the activated token to the token requestor computer 102. In some embodiments, the token provider computer 104 may also maintain a mapping of tokens to identifiers in a repository (e.g., a token vault). For example, the token provider computer 104 may maintain a mapping from tokens to intermediate access identifiers, initial access identifiers, etc. The token provider computer 104 may include or be in communication with a token vault where the generated tokens are stored. The token provider computer 104 may support token processing of transactions submitted using tokens by de-tokenizing the token to obtain an associated identifier (e.g., an intermediate access identifier) and then transmitting the associated identifier to the first authorization computer 106 for further processing.


The first authorization computer 106 may be a server computer that functions as an intermediary between the token provider computer 104 and the second authorization computer 108. In some embodiments, the first authorization computer 106 may be affiliated with a third-party entity (e.g., issuer processor) that functions as a trusted proxy for the issuer entity (e.g., a bank). In other embodiments, the first authorization computer 106 may be directly affiliated with the issuer entity. In some embodiments, the first authorization computer 106 and the token provider computer 104 are both operated by the token provider, and/or the functions of each may be performed by the same server computer. During the token provisioning process, the first authorization computer 106 may be responsible for obtaining (e.g., generating) an intermediate access identifier from the initial access identifier and maintaining a mapping between the initial access identifier and the intermediate access identifier. During the transaction processing phase, the first authorization computer 106 may receive the intermediate access identifier from the token provider computer 104, use the mapping to retrieve the initial access identifier, and then transmit the initial access identifier to the second authorization computer 108 for transaction authorization.


The second authorization computer 108 may be a server computer that is affiliated with the issuer. During the token provisioning phase, the second authorization computer 108 may be responsible for approving or else denying a token activation request that is received from the token provider computer 104 on behalf of the token requestor computer 102. During the transaction processing phase, the second authorization computer 108 may be responsible for authorizing or denying an authorization request received from the token provider computer 104 on behalf of the token requestor computer 102.



FIG. 2 shows a block diagram of a token requestor computer 102 of the system according to an embodiment of the invention. In some embodiments, the token requestor computer 102 may be a communication device (e.g., a mobile phone) that can be used to make payments or a device which can allow a user to gain access to a location. The exemplary token requestor computer 102 may comprise a computer readable medium 102-B and a memory 102-C that can be present within the body 102-J of the token requestor computer 102. The body 102-J may be in the form a plastic substrate, housing, or other structure. In some cases, the memory 102-C may be a secure element, and/or may also store information such as access data such as tokens, PANs, tickets, etc. Information in the memory 102-C may be transmitted by the token requestor computer 102 to another device using an antenna 102-D or contactless element 102-I.


The computer readable medium 102-B may comprises code, executable by the processor for implementing methods according to embodiments. The computer readable medium 102-B may contain an issuer application 110 and a token requestor application 120. The issuer application 110 can be used to “push” provision the token requestor computer 102 with a token by transmitting a token request message to the token requestor application 120. The issuer application also can provide functions provided by an issuer and may allow the token requestor computer 120 to communicate with an issuer computer (e.g., the second authorization computer 108). Examples of issuer applications can include banking applications, payment applications, merchant applications, transit applications, applications to access secure data, etc. The token requestor application 120 can allow the token requestor computer 102 to communicate with a token provider computer 104. Examples of token requestor applications can include various types of digital wallet applications (e.g., used for money transfer/personal payments, mobile commerce, accessing secure data, etc.). The token requestor application 120 may be used to facilitate the enrollment process to provision a token onto the token requestor computer 102. It may also subsequently be used to conduct a transaction with a token without requiring a user 101 to enter an account number or present a physical card.


In some embodiments, the token requestor computer 102 may further include a contactless element 102-I, which is typically implemented in the form of a semiconductor chip (or other data storage element) with an associated wireless transfer (e.g., data transmission) element, such as an antenna. Data or control instructions that are transmitted via a cellular network may be applied to the contactless element 102-I by means of a contactless element interface (not shown). Contactless element 102-I may be capable of transferring and receiving data using a short range wireless communication capability. Thus, the token requestor computer 102 may be capable of communicating and transferring data or control instructions via both cellular network (or any other suitable wireless network—e.g. the Internet or other data network) and short range communications.


The token requestor computer 102 may also include a processor 102-A (e.g., a microprocessor) for processing the functions of the token requestor computer 102 and a display 102-G to allow a user to view information. The token requestor computer 102 may further include input elements 102-E (e.g., a touchscreen, keyboard, touchpad, sensors such as biometric sensors, etc.), a speaker 102-H, and a microphone 102-F. The token requestor computer 102 may also include an antenna 102-D for wireless data transfer.



FIG. 3 shows a block diagram of a token provider computer 104 of a system according to an embodiment of the invention. FIG. 3 shows a token provider computer 104 and a token vault 130 coupled to the token provider computer 104.


The token vault 130 may store tokens and their associated credentials in a database. The token vault 130 may store data in a token record database such as an Oracle™ database. In some embodiments, the token vault 130 may store in the database a mapping between a token and one or more associated credentials (e.g., an intermediate access identifier and/or initial access identifier).


The token provider computer 104 may comprise a processor 104-A, which may be coupled to a system memory 104-B and an external communication interface 104-C. A computer readable medium 104-D may also be operatively coupled to the processor 104-A.


The computer readable medium 104-D may comprise a number of software modules including a communication module 104-D1, an encryption module 104-D2, a token provisioning module 104-D3, a validation module 104-D4, and an enrollment facilitation module 104-D5.


The communication module 104-D1 may comprise code that causes the processor 104-A to generate messages, forward messages, reformat messages, and/or otherwise communicate with other entities.


The encryption module 104-D2 may comprise code that includes any suitable encryption algorithms to encrypt data in embodiments of the invention. Suitable data encryption algorithms may include DES, tripe DES, AES, etc. It may also store encryption keys that can be used with such encryption algorithms. The encryption module 104-D2 may utilize symmetric or asymmetric encryption techniques to encrypt and/or verify data.


The token provisioning module 104-D3 may comprise code that causes the processor 104-A to provide tokens. For example, the token provisioning module 104-D3 may contain logic that causes the processor 104-A to generate a payment token and/or associate the payment token with a set of payment credentials (e.g., an intermediate access identifier). A token record may then be stored in a token record database of the token vault 130 indicating that the payment token is associated with (i.e., mapped to) a certain user or a certain set of payment credentials.


The validation module 104-D4 may comprise code that causes the processor 104-A to validate token requests before a token is provided. For example, validation module 104-D4 may contain logic that causes the processor 104-A to confirm that a token request message is authentic by decrypting a cryptogram included in the message, by confirming that the payment credentials are authentic and associated with the requesting device (e.g., a token requestor computer 102), and/or by assessing risk associated with the requesting device.


The enrollment facilitation module 104-D5 may comprise code that causes the processor 104-A to transmit messages to one or more entities to facilitate a token provisioning process. For example, the enrollment facilitation module 104-D5 may contain logic that causes the processor 104-D5 to transmit a message containing an initial access identifier, received from the token requestor computer 102, to a first authorization computer 106. The enrollment facilitation module 104-D5 may also receive back from the first authorization computer 106 an intermediate access identifier. In some embodiments, the enrollment facilitation module 104-D5 may subsequently exchange messages with the token requestor computer 102 to receive input from the user 101 to continue the enrollment process (e.g., agreeing to terms and conditions). In some embodiments, based on receiving the intermediate access identifier from the first authorization computer 106 and/or input from the user 101 indicating agreement with the terms and conditions, the enrollment facilitation module 104-D5 may subsequently send a token activation request message to the second authorization computer 108, and receive back a token activation response message indicating approval or else denial of the activation request. The enrollment facilitation module 104-D5 may then relay that indication back to the token requestor computer 102. Assuming that the second authorization computer 108 approved the activation request, the enrollment facilitation module 104-D5 may provide the token to the token requestor computer 102 and store a mapping of the token to one or more credentials (e.g., the intermediate access identifier) in the token vault 130.



FIG. 4 shows a block diagram of a first authorization computer 106 of a system according to an embodiment of the invention. The first authorization computer 106 may be coupled to a records database (not shown), whereby the first authorization computer 106 stores a mapping between identifiers. For example, the database may store a mapping between an initial access identifier and an intermediate access identifier. In some embodiments, the mapping may also include other associations, for example, a mapping between the initial access identifier and a user identifier that corresponds to the user 101. In some embodiments, for example, if the first authorization computer 106 and the token provider computer 104 operate as one entity, the records database of the first authorization computer 106 and the token record database of the token vault 130 may correspond to the same database. In that case, the token vault 130 may store a mapping between the token, the initial access identifier, the intermediate access identifier, and/or the user identifier.


