Patent Grant
11107069
There are a number of ways to ensure that payment transactions are securely conducted. For example, there are a number of different ways to authenticate a consumer to ensure that the authentic consumer is the one conducting the payment transaction. There are also a number of different ways to authenticate a portable consumer device that is being used by the consumer.
Although different ways of authenticating payment transactions exist, improved authentication mechanisms are desirable to further reduce the risk of fraudulent transactions.
Embodiments of the invention address these and other problems individually and collectively.
Systems and methods for improved consumer and portable consumer device authentication are disclosed. Embodiments of the invention include ways to authenticate a portable consumer device such as a payment card, authenticate a consumer using the portable consumer device, perform back end processing, and provide consumer notification of purchase transactions.
One embodiment of the invention is directed to a method comprising: performing an authentication process for a consumer, wherein the consumer uses a portable consumer device to conduct a transaction; performing an authentication process for the portable consumer device, wherein performing the authentication process for the portable consumer device comprises verifying a fingerprint or a dynamic verification value associated with the portable consumer device; and performing a risk analysis after authenticating the consumer and authenticating the portable consumer device are performed, wherein the risk analysis determines whether or not the transaction is to be authorized.
One embodiment of the invention is directed to a method comprising: authenticating a portable consumer device using dynamic data generated by the portable consumer device or an access device in communication with the portable consumer device; and authenticating the consumer comprising sending a challenge message to the consumer, and receiving a challenge response from the consumer.
Another embodiment of the invention is directed to a method comprising: receiving an authorization request message associated with a transaction conducted using a portable consumer device, wherein the portable consumer device comprises a portable consumer device fingerprint, and wherein the authorization request message comprises an altered portable consumer device fingerprint and an algorithm identifier; selecting an algorithm from among a plurality of algorithms using the algorithm identifier; determining the portable consumer device fingerprint using the selected algorithm and the altered portable consumer device fingerprint; determining if the portable consumer device fingerprint matches a stored portable consumer device fingerprint; sending a challenge message to a consumer associated with the portable consumer device; and sending an authorization response message to the consumer, wherein the authorization response message indicates whether or not the transaction is approved.
Another embodiment of the invention is directed to a method comprising: authenticating a batteryless portable consumer device, wherein the portable consumer device comprises a batteryless portable consumer comprising an antenna; authenticating the consumer; and sending a notification message to the consumer that a transaction is being conducted.
Other embodiments of the invention are directed to specific combinations of other authentication aspects, which are provided below in the detailed description.
I. Exemplary Systems and Payment Transactions
Embodiments of the invention can be used to authenticate conventional purchase transactions as well as other types of transactions (e.g., money transfer transactions). Specific authentication systems and methods may involve the authentication of the consumer (e.g., a purchaser), portable consumer device (e.g., a credit card), and/or access device (e.g., a POS terminal) to ensure that the transaction is authentic.
In a typical purchase transaction, a consumer uses a portable consumer device (e.g., a credit card) to purchase goods or services from a merchant.
The consumer 30 may be an individual, or an organization such as a business that is capable of purchasing goods or services.
The portable consumer device 32 may be in any suitable form. For example, suitable portable consumer devices can be hand-held and compact so that they can fit into a consumer's wallet and/or pocket (e.g., pocket-sized). They may include smart cards, ordinary credit or debit cards (with a magnetic strip and without a microprocessor), keychain devices (such as the Speedpass™ commercially available from Exxon-Mobil Corp.), etc. Other examples of portable consumer devices include cellular phones, personal digital assistants (PDAs), pagers, payment cards, security cards, access cards, smart media, transponders, and the like. The portable consumer devices can also be debit devices (e.g., a debit card), credit devices (e.g., a credit card), or stored value devices (e.g., a stored value card).
The payment processing network 26 may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network may include VisaNet™. Payment processing networks such as VisaNet™ are able to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™, in particular, includes a VIP system (Visa Integrated Payments system) which processes authorization requests and a Base II system which performs clearing and settlement services.
The payment processing network 26 may include a server computer. A server computer is typically a powerful computer or cluster of computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a Web server. The payment processing network 26 may use any suitable wired or wireless network, including the Internet.
The merchant 22 may also have, or may receive communications from, an access device 34 that can interact with the portable consumer device 32. The access devices according to embodiments of the invention can be in any suitable form. Examples of access devices include point of sale (POS) devices, cellular phones, PDAs, personal computers (PCs), tablet PCs, handheld specialized readers, set-top boxes, electronic cash registers (ECRs), automated teller machines (ATMs), virtual cash registers (VCRs), kiosks, security systems, access systems, and the like.
If the access device 34 is a point of sale terminal, any suitable point of sale terminal may be used including card readers. The card readers may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include RF (radio frequency) antennas, magnetic stripe readers, etc. to interact with the portable consumer devices 32.
In a typical purchase transaction, the consumer 30 purchases a good or service at the merchant 22 using a portable consumer device 32 such as a credit card. The consumer's portable consumer device 32 can interact with an access device 34 such as a POS (point of sale) terminal at the merchant 22. For example, the consumer 30 may take a credit card and may swipe it through an appropriate slot in the POS terminal. Alternatively, the POS terminal may be a contactless reader, and the portable consumer device 32 may be a contactless device such as a contactless card.
An authorization request message is then forwarded to the acquirer 24. After receiving the authorization request message, the authorization request message is then sent to the payment processing network 26. The payment processing network 26 then forwards the authorization request message to the issuer 28 of the portable consumer device 32.
After the issuer 28 receives the authorization request message, the issuer 28 sends an authorization response message back to the payment processing network 26 (step 56) to indicate whether or not the current transaction is authorized (or not authorized). The payment processing network 26 then forwards the authorization response message back to the acquirer 24. The acquirer 24 then sends the response message back to the merchant 22.
After the merchant 22 receives the authorization response message, the access device 34 at the merchant 22 may then provide the authorization response message for the consumer 30. The response message may be displayed by the access device 24, or may be printed out on a receipt.
At the end of the day, a normal clearing and settlement process can be conducted by the payment processing network 26. A clearing process is a process of exchanging financial details between and acquirer and an issuer to facilitate posting to a consumer's account and reconciliation of the consumer's settlement position. Clearing and settlement can occur simultaneously.
II. Transaction Authentication
Referring to
Portable consumer device authentication relates to the authentication of the portable consumer device. That is, in a portable consumer device authentication process, a determination is made as to whether the portable consumer device that is being used in the purchase transaction is the authentic portable consumer device or a counterfeit portable consumer device. Specific exemplary techniques for improving the authentication of a portable consumer device include:
Dynamic CVV on portable consumer devices such as magnetic stripe cards
Card security features (existing and new)
Contactless chips (limited use)
Magnetic stripe identification
Card Verification Values (CVV and CVV2)
Contact EMV chips
Consumer authentication relates to a determination as to whether or not the person conducting the transaction is in fact the owner or authorized user of the portable consumer device. Conventional consumer authentication processes are conducted by the merchants. For example, merchants may ask to see a credit card holder's driver's license, before conducting a business transaction with the credit card holder. Other ways to authenticate the consumer would be desirable, since consumer authentication at the merchant does not occur in every instance. Specific examples of possible ways to improve the consumer authentication process include at least the following:
Knowledge-based challenge-responses
Hardware tokens (multiple solution options)
OTPs (one time password, limited use)
AVSs (not as a stand alone solution)
Signatures
Software tokens
PINs (online/offline)
User IDs/Passcodes
Two-channel authentication processes (e.g., via phone)
Biometrics
Back end processing relates to processing that may occur at the issuer or payment processing network, or other non-merchant location. As will be explained in detail below, various processes may be performed at the “back end” of the payment transaction to help ensure that any transactions being conducted are authentic. Back end processing may also prevent transactions that should not be authorized, and can allow transactions that should be authorized.
Lastly, consumer notification is another aspect of transaction authentication. In some cases, a consumer may be notified that a purchase transaction is occurring or has occurred. If the consumer is notified (e.g., via cell phone) that a transaction is occurring using his portable consumer device, and the consumer is in fact not conducting the transaction, then appropriate steps may be taken to prevent the transaction from occurring. Specific examples of consumer notification processes include:
Purchase notification via SMS
Purchase notification via e-mail
Purchase notification by phone
Specific details regarding some of the above-described aspects are provided below. The specific details of the specific aspects may be combined in any suitable manner without departing from the spirit and scope of embodiments of the invention. For example, portable consumer device authentication, consumer authentication, back end processing, and consumer transaction notification may all be combined in some embodiments of the invention. However, other embodiments of the invention may be directed to specific embodiments relating to each individual aspects, or specific combinations these individual aspects.
III. Portable Consumer Device Authentication
Improvements can be made with respect to various portable consumer device authentication processes. Examples of such improvements are provided below.
A. Dynamic Card Verification Values (dCVVs)
To help ensure that the portable consumer device being used in a payment transaction is in fact the authentic portable consumer device, “dynamic” data may be provided from the portable consumer device. Dynamic data is data that may change over time, and is therefore more secure than static data (e.g., a name). For example, a portable consumer device authentication process may include “dynamic” verification data such as a dynamic CVV (or dynamic card verification value).
In comparison, “static” data may be data that does not change over time. For example, today, credit cards have card verification values (CVV values) printed on the back of the cards. These values can be used to verify that the portable consumer device being used is authentic. For example, when conducting a purchase transaction over the telephone or the Internet using a credit card, a merchant may ask for the CVV value on the back of the credit card. The CVV value may be matched to the credit card number to ensure that the caller in fact possesses the authentic portable consumer device. One problem with current CVVs is that they are static. They can be stolen and used.
Dynamic CVV (“dCVV”) is described in U.S. patent application Ser. No. 10/642,878, which is herein incorporated by reference in its entirety for all purposes. U.S. patent application Ser. No. 10/642,878 describes the generation of a verification value using information including a PAN (primary account number), an expiration date, a service code, and an automatic transaction counter. This verification value is transmitted from a merchant to a service provider (e.g., a payment processing organization or an issuer) where it is decoded and evaluated for possible approval. The automatic transaction counter keeps track of the number of times that a portable consumer device is used, and if there is a mismatch between a counter value that is received at the issuer and the counter at the issuer, then this may indicate possible data skimming or fraudulent use.
The dCVV or other dynamic data may be transmitted using any suitable secure data transmission process and may use DES (dynamic encryption standard), as well as ECC (elliptical curve cryptography), or AEC (advanced encryption cryptography). Any symmetric or asymmetric cryptographic elements may be used.
Other security enhancements of the dCVV process may include the use of a longer DES number and a longer counter.
