Embodiments generally relate to methods, apparatus and systems for securely and conveniently enrolling consumer biometric data into a biometric payment card, and methods concerning subsequent use of the biometric payment card. More specifically, in some embodiments a user is provided with a biometric payment card and then enrolls his or her fingerprints during a first purchase transaction directly into the biometric payment card for use in future purchase transactions. Fingerprint template data obtained from the consumer during one or more subsequent purchase transactions with the biometric payment card may then be used to refine, modify or replace the initial biometric enrollment data.
Millions of consumer transactions occur daily using payment cards, such as credit cards, debit cards, prepaid cards, and the like financial products. Consumers or cardholders may engage in transactions in a variety of different environments, such as in a retail store, over the Internet (or online), at automatic-teller machines (ATMs), and/or via a telephone call to order merchandise via an interaction between the cardholder and a customer service representative. Fraudulent or illegal transactions can occur in each of these cases.
A typical retail store purchase transaction involves a customer bringing one or more items to a checkout counter or cash register station, where a cashier or clerk scans the items and a purchase amount is tabulated. After all of the merchandise or items are scanned, the customer pulls out his or her plastic payment card and then either swipes the payment card through a card reader (if it is a magnetic stripe card) or inserts it into, or taps it on, a chip card reader (if it is a smart payment card or a chip card). The card reader reads cardholder credential data from the payment card and then transmits that data to the cash register, which then forwards the cardholder credential data along with purchase transaction data to an acquirer financial institution (FI), which then transmits it to a payment network. Next, the payment network identifies the issuer FI which issued the customer's payment card account, and then transmits the cardholder credential data and the purchase transaction data to that issuer FI for authorization processing. If all is in order (i.e., the issuer FI verifies the cardholder credential data and confirms that the payment card account has an adequate credit line available to cover the cost of the purchase), then the issuer FI authorizes the purchase transaction and transmits an authorization response to the payment network. The payment network forwards the authorization response to the acquirer FI, which then transmits an authorization message to the merchant's cash register and/or card reader for display to the cashier and the cardholder. In some cases, the customer is then prompted to utilize a special stylus or pen to sign an electronic signature pad associated with the card reader, but in other cases (for example, when the purchase transaction amount is below a predetermined threshold amount) the customer is not required to provide his or her signature. 
The customer is then typically provided with a paper receipt for the purchase transaction (which may include the merchant store name, a list of the items purchased and their cost, the total purchase amount, and an indication identifying the type of payment card account used by the customer) and then leaves the retail store.
In-store payment card purchase transaction processes may vary somewhat from the above example, and may also vary depending on the equipment being used by a particular merchant and/or retail store (for example, some card readers may be configured for the consumer to tap his or her near-field communication (NFC) payment card on a designated area instead of inserting or swiping the payment card through the card reader). Regardless of how cardholder data is obtained from a payment card, most cashiers and/or store clerks do not bother to verify or check the cardholder's signature. Thus, a thief may be able to use a stolen payment card to make fraudulent purchases until the actual cardholder realizes that his or her payment card has been lost or stolen, and then contacts the issuer FI to cancel or suspend that payment card account.
The risk of fraudulent activity (and loss of money) has increased with the increased use of payment card accounts, and thus major payment card transaction processing companies such as Mastercard International Incorporated, Visa Inc., and the American Express Company have designed and implemented various types of anti-fraud mechanisms and/or features. For example, many payment cards have been issued that include security features such as holograms, a photograph of the cardholder appearing on the rear side of the payment card, and/or a card verification code (CVC). In addition, payment card credential data processing features have been implemented that require the cardholder to use passwords and/or personal identification numbers (PINs). The payment card transaction processing companies have also implemented various types of payment card account fraud monitoring and notification processes in order to prevent and/or curtail fraudulent activities.
In order to further reduce the risk of fraud in card-present transactions, Mastercard International Incorporated introduced the Mastercard® Biometric Card, which provides a simple and secure way for cardholders to authenticate their identity for in-store purchases with a fingerprint, as an alternative to utilizing a PIN, a password or a signature. Since biometric characteristics are difficult to duplicate, they are ideal for use to protect against fraudulent activities. The Mastercard® Biometric Card includes fingerprint template data that is stored on the biometric payment card itself, and during purchase transaction processing (which includes user authentication of the cardholder) the fingerprint template data never leaves the biometric payment card. Instead, the cardholder places his or her finger (such as a thumb) on a fingerprint sensor built into the biometric payment card during a payment transaction. Fingerprint data is then obtained and compared to the stored fingerprint template data, and an authentication message is transmitted to a merchant's reader device. The fingerprint template data on the biometric payment card is not shared with the merchant, and therefore is not transmitted to a remote server for authentication purposes. Such operation protects the cardholder's personal identification data while also improving security of the purchase transaction.
Biometric payment card transactions using the Mastercard Biometric Card are promptly conducted because cardholders do not need to remember and then enter a PIN during the checkout process. In addition, biometric card transactions do not require any hardware or software changes to current EMV®-enabled payment terminals, and thus there is no need for the merchant to make any hardware or software updates (the acronym EMV® stands for “Europay, Mastercard, Visa,” and denotes a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions). Thus, cardholders enjoy an easy and secure checkout experience, while merchants can have enhanced certainty of genuine cardholder identity, which may result in an increase in revenue (from a reduction in false declines and/or a reduction in forgotten PIN transactions).
A challenge encountered when issuing biometric payment cards to consumers concerns enrollment of a consumer's biometric data, such as fingerprint template data, into a memory of the biometric payment card. In one enrollment method, the issuer FI provides a biometric payment card to the consumer via regular mail or via courier with instructions directing the consumer to go to a bank, a company office, a co-branded location or to a third-party entity affiliated with the issuer FI to enroll by providing biometric data into a tablet computer. In this case, the affiliated entity or issuer bank provides a tablet computer that includes an integrated scanner to perform, for example, fingerprint capture and to securely transfer at least two digital images immediately to the biometric payment card. Such an enrollment procedure can be conducted in about five (5) minutes or less at the designated location, is very secure, and includes obtaining an accurate and robust biometric enrollment image. This process also includes the advantage of having a customer service representative present to guide the consumer through the biometric data acquisition process and to answer any questions. However, such an enrollment process is expensive for the issuer FI and may also be inconvenient and/or somewhat time-consuming for some customers because of the requirement to take a trip to a designated location (such as a bank) to enroll.
Another enrollment procedure involves the issuer financial institution (FI) providing a disposable, lightweight plastic sleeve along with the biometric payment card to the consumer (which is typically mailed in a package to the consumer's residence address). When the consumer receives the package, he or she removes the biometric payment card and plastic sleeve, which is sized to encase the biometric payment card, and follows instructions included in the package to enroll. The plastic sleeve includes electronic circuitry and a battery that enables the cardholder to enroll directly into the biometric card by using the biometric card's embedded biometric sensor (i.e., a fingerprint sensor), wherein the enrollment process typically takes a few minutes without issuer FI supervision. Although this biometric card enrollment procedure enables a consumer to enroll his or her biometric data (fingerprint data or fingerprint template data) while at home and is thus convenient, if he or she misunderstands the directions or instructions and/or an error occurs then the consumer may decide to abandon the process and thus fail to enroll. In addition, the biometric enrollment image (for example, the fingerprint image data) is limited by the size of the small sensor typically provided on the face of a biometric payment card, and thus may be inaccurate and/or difficult to match.
Accordingly, it would be advantageous to develop an easy and secure process for enrolling customer biometric data, such as fingerprint template data, into a newly issued biometric payment card that overcomes the drawbacks of the above-described methods and leads to increased acceptance by consumers of biometric payment cards.
Features and advantages of some embodiments, and the manner in which the same are accomplished, will become more readily apparent with reference to the following detailed description taken in conjunction with the accompanying drawings, which illustrate exemplary embodiments, wherein:
Reference will now be made in detail to various novel embodiments, examples of which are illustrated in the accompanying drawings. The drawings and descriptions thereof are not intended to limit the invention to any particular embodiment(s). On the contrary, the descriptions provided herein are intended to cover alternatives, modifications, and equivalents thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the various embodiments, but some or all of these embodiments may be practiced without some or all of the specific details. In other instances, well-known process operations have not been described in detail in order not to unnecessarily obscure novel aspects.
A number of terms will be used herein. The use of such terms is not intended to be limiting; rather, such terms are used for convenience and ease of exposition. For example, as used herein, the term “consumer” may be used interchangeably with the term “cardholder” or “user” and such terms are used herein to refer to a consumer, person, individual, business or other entity that owns (or is authorized to use) a financial account such as a payment card account (for example, a credit card account). In addition, the term “biometric payment card account” may include or be associated with a credit card account, a debit card account, and/or a deposit account or other type of financial account that an account holder may access. The term “payment card account number” or “biometric payment card account number” includes a number that identifies a payment card system account or a number carried by a payment card, and/or a number that is used to route a transaction in a payment network that handles debit card and/or credit card transactions and the like. Moreover, as used herein the terms “payment network,” “payment card system” and/or “payment system” refer to a system and/or network for processing and/or handling purchase transactions and related financial transactions, which may be operated by a payment card system operator such as Mastercard International Incorporated (the assignee of the present application), or a similar system. In some embodiments, the term “payment card system” may be limited to systems in which member financial institutions (such as banks) issue payment card accounts to individuals, businesses and/or other entities or organizations.
As used herein, the term “issuer” and/or “issuer FI” is used to refer to the financial institution or entity (such as a bank) that issues a biometric payment account (such as a credit card or debit card account) to a consumer or cardholder. The issuer of a biometric payment card maintains the payment card accounts of its cardholders, including biometric payment card account holders.
In general, and for the purpose of introducing concepts of novel embodiments described herein, disclosed are methods, apparatus and systems that allow a consumer or user to securely and conveniently enroll his or her biometric data directly into a newly issued biometric payment card. It has been recognized that capturing and loading biometric data onto a biometric payment card is not as straightforward as loading biometric data onto a mobile device (such as a smartphone). For example, saving biometric data such as fingerprint template data onto the mobile device can be relatively straightforward, by following directions presented on a display screen of the mobile device while utilizing an integrated fingerprint sensor of the mobile device. Consumers, however, desire a convenient method for enrolling after receiving a newly issued biometric payment card, while issuer FIs desire an enrollment process that is inexpensive and includes obtaining robust consumer biometric data for use in authenticating the cardholder.
For ease of understanding, the example embodiments described herein include a biometric payment card having an integrated fingerprint sensor. The disclosed enrollment processes involve obtaining fingerprint template data from the customer or cardholder during a first or initial use of the biometric payment card involving a purchase transaction, and then utilizing that fingerprint template data in subsequent transactions. In some embodiments, under some circumstances and/or conditions, subsequent fingerprint data obtained from the cardholder during one or more subsequent purchase transactions may be used to modify and/or replace the stored fingerprint template data on the biometric payment card. However, it is contemplated that other types of biometric sensors could be integrated onto a biometric payment card instead of, or in addition to, a fingerprint sensor, such as a retina scanner or an audio sensor (such as a microphone) for obtaining biometric data from the consumer during an authentication process. Thus, although embodiments described herein relate to using fingerprint data obtained from the cardholder, the processes disclosed herein could also be utilized with other types of biometric data.
Accordingly, in some embodiments disclosed herein, an issuer financial institution (FI) sends a package containing a biometric payment card to the consumer who applied for (and qualified for) obtaining a biometric payment card account. The package contains the biometric payment card along with instructions for activating the basic payment card functions. In some embodiments, the cardholder activates the biometric payment card by, for example, calling a voice recognition unit (VRU) from a home telephone number (which the issuer FI has on file), or by calling a customer service representative, or by logging into the issuer FI's website or application to confirm receipt of the biometric payment card. In some implementations, the package also includes instructions for the cardholder to enroll biometric data into the biometric payment card during a first purchase transaction in order to activate the biometric technology features of the biometric payment card, which process is described in detail below. In addition, in some embodiments data stored in the biometric payment card is updated during a subsequent purchase transaction under some circumstances, for example, to improve the biometric data (such as fingerprint template data) stored on the biometric payment card. Thus, enrollment of biometric data by the cardholder occurs during a first use of the biometric payment card by the cardholder, and biometric data updates may also occur during subsequent usage under some circumstances, in accordance with procedures described herein during card usage in the field, when the genuine cardholder attempts to perform purchase transactions.
In some embodiments, the biometric payment card 100 is made of a plastic material, and has dimensions conforming to the known ID-1 format, which is commonly used for credit cards, debit cards, ATM cards and the like. (The ID-1 format specifies a card size of 85.60×53.98 mm (3 ⅜ inches by 2 ⅛ inches), and includes rounded corners having a radius of between 2.88 millimeters (mm) and 3.48 mm). The biometric payment card 100 may also include a primary account number (PAN) 108, an expiration date 110, the cardholder's name 112, and a payment card logo 114 which are printed or embossed on the front side or face of the payment card 100. It should be understood that the biometric payment card 100 may be made of other types of materials (i.e., a metallic material or composite material), and may include other features and/or components.
In accordance with embodiments described herein, a user or cardholder of a newly issued biometric payment card 100 enrolls his or her fingerprint template data during a first purchase transaction with the biometric payment card. For example, referring to
In the scenario described immediately above, in accordance with embodiments disclosed herein, the issuer FI performs a purchase transaction authorization procedure based on the PIN provided by the cardholder and its own internal fraud and/or analytics processing, to confirm that it is a genuine transaction and that the PIN matches stored data associated with the cardholder. The issuer FI also determines whether the cardholder has adequate funds or an adequate credit line to cover the cost of the purchase transaction. When the purchase transaction is authorized, the issuer FI transmits an authorization message to the merchant device 204 via the payment network 208 and acquirer FI 206 along with an additional enrollment message. The enrollment message is transmitted to the payment card reader device 202 and forwarded to the biometric payment card 100, and includes instructions for the EMV® chip 102 to store the fingerprint template data presented earlier by the cardholder (when the cardholder first presented the biometric payment card 100 to the payment card reader device 202 to conduct the transaction) as enrollment biometric data (enrollment fingerprint template data). This enrollment fingerprint template data will then be used when the cardholder next utilizes her biometric payment card 100 for another or subsequent purchase transaction.
Thus, after the enrollment process occurs, during a subsequent purchase transaction, the consumer takes out her biometric payment card 100 and again places her right forefinger on the finger touch pad 107 of the biometric sensor 106 and taps the biometric payment card on a landing pad of the payment card reader device 202. In this case, since there is a fingerprint template stored within the biometric payment card, then a biometric matching process is conducted which compares the fingerprint template data extracted from the cardholder's right finger image data to the stored fingerprint template data. If a match occurs, then the cardholder is authenticated and purchase transaction information along with cardholder information is transmitted via the merchant acquirer financial institution (FI) 206 to the payment network 208. The payment network 208 then determines which one of a plurality of issuer FIs (210A to 210N) issued the cardholder's biometric payment card, and then transmits the biometric authentication data and purchase transaction data to that issuer FI 210A. The issuer FI 210A then determines, based on the cardholder authentication data and on the creditworthiness of the cardholder, to authorize or to decline the purchase transaction. Thus, the issuer FI 210A generates and transmits an authorization or decline message back to the merchant device 204 via the payment network 208 and acquirer FI 206.
In some implementations, if the biometric authentication failed (e.g., the current fingerprint template data of the cardholder did not match the enrollment fingerprint template data) then the card reader 202 may prompt the cardholder to try again (for example, by displaying a message on a display screen). If the cardholder again cannot match his or her fingerprint to the stored fingerprint template data, then the cardholder may be asked to enter an alternate cardholder verification method (CVM) such as a personal identification number (PIN), which the merchant then handles in accordance with the merchant's purchase transaction risk procedures. As explained above, such a purchase transaction process assumes that the cardholder has already enrolled his or her biometric data (for example, fingerprint template data) into the biometric payment card 100.
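The card-side behavior described above (candidate template held during the first transaction, committed only on the issuer's enrollment message, then matched with retry and alternate-CVM fallback on later transactions) can be modeled as follows. This is an added example, not code from the original disclosure; the class and method names, the feature-set representation of a template, the 60% threshold, the single retry, and the discarding of a candidate when no enrollment message arrives are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Outcome(Enum):
    CANDIDATE_HELD = "no template yet: capture held, alternate CVM (PIN) used"
    MATCH = "cardholder authenticated by fingerprint"
    RETRY = "no match: prompt cardholder to try again"
    ALTERNATE_CVM = "no match after retry: fall back to alternate CVM"


def matching_score(stored: FrozenSet[int], current: FrozenSet[int]) -> float:
    """Toy score: percentage of stored template features seen in the capture."""
    return 100.0 * len(stored & current) / len(stored) if stored else 0.0


@dataclass
class BiometricCard:
    """Hypothetical model of the card's enrollment and matching state."""
    threshold: float = 60.0                    # issuer-set, percent (assumed)
    max_attempts: int = 2                      # assumption: one retry, then fallback
    enrolled: Optional[FrozenSet[int]] = None  # committed enrollment template
    pending: Optional[FrozenSet[int]] = None   # candidate from first presentment
    failures: int = 0

    def present(self, capture: FrozenSet[int]) -> Tuple[Outcome, float]:
        """Cardholder touches the sensor and presents the card to a reader."""
        if self.enrolled is None:
            # First use: nothing to match against, so only hold the candidate.
            self.pending = capture
            return Outcome.CANDIDATE_HELD, 0.0
        score = matching_score(self.enrolled, capture)
        if score > self.threshold:             # "above" the matching threshold
            self.failures = 0
            return Outcome.MATCH, score
        self.failures += 1
        if self.failures < self.max_attempts:
            return Outcome.RETRY, score
        self.failures = 0
        return Outcome.ALTERNATE_CVM, score

    def issuer_response(self, authorized: bool, enrollment_message: bool) -> bool:
        """Commit the candidate only when the issuer authorized and sent the
        enrollment message; in every other case the candidate is discarded."""
        commit = (authorized and enrollment_message
                  and self.enrolled is None and self.pending is not None)
        if commit:
            self.enrolled = self.pending
        self.pending = None
        return commit


def demo() -> List[Outcome]:
    """Constructed walk-through: enroll, match, then two failed attempts."""
    owner = frozenset(range(20))                 # constructed feature ids
    noisy = frozenset(range(18)) | {100, 101}    # 18 of 20 features -> 90%
    stranger = frozenset(range(100, 120))        # shares no features -> 0%
    card = BiometricCard()
    steps = [card.present(owner)[0]]
    card.issuer_response(authorized=True, enrollment_message=True)
    for capture in (noisy, stranger, stranger):
        steps.append(card.present(capture)[0])
    return steps
```
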
Accordingly, after enrollment, the consumer can utilize the fingerprint feature of her biometric payment card 100 to perform purchase transactions. For example, the cardholder can dip or tap the biometric payment card at a merchant's chip-enabled terminal while at the same time holding his finger (such as his thumb) on the face 107 of the integrated fingerprint sensor 106. A processor embedded in the EMV® chip 102 of the biometric payment card compares the extracted features of the user's fingerprint image (picked up by the fingerprint sensor 106) to the fingerprint template data 306 stored on the card. In some embodiments, a match occurs when a matching score generated by the EMV® chip 102 is above a matching threshold value. In some embodiments, the matching score relates to how closely the current fingerprint template data matches the stored fingerprint template data (which may be the enrollment fingerprint template data) based on a percentage match, and the threshold value is set or predetermined by the issuer FI (the issuer of the cardholder's biometric card account). For example, if the matching threshold is set at sixty percent (60%) by the issuer FI and the matching score is ninety percent (90%), this means that ninety percent of the fingerprint features of the stored fingerprint template data matched the cardholder's current fingerprint data obtained by the fingerprint sensor 106 of the biometric payment card 100. Accordingly, the cardholder is authenticated. When such a match occurs, in some implementations the biometric payment card 100 transmits an indication of successful cardholder authentication along with payment card account credentials and additional information concerning the match (such as matching score) to the merchant's chip reader device 202, which forwards the information to an acquirer FI 206 for further processing (see
In some embodiments, when the issuer FI receives the matching score from the merchant system, then the issuer FI's backend system determines whether to conduct further processing.
In
However,
In some embodiments, a consumer is required to enroll by placing one of her thumbs on the biometric sensor when making a first purchase transaction. Thus, a fingerprint template for only one thumb, for example the right thumb, of the consumer is stored on the card. However, in some implementations a consumer may be required to enroll by providing two or more fingerprints so that fingerprint template data can be stored corresponding to, for example, an index finger and a thumb. Such fingerprint data may also be stored on the biometric payment card as separate digital fingerprint templates. The number of fingers and/or fingerprint template data for storing on the payment card may be configurable and/or predefined, for example, by the issuer FI of the biometric payment card. In addition, the number or amount of fingerprint templates can vary depending on criteria required by the issuer of the biometric payment card and/or on physical constraints, such as the storage space available on the biometric payment card.
In the case where the biometric authentication failed (there was no match between the fingerprint template data stored on the biometric payment card and the fingerprint data provided by the cardholder), then the merchant's card reader may display a request for the cardholder to try again. If biometric authentication continues to fail after one or more additional attempts, then the cardholder may be asked to enter an alternate cardholder verification method (such as a PIN or signature), which the merchant then handles in a manner according to that merchant's purchase transaction risk procedures.
In some embodiments, the issuer FI can utilize the matching score information to manage and/or to better control the cardholder authentication and/or the purchase transaction authorization process. In particular, the issuer FI backend system may have additional flexibility to utilize the matching score data with additional data or criteria concerning or associated with the cardholder to modify and/or to adjust the cardholder authentication parameters or criteria and/or the purchase transaction authorization parameters or criteria. For example, if the cardholder is utilizing her biometric payment card in a country, such as Singapore, that has tropical weather (high humidity), then the issuer FI backend system may adjust the matching threshold downwards because such locations with high humidity may detrimentally affect the matching score as compared to a drier location, such as New York City. Thus, for Singapore the matching threshold may be lowered to 52%, whereas for New York City the matching threshold may be increased to 75% for most purchase transactions. In another example, if a particular cardholder typically exhibits a high matching score such as 90%, but now is exhibiting a matching score close to the matching threshold of 65%, such behavior may be an indication of fraud. In addition, some user behaviors can provide information and/or data that may indicate that the issuer FI needs to train and/or coach the cardholder concerning how to best utilize the biometric payment card.
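The issuer-side use of the matching score described above can be sketched as a small policy function. This is an added example, not code from the original disclosure: the thresholds (52%, 75%, 65%) and the 90% baseline come from the text, while the region labels, the function and parameter names, the margin and drop values, and the rule that a habitually low baseline triggers coaching are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Sequence

# Thresholds quoted in the text; the region keys are hypothetical labels.
REGION_THRESHOLDS = {"singapore": 52.0, "new_york_city": 75.0}
DEFAULT_THRESHOLD = 65.0   # threshold used in the text's fraud example


@dataclass
class Assessment:
    authenticated: bool
    threshold: float
    flags: List[str] = field(default_factory=list)


def assess(score: float, region: str, history: Sequence[float],
           near_margin: float = 5.0, drop: float = 20.0,
           min_history: int = 5) -> Assessment:
    """Evaluate one matching score against the region's threshold and the
    cardholder's own past scores (all tuning values are assumed)."""
    threshold = REGION_THRESHOLDS.get(region, DEFAULT_THRESHOLD)
    result = Assessment(score > threshold, threshold)
    if len(history) < min_history:
        return result                      # too little history to judge behavior
    baseline = mean(history)
    near_threshold = abs(score - threshold) <= near_margin
    if near_threshold and baseline - score >= drop:
        # Usually scores high, now barely clears (or misses) the threshold.
        result.flags.append("possible_fraud")
    elif baseline - threshold <= near_margin:
        # Habitually marginal scores: the cardholder may need usage coaching.
        result.flags.append("coach_cardholder")
    return result


def demo() -> List[Assessment]:
    """Constructed scenarios mirroring the examples in the text."""
    steady_high = [90, 91, 89, 92, 90]     # constructed score history
    steady_mid = [58, 61, 59, 60, 62]      # constructed score history
    return [
        assess(68, "elsewhere", steady_high),        # sharp drop near 65%
        assess(60, "singapore", steady_mid),         # fine under humid-region 52%
        assess(60, "new_york_city", steady_mid),     # fails the stricter 75%
    ]
```
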
Systems, apparatus and processes disclosed herein advantageously provide consumers or cardholders with a convenient and secure method for enrolling biometric data into a newly issued biometric payment card. In addition, the disclosed systems, apparatus and processes for consumer enrollment into a biometric payment card are inexpensive for issuer FIs to deploy. Furthermore, methods described herein advantageously permit issuer FIs the flexibility to change the biometric cardholder authentication parameters and/or requirements for one or more biometric card holders based on various criteria or circumstances. For example, a matching threshold and/or a matching score for a particular cardholder or group of cardholders may be increased or decreased depending on conditions or criteria such as the weather near the cardholders' residence or retail store locations or based on cardholder or user behavior(s). In addition, the behavior of a biometric payment card cardholder may indicate that the issuer FI needs to provide training or coaching concerning the correct usage of the biometric payment card.
As used herein and in the appended claims, the term “computer” should be understood to encompass a single computer or two or more computers in communication with each other. In addition, as used herein and in the appended claims, a “server” includes a computer device or system that responds to numerous requests for service from other devices.
Also, as used herein and in the appended claims, the term “processor” should be understood to encompass a single processor or two or more processors in communication with each other. In addition, as used herein and in the appended claims, the term “memory” should be understood to encompass a single memory or storage device or two or more memories or storage devices.
The flow charts and descriptions thereof herein should not be understood to prescribe a fixed order of performing the method steps described therein. Rather the method steps may be performed in any order that is practicable, including simultaneous performance of steps, and/or in an order that omits one or more steps.
Although the present invention has been described in connection with specific exemplary embodiments, it should be understood that various changes, substitutions, and alterations apparent to those skilled in the art can be made to the disclosed embodiments without departing from the spirit and scope of the invention as set forth in the appended claims.