The first authorization computer 106 may comprise a processor 106-A, which may be coupled to a system memory 106-B and an external communication interface 106-C. A computer readable medium 106-D may also be operatively coupled to the processor 106-A.


The computer readable medium 106-D may comprise a number of software modules including a communication module 106-D1, an encryption module 106-D2, an identifier conversion module 106-D3, a validation module 106-D4, and an authorization request translation module 106-D5.


The communication module 106-D1 may comprise code that causes the processor 106-A to generate messages, forward messages, reformat messages, and/or otherwise communicate with other entities.


The encryption module 106-D2 may comprise code that includes any suitable encryption algorithms to encrypt data in embodiments of the invention. Suitable data encryption algorithms may include DES, tripe DES, AES, etc. It may also store encryption keys that can be used with such encryption algorithms. The encryption module 106-D2 may utilize symmetric or asymmetric encryption techniques to encrypt and/or verify data.


The identifier conversion module 106-D3 may comprise code that causes the processor 106-A to obtain (e.g., generate or retrieve from an existing pool in the records database) an intermediate access identifier based on receiving an initial access identifier. In some embodiments, for example in the case of retrieving from an existing pool, the identifier conversion module 106-D3 may maintain a record of intermediate access identifiers that are mapped to active initial access identifiers (e.g., non-expired or not deactivated) as well as non-active initial access identifiers. For example, the first authorization computer 106 may receive updates from a token provider computer 104 about what initial access identifiers are active. If, upon receiving a request for an intermediate access identifier based on receiving an initial access identifier, the identifier conversion module 106-D3 determines that an existing intermediate access identifier is currently mapped to a non-active initial access identifier, the identifier conversion module 106-D3 may provide the existing intermediate access identifier and re-map the intermediate access identifier to the initial access identifier received as input. In other embodiments, upon receiving a request, the identifier conversion module 106-D3 may generate a new intermediate access identifier and map it to the initial access identifier received as input. In some embodiments, the generated or updated intermediate access identifier and the corresponding mapping may be stored in the records database.


The validation module 106-D4 may comprise code that causes the processor 106-A to validate requests for an identifier (e.g., intermediate access identifier) before one is provided. For example, validation module 106-D4 may contain logic that causes the processor 106-A to confirm that a request message is authentic by decrypting a cryptogram included in the message, by confirming that the credentials (e.g., initial access identifier, user identifier, etc.) are authentic and associated with the requesting device (e.g., a token requestor computer 102, token provider computer 104), and/or by assessing risk associated with the requesting device. As described above, the first authorization computer 106 may be a trusted third-party proxy or otherwise associated with an issuer of the initial access identifier. Accordingly the first authorization computer 106 may also receive predefined rules from the issuer (e.g., the second authorization computer 108) corresponding to whether a particular initial access identifier qualifies to be issued an intermediate access identifier. For example, a rule may determine that only initial access identifiers (e.g., IBANs) within a certain range of values may qualify to be mapped to an intermediate access identifier (e.g., a virtual PAN).


The authorization request translation module 106-D5 may comprise code that causes the processor 106-A to retrieve one identifier based on receiving another identifier during a transaction process phase. For example, the authorization request translation module 106-D5 may receive an authorization request message containing an intermediate access identifier (e.g., previously generated during the token provisioning phase by the identifier conversion module 106-D3). Based on the intermediate access identifier, the authorization request translation module 106-D5 may retrieve the associated initial access identifier from the records database. The authorization request translation module 106-D5 may then modify the authorization request message to include the initial access identifier and then transmit the modified message to another entity (e.g., the second authorization computer 108) for transaction authorization.


It should be understood that, as described herein, the mappings stored may be bidirectional. For example, a mapping between a token and an initial access identifier that is stored in the token vault 130 may be operable such that an initial access identifier may be used to retrieve a token, and vice versa. In another example, a mapping between an initial access identifier and an intermediate access identifier may be operable that an intermediate access identifier may be used to retrieve an initial access identifier, and vice versa. Accordingly, for example, if the first authorization computer 106 receives an authorization response message from the second authorization computer 108 that contains the initial access identifier, the first authorization computer 106 may use the initial access identifier to retrieve the associated intermediate access identifier and transmit it to another entity (e.g., a transaction processing computer) for further processing. In this way, messages may be correctly routed in both directions.



FIG. 5 shows a block diagram of a processing computer 150 of a system according to an embodiment of the invention. FIG. 5 shows a processing computer 150 and the token vault 130 coupled to the processing computer 150. It should be understood that, in some embodiments, the processing computer 150 and the token provider computer 104 may be housed within the unit and/or be affiliated with the same token provisioning system.


The processing computer 150 may comprise a processor 150-A, which may be coupled to a system memory 150-B and an external communication interface 150-C. A computer readable medium 150-D may also be operatively coupled to the processor 150-A.


The computer readable medium 150-D may comprise a number of software modules including a communication module 150-D1, an encryption module 150-D2, a token exchange module 150-D3, a validation module 150-D4.


The communication module 150-D1 may comprise code that causes the processor 150-A to generate messages, forward messages, reformat messages, and/or otherwise communicate with other entities.


The encryption module 150-D2 may comprise code that includes any suitable encryption algorithms to encrypt data in embodiments of the invention. Suitable data encryption algorithms may include DES, tripe DES, AES, etc. It may also store encryption keys that can be used with such encryption algorithms. The encryption module 150-D2 may utilize symmetric or asymmetric encryption techniques to encrypt and/or verify data.


The token exchange module 150-D3 may comprise code that causes the processor 150-A to retrieve an identifier based on receiving a token (or vice versa). For example, in some embodiments, upon receiving a token within an authorization request message (e.g., from a token requestor computer 102), the token exchange module 150-D3 may retrieve an intermediate access identifier from the token vault 130. The intermediate access identifier may have been previously stored in the token vault 130 by the token provider computer 104 during a token provisioning process, whereby the token was mapped to the intermediate access identifier. Upon retrieving the identifier, the token exchange module 150-D3 may transmit the identifier to another entity. For example, token exchange module 150-D3 may modify the authorization request message to include the intermediate access identifier and then transmit the modified message to another entity (e.g., the first authorization computer 106) for further processing.


The validation module 150-D4 may comprise code that causes the processor 150-A to validate authorization request messages to proceed with a transaction based on a token received as input. For example, validation module 150-D4 may contain logic that causes the processor 104-A to validate an authorization request message by decrypting a cryptogram included in the message, confirming that the token included within the message is authentic (e.g., associated with the requesting device), and/or by assessing risk associated with the requesting device. The validation module 150-D4 may also verify that the token attributes (e.g., a user identifier, token requestor identifier, token expiration date, frequency of use, etc.) conform to a set of predetermined rules. The predetermined rules may be determined by an entity (e.g., issuer bank) that has a trusted relationship with the processing computer 150.



FIGS. 6 and 7, respectively, show a block diagram of a system and a flow sequence illustrating different options for provisioning a token to a device according to embodiments of the invention: a first “push” provisioning process and a second “manual” provisioning process. In the “push” provisioning process of FIG. 6, an issuer application 110 (e.g., an banking application) may provide a user ID (e.g., a customer ID) and an initial access identifier (e.g., an IBAN) to a token requestor application 120 (“token requestor”) (e.g., a digital wallet). The token requestor 120 may then initiate a provisioning process with a token provider computer 104. In the “manual” provisioning process of FIG. 7, a user may provide a user ID and an initial access identifier directly to a token requestor 120. The token requestor 120 may then initiate a provisioning process with a token provider computer 104.


Turning to FIG. 6 in further detail, a block diagram 600 of a system and a flow sequence illustrating a “push” provisioning process is illustrated. FIG. 6 shows a token requestor computer 102 that may request a token from a token provider computer 104. In some embodiments, the token requestor computer 102 may be a mobile communication device (e.g., a mobile phone). Also, although FIG. 6 depicts the issuer application 110 and the token requestor application 120 as being on the same device, embodiments of the invention should not be construed to be so limiting. In any case, under the “push” provisioning method, the issuer application 110 may be in communication with the token requestor 120. The token provider computer 104 may be associated with (e.g., contain or communicate with) a token vault 130. The token vault 130 may be a database that stores tokens with their associated real credentials or intermediate access identifiers. The token provider computer 104 may be in communication with a first authorization computer 106 and a second authorization computer 108.