B. dCVVs Created with Specific Input Data
It would be desirable to improve upon prior dCVV processes by generating different dynamic verification values using different data or different types of variable information. For example, more transaction and/or user specific data could be dynamically changed to verify that the portable consumer device is the correct one. This would be more secure than using just a simple counter. For example, specific information could include the following: terminal ID, time of day, telephone number, SIM card number, transaction amount, account number, service code (two digits), expiration date, current date, random numbers from the terminal, etc. The specific information preferably includes at least one dynamic data element such as a counter, time of day, purchase amount, etc. In other embodiments, the specific information used to create the dynamic verification value includes dynamic, consumer specific or transaction specific information such as the time of day when the transaction is taking place, the purchase amount, prior transaction data, etc. Any, some, or all of these may be used to create a verification value or other specific pieces of information could be dynamically altered to create a new dCVV. The new dCVV could then be processed in a manner that is similar to, or different than, the general process scheme described in U.S. patent application Ser. No. 10/642,878. In one specific example, data regarding a prior transaction (e.g., a prior purchase amount, the time of a prior purchase, etc.) may be a dynamic data element, which may be used to authenticate a portable consumer device for future transactions. Further details regarding such dCVV methods can be found in U.S. patent application Ser. No. 11/764,376, entitled Method and System for Generating a Dynamic Verfication Value, filed Jun. 18, 2007.
C. Reducing the Number of Rejected dCVV Transactions
The above described dCVV processes are useful. However, there may be a number of instances where the dynamic data (e.g., a counter value) transmitted from a portable consumer device and received at a service provider's server does not match the corresponding dynamic data (another corresponding counter value) that are generated at the issuer's server. For example, sometimes, a merchant might not forward transaction data to the issuer in a timely manner. If this occurs, it is possible that future transactions conducted by the consumer could be inadvertently rejected. For instance, if the portable consumer device used by the consumer has a counter in it to count the number of transactions conducted, and if the counter in the issuer's server does not keep a corresponding transaction count, because of the delayed receipt of transaction data from one or more merchants, some of the consumer's transactions may be inadvertently rejected. It is desirable to approve as many transactions as possible while disapproving transactions that may have been skimmed.
The solution to this problem may include widening the range of the transaction counter (or widening the tolerance of some other variable data such as the time, date, etc.) so that there is some margin for potential error. For example, a consumer's portable consumer device may have a counter in it that currently has a transaction total equal to 100. When the consumer conducts a transaction at a POS terminal, an authorization message may be sent from the POS terminal to the issuer's or payment processing network's server. The authorization message may indicate that this is transaction number 100 for consumer A. The issuer's server may then check a corresponding counter range. If the received transaction counter falls within the corresponding counter range determined by the issuer, then the transaction is approved. For example, the corresponding counter range may be between 98 and 102. Since the consumer's counter is 100 and falls between 98 and 102, the transaction is approved. Thus, if the issuer's server has a counter that has a value that is slightly different than the counter on the consumer's portable consumer device, the transaction will not be inadvertently rejected. If actual data skimming is occurring or if a consumer's payment account number is being used without authorization, the counter at the issuer's server would likely differ significantly from the actual counter on the consumer's portable consumer device.
These embodiments of the invention can help decrease the number of false transaction denials. As an alternative or additional authentication measure, the issuer may provide a challenge question (e.g., what is your birthday) to the consumer if the issuer's server finds that the transaction counter received from the POS terminal and the transaction counter at the issuer's server do not match, or if the counter is not within a predetermined counter range determined by the issuer's server computer. If the consumer answers the challenge question correctly, then the transaction is approved. If the question is not answered correctly, then it is not approved. Additional details about possible challenge messages and challenge questions that can be used in such embodiments are provided below.
In yet other embodiments, the decision as to whether or not to perform further authentication processing (e.g., sending a challenge question to a consumer) or not perform further authentication processing if the counter (or other dynamic data element) falls within the predetermined range can be based on other factors. For example, if the counter or other dynamic data element falls within a predetermined range, further authentication processing may only take place if the transaction being analyzed is greater than a predetermined dollar limit (e.g., over $1000) or the transaction being analyzed is being conducted from a location or merchant that may indicate a higher tendency to originate fraudulent transactions. Thus, embodiments of the invention may include other variables that may be considered when determining whether or not to perform additional authentication processing.
Further details regarding embodiments that use ranges in conjunction with dynamic data elements used with verification values are in U.S. patent application Ser. No. 11/764,370, entitled Verification Error Reduction System, filed on Jun. 18, 20007 which is herein incorporated by reference in its entirety for all purposes.
D. Portable Consumer Devices that can Produce dCVVs
A number of different portable consumer devices may be produced, which are capable of providing variable transaction data such as counters. An example of this kind of portable consumer device includes a magnetic-stripe card that can rewrite the data provided on its magnetic stripe. A re-writing device such as a magnetic write head may be used to rewrite the data on a magnetic stripe. A patent that discusses this type of card is U.S. Pat. No. 7,044,394, which is herein incorporated by reference in its entirety for all purposes. A battery is within the card and can supply power for the re-writing device.
The use of batteries in payment cards is not particularly desirable in some cases. For example, batteries need to be replaced and disposed of in an environmentally friendly manner. Also, if a battery-powered card does not have sufficient power at a given moment, a particular transaction conducted with that card may not take place as intended. In addition, if a consumer has multiple battery-powered cards in his wallet, this can raise potential security issues when traveling on airlines. Thus, batteryless cards are preferred.
In some embodiments, the portable consumer devices are batteryless cards (or other batteryless form factors) which contain may contain chip which may comprise a counter. These batteryless cards are powered by some external power source, instead of an internal battery. Examples of external power sources include access devices such as POS terminals and transaction calculators. In embodiments of the invention, each time a batteryless card is powered by an external power source such as a POS terminal, a counter value (or other variable data) may be produced by the batteryless card. A number of specific embodiments are shown in
During use, the antenna 202(c) may allow the magnetic stripe card 202 to communicate with an external contactless reader (not shown) so that an account number and optionally counter information (or other variable data) may be obtained from magnetic stripe 202(e) via the processor 202(b) and the read-write device 202(d). At the same time, the antenna 202(c) may also be used to power the processor 202(b) and the read-write device 202(d) temporarily so that the read-write device 202(d) can also change dynamic data (e.g., a counter) on the magnetic stripe 202(e). Thus, as illustrated by this example, embodiments of the invention can include the use of a batteryless magnetic-stripe card that can provide dynamic data that can be used in a portable consumer device authentication transaction.
Although the example in
Another card embodiment 204 of the invention is shown in
However, in this embodiment, a semi-static display 202(h) is coupled to the processor 202(b). Each time the processor 202(b) is powered by a card reader during a purchase transaction, the processor 202(b) can cause the display 202(h) to display a verification value such as a dynamic card verification value (dCVV). The dCVV may be viewed by a consumer and used in a mail order, telephone, or Internet purchase transaction to help verify that the consumer has an authentic card. In this example, the same or different dCVV value (or other dynamic data) may be electronically transmitted to the card reader and subsequently transmitted in an authorization request message to the issuer for further verification.
The security device 300 may contain a microprocessor, batteries, and a memory comprising computer code for producing a one-time transaction code or number for a consumer purchase transaction. The logic for producing the one-time transaction code may also reside on another server or computer (e.g., an issuer's server) so that the issuer, merchant, or other party, can verify that the person holding the card is in fact the authorized cardholder. In this example, the security device 300 may be characterized as a hard security token and may be used to help authenticate the consumer.
During use, a consumer may insert a batteryless magnetic stripe card (as described above) into the slot 300(d). A one time transaction code may then be displayed on the screen 300(c). When the card is inserted into the security device 300, power from the power source in the security device 300 powers a processor and read-write device in the card so that dynamic data (e.g., a counter) on the card can change. Thus, the security device 300 can produce a one time transaction number for a transaction, and also temporarily supply power to a batteryless card so that a counter (or other dynamic element) can change in the card. A system using both the security device 300 and a batteryless card that can have dynamic data can advantageously authenticate both the consumer as well as the portable consumer device.
Further details regarding embodiments that use batteryless portable consumer devices are in U.S. patent application Ser. No. 11/764,622, entitled Portable Consumer Device Configured to Generate Dynamic Authentication Data, filed on Jun. 18, 2007 which is herein incorporated by reference in its entirety for all purposes.
E. Masked Primary Account Numbers (PANs)
Another way to authenticate a portable consumer device is to use a masked PAN or primary account number. In this example, a partial portion of a transmitted PAN is masked and/or dynamically changed. The PAN includes an identification number portion such as a BIN number or bank identification number. Other examples of identification number portions include a merchant location, financial institution location, or even an IP address. The last four digits of the PAN and the BIN number will remain the same, while other numbers in the PAN change. These dynamically changing numbers are typically masked on a payment card receipt that is received by a consumer so that the consumer does not see anything unusual.
An exemplary PAN 380 that might reside in memory (e.g., a magnetic stripe) in a portable consumer device is shown in
In one embodiment, the middle portion of the PAN that resides in the memory of the portable consumer device may be different than the middle portion of the real PAN. The PAN that resides in memory may be referred to as a secondary PAN while the real PAN may be referred to as a primary PAN. An appropriate algorithm or look-up table (e.g., stored at the issuer or in an access device such as a POS device) may be used to link the primary and secondary PANs. For example, the middle six digits of the PAN number might be 666666 in a primary PAN (e.g., 1234566666669999), but the middle six digits might be 222222 in the secondary PAN (e.g., 1234562222229999) which is stored in the memory in a consumer's portable consumer device. In one embodiment, the secondary PAN may be received at a POS terminal and the POS terminal may convert the secondary PAN to the primary PAN and the primary PAN may be transmitted from the POS terminal to the issuer for processing and/or authorization. In another embodiment, the secondary PAN may be transmitted to the issuer and the issuer may convert the secondary PAN to the primary PAN, and may thereafter process and/or authorize the transaction.
In this embodiment, the issuer may receive both the primary PAN and the secondary PAN to verify that the portable consumer device being used is authentic. If an unauthorized person tries to use the primary PAN, then that unauthorized person will not know the secondary PAN and cannot fraudulently conduct a purchase transaction without knowing the secondary PAN. Alternatively, if an unauthorized person electronically intercepts or “skims” the secondary PAN, then the unauthorized person will not be able to conduct the purchase transaction without knowing the primary PAN.
In another embodiment, the middle portion of the PAN may be changed dynamically. For example, an appropriate algorithm or counter may be used to dynamically change the middle portion of the PAN each time the portable consumer device is used. This way, even if the PAN is electronically intercepted by an unauthorized person, and knows the primary PAN, the secondary PAN will be dynamically changing. Even if the unauthorized person knows the primary PAN and intercepts the secondary PAN once, the intercepted secondary PAN would be useless, since it is a dynamically changing secondary PAN. In this case, the unauthorized person would need to know the algorithm used to dynamically change the PAN in addition to the primary PAN and the secondary PAN. Thus, this embodiment is particularly useful for conducting secure transactions.