In the illustrated flow, in step S601, a user with a mobile communication device 102 may log in to the issuer application 110. In some embodiments, the issuer application 110 may correspond to a banking account issued by a bank. The bank may provide the user with one or more payment credentials that may be associated with the banking account and may be stored on the mobile communication device 102 by the issuer application 110. In some embodiments, the payment credentials may include multiple elements such as a user identifier (e.g., user name, user email address, user phone number, etc.), account number (e.g., PAN), expiration date, CVV2 value, etc. However, in some embodiments, the payment credentials may include less elements. For example, the payment credentials provided to the user and/or issuer application may include only an account number and a user identifier. In yet other embodiments, the payment credentials may include only an account number, for example, in a case where the account may be shared by multiple users. In this case, when the user 101 logs into the issuer application (e.g., by inputting the account number and a password), the user 101 may be dynamically provided with a user identifier by the bank. In some embodiments, the account number may be an IBAN, which may have a different format than a PAN. For example, the IBAN may contain an alphanumeric string characters (e.g., “DE89 3704 0044 0532 0130 00”), whereas a PAN may be only numeric characters (e.g., “1234 5678 8765 4321”). In some embodiments, the bank may also issue a payment card (e.g., debit card) that may be associated with the account and may having printed on the card one or more payment credentials (e.g., user name, account number, etc.).


In the flow sequence discussed below in reference to FIG. 6, the payment credentials stored by the issuer application 110 on the mobile communication device may include an account number that is an IBAN, which may correspond to an initial access identifier. The payment credentials also may include a user identifier that is either generated in advance of the user 101 logging in, or at the time the user logs in. Although, as discussed below, the user identifier is a separate data element from the initial access identifier, embodiments of the invention should not be construed to be so limiting. For example, in some embodiments, the initial access identifier may include multiple fields, including a user identifier. It should be noted that, in the example of FIG. 6, the payment credentials stored on the mobile communication device 102 (and/or printed on the payment card issued to the user 101) may not include certain fields, for example, a CVV2 value.


Continuing with step S601, the issuer application 110 may prompt the user 101 to select a particular application to be provisioned with a token. The user 101 may then select the token requestor application 120, which may be a digital wallet in this example. Upon selecting the token requestor 120, the issuer application 110 may encrypt a payload containing the initial access identifier and the user identifier, and transmit the payload to the token requestor 120.


In step S602, the token requestor 120 may transmit a token request message to be received by a token provider computer 104. The token request message may contain the initial access identifier and the user identifier to enroll the initial access identifier with the token provider computer 104. In some embodiments, the token requestor 120 may first decrypt the payload from the issuer application 110 to obtain the initial access identifier and the user identifier. In some embodiments, the token requestor 120 may include other information within the token request message, including for example, a token requestor identifier (e.g. mobile device 102 identifier, digital wallet provider identifier, token domain, etc.). In some embodiments, the token request message may be encrypted.


In step S604, the token provider computer 104 may then transmit the user identifier and the initial access identifier to the first authorization computer 106, for example, by invoking the enrollment facilitation module 104-D5. Prior to transmitting the user identifier and the initial access identifier, the token provider computer 104 may first decrypt and/or validate the token request message received by the token requestor 120. For example, the token provider computer 104 may invoke the validation module 104-D4 to validate a cryptogram from the token requestor 120 to authenticate the token requestor 120 and assess a level of risk with the request. In some embodiments, if the validation module 104-D4 determines that the initial access identifier and/or device 102 is not eligible, the token provider computer 104 may return an error to the token requestor 120.


Upon receiving the user identifier and the initial access identifier, the first authorization computer 106 may then obtain (e.g., generate or retrieve from an existing pool) an intermediate account identifier, for example, by invoking the identifier conversion module 106-D3. In some embodiments, the first authorization computer 106 may first invoke the validation module 104-D4 to verify that the initial access identifier is eligible, and if not, may return an error to the token provider computer 104. In some embodiments, assuming the validation is successful, the obtained intermediate account identifier may correspond to an account identifier that is a different format (e.g., different fields and/or field formats) than the initial access identifier (e.g., a virtual PAN). More specifically, the intermediate account identifier may be a virtual debit card number, and it may have an expiration date and CVV2 value associated with it (e.g., in contrast with the initial access identifier, which may be an IBAN that does not have an associated CVV2 value). In some embodiments, the intermediate account identifier may be associated with an expiration date that is independent of an expiration date of the initial access identifier. In other embodiments, the expiration date may be the same expiration date as the initial access identifier (or derived from an expiration date of the initial access identifier using any suitable means). Upon generating the intermediate account identifier, the first authorization computer 106 may further invoke the identifier conversion module 106-D3 to store a mapping of the initial access identifier (and associated fields, e.g., the user identifier) and the intermediate access identifier (and associated fields, e.g., the expiration date) in a records database.


In some embodiments, the intermediate account identifier may be incapable of being used to directly conduct access transactions, but may be a conduit for provisioning a token to the communication device 102 and facilitating token-based transactions. For example, in some embodiments, the intermediate account identifier may be incapable of being used by a person to conduct a payment transaction. However, in other embodiments and as discussed below, the intermediate account identifier may be capable of being used to conduct a transaction, for example, at an e-commerce website.


In step S606, the first authorization computer 106 may transmit the intermediate access identifier to the token provider computer 104. In some embodiments, the first authorization computer 106 may also transmit an expiration date associated with the intermediate access identifier to the token provider computer 104.


In some embodiments, upon receiving the intermediate access identifier and expiration date from the first authorization computer 106, the token provider computer 104 may optionally conduct a message exchange process with the token requestor 120 (not shown in FIG. 6, but depicted in FIG. 7 steps S708 and S710). As depicted in FIG. 6, the token provider computer 104 does not send an enrollment confirmation message to the token requestor application 120 and instead automatically proceeds with continuing the enrollment process, as described below.


In step S608, based at least in part on receiving the intermediate access identifier in step S606, token provider computer 104 may transmit a token activation request message to the second authorization computer 108. In some embodiments, the token activation request message may include at least the initial access identifier. In some embodiments, any suitable information may be included in the message to enable the second authorization computer 108 to validate the token activation request message, including, but not limited to, the initial access identifier and/or the user identifier. In some embodiments, the second authorization computer 108 may utilize the initial access identifier to query the user 101 of the token requestor computer 102 and authenticate the user if desired using an ID&V process (e.g., with a one-time password or OTP).


In step S610, the second authorization computer 108 may respond with a token activation response message that is received by the token provider computer 104. The token activation response message may indicate whether the token activation request was approved (e.g., authorized) or denied.


In steps S612 and S614, assuming that the second authorization computer 108 agreed to provide the token to the token requestor 120, the token provider computer 104 may retrieve a token from the token vault 130, which may have been previously stored by the token provisioning module 104-D3. As described above, the mapping between the token and the intermediate access identifier may also be stored in the token vault 130 along with the associated token.


In step S616, the token provider computer 104 may provide (e.g., transmit) a token activation notification to the second authorization computer 108.


In step S618, the token provider computer 104 may provide (provision) the token to the token requestor 120. The token requestor 120 may store the token in a memory such as a secure memory 120C of the token requestor computer 102. The token may be permanent semi-permanent, or dynamic.



FIG. 7 shows a block diagram 700 of a system and a flow sequence illustrating a second provisioning process using manual provisioning according to an embodiment of the invention. Similar to as depicted in FIG. 6, FIG. 7 shows a token requestor computer 102 that may request a token from a token provider computer 104. In some embodiments, the token requestor computer 102 may be a mobile communication device (e.g., a mobile phone). However, in contrast with FIG. 6, a token requestor application 120 (“token requestor”) (e.g., a digital wallet) on the token provider computer 104 may be configured to receive input directly from the user 101 to initiate the provisioning process, instead of having an issuer application that pushes the initiation request and payload to the token requestor. Similar to FIG. 6, the token requestor 120 may be in communication with the token provider computer 104. The token provider computer 104 may be associated with (e.g., contain or communicate with) a token vault 130. The token vault 130 may be a database that stores tokens with their associated real credentials or intermediate access identifiers. The token provider computer 104 may be in communication with a first authorization computer 106 and a second authorization computer 108.


In the illustrated flow, in step S701 the token requestor 120 may receive input from the user 101 to initiate the provisioning process. For example, the user 101 may input via an input element 102-E (e.g., keyboard) credentials such as an IBAN and a user identifier (e.g., email address, user name, etc.). The token requestor 120 may receive the credentials using any suitable method. The credentials entered may be similar to the credentials that are encrypted within the payload that is transmitted from the issuer application 110 to the token requestor 120 in FIG. 6.


Steps S702-S706, respectively, may be substantially the same as steps S602-S606 of FIG. 6. The descriptions thereof are incorporated herein and need not be repeated.


In step S708, as described earlier as an optional step in reference to FIG. 6, the token provider computer 104 may send an enrollment confirmation message to the token requestor 120. In some embodiments, upon receiving the enrollment confirmation message, the token requestor 120 may prompt the user 101 to agree to terms and conditions of token provisioning. In some embodiments, the enrollment confirmation message sent to the token requestor 120 may contain the intermediate access identifier and expiration date, which may be stored on the token requestor computer 102 and presentable to the user 101. This may be done, for example, in the case where an issuer enables a user 101 to conduct transactions directly via the intermediate access identifier. However, in other embodiments, the intermediate access identifier is completely hidden from the user 101 (e.g., managed between the token provider computer 104 and the first authorization computer). In some embodiments, the enrollment confirmation message may also contain a reference number that is associated with the token enrollment session, which the token requestor 120 may return back to the token provider computer 104 to proceed with the enrollment process, as discussed in step S710, below.


In step S710, upon the user 101 agreeing to the terms and conditions and/or selecting other provisioning options presented by the token requestor 120, the token requestor 120 may transmit an enrollment confirmation reply message to the token provider computer 104 that contains the reference number and other suitable information, indicating that the user 101 will continue with the provisioning process. The token provider computer 104, upon receiving the reference number back from the token requestor computer 102, may use the reference number to look up and retrieve information from the token vault to proceed with the enrollment process (e.g., the initial access identifier, user identifier, etc.).


Steps S712-S722, respectively, may be substantially the same as steps S608-S618 of FIG. 6. The descriptions thereof are incorporated herein and need not be repeated.



FIG. 8 shows block diagram 800 of a system and a flow sequence illustrating use of a token after it has been provisioned to a user's communication device, according to an embodiment of the invention. FIG. 8 shows a system including a communication device 102 of a user 101, an access device 820 (e.g., POS terminal), a transport computer 840 (e.g., an acquirer computer), a processing computer 150 (e.g., in a payment processing network such as VisaNet), a first authorization computer 106, and a second authorization computer 108, all in communication with each other. A token vault 130 may be in communication with the processing computer 150.


Prior to step S802, the communication device 102 may be provisioned with a token as described above in reference to FIGS. 6 and 7. In step S802, the communication device 102 can interact with the access device 820 according to any suitable token presentment mode (e.g., NFC communication). In other embodiments, for example an e-commerce transaction, the communication device 102 may submit the token over the Internet to a website associated with the access device 820. In the process, the access device 820 may receive other associated with the token information (e.g., a token expiration date, other token attributes).


In step S804, an authorization request message comprising the token may be generated by the access device 820, and then transmitted to the transport computer 840.


In step S806, the transport computer 840 may transmit the authorization request message including the token to be received by the processing computer 150. The processing server computer 150 may be in a payment processing network. The payment processing network may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network may include VisaNet™′ Payment processing networks such as VisaNet™ are able to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™, in particular, includes a VIP system (Visa Integrated Payments system) which processes authorization requests and a Base II system which performs clearing and settlement services. The payment processing network may use any suitable wired or wireless network, including the Internet.


In step S808, the processing computer 150 may validate the authorization request message by executing the validation module 150-D4. Upon a successful validation, the processing computer 150 may invoke the token exchange module 150-D3, which may provide the token to the token vault 130 (e.g., via the token provider computer 104).


In step S810, the token exchange module 150-D3 may, in turn, retrieve (e.g., receive) the intermediate access identifier associated with the token from the token vault 130.


In step S812, the processing computer 150 may provide (e.g., transmit) the intermediate access identifier to the first authorization computer 106. In some embodiments, the token exchange module 150-D3 may modify the authorization request message to include the intermediate access identifier and then transmit the modified authorization request message to the first authorization computer 106 for further processing.


In step S814, the first authorization computer 106 may retrieve the initial access identifier based on the intermediate access identifier received from the processing computer 150. In some embodiments, the first authorization computer 106 may execute the authorization request translation module 106-D5 to translate (e.g., replace, or additionally include) the intermediate access identifier with the initial access identifier in the modified authorization request message. The first authorization computer 106 may then transmit the modified message including the initial access identifier to the second authorization computer 108 for authorizing the transaction.


If approved (e.g., authorized), the second authorization computer 108 may transmit an authorization response message back to the access device 820 via the transport computer 840, the processing computer 150, and the first authorization computer 106 (step sequence not shown in FIG. 8). In some embodiments, the authorization response message may be routed back to the access device 820 based on the initial access identifier, the intermediate access identifier, and/or the token. For example, upon the first authorization computer 106 receiving the authorization response message containing the initial access identifier, the first authorization computer 240 may switch the initial access identifier for the intermediate access identifier, and then transmit the modified authorization response message to the processing computer 150. The processing computer 150 may, in turn, switch the intermediate access identifier for the token in the authorization response message (e.g., retrieving the token from the token vault 130 based on the mapping stored within the token vault 130). The processing computer 150 may then transmit the authorization response message to the transport computer 840 based on token attributes and other suitable information that was originally received in the authorization request message in step S806. The authorization response message may be similarly routed from the transport computer 840 to the access device 820 and/or mobile device 102.


In some embodiments, the second authorization computer 108, the first authorization computer 106, the processing computer 150, and the transport computer 840 may perform a settlement process to settle the transaction.



FIG. 9 shows a block diagram 900 of a system illustrating use of a token according to an embodiment of the invention. FIG. 9 shows a system including a communication device 102 of a user 101, an access device 920 (e.g., a gateway server), and a cloud services file server 930. The access device 920 may be in further communication with other intermediary computers between the access device 920 and the file server 930 (not shown), similar to as depicted in FIG. 8 (e.g., a processing computer 150, first authorization computer 106, second authorization computer 150, token vault 130).


In FIG. 9, the mobile device 102 may be provisioned with a token as described above in reference to FIGS. 6 and 7. The mobile device 102 may interact with the access device 920 according to any suitable token presentment mode (e.g., over the Internet). In the process, the access device 920 may receive the token and other information (e.g., an expiration date). The access device 920 may then proceed with a series of steps to request authorization, on behalf of the user 101, to access a remote file on the file server 920. In some embodiments, the steps may be substantially similar to steps S804-S814 of FIG. 8.


Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.


The above description is illustrative and is not restrictive. Many variations of the invention may become apparent to those skilled in the art upon review of the disclosure. The scope of the invention can, therefore, be determined not with reference to the above description, but instead can be determined with reference to the pending claims along with their full scope or equivalents.


One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.


A recitation of “a”, “an” or “the” is intended to mean “one or more” unless specifically indicated to the contrary.


All patents, patent applications, publications, and descriptions mentioned above are herein incorporated by reference in their entirety for all purposes. None is admitted to be prior art.