Further details regarding embodiments that use masked primary account numbers are in U.S. patent application Ser. No. 11/761,821, entitled Track Data Encryption, filed on Jun. 12, 2007, which is herein incorporated by reference in its entirety for all purposes.
VI. Consumer Authentication
As noted above, a number of consumer authentication processes can be used in embodiments of the invention. Specific examples of possible ways to improve the authentication of a consumer include:
Knowledge-based challenge-responses
Hardware tokens (multiple solution options)
OTP (one time password, limited use)
AVS (not as a stand alone solution)
Signatures
Software token
PINs (online/offline)
User IDs/Passcodes
Two-channel authentication via phone
Biometrics
As illustrated above, a variety of mechanisms may be used to authenticate the consumer and the mechanisms may use no user input (e.g., an auto-software security token), limited user input (e.g., the user presses a button), or full user input (e.g., biometrics).
In addition, various “security tokens” may be used to help authenticate the user. A security token is an article or piece of information that can be used to verify real information or data. For example, a PIN may be a security token and may be used to verify the identity of the consumer when the consumer makes a purchase. In another example, a challenge question and corresponding answer may be considered a security token that helps to authenticate the consumer. This latter example is an example of a token having a “bi-directional channel” whereby information flows to the consumer and the consumer sends information back to another party such as an issuer so that the consumer can authenticate himself.
A. Knowledge Based Challenges
In embodiments of the invention, a merchant, a payment processing organization, an issuer, or any other suitable entity may pose challenge questions to the consumer to authenticate the consumer. The challenge questions may be static where the same questions are asked for each purchase transaction or dynamic where different questions may be asked over time.
The questions asked may also have static or dynamic (semi-dynamic or fully dynamic) answers. For example, the question “What is your birthday?” requires a static answer, since the answer does not change. The question “What is your zip-code?” requires a semi-dynamic answer, since it could change or can change infrequently. Lastly, the question “What did you purchase yesterday at 4 pm?” would require a dynamic answer since the answer changes frequently. Thus, in preferred embodiments, the challenge questions would preferably be based on “real time” information that the issuer would most likely possess. For example, the consumer might be asked a more specific question such as “Did you eat out at a Mexican restaurant last night?” By providing more specific knowledge based consumer challenges, the authentication of the consumer is ensured.
In one embodiment, the method includes conducting a transaction such as a purchase transaction using a portable consumer device. The portable consumer device may be a credit card or the like. The purchase transaction may take place at a merchant that has an access device such as a point of sale terminal.
The consumer may use the portable consumer device to interact with an access device such as a point of sale terminal and initiate the process. The point of sale terminal may initiate and then generate an authorization request message, which may thereafter be sent to a payment processing network, and then subsequently to the issuer of the portable consumer device. When the authorization request message is received, by either the payment processing network or the issuer, it is analyzed. A challenge message, which can be dynamic or semi-dynamic in nature, is then generated, and is sent to the consumer. The challenge message could be sent back to the access device, or to the consumer's portable consumer device (e.g., if the portable consumer device is a mobile phone).
The consumer then provides a response to the challenge message. The challenge response message is received from the consumer. The challenge response message is then verified and if it is verified, the authorization response message is analyzed to determine if the transaction is authorized (e.g., there are sufficient funds in the consumer's account or there is sufficient credit in the consumer's account). If the transaction is authorized, the issuer and also the payment processing network send an authorization response message to the consumer. The authorization response message indicates whether or not the transaction is authorized.
In the specific embodiments described above and below, challenge questions are described in detail, but embodiments of the invention are not limited thereto. Embodiments of the invention can generally relate to the use of challenge messages, which may include challenge questions. In some embodiments, as will be described in further detail below, challenge messages may or may not be read by a consumer, and may challenge the authenticity of the consumer in direct or indirect ways. Examples of challenge questions include questions relating to the consumer's portable consumer device (e.g., what is the CVV or card verification value on your card?), the consumer's location (e.g., what is your zip code?), the consumer's mobile or regular phone (e.g., what is your mobile phone number?), the consumer's personal information (e.g., what is your mother's maiden name?), etc. Examples of challenge messages that are not questions that are specifically answered by the consumer include messages which automatically query a phone as to its location or phone number, and cause the retrieval of such information. Another example of a challenge message may be a message which supplies a code (or other authentication token) to a phone, and the use of that code at an access device authenticates the consumer.
B. Systems Using Challenge Messages
The system 420 shown in
The consumer 430 may be an individual, or an organization such as a business that is capable of purchasing goods or services. In other embodiments, the consumer 430 may simply be a person who wants to conduct some other type of transaction such as a money transfer transaction. The consumer 430 may optionally operate a wireless phone 435.
The portable consumer device 432 may be in any suitable form. Suitable portable consumer devices are described above in
The payment processing network 426 may be similar to or different than the payment processing network 26 in
As will be explained in further detail below, the challenge questions may be static or dynamic in nature. For example, the challenge question engine 426(a)-1 may receive an authorization request message, and the authorization request message may include the consumer's account number, as well as the purchase amount. It may then look up the consumer's account number, and any consumer information associated with the consumer's account number. It may thereafter retrieve suitable questions from the challenge question database 426(c) or may generate suitable challenge questions on its own. For instance, in some cases, the challenge question engine 426(a)-1 may retrieve the question “What is your mobile phone number?” from the challenge question database 426(c) after receiving an authorization request message. Alternatively, the challenge question engine 426(a)-1 may generate a dynamic question such as “Did you use this credit card at McDonald's last night?” The information pertaining to the particular restaurant that the consumer 420 was at the preceding day could be retrieved from the transaction history database 426(b).
The challenge question database 426(c) may be populated with questions of any suitable type. The questions may relate to a past location (e.g., the consumer's current home, the city that the consumer recently visited) or current location (e.g., the current location of the store that the consumer is currently at), the type or name of the merchant that the consumer is presently visiting or has visited in the past, the consumer's family or personal data (e.g., name, phone number, social security number, etc.), etc. The questions in the challenge question database 426(c) may be generated by the challenge question engine 426(a)-1 and subsequently stored in the challenge question database 426(c).
Alternatively, or additionally, the challenge questions may be generated from an external source and then subsequently stored in the challenge question database 426(c). For example, the consumer 430 may use a browser on a personal computer or the like to supply specific challenge questions to the server 426(a) via a communication medium (not shown) such as the Internet.
In some embodiments, a consumer may determine the kinds and/or quantity of challenge questions to ask himself or herself. For example, the consumer may specify that the consumer wants to be asked three challenge questions if the consumer visits a jewelry store, but only one question if the consumer visits a fast food restaurant. The types of questions posed by the consumer may be based on the merchant type, frequency of purchasing, etc. Some concepts relating to user-defined authorization parameters are described in U.S. patent application Ser. No. 10/093,002, filed on Mar. 5, 2002, which is herein incorporated by reference in its entirety for all purposes.
In preferred embodiments, the challenge questions are derived from past transaction data in the transaction history database 426(b). The consumer 430 may conduct many transactions with the payment processing network 26 (and/or the issuer 428) over time. This consumer transaction information may be stored in the transaction history database 426(b) over time, and challenge questions may be generated using the transaction information. The past transaction information provides a good basis for authenticating the consumer 430, since the consumer 430 will know about what transactions that the consumer 430 has conducted in the past. For example, the consumer 430 may have used his credit card to pay for a hotel room in New York the previous day, and on the next day may be asked a question such as “Did you stay at a hotel in New York yesterday?” In another example, the consumer 430 may have purchased an item that is more than $2000 the day before, and on the next day may be asked “Did you make a purchase for more than $2000 yesterday?” The questions/answers that are presented to the consumer 430 may be free form in nature and/or may include pre-formatted answers such as multiple choice or true-false answers from which the consumer may select.
The merchant 422 may also have, or may receive communications from, an access device 434 that can interact with the portable consumer device 432. Suitable types of access devices are described above (e.g., access device 34 in
If the access device 434 is a point of sale terminal, any suitable point of sale terminal may be used including card readers. The card readers may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include RF (radio frequency) antennas, magnetic stripe readers, etc. to interact with the portable consumer devices 432.
The issuer 428 may be a bank or other organization that may have an account associated with the consumer 430. The issuer 426 may operate a server 428(a) which may have a challenge question engine 428(a)-1. A transaction history database 426(b) and a challenge question database 428(c) may be in communication with the server 428(a). The issuer server 428(a), challenge question engine 428(a)-1, transaction history database 426(b), and challenge question database 428(c) may operate in the same way or a different way than the payment processing network server 428(a), challenge question engine 428(a)-1, transaction history database 428(b), and challenge question database 428(c). The above-descriptions as to elements 426(a), 426(a)-1, 426(b), and 426(c) may apply to elements 428(a), 428(a)-1, 428(b), and 428(c).
Embodiments of the invention are not limited to the above-described embodiments. For example, although separate functional blocks are shown for an issuer, payment processing network, and acquirer, some entities perform all or any suitable combination of these functions and may be included in embodiments of invention. Additional components may also be included in embodiments of the invention.
C. Methods Using Challenge Messages
Methods according to embodiments of the invention can be described with reference to
A first authorization request message is then forwarded to the acquirer 424. After the acquirer 424 receives the first authorization request message, the first authorization request message is then sent to the payment processing network 426 (step 504). The first authorization request message is then received at the payment processing network server 426(a) and the payment processing network server 426(a) then determines if a challenge is needed.
Various criteria may be used to determine if a challenge is needed. For example, the payment processing network server 426(a) may determine that the particular transaction is a high value transaction (e.g., greater than $1000) and that a challenge is therefore appropriate. In another example, the payment processing network server 426(a) may determine that there is something suspicious about the present transaction and may thereafter determine that a challenge is appropriate. For example, the payment processing network server 426(a) may determine that the portable consumer device 432 is currently being used at a location which is different from the consumer's home state, and the consumer's recent purchase history suggests that the consumer is not traveling.
Once it has been determined that a challenge is appropriate for the present transaction, the challenge question engine 426(a)-1 may then fetch (local or remote) a challenge question (step 508). In some embodiments, the challenge question engine 426(a)-1 may retrieve the question from the challenge question database 426(c).
At this point, rather than sending the first authorization request message to the issuer 426, the payment processing network 426 sends a first authorization response message back to the access device 434 via the merchant 422 and the acquirer 424 (step 510). The first authorization response message may contain data representing the challenge request that was previously obtained by the challenge question engine 426(a)-1. The first authorization response message may be characterized as an initial decline, since it does not indicate approval of the transaction.
Once the challenge question is received at the access device 434, the consumer 430 supplies the challenge response to the access device 434. The challenge response may be supplied to the access device 434 in any suitable manner (e.g., through a keypad, contactless reader, etc.). Once the access device 434 receives the challenge response, the access device 434 then forwards the challenge response to the payment processing network server 426(a) via the merchant 422 and the acquirer 424, and it is received by them (step 512). The challenge response message may be part of a second authorization request message.
The payment processing network server 426(a) then validates the challenge response message (step 514). If the challenge response message is not validated, then the payment processing network server 426(a) may send a response message back to the access device 434 indicating that that transaction is not approved. Alternatively or additionally, the payment processing network server 426(a) may send another challenge question to the access device 434. On other hand, if the challenge is validated, the payment processing network server 426(a) may send the second authorization request message to the issuer 428 (step 516) along with an indication that the consumer 430 has satisfied any challenges posed by the payment processing network 426.
After the issuer 428 receives the second authorization request, the issuer 428, using the issuer server 428(a), determines if the transaction is authorized or is not authorized (step 518). The transaction may not be authorized because the consumer 430 has insufficient funds or credit. If the consumer 430 does have sufficient funds or credit, the issuer 428 may then send a second authorization response message indicating that the transaction is authorized back to the access device 434 via the payment processing network 426, the acquirer 424, and the merchant 422 (step 522).
At the end of the day, a normal clearing and settlement process can be conducted by the payment processing network 426. A clearing process is a process of exchanging financial details between and acquirer and an issuer to facilitate posting to a consumer's account and reconciliation of the consumer's settlement position. Clearing and settlement can occur simultaneously.
A number of alternative embodiments are also possible. For example, the issuer 428 could generate challenge questions and send them to the consumer 430 instead of or in addition to the payment processing network 426. The challenge question engine 428(a)-1, the transaction history database 428(b), and the challenge question database 426(c) operated by the issuer 428 may be used in the same or different way as the above-described challenge question engine 426(a)-1, the transaction history database 426(b), and the challenge question database 426(c) operated by the payment processing network 426.
In the above-described embodiments, there are two authorization request messages that are sent to the payment processing network 426 (and/or the issuer 428). This is desirable, since existing payment processing systems have “timers” that are set at various points between the access device 434 and the issuer 428 during a payment authorization process. The timers time how long various events should take place during the payment authorization process. The timers may be set and embodied as computer code at the acquirer 424, the payment processing network 426, and the issuer 428. For example, the timers at the acquirer 424, payment processing network 426, and issuer 428 may be respectively set to 3 seconds, 6 seconds, and 10 seconds. If an authorization request message is not received within these respective times, then some event may be triggered. For instance, an error message may be sent back to the access device 434 requesting that the merchant 422 resubmit the authorization request message, if an authorization request message is not received at the issuer 428 within 10 seconds. If a challenge request is created during the authorization process and before the authorization request message reaches the issuer 428, the issuer's timer may trigger an event indicating that an error has occurred. Creating challenge requests and responses during a single authorization process could potentially conflict with pre-existing timers in a payment system.
By using at least two authorization request messages in two separate authorization processes, the above-described timers are advantageously not affected. The timers need not be changed to send challenge questions to the consumer 430. This allows embodiments of the invention to be used with an existing payments infrastructure and widespread changes are not needed in embodiments of the invention. In comparison, if the retrieval of a challenge question during a payment authorization process occurs using a single authorization request message, this may delay the authorization request message and may necessitate changes in timers present in a payment processing system.
The at least two authorization request messages may have information such as BINs (bank identification numbers), transaction amounts, account numbers, service codes, etc. They may also contain the same transaction amount for the transaction being conducted, and/or different transaction amounts. For example, the first authorization request message may have the actual transaction amount, and the second authorization request message may have a zero dollar amount or other identifier to indicate that that prior authentication request with a transaction amount has already been submitted. A transaction code may be used to link the first and second authorization requests in some embodiments.
The method described with respect to
Examples of open channel methods according to embodiments of the invention can be described with reference to
A first authorization request message is then forwarded to the acquirer 424. After receiving the first authorization request message, the first authorization request message is then sent to the payment processing network 426 (step 604). The first authorization request message is received at the payment processing network server 26(a) and the payment processing network server 426(a) then determines if a challenge is needed.
Various criteria may be used to determine if a challenge is needed. For example, the payment processing network server 426(a) may determine that the particular transaction is a high value transaction (e.g., greater than $1000) and that a challenge is therefore appropriate. In another example, the payment processing network server 426(a) may determine that there is something suspicious about the present transaction and may thereafter determine that a challenge is appropriate.
Once it has been determined that a challenge is appropriate for the present transaction, the challenge question engine 426(a)-1 may then fetch (local or remote) a challenge question (step 608). In some embodiments, the challenge question engine 426(a)-1 may retrieve the question from the challenge question database 426(c).
Rather than sending the first authorization request message to the issuer 426, and rather than sending a first authorization response message back to the access device 434, the payment processing network 426 sends a first authorization response message back to the consumer's mobile phone 435 (step 610) or other type of access device. The first authorization response message may be sent back to the consumer's mobile phone 435. This can be done directly or through some intermediate entity. The first authorization response message may contain data representing the challenge request that we previously obtained by the challenge question engine 426(a)-1. The first authorization response message may be characterized as an initial decline, since it does not indicate approval of the transaction.
Once the challenge question is received at the mobile phone 435, the consumer 430 supplies the challenge response to the access device 434 (step 612) The access device 434 then forwards the challenge response to the payment processing network server 426(a) via the merchant 422 and the acquirer 424, and it is received by them (step 614). The challenge response message may be part of a second authorization response message.
Note that although challenge questions that the consumer actively answers are described in detail, other types of challenge requests may be sent to the mobile phone 435. For example, in some cases, the challenge requests may not require an answer that is actively provided by the consumer 430. Passive answers to challenge requests may be provided. For example, in some embodiments, the challenge request supplied to the mobile phone 435 may be a query regarding the physical location of the mobile phone 435. The mobile phone 435 may have a GPS device or other location device and this information (or a cryptogram, etc.) may be transmitted to the payment processing network 426, and the payment processing network 426 may authenticate the consumer 434 using this location information.
Once the payment processing network server 426(a) receives the challenge response message, the payment processing network server 426(a) then validates the challenge response message (step 616). If the challenge response message is not validated, then the payment processing network server 426(a) may send a response message back to the access device 434 indicating that that transaction is not approved. Alternatively or additionally, the payment processing network server 426(a) may send another challenge message to the access device 434 and/or the mobile phone 435. On other hand, if the challenge is validated, the payment processing network server 426(a) may then send the second authorization request message to the issuer 428 (step 618) along with an indication that the consumer 430 has satisfied any challenges posed by the payment processing network 426.
After the issuer 428 receives the second authorization request, the issuer 428 using the issuer server 428(a) determines if the transaction is authorized or is not authorized (step 620). The transaction may not be authorized because the consumer 430 has insufficient funds or credit. If the consumer 430 does have sufficient funds or credit, the issuer 428 may then send a second authorization response message indicating that the transaction is authorized back to the access device 434 via the payment processing network 426, the acquirer 424, and the merchant 422 (step 622).
At the end of the day, a normal clearing and settlement process can be conducted by the payment processing network 426. A clearing process is a process of exchanging financial details between and acquirer and an issuer to facilitate posting to a consumer's account and reconciliation of the consumer's settlement position. Clearing and settlement can occur simultaneously.
A number of alternative embodiments are also possible. For example, the issuer 428 could generate challenge questions and send them to the mobile phone 435 instead of or in addition to the payment processing network 426. The challenge question engine 428(b)-1, the transaction history database 428(b), and the challenge question database 426(c) operated by the issuer 428 may be used in the same or different way as the above-described challenge question engine 426(a)-1, the transaction history database 426(b), and the challenge question database 426(c) operated by the payment processing network 426.
In another embodiment, instead of sending a challenge question to the payment processing network server 426(a) may send an electronic coupon to the consumer's mobile phone 435. The payment processing network 426 may determine that a challenge is appropriate and may send the electronic coupon to the phone 435. Upon receipt of this electronic coupon, the consumer may then be prompted to use the coupon at the access device 434. If the consumer 430 uses the coupon at the access device 434, then access device 434 forwards the coupon to the payment processing network 426, and receipt of the coupon by the payment processing network 426 indicates that the consumer 430 is authenticated. It is presumed that the consumer 430 is authentic since a non-authentic consumer would not be in possession of the consumer's phone 435.
Further details regarding embodiments that use challenges are described in U.S. patent application Ser. No. 11/763,240, entitled Consumer Authentication System and Method, filed on Jun. 14, 2007 which is herein incorporated by reference in its entirety for all purposes.
VII. Other Transaction Authentication Techniques
A. Methods Using Algorithm Identifiers
In embodiments of the invention, a payment processing organization or other entity may support different security technologies offered by different companies. The different security technologies may use portable consumer device fingerprints. For example, two magnetic stripes on two payment cards can store identical consumer data (e.g., account number information), but the magnetic structures of the two magnetic stripes may be different. A specific magnetic structure may be an example of a fingerprint or “DNA” that is associated with a payment card. If a thief copied the consumer data stored on a magnetic stripe to an unauthorized credit card, the magnetic stripe of the unauthorized credit card would have a different magnetic structure or fingerprint than the authorized credit card. A back end server computer receiving the authorization request message in response to the unauthorized card's use would determine that the unauthorized credit card is not real, because the fingerprint is not present in the authorization request message. Two companies that offer this type of technology are Magtek™ and Semtek™. Each company uses its own proprietary algorithm in a point of sale terminal to alter (e.g., encrypt) its own fingerprint before it is sent to an issuer or other entity in a subsequent authentication process.
In embodiments of the invention, a portable consumer device fingerprint may include any suitable identification mechanism that allows one to identify the portable consumer device, independent of static consumer data such as an account number or expiration date associated with the portable consumer device. Typically, unlike consumer data, portable consumer device fingerprint data is not known to the consumer. For instance, in some embodiments, the fingerprint data may relate to characteristics of the materials from which the portable consumer devices are made. For example, as noted above, a portable consumer device fingerprint can be embedded within the particular microscopic structure of the magnetic particles in the magnetic stripe in a payment card. In some cases, no two magnetic stripes will have same portable consumer device fingerprint.