Claims
  • 1. A first authorization computer comprising: a processor; anda non-transitory computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method comprising:receiving an initial access identifier from a token provider computer;obtaining an intermediate access identifier based at least in part on the initial access identifier; andtransmitting the intermediate access identifier to the token provider computer, wherein the token provider computer transmits a token activation request message, based at least in part on the intermediate access identifier, to a second authorization computer to authorize a token to be provisioned to a token requestor computer.
  • 2. The first authorization computer of claim 1, wherein the initial access identifier comprises an alphanumeric value that corresponds to an account identifier of an account.
  • 3. The first authorization computer of claim 2, wherein receiving the initial access identifier further comprises receiving a user identifier of an authorized user that is associated with the account.
  • 4. The first authorization computer of claim 3, wherein obtaining the intermediate access identifier comprises generating a virtual primary account number that is associated with the authorized user and the account.
  • 5. A method comprising: receiving, by a processing computer, an authorization request message comprising a token;providing, by the processing computer, the token to a token provider computer in a transaction;receiving, by the processing computer, an intermediate access identifier associated with the token;modifying, by the processing computer, the authorization request message to include the intermediate access identifier; andtransmitting, by the processing computer, the authorization request message including the intermediate access identifier to a first authorization computer, wherein the first authorization computer modifies the authorization request message to include an initial access identifier associated with the intermediate access identifier, and transmits the authorization request message with the initial access identifier to a second authorization computer to authorize the transaction.
  • 6. The method of claim 5, wherein the initial access identifier comprises an alphanumeric value that corresponds to an identifier for a resource.
  • 7. The method of claim 6, wherein the resource corresponds to a file on a remote file server.
  • 8. The method of claim 5, wherein the intermediate access identifier is a virtual resource identifier.
  • 9. The method of claim 8, wherein the virtual resource identifier is not operable for being used to directly conduct a transaction.
  • 10. The method of claim 5, wherein the intermediate access identifier is associated with an expiration date.
  • 11. The method of claim 5, the method further comprising: subsequent to the second authorization computer authorizing the transaction, receiving, by the processing computer, an authorization response message from the first authorization computer, the authorization response message including the intermediate access identifier, the first authorization computer having replaced the initial access identifier included in an original authorization response message received from the second authorizing computer with the intermediate access identifier;retrieving, by the processing computer, the token from the token provider computer based at least in part on the intermediate access identifier;including, by the processing computer, the token in a modified authorization response message; andtransmitting, by the processing computer, the modified authorization response message to an access device.
  • 12. The method of claim 5, wherein the intermediate access identifier is received from the token provider computer, the token provider computer maintaining a mapping of the token to the intermediate access identifier.
  • 13. A processing computer comprising: a processor; anda non-transitory computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method comprising:receiving an authorization request message comprising a token;providing the token to a token provider computer in a transaction;receiving an intermediate access identifier associated with the token;modifying the authorization request message to include the intermediate access identifier; andtransmitting the authorization request message including the intermediate access identifier to a first authorization computer, wherein the first authorization computer modifies the authorization request message to include an initial access identifier associated with the intermediate access identifier, and transmits the authorization request message with the initial access identifier to a second authorization computer to authorize the transaction.
  • 14. The processing computer of claim 13, wherein the initial access identifier is comprises an alphanumeric value that corresponds to an identifier for a resource.
  • 15. The processing computer of claim 14, wherein the resource corresponds to a file on a remote file server.
  • 16. The processing computer of claim 13, wherein the intermediate access identifier is a virtual resource identifier.
  • 17. The processing computer of claim 16, wherein the virtual resource identifier is not operable for being used to directly conduct a transaction.
  • 18. The processing computer of claim 13, wherein the intermediate access identifier is associated with an expiration date.
  • 19. The processing computer of claim 13, wherein the method further comprises: subsequent to the second authorizing computer authorizing the transaction, receiving, by the processing computer an authorization response message from the first authorization computer, the authorization response message including the intermediate access identifier, the first authorization computer having replaced the initial access identifier included in an original authorization response message received from the second authorizing computer with the intermediate access identifier;retrieving, by the processing computer, the token from the token provider computer based at least in part on the intermediate access identifier;including, by the processing computer, the token in a modified authorization response message; andtransmitting, by the processing computer, the modified authorization response message to an access device.
  • 20. The processing computer of claim 13, wherein the intermediate access identifier is received from the token provider computer, the token provider computer maintaining a mapping of the token to the intermediate access identifier.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/269,935, filed on Feb. 19, 2021, which is a National Stage of international application claims priority to U.S. Patent Application No. 62/721,128, filed on Aug. 22, 2018, the disclosure of which are herein incorporated by reference in their entirety for all purposes.

US Referenced Citations (603)
Number Name Date Kind
5280527 Gullman et al. Jan 1994 A
5613012 Hoffman et al. Mar 1997 A
5781438 Lee et al. Jul 1998 A
5883810 Franklin et al. Mar 1999 A
5930767 Reber et al. Jul 1999 A
5953710 Fleming Sep 1999 A
5956699 Wong et al. Sep 1999 A
6000832 Franklin et al. Dec 1999 A
6014635 Harris et al. Jan 2000 A
6044360 Picciallo Mar 2000 A
6163771 Walker et al. Dec 2000 A
6227447 Campisano May 2001 B1
6236981 Hill May 2001 B1
6267292 Walker et al. Jul 2001 B1
6327578 Linehan Dec 2001 B1
6341724 Campisano Jan 2002 B2
6385596 Wiser et al. May 2002 B1
6422462 Cohen Jul 2002 B1
6425523 Shem-Ur et al. Jul 2002 B1
6453301 Niwa Sep 2002 B1
6592044 Wong et al. Jul 2003 B1
6636833 Flitcroft et al. Oct 2003 B1
6748367 Lee Jun 2004 B1
6805287 Bishop et al. Oct 2004 B2
6879965 Fung et al. Apr 2005 B2
6891953 DeMello et al. May 2005 B1
6901387 Wells et al. May 2005 B2
6931382 Laage et al. Aug 2005 B2
6938019 Uzo Aug 2005 B1
6941285 Sarcanin Sep 2005 B2
6980670 Hoffman et al. Dec 2005 B1
6990470 Hogan et al. Jan 2006 B2
6991157 Bishop et al. Jan 2006 B2
7051929 Li May 2006 B2
7069249 Stolfo et al. Jun 2006 B2
7103576 Mann, III et al. Sep 2006 B2
7113930 Eccles et al. Sep 2006 B2
7136835 Flitcroft et al. Nov 2006 B1
7177835 Walker et al. Feb 2007 B1
7177848 Hogan et al. Feb 2007 B2
7194437 Britto et al. Mar 2007 B1
7209561 Shankar et al. Apr 2007 B1
7264154 Harris Sep 2007 B2
7287692 Patel et al. Oct 2007 B1
7292999 Hobson et al. Nov 2007 B2
7350230 Forrest Mar 2008 B2
7353382 Labrou et al. Apr 2008 B2
7379919 Hogan et al. May 2008 B2
RE40444 Linehan Jul 2008 E
7415443 Hobson et al. Aug 2008 B2
7444676 Asghari-Kamrani et al. Oct 2008 B1
7469151 Khan et al. Dec 2008 B2
7548889 Bhambri et al. Jun 2009 B2
7567934 Flitcroft et al. Jul 2009 B2
7567936 Peckover et al. Jul 2009 B1
7571139 Giordano et al. Aug 2009 B1
7571142 Flitcroft et al. Aug 2009 B1
7580898 Brown et al. Aug 2009 B2
7584153 Brown et al. Sep 2009 B2
7593896 Flitcroft et al. Sep 2009 B1
7606560 Labrou et al. Oct 2009 B2
7627531 Breck et al. Dec 2009 B2
7627895 Gifford et al. Dec 2009 B2
7650314 Saunders Jan 2010 B1
7685037 Reiners et al. Mar 2010 B2
7702578 Fung et al. Apr 2010 B2
7707120 Dominguez et al. Apr 2010 B2
7712655 Wong May 2010 B2
7734527 Uzo Jun 2010 B2
7753265 Harris Jul 2010 B2
7770789 Oder, II et al. Aug 2010 B2
7784685 Hopkins, III Aug 2010 B1
7793851 Mullen Sep 2010 B2
7801826 Labrou et al. Sep 2010 B2
7805376 Smith Sep 2010 B2
7805378 Berardi et al. Sep 2010 B2
7818264 Hammad Oct 2010 B2
7828220 Mullen Nov 2010 B2
7835960 Breck et al. Nov 2010 B2
7841523 Oder, II et al. Nov 2010 B2
7841539 Hewton Nov 2010 B2
7844550 Walker et al. Nov 2010 B2
7848980 Carlson Dec 2010 B2
7849020 Johnson Dec 2010 B2
7853529 Walker et al. Dec 2010 B1
7853995 Chow et al. Dec 2010 B2
7865414 Fung et al. Jan 2011 B2
7873579 Hobson et al. Jan 2011 B2
7873580 Hobson et al. Jan 2011 B2
7890393 Talbert et al. Feb 2011 B2
7891563 Oder, II et al. Feb 2011 B2
7896238 Fein et al. Mar 2011 B2
7908216 Davis et al. Mar 2011 B1
7922082 Muscato Apr 2011 B2
7931195 Mullen Apr 2011 B2
7937324 Patterson May 2011 B2
7938318 Fein et al. May 2011 B2
7954705 Mullen Jun 2011 B2
7959076 Hopkins, III Jun 2011 B1
7996288 Stolfo Aug 2011 B1
8025223 Saunders et al. Sep 2011 B2
8046256 Chien et al. Oct 2011 B2
8060448 Jones Nov 2011 B2
8060449 Zhu Nov 2011 B1
8074877 Mullen et al. Dec 2011 B2
8074879 Harris Dec 2011 B2
8082210 Hansen et al. Dec 2011 B2
8095113 Kean et al. Jan 2012 B2
8104679 Brown Jan 2012 B2
RE43157 Bishop et al. Feb 2012 E
8109436 Hopkins, III Feb 2012 B1
8121942 Carlson et al. Feb 2012 B2
8121956 Carlson et al. Feb 2012 B2
8126449 Beenau et al. Feb 2012 B2
8132723 Hogg et al. Mar 2012 B2
8171525 Pelly et al. May 2012 B1
8175973 Davis et al. May 2012 B2
8190523 Patterson May 2012 B2
8196813 Vadhri Jun 2012 B2
8205791 Randazza et al. Jun 2012 B2
8219489 Patterson Jul 2012 B2
8224702 Mengerink et al. Jul 2012 B2
8225385 Chow et al. Jul 2012 B2
8229852 Carlson Jul 2012 B2
8265993 Chien et al. Sep 2012 B2
8280777 Mengerink et al. Oct 2012 B2
8281991 Wentker et al. Oct 2012 B2
8328095 Oder, II et al. Dec 2012 B2
8336088 Raj et al. Dec 2012 B2
8346666 Lindelsee et al. Jan 2013 B2
8376225 Hopkins, III Feb 2013 B1
8380177 Laracey Feb 2013 B2
8387873 Saunders et al. Mar 2013 B2
8401539 Beenau et al. Mar 2013 B2
8401898 Chien et al. Mar 2013 B2
8402555 Grecia Mar 2013 B2
8403211 Brooks et al. Mar 2013 B2
8412623 Moon et al. Apr 2013 B2
8412837 Emigh et al. Apr 2013 B1
8417642 Oren Apr 2013 B2
8447699 Batada et al. May 2013 B2
8453223 Svigals et al. May 2013 B2
8453925 Fisher et al. Jun 2013 B2
8458487 Palgon et al. Jun 2013 B1
8484134 Hobson et al. Jul 2013 B2
8485437 Mullen et al. Jul 2013 B2
8494959 Hathaway et al. Jul 2013 B2
8498908 Mengerink et al. Jul 2013 B2
8504475 Brand et al. Aug 2013 B2
8504478 Saunders et al. Aug 2013 B2
8510816 Quach et al. Aug 2013 B2
8528067 Hurry et al. Sep 2013 B2
8533116 Davis et al. Sep 2013 B2
8533860 Grecia Sep 2013 B1
8538845 Liberty Sep 2013 B2
8555079 Shablygin et al. Oct 2013 B2
8566168 Bierbaum et al. Oct 2013 B1
8567670 Stanfield et al. Oct 2013 B2
8571939 Lindsey et al. Oct 2013 B2
8577336 Mechaley, Jr. Nov 2013 B2
8577803 Chatterjee et al. Nov 2013 B2
8577813 Weiss Nov 2013 B2
8578176 Mattsson Nov 2013 B2
8583494 Fisher Nov 2013 B2
8584251 McGuire et al. Nov 2013 B2
8589237 Fisher Nov 2013 B2
8589271 Evans Nov 2013 B2
8589291 Carlson et al. Nov 2013 B2
8595098 Starai et al. Nov 2013 B2
8595812 Bomar et al. Nov 2013 B2
8595850 Spies et al. Nov 2013 B2
8606638 Dragt Dec 2013 B2
8606700 Carlson et al. Dec 2013 B2
8606720 Baker et al. Dec 2013 B1
8615468 Varadarajan Dec 2013 B2
8620754 Fisher Dec 2013 B2
8635157 Smith et al. Jan 2014 B2
8646059 Von Behren et al. Feb 2014 B1
8651374 Brabson et al. Feb 2014 B2
8656180 Shablygin et al. Feb 2014 B2
8751391 Freund Jun 2014 B2
8751642 Vargas et al. Jun 2014 B2
8762263 Gauthier et al. Jun 2014 B2
8793186 Patterson Jul 2014 B2
8838982 Carlson et al. Sep 2014 B2
8856539 Weiss Oct 2014 B2
8887308 Grecia Nov 2014 B2
9065643 Hurry et al. Jun 2015 B2
9070129 Sheets et al. Jun 2015 B2
9100826 Weiss Aug 2015 B2
9160741 Wentker et al. Oct 2015 B2
9229964 Stevelinck Jan 2016 B2
9245267 Singh Jan 2016 B2
9249241 Dai et al. Feb 2016 B2
9256871 Anderson et al. Feb 2016 B2
9280765 Hammad Mar 2016 B2
9530137 Weiss Dec 2016 B2
9646303 Karpenko et al. May 2017 B2
9680942 Dimmick Jun 2017 B2
20010029485 Brody et al. Oct 2001 A1
20010034720 Armes Oct 2001 A1
20010054003 Chien et al. Dec 2001 A1
20020007320 Hogan et al. Jan 2002 A1
20020016749 Borecki et al. Feb 2002 A1
20020029193 Ranjan et al. Mar 2002 A1
20020035548 Hogan et al. Mar 2002 A1
20020073045 Rubin et al. Jun 2002 A1
20020116341 Hogan et al. Aug 2002 A1
20020133467 Hobson et al. Sep 2002 A1
20020147913 Lun Yip Oct 2002 A1
20030028481 Flitcroft et al. Feb 2003 A1
20030130955 Hawthorne Jul 2003 A1
20030191709 Elston et al. Oct 2003 A1
20030191945 Keech Oct 2003 A1
20030216998 Chang et al. Nov 2003 A1
20040010462 Moon et al. Jan 2004 A1
20040050928 Bishop et al. Mar 2004 A1
20040059682 Hasumi et al. Mar 2004 A1
20040093281 Silverstein et al. May 2004 A1
20040139008 Mascavage, III Jul 2004 A1
20040143532 Lee Jul 2004 A1
20040158532 Breck et al. Aug 2004 A1