Portable consumer device fingerprints can take other forms. For example, another card verification technology comes from a company called QSecure™. The technology offered by QSecure™ uses a dynamic CVV (card verification value) that can be generated by a chip in a payment card (the chip may be under a magnetic stripe and can write the dynamic CVV or a number related to the dynamic CVV to the magnetic stripe). In this case, the dynamic CVV may act as a portable consumer device fingerprint identifying the particular portable consumer device. The dynamic CVV may be sent to a point of sale device during a payment transaction. A specific algorithm in the point of sale device may alter (e.g., encrypt) the dynamic CVV before it is sent to the issuer of the payment card for authorization. The issuer, payment processing organization, or other entity, may receive the altered dynamic CVV and may restore it to its original form. The dynamic CVV can then be checked by the back end server computer to see if it corresponds to an independently derived dynamic CVV, thereby authenticating the portable consumer device. In this example, the dynamic CVV value could also be considered a portable consumer device fingerprint, even though it is dynamic in nature.
Embodiments of the invention allow for many different types of portable consumer device fingerprinting systems to be used together in a single payment processing system. In embodiments of the invention, a different identifier or ID is assigned to each type of algorithm in each type of POS terminal. For example, a back end entity such as an issuer or a payment processing organization might use algorithm identifiers like those in Table 1 below.
As shown in Table 1, the algorithm ID may take any suitable form. For example, the algorithm IDs may simply be one, two, or three digit numbers.
When the POS terminal sends an authorization request message to an issuer, the authorization request message may contain the particular algorithm ID associated with the POS terminal and an altered portable consumer device fingerprint. When the authorization request message is received by a back end server computer, it can determine which algorithm was used to encrypt the portable consumer device fingerprint. The back end server computer may then decrypt the encrypted portable consumer device fingerprint and may determine if the portable consumer device fingerprint corresponds to the portable consumer device fingerprint that is stored in a back end database. The portable consumer device fingerprint may have been previously stored in the back end database along with corresponding consumer data (e.g., an account number) as part of the process of issuing the portable consumer device to the consumer who will use it.
Using such algorithm identifiers, embodiments of the invention can effectively integrate different technologies into a single payment processing system. For example, a consumer can swipe a payment card through a POS (point of sale) terminal to pay $5.00 for office supplies. The POS terminal may contain an encryption algorithm produced by Company A. The encryption algorithm may encrypt a fingerprint that is embedded in the magnetic structure of the magnetic stripe of the payment card. The POS terminal may then send an authorization request message to a back end server computer. The authorization request message may contain information including the purchase amount, consumer data such as the consumer's account number, the encrypted fingerprint, and an algorithm identifier that is specifically associated with the encryption algorithm produced by company A. The back end server computer can receive the authorization request message from a POS (point of sale) terminal. It can then determine which algorithm was used to encrypt the fingerprint, and can subsequently decrypt the fingerprint. Once the fingerprint is determined, the back end server computer can determine if the received fingerprint corresponds to the stored fingerprint. If it does, then the payment card is authenticated.
Other details regarding methods and systems that utilize algorithm identifiers are provided below.
B. Confidence Assessment Methods
In some embodiments, the back end processor, or back end server computer, can also determine whether a transaction meets a desired confidence threshold of likely validity before it determines that a portable consumer device is authenticated. If the confidence threshold is not met, additional authentication processes can be performed. Such additional authentication processes may include the sending of one or more challenge questions and/or notification messages to the consumer.
Illustratively, a back end server computer may receive an authorization request message from a POS terminal after a consumer tries to pay for office supplies using a payment card. The back end server computer may determine that one of the three card verification technologies in Table I above is present, and that there have not been any recent suspicious transactions associated the payment card. The back end server computer may thereafter determine that the transaction is valid (i.e., a confidence threshold has been met) and can proceed if the transaction is otherwise authorized by the issuer of the payment card. Conversely, if an old (legacy) card and reader are used to conduct the transaction, none of the three card protection technologies in Table 1 (above) is used, and there has been recent suspicious activity associated with the payment card, then the server computer may determine that a confidence threshold has not been met, and additional authentication processes can be initiated by the server computer. For example, a dynamic challenge (query) can be sent to the consumer before approval, and/or the consumer can be notified that a transaction is occurring.
Transaction confidence determinations can also take into account whether one algorithm could be more reliable than the other. The back end server computer can evaluate the algorithm that was used at the front end (e.g., at the POS terminal) and can determine whether or not the transaction should proceed. For example, the back end server computer may determine that the algorithm from company A may have 90% reliability and the algorithm from Company B may have 50% reliability.
There are a number of reasons why different algorithms may have different levels of reliability. For example, depending on the sensitivity of the terminal, depending on the way that the card is swiped, and depending on the aging of the card, some algorithms may be able to handle data more precisely. In this example, if the server computer receives an authorization request message indicating that the algorithm from Company B is present and there has been recent suspicious activity associated with the payment card, then additional authentication processing may be initiated. On the other hand, if the server computer receives an authorization request message indicating that the algorithm from Company A is present and there has been recent suspicious activity, then the back end server computer may not initiate additional authentication processing.
Illustratively, McDonalds may have a relationship with Company A and Taco Bell may have a relationship with Company B. They have may use different algorithms at their point of sale devices. Each one delivers two sets of data using two different algorithms. When they come back to a payment processing organization such as Visa, it may identify data as originating from a Company A algorithm, and/or from Company B algorithm. Weight can be put on the algorithms so that a confidence level can be determined. Additional authentication processing may then take place if a confidence level (or threshold) is not satisfied.
C. Exemplary Systems Using Algorithm Identifiers and Confidence Assessment
For purposes of illustration, access device A 732(a) may be produced by Company A, which may be associated with an algorithm with an algorithm identifier “01”. Access device B 732(b) may be produced by Company B and may be associated with an algorithm with an algorithm identifier “02”. Access device C 732(c) may be associated with Company D and may have no algorithm associated with it.
The portable consumer devices 732(a), 732(b), 732(c) may be in any suitable form. For example, suitable portable consumer devices 732(a), 732(b), 732(c) can be hand-held and compact so that they can fit into a consumer's wallet and/or pocket (e.g., pocket-sized). Suitable portable consumer devices are described above (e.g., portable consumer device 32 in
The merchants 722(a), 722(b), 722(c) may also have, or may receive communications from, respective access devices 734(a), 734(b), 734(c) that can interact with the portable consumer devices 732(a), 732(b), 732(c). Suitable types of access devices are described above (e.g., access device 34 in
If the access device is a point of sale terminal, any suitable point of sale terminal may be used including card readers. The card readers may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include RF (radio frequency) antennas, magnetic stripe readers, etc. to interact with the portable consumer devices 732(a), 732(b), 732(c).
The payment processing network 726 may include any of the characteristics described above (e.g., with respect to payment processing network 26 in
The server computer 726(a) may comprise any suitable number of software modules and they may be of any suitable type. As shown in
The algorithm identification module 726(a)-1, in conjunction with the decryption module 726(a)-3, may review a received authorization request message including an algorithm ID and an altered portable consumer device fingerprint. From the received algorithm ID, it may then determine which algorithm was used to alter (e.g., encrypt) the portable consumer device fingerprint. A lookup table or the like may be used to identify correspondence between the algorithm ID, the algorithm(s) used to alter a portable consumer device fingerprint or restore an altered portable consumer device fingerprint, and consumer data (e.g., an account number). (In some cases, the algorithm may be a key in an encryption process.) The server computer 726(a) may then be used to determine (e.g., by unencrypting) the portable consumer device fingerprint from the altered portable consumer device fingerprint in an authorization request message. Once the portable consumer device fingerprint is determined, this information may be analyzed to determine if it corresponds to a stored fingerprint linked to consumer data (e.g., account number) associated with the portable consumer device.
The confidence assessment module 726(a)-2 may generate a confidence assessment from various pieces of information. Such information may include the type of portable consumer device used (e.g., a phone may be more secure than a payment card), the type of algorithm used to encrypt the portable consumer device fingerprint (e.g., some encryption algorithms are more secure than others), etc. Using the confidence module 726(a)-2, the server computer 726(a) may subsequently determine if additional authentication processes need to take place. Such additional authentication processes may comprise challenge questions and/or consumer notification that a transaction is occurring.
The confidence assessment module 726(a)-2 can “score” a transaction based on a number of transaction variables. If this score exceeds a predetermined threshold, then the transaction can be considered valid and additional authentication processing need not take place. Conversely, if the score does not exceed a predetermined threshold, then the transaction may be characterized as suspicious and additional authentication processes may be initiated.
The data formatter module 726(a)-4 may be used to format data so that it can be used by the confidence assessment module 726(a)-2. In some cases, data that is from different POS terminals from different companies may be decrypted by the decryption module 726(a)-3 and may be in different formats. The data formatter can format any data so that it can be used by the confidence assessment module 726(a)-2.
Embodiments of the invention are not limited to the above-described embodiments. For example, although separate functional blocks are shown for an issuer, payment processing network, and acquirer, some entities perform all of these functions and may be included in embodiments of invention.
D. Exemplary Methods for Using Fingerprints and Identifiers
Various methods according to embodiments of the invention may be described with reference to
Some or all of the steps shown in
Also, while the flowcharts shown in
Referring to
After the portable consumer device A 732(a) interfaces with the access device A 734(a) at merchant A 722(a), the access device A 734(a) reads consumer data and portable consumer device fingerprint data such as magnetic stripe fingerprint data from the portable consumer device A 732(a) (step 804). The consumer data may include information of which the consumer is typical aware. Examples of consumer data include a consumer's account number, expiration date, and service code. As noted above, portable consumer device fingerprint data are data that are not typically known to the consumer, but are used to authenticate the portable consumer device. In this example, the portable consumer device fingerprint data may be magnetic stripe fingerprint data. The magnetic stripe fingerprint data may also comprise data that are embedded into the magnetic structure of the magnetic stripe and are only readable using an access device that is manufactured by a particular company.
Once the access device A 734(a) obtains the consumer data from the portable consumer device A 734(a), an authorization request message including an algorithm identifier is created (step 806). The authorization request message may also include consumer data (e.g., an account number), data relating to the amount of the purchase, and portable consumer device fingerprint data. The access device A 734(a) may alter (e.g., encrypt) the received fingerprint data using an algorithm A that is stored in a memory in access device A 734(a), before it is incorporated into the authorization request message. In some embodiments, the portable consumer device fingerprint and the algorithm identifier may be stored in a supplementary data field called Field 55.
Different types and sizes of fingerprints may originate from different portable consumer devices offered by different manufacturers. These different fingerprints may be inserted into a data field of standard size so that transmission through the payment processing system is uniform regardless of the particular fingerprint being transmitted. For example, in some cases, it is desirable to pad the data field with characters such as zeros to fill up the data field. For example, a data field may have a size of 64 bytes. The fingerprint from one type of portable consumer device may be 54 bytes while the fingerprint from another type of portable consumer device may be 56 bytes. Additional padding characters may be present in the 64 byte field along with a two character algorithm identifier. The padding characters may be placed in the field in a predetermined manner.