20040210449 Breck et al. Oct 2004 A1
20040210498 Freund Oct 2004 A1
20040232225 Bishop et al. Nov 2004 A1
20040236632 Maritzen et al. Nov 2004 A1
20040260646 Berardi et al. Dec 2004 A1
20050037735 Coutts Feb 2005 A1
20050080730 Sorrentino Apr 2005 A1
20050108178 York May 2005 A1
20050199709 Linlor Sep 2005 A1
20050246293 Ong Nov 2005 A1
20050269401 Spitzer et al. Dec 2005 A1
20050269402 Spitzer et al. Dec 2005 A1
20060235795 Johnson et al. Oct 2006 A1
20060237528 Bishop et al. Oct 2006 A1
20060278704 Saunders et al. Dec 2006 A1
20070107044 Yuen et al. May 2007 A1
20070129955 Dalmia et al. Jun 2007 A1
20070136193 Starr Jun 2007 A1
20070136211 Brown et al. Jun 2007 A1
20070170247 Friedman Jul 2007 A1
20070179885 Bird et al. Aug 2007 A1
20070208671 Brown et al. Sep 2007 A1
20070245414 Chan et al. Oct 2007 A1
20070288377 Shaked Dec 2007 A1
20070291995 Rivera Dec 2007 A1
20080015988 Brown et al. Jan 2008 A1
20080029607 Mullen Feb 2008 A1
20080035738 Mullen Feb 2008 A1
20080052226 Agarwal et al. Feb 2008 A1
20080054068 Mullen Mar 2008 A1
20080054079 Mullen Mar 2008 A1
20080054081 Mullen Mar 2008 A1
20080065554 Hogan et al. Mar 2008 A1
20080065555 Mullen Mar 2008 A1
20080201264 Brown et al. Aug 2008 A1
20080201265 Hewton Aug 2008 A1
20080228646 Myers et al. Sep 2008 A1
20080243702 Hart et al. Oct 2008 A1
20080245855 Fein et al. Oct 2008 A1
20080245861 Fein et al. Oct 2008 A1
20080283591 Il et al. Nov 2008 A1
20080302869 Mullen Dec 2008 A1
20080302876 Mullen Dec 2008 A1
20080313264 Pestoni Dec 2008 A1
20090006262 Brown et al. Jan 2009 A1
20090010488 Matsuoka et al. Jan 2009 A1
20090037333 Flitcroft et al. Feb 2009 A1
20090037388 Cooper et al. Feb 2009 A1
20090043702 Bennett Feb 2009 A1
20090048971 Hathaway et al. Feb 2009 A1
20090106112 Dalmia et al. Apr 2009 A1
20090106160 Skowronek Apr 2009 A1
20090134217 Flitcroft et al. May 2009 A1
20090157555 Biffle et al. Jun 2009 A1
20090159673 Mullen et al. Jun 2009 A1
20090159700 Mullen et al. Jun 2009 A1
20090159707 Mullen et al. Jun 2009 A1
20090173782 Muscato Jul 2009 A1
20090200371 Kean et al. Aug 2009 A1
20090248583 Chhabra Oct 2009 A1
20090276347 Kargman Nov 2009 A1
20090281948 Carlson Nov 2009 A1
20090294527 Brabson et al. Dec 2009 A1
20090307139 Mardikar et al. Dec 2009 A1
20090308921 Mullen Dec 2009 A1
20090327131 Beenau et al. Dec 2009 A1
20100008535 Abulafia et al. Jan 2010 A1
20100088237 Wankmueller Apr 2010 A1
20100094755 Kloster Apr 2010 A1
20100106644 Annan et al. Apr 2010 A1
20100120408 Beenau et al. May 2010 A1
20100133334 Vadhri Jun 2010 A1
20100138347 Chen Jun 2010 A1
20100145860 Pelegero Jun 2010 A1
20100161433 White Jun 2010 A1
20100185545 Royyuru et al. Jul 2010 A1
20100211505 Saunders et al. Aug 2010 A1
20100223186 Hogan et al. Sep 2010 A1
20100228668 Hogan et al. Sep 2010 A1
20100235284 Moore Sep 2010 A1
20100258620 Torreyson et al. Oct 2010 A1
20100291904 Musfeldt et al. Nov 2010 A1
20100299267 Faith et al. Nov 2010 A1
20100306076 Taveau et al. Dec 2010 A1
20100325041 Berardi et al. Dec 2010 A1
20110010292 Giordano et al. Jan 2011 A1
20110016047 Wu et al. Jan 2011 A1
20110016320 Bergsten et al. Jan 2011 A1
20110040640 Erikson Feb 2011 A1
20110047076 Carlson et al. Feb 2011 A1
20110083018 Kesanupalli et al. Apr 2011 A1
20110087596 Dorsey Apr 2011 A1
20110093397 Carlson et al. Apr 2011 A1
20110125597 Oder, II et al. May 2011 A1
20110153437 Archer et al. Jun 2011 A1
20110153498 Makhotin et al. Jun 2011 A1
20110154466 Harper et al. Jun 2011 A1
20110161233 Tieken Jun 2011 A1
20110178926 Lindelsee et al. Jul 2011 A1
20110191244 Dai Aug 2011 A1
20110238511 Park et al. Sep 2011 A1
20110238573 Varadarajan Sep 2011 A1
20110246317 Coppinger Oct 2011 A1
20110258111 Raj et al. Oct 2011 A1
20110272471 Mullen Nov 2011 A1
20110272478 Mullen Nov 2011 A1
20110276380 Mullen et al. Nov 2011 A1
20110276381 Mullen et al. Nov 2011 A1
20110276424 Mullen Nov 2011 A1
20110276425 Mullen Nov 2011 A1
20110295745 White et al. Dec 2011 A1
20110302081 Saunders et al. Dec 2011 A1
20120023567 Hammad Jan 2012 A1
20120028609 Hruska Feb 2012 A1
20120030047 Fuentes et al. Feb 2012 A1
20120035998 Chien et al. Feb 2012 A1
20120041881 Basu et al. Feb 2012 A1
20120047237 Arvidsson et al. Feb 2012 A1
20120066078 Kingston et al. Mar 2012 A1
20120072350 Goldthwaite et al. Mar 2012 A1
20120078735 Bauer et al. Mar 2012 A1
20120078798 Downing et al. Mar 2012 A1
20120078799 Jackson et al. Mar 2012 A1
20120095852 Bauer et al. Apr 2012 A1
20120095865 Doherty et al. Apr 2012 A1
20120116902 Cardina et al. May 2012 A1
20120123882 Carlson et al. May 2012 A1
20120123940 Killian et al. May 2012 A1
20120129514 Beenau et al. May 2012 A1
20120143754 Patel Jun 2012 A1
20120143767 Abadir Jun 2012 A1
20120143772 Abadir Jun 2012 A1
20120158580 Eram et al. Jun 2012 A1
20120158593 Garfinkle et al. Jun 2012 A1
20120173431 Ritchie et al. Jul 2012 A1
20120185386 Salama et al. Jul 2012 A1
20120197807 Schlesser et al. Aug 2012 A1
20120203664 Torossian et al. Aug 2012 A1
20120203666 Torossian et al. Aug 2012 A1
20120215688 Musser et al. Aug 2012 A1
20120215696 Salonen Aug 2012 A1
20120221421 Hammad Aug 2012 A1
20120226582 Hammad Sep 2012 A1
20120231844 Coppinger Sep 2012 A1
20120233004 Bercaw Sep 2012 A1
20120246070 Vadhri Sep 2012 A1
20120246071 Jain et al. Sep 2012 A1
20120246079 Wilson et al. Sep 2012 A1
20120265631 Cronic et al. Oct 2012 A1
20120271770 Harris et al. Oct 2012 A1
20120297446 Webb et al. Nov 2012 A1
20120300932 Cambridge et al. Nov 2012 A1
20120303503 Cambridge et al. Nov 2012 A1
20120303961 Kean et al. Nov 2012 A1
20120304273 Bailey et al. Nov 2012 A1
20120310725 Chien et al. Dec 2012 A1
20120310831 Harris et al. Dec 2012 A1
20120316992 Oborne Dec 2012 A1
20120317035 Royyuru et al. Dec 2012 A1
20120317036 Bower et al. Dec 2012 A1
20130017784 Fisher Jan 2013 A1
20130018757 Anderson et al. Jan 2013 A1
20130019098 Gupta et al. Jan 2013 A1
20130031006 McCullagh et al. Jan 2013 A1
20130054337 Brendell et al. Feb 2013 A1
20130054466 Muscato Feb 2013 A1
20130054474 Yeager Feb 2013 A1
20130081122 Svigals et al. Mar 2013 A1
20130091028 Oder (“J.D.”), II et al. Apr 2013 A1
20130110658 Lyman et al. May 2013 A1
20130111599 Gargiulo May 2013 A1
20130117185 Collison et al. May 2013 A1
20130124290 Fisher May 2013 A1
20130124291 Fisher May 2013 A1
20130124364 Mittal May 2013 A1
20130138525 Bercaw May 2013 A1
20130144888 Faith et al. Jun 2013 A1
20130145148 Shablygin et al. Jun 2013 A1
20130145172 Shablygin et al. Jun 2013 A1
20130159178 Colon et al. Jun 2013 A1
20130159184 Thaw Jun 2013 A1
20130166402 Parento et al. Jun 2013 A1
20130166456 Zhang et al. Jun 2013 A1
20130173736 Krzeminski et al. Jul 2013 A1
20130185202 Goldthwaite et al. Jul 2013 A1
20130191227 Pasa et al. Jul 2013 A1
20130191286 Cronic et al. Jul 2013 A1
20130191289 Cronic et al. Jul 2013 A1
20130198071 Jurss Aug 2013 A1
20130198080 Anderson et al. Aug 2013 A1
20130200146 Moghadam Aug 2013 A1
20130204787 Dubois Aug 2013 A1
20130204793 Kerridge et al. Aug 2013 A1
20130212007 Mattsson et al. Aug 2013 A1
20130212017 Bangia Aug 2013 A1
20130212019 Mattsson et al. Aug 2013 A1
20130212024 Mattsson et al. Aug 2013 A1
20130212026 Powell et al. Aug 2013 A1
20130212666 Mattsson et al. Aug 2013 A1
20130218698 Moon et al. Aug 2013 A1
20130218769 Pourfallah et al. Aug 2013 A1