In embodiments of the invention, the previously described algorithm identifier may not only identify the algorithm used to encrypt a portable consumer device fingerprint; the identified algorithm can also be used to restore the fingerprint to its original form so that it can be evaluated. For example, the algorithm identifier may be used to identify the algorithm that may be used to remove any padding characters to restore the received, but altered fingerprint to its original form so that it can be evaluated.
The authorization request message is then sent from access device 734(a) to the payment processing network 726 via the acquirer A 724(a) associated with the merchant A 722(a) (step 808). In other embodiments, the access device 734(a) could send the authorization request message to the payment processing network directly, instead of through the acquirer A 724(a).
After the authorization request message is received by the payment processing network 726, the server computer 726(a) in the payment processing network 726 analyzes the authorization request message and then selects an algorithm using an algorithm ID that is in the authorization request message (step 810). The selected algorithm ID and the selected algorithm may be selected from the algorithm database 726(c). The algorithm database 726(c) may contain a plurality of algorithm IDs and a plurality of algorithms which may be associated with various access devices (e.g., access device A 732(a) and access device B 734(b)).
After the algorithm is identified, the portable consumer device fingerprint is determined by the server computer 726(a) in the payment processing network 726 (step 812). The selected algorithm is then used to restore (e.g., decrypt) the altered portable consumer device fingerprint present in the authorization request message.
Then, the server computer 726(a) determines if the determined portable consumer device fingerprint corresponds to a previously stored fingerprint in a database (step 814). The server computer 726(a) can first obtain consumer data such as the consumer's account number from the authorization request message and/or may obtain additional consumer data from the consumer database 726(b) after analyzing the authorization request message. Once the consumer data are determined, the server computer 726(a) can obtain the portable consumer device fingerprint from the consumer database 726(b). The server computer 726(a) then determines if the portable consumer device fingerprint in the authorization request message and the portable consumer device fingerprint in the consumer database 726(b) match.
If the portable consumer device fingerprint obtained from the consumer database 726(b) does not correspond to the previously restored portable consumer device fingerprint obtained from the authorization request message, then additional authentication processes may be performed and/or an authorization response message may be sent back to the consumer A 722(a) indicating that the transaction is denied (step 822). Additional authentication processing may include sending a transaction notification message to the consumer A 722(a) (e.g., to the consumer's cell phone or the consumer's computer) notifying the consumer that a transaction is taking place. The notification message may request that the consumer A 722(a) confirm that the transaction is authentic. Alternatively or additionally, other types of challenges, such as challenge questions, may be sent to consumer A 722(a). Challenges such as challenge questions are described in further detail in U.S. patent application Ser. No. 11/763,240, entitled “Consumer Authentication System and Method” filed on Jun. 14, 2007, which is herein incorporated by reference in its entirety for all purposes.
In some embodiments, if a fingerprint obtained from the authorization request message and the fingerprint in the consumer database 726(b) match, the server computer 726(a) may also optionally determine if a transaction confidence threshold is satisfied (step 815). If the confidence threshold is not satisfied, then additional authorization processing may be performed (step 823). If, however, the confidence threshold is satisfied, then an authorization request message may then be forwarded onto issuer A 428(a) (step 816).
The transaction confidence threshold may take any number of transaction characteristics to score the transaction as being authentic or potentially suspicious. Such transaction characteristics may relate to the access device (e.g., whether the access device uses new or old technology, whether the access device uses a secure encryption algorithm to encrypt data, etc.), portable consumer device (e.g., whether the portable consumer device is a phone, a magnetic stripe card with old technology, a magnetic stripe card with new technology, etc.), etc.
As noted above, in a payment processing system, there can be many different combinations of access devices and portable consumer devices interacting together at any given time. These different combinations of access devices and potable consumer devices may initiate transactions that may have different levels of potential authenticity. For example, referring to
After the authorization request message is received by issuer A 728(a), issuer A may then determine if the transaction is authorized. If the transaction is not authorized (e.g., due to insufficient funds or credit in consumer A's account), then additional authorization processing may be performed and/or an authorization response message indicating that the transaction is declined may be sent to consumer A 730(a) (step 824).
If the transaction is approved by issuer A 728(a), then an authorization response message may be sent back to consumer A 730(a) via the payment processing network 726, acquirer A 724(a), merchant A 722(a), and access device A 734(a) (step 820).
At the end of the day, a normal clearing and settlement process can be conducted by the payment processing network 726. A clearing process is a process of exchanging financial details between an acquirer and an issuer to facilitate posting to a consumer's account and reconciliation of the consumer's settlement position. Clearing and settlement can occur simultaneously.
Further details regarding embodiments that use the methods and systems that are described above can be found in U.S. patent application Ser. No. 11/764,361, entitled Portable Consumer Device Verification System and Method, filed on Jun. 18, 2007 which is herein incorporated by reference in its entirety for all purposes.
It should be understood that the present invention as described above can be implemented in the form of control logic using computer software in a modular or integrated manner. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will know and appreciate other ways and/or methods to implement the present invention using hardware and a combination of hardware and software
Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.
The above description is illustrative and is not restrictive. Many variations of the invention will become apparent to those skilled in the art upon review of the disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.
One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.
A recitation of “a”, “an” or “the” is intended to mean “one or more” unless specifically indicated to the contrary.
This application is a continuation of U.S. patent application Ser. No. 11/764,343 filed on Jun. 18, 2007, which is a non-provisional patent application of and claims the benefit of the filing dates of U.S. Provisional Patent Application No. 60/815,059, filed on Jun. 19, 2006, U.S. Provisional Patent Application No. 60/815,430 filed on Jun. 20, 2006, and U.S. Provisional Patent Application No. 60/884,089 filed on Jan. 9, 2007. All of these applications are herein incorporated by reference in their entirety for all purposes.
| Number | Name | Date | Kind |
|---|---|---|---|
| 3956615 | Anderson et al. | May 1976 | A |
| 4186871 | Anderson et al. | Feb 1980 | A |
| 4238853 | Ehrsam et al. | Dec 1980 | A |
| 4277837 | Stuckert | Jul 1981 | A |
| 4317957 | Sendrow | Mar 1982 | A |
| 4423287 | Zeidler | Dec 1983 | A |
| 4528442 | Endo | Jul 1985 | A |
| 4707592 | Ware | Nov 1987 | A |
| 4742351 | Suzuki | May 1988 | A |
| 4758714 | Carlson et al. | Jul 1988 | A |
| 5017766 | Tamada et al. | May 1991 | A |
| 5163097 | Pegg | Nov 1992 | A |
| 5177342 | Adams | Jan 1993 | A |
| 5254843 | Hynes et al. | Oct 1993 | A |
| 5311594 | Penzias | May 1994 | A |
| 5361062 | Weiss et al. | Nov 1994 | A |
| 5365586 | Indeck et al. | Nov 1994 | A |
| 5384449 | Peirce | Jan 1995 | A |
| 5408505 | Indeck et al. | Apr 1995 | A |
| 5420926 | Low et al. | May 1995 | A |
| 5428683 | Indeck et al. | Jun 1995 | A |
| 5434398 | Goldberg | Jul 1995 | A |
| 5465206 | Hilt et al. | Nov 1995 | A |
| 5465387 | Mukherjee | Nov 1995 | A |
| 5500513 | Langhans et al. | Mar 1996 | A |
| 5513250 | McAllister | Apr 1996 | A |
| 5526409 | Conrow et al. | Jun 1996 | A |
| 5530438 | Bickham | Jun 1996 | A |
| 5539810 | Kennedy et al. | Jul 1996 | A |
| 5546462 | Indeck et al. | Aug 1996 | A |
| 5577121 | Davis et al. | Nov 1996 | A |
| 5615110 | Wong | Mar 1997 | A |
| 5621201 | Langhans et al. | Apr 1997 | A |
| 5625689 | Indeck et al. | Apr 1997 | A |
| 5655007 | McAllister | Aug 1997 | A |
| 5679940 | Templeton et al. | Oct 1997 | A |
| 5708422 | Blonder et al. | Jan 1998 | A |
| 5721781 | Deo et al. | Feb 1998 | A |
| 5737421 | Audebert | Apr 1998 | A |
| 5740244 | Indeck et al. | Apr 1998 | A |
| 5745576 | Abraham et al. | Apr 1998 | A |
| 5774525 | Kanevsky et al. | Jun 1998 | A |
| 5802176 | Audebert | Sep 1998 | A |
| 5812668 | Weber | Sep 1998 | A |
| 5819226 | Gopinathan et al. | Oct 1998 | A |
| 5832458 | Jones | Nov 1998 | A |
| 5834747 | Cooper | Nov 1998 | A |
| 5835599 | Buer | Nov 1998 | A |
| 5839119 | Krsul et al. | Nov 1998 | A |
| 5872834 | Teitelbaum | Feb 1999 | A |
| 5878337 | Joao et al. | Mar 1999 | A |
| 5883810 | Franklin | Mar 1999 | A |
| 5903830 | Joao et al. | May 1999 | A |
| 5914471 | Van De Pavert | Jun 1999 | A |
| 5914472 | Foladare et al. | Jun 1999 | A |
| 5920628 | Indeck et al. | Jul 1999 | A |
| 5953710 | Fleminq | Sep 1999 | A |
| 5956699 | Wong et al. | Sep 1999 | A |
| 5988497 | Wallace | Nov 1999 | A |
| 5988500 | Litman | Nov 1999 | A |
| 5991410 | Albert et al. | Nov 1999 | A |
| 6000832 | Franklin et al. | Dec 1999 | A |
| 6005942 | Chan et al. | Dec 1999 | A |
| 6012144 | Pickett | Jan 2000 | A |
| 6016476 | Maes et al. | Jan 2000 | A |
| 6029154 | Pettitt | Feb 2000 | A |
| 6052675 | Checchio | Apr 2000 | A |
| 6053406 | Litman | Apr 2000 | A |
| 6055505 | Elston | Apr 2000 | A |
| 6064990 | Goldsmith | May 2000 | A |
| 6067529 | Ray et al. | May 2000 | A |
| 6081792 | Cucinotta et al. | Jun 2000 | A |
| 6094643 | Anderson et al. | Jul 2000 | A |
| 6095413 | Tetro et al. | Aug 2000 | A |
| 6105006 | Davis et al. | Aug 2000 | A |
| 6112191 | Burke | Aug 2000 | A |
| 6122624 | Tetro et al. | Sep 2000 | A |
| 6157707 | Baulier et al. | Dec 2000 | A |
| 6182894 | Hackett et al. | Feb 2001 | B1 |
| 6184651 | Fernandez et al. | Feb 2001 | B1 |
| 6219793 | Li et al. | Apr 2001 | B1 |
| 6226624 | Watson et al. | May 2001 | B1 |
| 6234901 | Nagoshi et al. | May 2001 | B1 |
| 6254002 | Litman | Jul 2001 | B1 |
| 6260146 | Mos et al. | Jul 2001 | B1 |
| 6263447 | French et al. | Jul 2001 | B1 |
| 6282522 | Davis et al. | Aug 2001 | B1 |
| 6282656 | Wang | Aug 2001 | B1 |
| 6298336 | Davis et al. | Oct 2001 | B1 |
| 6308890 | Cooper | Oct 2001 | B1 |
| 6327578 | Linehan | Dec 2001 | B1 |
| 6330550 | Brisebois et al. | Dec 2001 | B1 |
| 6339766 | Gephart | Jan 2002 | B1 |
| 6345101 | Jayant | Feb 2002 | B1 |
| 6367011 | Lee et al. | Apr 2002 | B1 |
| 6381584 | Ogram | Apr 2002 | B1 |
| 6442532 | Kawan | Aug 2002 | B1 |
| 6456984 | Demoff et al. | Sep 2002 | B1 |
| 6466126 | Collins et al. | Oct 2002 | B2 |
| 6488206 | Flaig et al. | Dec 2002 | B1 |
| 6496936 | French et al. | Dec 2002 | B1 |
| 6505046 | Baker | Jan 2003 | B1 |
| 6523745 | Tamori | Feb 2003 | B1 |
| 6529725 | Joao et al. | Mar 2003 | B1 |
| 6535855 | Cahill et al. | Mar 2003 | B1 |
| 6560581 | Fox et al. | May 2003 | B1 |
| 6592044 | Wong et al. | Jul 2003 | B1 |
| 6607136 | Atsmon et al. | Aug 2003 | B1 |
| 6612488 | Suzuki | Sep 2003 | B2 |
| 6616035 | Ehrensvard et al. | Sep 2003 | B2 |
| 6636833 | Flitcroft et al. | Oct 2003 | B1 |
| 6647269 | Hendrey et al. | Nov 2003 | B2 |
| 6651885 | Arias | Nov 2003 | B1 |
| 6684250 | Anderson et al. | Jan 2004 | B2 |
| 6714918 | Hillmer et al. | Mar 2004 | B2 |
| 6715672 | Tetro et al. | Apr 2004 | B1 |
| RE38572 | Tetro et al. | Aug 2004 | E |
| 6775539 | Deshpande | Aug 2004 | B2 |
| 6816058 | McGregor et al. | Nov 2004 | B2 |
| 6823721 | Fujii | Dec 2004 | B1 |
| 6830183 | von Mueller et al. | Dec 2004 | B2 |
| 6832721 | Fujii | Dec 2004 | B2 |
| 6836670 | Casstrogiovanni et al. | Dec 2004 | B2 |
| 6837425 | Gauthier et al. | Jan 2005 | B2 |
| 6839840 | Cooreman | Jan 2005 | B1 |
| 6839845 | Hsu et al. | Jan 2005 | B2 |
| 6850916 | Wang | Feb 2005 | B1 |
| 6857073 | French et al. | Feb 2005 | B2 |
| 6862575 | Anttila et al. | Mar 2005 | B1 |
| 6868391 | Hultgren | Mar 2005 | B1 |
| 6877661 | Webb et al. | Apr 2005 | B2 |
| 6883717 | Kelley | Apr 2005 | B1 |
| 6899269 | Deland | May 2005 | B1 |
| 6904526 | Hongwei | Jun 2005 | B1 |
| 6913194 | Suzuki | Jul 2005 | B2 |
| 6944782 | von Mueller et al. | Sep 2005 | B2 |
| 6948656 | Williams | Sep 2005 | B2 |
| 6968180 | Kirby et al. | Nov 2005 | B2 |
| 6980660 | Hind et al. | Dec 2005 | B1 |
| 6983882 | Cassone | Jan 2006 | B2 |
| 7003495 | Burger et al. | Feb 2006 | B1 |
| 7003497 | Maes | Feb 2006 | B2 |
| 7007840 | Davis | Mar 2006 | B2 |
| 7013293 | Kipnis et al. | Mar 2006 | B1 |
| 7024396 | Woodward | Apr 2006 | B2 |
| 7044394 | Brown | May 2006 | B2 |
| 7051002 | Keresman, III et al. | May 2006 | B2 |
| 7058611 | Kranzley et al. | Jun 2006 | B2 |
| 7058978 | Feuerstein et al. | Jun 2006 | B2 |
| 7080035 | Williams et al. | Jul 2006 | B1 |
| 7096003 | Joao et al. | Aug 2006 | B2 |
| 7107250 | Harrison | Sep 2006 | B2 |
| 7137551 | Crews et al. | Nov 2006 | B1 |
| 7143095 | Barrett et al. | Nov 2006 | B2 |
| 7152788 | Williams | Dec 2006 | B2 |
| 7160189 | Walker et al. | Jan 2007 | B2 |
| 7225156 | Fisher et al. | May 2007 | B2 |
| 7231657 | Honarvar et al. | Jun 2007 | B2 |
| 7243853 | Levy et al. | Jul 2007 | B1 |
| 7248017 | Cheng et al. | Jul 2007 | B2 |
| 7249093 | King | Jul 2007 | B1 |
| 7251624 | Lee et al. | Jul 2007 | B1 |
| 7257545 | Hung | Aug 2007 | B1 |
| 7264154 | Harris | Sep 2007 | B2 |
| 7272728 | Pierson et al. | Sep 2007 | B2 |
| 7273168 | Linlor | Sep 2007 | B2 |
| 7328850 | Sines | Feb 2008 | B2 |
| 7330871 | Barber | Feb 2008 | B2 |
| 7343149 | Benco et al. | Mar 2008 | B2 |
| 7343317 | Jokinen et al. | Mar 2008 | B2 |
| 7349668 | Ilan et al. | Mar 2008 | B2 |
| 7357310 | Calabrese et al. | Apr 2008 | B2 |
| D568388 | Hammad | May 2008 | S |
| D568389 | Hammad | May 2008 | S |
| D568390 | Hammad | May 2008 | S |
| 7373669 | Eisen | May 2008 | B2 |
| 7377433 | Morley et al. | May 2008 | B2 |
| D571399 | Hammad et al. | Jun 2008 | S |
| D571856 | Hammad et al. | Jun 2008 | S |
| 7389275 | Kemper et al. | Jun 2008 | B2 |
| D572752 | Hammad | Jul 2008 | S |
| D573181 | Hammad | Jul 2008 | S |
| 7401049 | Hobbs et al. | Jul 2008 | B2 |
| 7403908 | Jaramillo | Jul 2008 | B1 |
| D575815 | Hammad et al. | Aug 2008 | S |
| D576207 | Hammad et al. | Sep 2008 | S |
| 7420474 | Elks et al. | Sep 2008 | B1 |
| 7427021 | Kemper et al. | Sep 2008 | B2 |
| 7430537 | Templeton et al. | Sep 2008 | B2 |
| D578158 | Hammad et al. | Oct 2008 | S |
| D580974 | Hammad | Nov 2008 | S |
| 7451917 | McCall et al. | Nov 2008 | B2 |
| D584769 | Hammad | Jan 2009 | S |
| 7482925 | Hammad et al. | Jan 2009 | B2 |
| 7493487 | Phillips et al. | Feb 2009 | B2 |
| 7500607 | Williams | Mar 2009 | B2 |
| 7545748 | Riddle | Apr 2009 | B1 |
| 7527208 | Hammad et al. | May 2009 | B2 |
| 7540015 | Friedman | May 2009 | B2 |
| 7548890 | Shakkarwar | Jun 2009 | B2 |
| 7571124 | Bodin | Aug 2009 | B2 |
| 7575177 | Killian et al. | Aug 2009 | B2 |
| 7610216 | May et al. | Oct 2009 | B1 |
| 7620600 | Patil et al. | Nov 2009 | B2 |
| 7653597 | Stevanocski et al. | Jan 2010 | B1 |
| 7665657 | Huh | Feb 2010 | B2 |
| 7731086 | Saunders et al. | Jun 2010 | B2 |
| 7740168 | Hammad | Jun 2010 | B2 |
| 7761374 | Sahota | Jul 2010 | B2 |
| 7810165 | Hammad | Oct 2010 | B2 |
| 7818264 | Hammad et al. | Oct 2010 | B2 |
| 7819322 | Hammad et al. | Oct 2010 | B2 |
| 7885899 | Sancho | Feb 2011 | B1 |
| 7899753 | Everhart | Mar 2011 | B1 |
| 8087582 | Hammad | Jan 2012 | B2 |
| 8135647 | Hammad et al. | Mar 2012 | B2 |
| 8229854 | Stephen et al. | Jul 2012 | B2 |
| 8533118 | Weller et al. | Sep 2013 | B2 |