20130226799 Raj Aug 2013 A1
20130226802 Hammad et al. Aug 2013 A1
20130226813 Voltz Aug 2013 A1
20130246199 Carlson Sep 2013 A1
20130246202 Tobin Sep 2013 A1
20130246203 Laracey Sep 2013 A1
20130246258 Dessert Sep 2013 A1
20130246259 Dessert Sep 2013 A1
20130246261 Purves et al. Sep 2013 A1
20130246267 Tobin Sep 2013 A1
20130254028 Salci Sep 2013 A1
20130254052 Royyuru et al. Sep 2013 A1
20130254102 Royyuru Sep 2013 A1
20130254117 von Mueller et al. Sep 2013 A1
20130262296 Thomas et al. Oct 2013 A1
20130262302 Lettow et al. Oct 2013 A1
20130262315 Hruska Oct 2013 A1
20130262316 Hruska Oct 2013 A1
20130262317 Collinge et al. Oct 2013 A1
20130275300 Killian et al. Oct 2013 A1
20130275307 Khan Oct 2013 A1
20130275308 Paraskeva et al. Oct 2013 A1
20130282502 Jooste Oct 2013 A1
20130282575 Mullen et al. Oct 2013 A1
20130282588 Hruska Oct 2013 A1
20130297501 Monk et al. Nov 2013 A1
20130297504 Nwokolo et al. Nov 2013 A1
20130297508 Belamant Nov 2013 A1
20130304649 Cronic et al. Nov 2013 A1
20130308778 Fosmark et al. Nov 2013 A1
20130311382 Fosmark et al. Nov 2013 A1
20130317982 Mengerink et al. Nov 2013 A1
20130332344 Weber Dec 2013 A1
20130339253 Sincai Dec 2013 A1
20130346305 Mendes Dec 2013 A1
20130346314 Mogollon et al. Dec 2013 A1
20140007213 Sanin et al. Jan 2014 A1
20140013106 Redpath Jan 2014 A1
20140013114 Redpath Jan 2014 A1
20140013452 Aissi et al. Jan 2014 A1
20140019352 Shrivastava Jan 2014 A1
20140025581 Calman Jan 2014 A1
20140025585 Calman Jan 2014 A1
20140025958 Calman Jan 2014 A1
20140032417 Mattsson Jan 2014 A1
20140032418 Weber Jan 2014 A1
20140040137 Carlson et al. Feb 2014 A1
20140040139 Brudnicki et al. Feb 2014 A1
20140040144 Plomske et al. Feb 2014 A1
20140040145 Ozvat et al. Feb 2014 A1
20140040148 Ozvat et al. Feb 2014 A1
20140040628 Fort et al. Feb 2014 A1
20140041018 Bomar et al. Feb 2014 A1
20140046853 Spies et al. Feb 2014 A1
20140047551 Nagasundaram et al. Feb 2014 A1
20140052532 Tsai et al. Feb 2014 A1
20140052620 Rogers et al. Feb 2014 A1
20140052637 Jooste et al. Feb 2014 A1
20140068706 Aissi Mar 2014 A1
20140074637 Hammad Mar 2014 A1
20140108172 Weber et al. Apr 2014 A1
20140114857 Griggs et al. Apr 2014 A1
20140143137 Carlson May 2014 A1
20140164243 Aabye et al. Jun 2014 A1
20140188586 Carpenter Jul 2014 A1
20140249945 Gauthier et al. Sep 2014 A1
20140294701 Dai et al. Oct 2014 A1
20140297534 Patterson Oct 2014 A1
20140310183 Weber Oct 2014 A1
20140324690 Allen et al. Oct 2014 A1
20140330721 Wang Nov 2014 A1
20140330722 Laxminarayanan et al. Nov 2014 A1
20140331265 Mozell et al. Nov 2014 A1
20140337236 Wong et al. Nov 2014 A1
20140344153 Raj et al. Nov 2014 A1
20140372308 Sheets Dec 2014 A1
20150019443 Sheets et al. Jan 2015 A1
20150032625 Dill et al. Jan 2015 A1
20150032626 Dill et al. Jan 2015 A1
20150032627 Dill et al. Jan 2015 A1
20150046338 Laxminarayanan et al. Feb 2015 A1
20150046339 Wong et al. Feb 2015 A1
20150052064 Karpenko et al. Feb 2015 A1
20150081544 Schulz et al. Mar 2015 A1
20150088756 Makhotin et al. Mar 2015 A1
20150106239 Gaddam et al. Apr 2015 A1
20150112870 Nagasundaram et al. Apr 2015 A1
20150112871 Kumnick Apr 2015 A1
20150120472 Aabye et al. Apr 2015 A1
20150127529 Makhotin et al. May 2015 A1
20150127547 Powell et al. May 2015 A1
20150140960 Powell et al. May 2015 A1
20150142673 Nelsen et al. May 2015 A1
20150161597 Subramanian et al. Jun 2015 A1
20150178724 Ngo et al. Jun 2015 A1
20150180836 Wong et al. Jun 2015 A1
20150186864 Jones et al. Jul 2015 A1
20150193222 Pirzadeh et al. Jul 2015 A1
20150195133 Sheets et al. Jul 2015 A1
20150199679 Palanisamy et al. Jul 2015 A1
20150199689 Kumnick et al. Jul 2015 A1
20150220917 Aabye et al. Aug 2015 A1
20150242853 Powell Aug 2015 A1
20150269566 Gaddam et al. Sep 2015 A1
20150278799 Palanisamy Oct 2015 A1
20150287037 Salmon et al. Oct 2015 A1
20150312038 Palanisamy Oct 2015 A1
20150319158 Kumnick Nov 2015 A1
20150324736 Sheets et al. Nov 2015 A1
20150332262 Lingappa Nov 2015 A1
20150356560 Shastry et al. Dec 2015 A1
20150363781 Badenhorst Dec 2015 A1
20160028550 Gaddam et al. Jan 2016 A1
20160036790 Shastry et al. Feb 2016 A1
20160042263 Gaddam et al. Feb 2016 A1
20160065370 Le Saint Mar 2016 A1
20160086184 Carpenter et al. Mar 2016 A1
20160092696 Guglani Mar 2016 A1
20160092872 Prakash et al. Mar 2016 A1
20160092874 O'Regan et al. Mar 2016 A1
20160103675 Aabye et al. Apr 2016 A1
20160119296 Laxminarayanan et al. Apr 2016 A1
20160132878 O'Regan et al. May 2016 A1
20160140545 Flurscheim et al. May 2016 A1
20160148197 Dimmick May 2016 A1
20160148212 Dimmick May 2016 A1
20160171479 Prakash et al. Jun 2016 A1
20160173483 Wong et al. Jun 2016 A1
20160197725 Hammad Jul 2016 A1
20160210628 McGuire Jul 2016 A1
20160217461 Gaddam et al. Jul 2016 A1
20160218875 Le Saint et al. Jul 2016 A1
20160224976 Basu et al. Aug 2016 A1
20160224977 Sabba et al. Aug 2016 A1
20160232527 Patterson Aug 2016 A1
20160239842 Cash et al. Aug 2016 A1
20160260097 Nadella et al. Sep 2016 A1
20160269391 Gaddam et al. Sep 2016 A1
20160308995 Youdale et al. Oct 2016 A1
20170046696 Powell et al. Feb 2017 A1
20170076288 Awasthi Mar 2017 A1
20170103387 Weber Apr 2017 A1
20170109745 Al-Bedaiwi et al. Apr 2017 A1
20170148013 Rajurkar et al. May 2017 A1
20170163617 Laxminarayanan et al. Jun 2017 A1
20170163629 Law et al. Jun 2017 A1
20170186001 Reed et al. Jun 2017 A1
20170200156 Karpenko et al. Jul 2017 A1
20170200165 Laxminarayanan et al. Jul 2017 A1
20170201520 Chandoor et al. Jul 2017 A1
20170220818 Nagasundaram et al. Aug 2017 A1
20170221054 Flurscheim et al. Aug 2017 A1
20170221056 Karpenko et al. Aug 2017 A1
20170228723 Taylor et al. Aug 2017 A1
20170228728 Sullivan Aug 2017 A1
20170236113 Chitalia et al. Aug 2017 A1
20170293914 Girish et al. Oct 2017 A1
20170295155 Wong Oct 2017 A1
20170337549 Wong Nov 2017 A1
20170352026 Musil et al. Dec 2017 A1
20170364903 Lopez Dec 2017 A1
20170364914 Howard Dec 2017 A1
20170373852 Cassin Dec 2017 A1
20180006821 Kinagi Jan 2018 A1
20180075081 Chipman Mar 2018 A1
20180247303 Raj et al. Aug 2018 A1
20180262334 Hammad Sep 2018 A1
20180268399 Spector et al. Sep 2018 A1
20180268405 Lopez Sep 2018 A1
20180285875 Law et al. Oct 2018 A1
20180324184 Kaja et al. Nov 2018 A1
20180324584 Lopez Nov 2018 A1
20190020478 Girish Jan 2019 A1
20190066069 Faith et al. Feb 2019 A1
20190147439 Wang et al. May 2019 A1
20190356489 Palanisamy Nov 2019 A1
20190384896 Jones Dec 2019 A1
20190392431 Chitalia et al. Dec 2019 A1
20200267153 Kang et al. Aug 2020 A1
20200314644 Dean et al. Oct 2020 A1
Foreign Referenced Citations (1)
Number Date Country
2017176279 Oct 2017 WO
Non-Patent Literature Citations (6)
Entry
U.S. Appl. No. 17/269,935 , “Notice of Allowance”, May 31, 2023, 9 pages.
EP19852298.9 , “Extended European Search Report”, Sep. 10, 2021, 12 pages.
EP19852298.9 , “Office Action”, Feb. 8, 2023, 8 pages.
PCT/US2019/047712 , “International Preliminary Report on Patentability”, Mar. 4, 2021, 10 pages.
PCT/US2019/047712 , “International Search Report and Written Opinion”, Dec. 11, 2019, 13 pages.
SG11202101587S , “Written Opinion”, Nov. 14, 2022, 8 pages.
Related Publications (1)
Number Date Country
20230403277 A1 Dec 2023 US
Provisional Applications (1)
Number Date Country
62721128 Aug 2018 US
Continuations (1)
Number Date Country
Parent 17269935 US
Child 18457829 US