| 20010037453 | Mitty et al. | Nov 2001 | A1 |
| 20010044777 | Haley et al. | Nov 2001 | A1 |
| 20010056409 | Bellovin | Dec 2001 | A1 |
| 20020002681 | Kawano et al. | Jan 2002 | A1 |
| 20020007320 | Hogan et al. | Jan 2002 | A1 |
| 20020007352 | Feischi et al. | Jan 2002 | A1 |
| 20020013711 | Ahuja et al. | Jan 2002 | A1 |
| 20020026396 | Dent et al. | Feb 2002 | A1 |
| 20020026478 | Rodgers et al. | Feb 2002 | A1 |
| 20020032661 | Schuba et al. | Mar 2002 | A1 |
| 20020035548 | Hogan et al. | Mar 2002 | A1 |
| 20020035622 | Barber | Mar 2002 | A1 |
| 20020038287 | Villaret et al. | Mar 2002 | A1 |
| 20020046186 | Nishio et al. | Apr 2002 | A1 |
| 20020046189 | Morita et al. | Apr 2002 | A1 |
| 20020049818 | Gilhuly et al. | Apr 2002 | A1 |
| 20020066014 | Dworkin et al. | May 2002 | A1 |
| 20020073044 | Singhal | Jun 2002 | A1 |
| 20020073046 | David | Jun 2002 | A1 |
| 20020077144 | Keller et al. | Jun 2002 | A1 |
| 20020077978 | O'Leary et al. | Jun 2002 | A1 |
| 20020088863 | Chi-Yuan | Jul 2002 | A1 |
| 20020091562 | Siegel et al. | Jul 2002 | A1 |
| 20020091945 | Ross | Jul 2002 | A1 |
| 20020095388 | Yu et al. | Jul 2002 | A1 |
| 20020095389 | Gaines | Jul 2002 | A1 |
| 20020096570 | Wong et al. | Jul 2002 | A1 |
| 20020099642 | Schwankl et al. | Jul 2002 | A1 |
| 20020099665 | Burger et al. | Jul 2002 | A1 |
| 20020108062 | Nakajima et al. | Aug 2002 | A1 |
| 20020116341 | Hogan et al. | Aug 2002 | A1 |
| 20020116626 | Wood | Aug 2002 | A1 |
| 20020120587 | D'Agostino | Aug 2002 | A1 |
| 20020123972 | Hodgson et al. | Sep 2002 | A1 |
| 20020133462 | Shteyn | Sep 2002 | A1 |
| 20020138445 | Laage et al. | Sep 2002 | A1 |
| 20020147658 | Kwan | Oct 2002 | A1 |
| 20020152179 | Racov | Oct 2002 | A1 |
| 20020153424 | Li et al. | Oct 2002 | A1 |
| 20020158747 | McGregor et al. | Oct 2002 | A1 |
| 20020161724 | Peters | Oct 2002 | A1 |
| 20020174030 | Praisner et al. | Nov 2002 | A1 |
| 20020180584 | McGregor et al. | Dec 2002 | A1 |
| 20020194499 | Audebert et al. | Dec 2002 | A1 |
| 20030001005 | Risafi et al. | Jan 2003 | A1 |
| 20030028481 | Flitcroft et al. | Feb 2003 | A1 |
| 20030033228 | Bosworth-Davies et al. | Feb 2003 | A1 |
| 20030050896 | Wiederin | Mar 2003 | A1 |
| 20030061110 | Bodin | Mar 2003 | A1 |
| 20030061168 | Routhenstein | Mar 2003 | A1 |
| 20030074317 | Hofi | Apr 2003 | A1 |
| 20030080185 | Werther | May 2003 | A1 |
| 20030085286 | Kelley | May 2003 | A1 |
| 20030101137 | Wronski | May 2003 | A1 |
| 20030105710 | Barbara | Jun 2003 | A1 |
| 20030105964 | Brainard et al. | Jun 2003 | A1 |
| 20030109300 | Walker et al. | Jun 2003 | A1 |
| 20030115142 | Brickell et al. | Jun 2003 | A1 |
| 20030126079 | Roberson et al. | Jul 2003 | A1 |
| 20030126094 | Fisher et al. | Jul 2003 | A1 |
| 20030135463 | Brown et al. | Jul 2003 | A1 |
| 20030140004 | O'Leary et al. | Jul 2003 | A1 |
| 20030140007 | Kramer et al. | Jul 2003 | A1 |
| 20030154406 | Honarvar et al. | Aug 2003 | A1 |
| 20030168510 | Allen | Sep 2003 | A1 |
| 20030169881 | Niedermeyer | Sep 2003 | A1 |
| 20030172040 | Kemper et al. | Sep 2003 | A1 |
| 20030200184 | Dominguez et al. | Oct 2003 | A1 |
| 20030208684 | Camacho et al. | Nov 2003 | A1 |
| 20030216996 | Cummings et al. | Nov 2003 | A1 |
| 20030222135 | Stoutenburg et al. | Dec 2003 | A1 |
| 20030225703 | Angel | Dec 2003 | A1 |
| 20040003285 | Whelan et al. | Jan 2004 | A1 |
| 20040014423 | Croome et al. | Jan 2004 | A1 |
| 20040015435 | Solomon et al. | Jan 2004 | A1 |
| 20040019564 | Goldthwaite et al. | Jan 2004 | A1 |
| 20040024638 | Restis | Feb 2004 | A1 |
| 20040031856 | Atsmon et al. | Feb 2004 | A1 |
| 20040034604 | Klebanoff | Feb 2004 | A1 |
| 20040039694 | Dunn et al. | Feb 2004 | A1 |
| 20040059688 | Dominguez et al. | Mar 2004 | A1 |
| 20040064403 | Hasumi et al. | Apr 2004 | A1 |
| 20040078340 | Evans | Apr 2004 | A1 |
| 20040107170 | Labrou et al. | Jun 2004 | A1 |
| 20040122747 | Jimenez et al. | Jun 2004 | A1 |
| 20040128243 | Kavangh et al. | Jul 2004 | A1 |
| 20040138955 | Song et al. | Jul 2004 | A1 |
| 20040153417 | Everhart | Aug 2004 | A1 |
| 20040156537 | Chung et al. | Aug 2004 | A1 |
| 20040171373 | Suda et al. | Sep 2004 | A1 |
| 20040171406 | Purk | Sep 2004 | A1 |
| 20040179684 | Appenzeller et al. | Sep 2004 | A1 |
| 20040185830 | Joao et al. | Sep 2004 | A1 |
| 20040187018 | Owen | Sep 2004 | A1 |
| 20040019970 | Ferry et al. | Oct 2004 | A1 |
| 20040254892 | Adamson | Dec 2004 | A1 |
| 20050029349 | McGregor et al. | Feb 2005 | A1 |
| 20050043997 | Sahota et al. | Feb 2005 | A1 |
| 20050060233 | Bonalle et al. | Mar 2005 | A1 |
| 20050060730 | Soeda et al. | Mar 2005 | A1 |
| 20050065876 | Kumar | Mar 2005 | A1 |
| 20050071226 | Nguyen et al. | Mar 2005 | A1 |
| 20050071227 | Hammad et al. | Mar 2005 | A1 |
| 20050071228 | Bortolin et al. | Mar 2005 | A1 |
| 20050071235 | Nguyen et al. | Mar 2005 | A1 |
| 20050080730 | Sorrentino | Apr 2005 | A1 |
| 20050091152 | Suisa | Apr 2005 | A1 |
| 20050097320 | Golan et al. | May 2005 | A1 |
| 20050119978 | Ates | Jun 2005 | A1 |
| 20050122209 | Black | Jun 2005 | A1 |
| 20050149455 | Bruesewitz et al. | Jul 2005 | A1 |
| 20050167495 | Morley et al. | Aug 2005 | A1 |
| 20050170814 | Joao et al. | Aug 2005 | A1 |
| 20050171905 | Wankmueller et al. | Aug 2005 | A1 |
| 20050184145 | Law et al. | Aug 2005 | A1 |
| 20050218229 | Morley et al. | Oct 2005 | A1 |
| 20050228986 | Fukasawa et al. | Oct 2005 | A1 |
| 20050234822 | VanFleet et al. | Oct 2005 | A1 |
| 20050240527 | Goldman | Oct 2005 | A1 |
| 20050268107 | Harris et al. | Dec 2005 | A1 |
| 20050273442 | Bennett et al. | Dec 2005 | A1 |
| 20050278542 | Pierson et al. | Dec 2005 | A1 |
| 20060010072 | Eisen | Jan 2006 | A1 |
| 20060018523 | Saitoh et al. | Jan 2006 | A1 |
| 20060059110 | Madhok et al. | Mar 2006 | A1 |
| 20060074698 | Bishop et al. | Apr 2006 | A1 |
| 20060112275 | Jeal et al. | May 2006 | A1 |
| 20060136546 | Trioano et al. | Jun 2006 | A1 |
| 20060156385 | Chiviendacz et al. | Jul 2006 | A1 |
| 20060165060 | Dua | Jul 2006 | A1 |
| 20060202025 | Calabrese et al. | Sep 2006 | A1 |
| 20060219776 | Finn | Oct 2006 | A1 |
| 20060255128 | Johnson et al. | Nov 2006 | A1 |
| 20060278704 | Saunders et al. | Dec 2006 | A1 |
| 20060281439 | Benco et al. | Dec 2006 | A1 |
| 20060282382 | Balasubramanian et al. | Dec 2006 | A1 |
| 20060287955 | Moulart et al. | Dec 2006 | A1 |
| 20060290501 | Hammad et al. | Dec 2006 | A1 |
| 20060293027 | Hammad et al. | Dec 2006 | A1 |
| 20070017970 | Gauthier et al. | Jan 2007 | A1 |
| 20070021126 | Nanda et al. | Jan 2007 | A1 |
| 20070034679 | Gauthier et al. | Feb 2007 | A1 |
| 20070034700 | Poidomani et al. | Feb 2007 | A1 |
| 20070045398 | Chen | Mar 2007 | A1 |
| 20070055630 | Gauthier et al. | Mar 2007 | A1 |
| 20070057034 | Patrick et al. | Mar 2007 | A1 |
| 20070067833 | Colnot | Mar 2007 | A1 |
| 20070087813 | Walker et al. | Apr 2007 | A1 |
| 20070103274 | Berthold | May 2007 | A1 |
| 20070124801 | Thomas et al. | May 2007 | A1 |
| 20070130062 | Huh | Jun 2007 | A1 |
| 20070136131 | Mankoff | Jun 2007 | A1 |
| 20070136211 | Brown et al. | Jun 2007 | A1 |
| 20070143227 | Kranzley et al. | Jun 2007 | A1 |
| 20070143230 | Narainsamy et al. | Jun 2007 | A1 |
| 20070174082 | Singh | Jul 2007 | A1 |
| 20070174448 | Ahuja et al. | Jul 2007 | A1 |
| 20070192601 | Spain et al. | Aug 2007 | A1 |
| 20070214151 | Thomas et al. | Sep 2007 | A1 |
| 20070234409 | Eisen | Oct 2007 | A1 |
| 20070239606 | Eisen | Oct 2007 | A1 |
| 20070239622 | Routhenstein | Oct 2007 | A1 |
| 20070244830 | Hilderman | Oct 2007 | A1 |
| 20070250380 | Mankoff | Oct 2007 | A1 |
| 20070260544 | Wankmueller et al. | Nov 2007 | A1 |
| 20070262138 | Somers et al. | Nov 2007 | A1 |
| 20070271596 | Boubion et al. | Nov 2007 | A1 |
| 20070276765 | Hazel et al. | Nov 2007 | A1 |
| 20070288641 | Lee | Dec 2007 | A1 |
| 20070294182 | Hammad | Dec 2007 | A1 |
| 20080004121 | Gatto et al. | Jan 2008 | A1 |
| 20080005037 | Hammad et al. | Jan 2008 | A1 |
| 20080029593 | Hammad et al. | Feb 2008 | A1 |
| 20080034221 | Hammad et al. | Feb 2008 | A1 |
| 20080040271 | Hammad et al. | Feb 2008 | A1 |
| 20080040276 | Hammad et al. | Feb 2008 | A1 |
| 20080065553 | Faith et al. | Mar 2008 | A1 |
| 20080087722 | Collins | Apr 2008 | A1 |
| 20080103972 | Lanc | May 2008 | A1 |
| 20080103982 | Hammad et al. | May 2008 | A1 |
| 20080104684 | Lunde et al. | May 2008 | A1 |
| 20080116264 | Hammad et al. | May 2008 | A1 |
| 20080120214 | Steele et al. | May 2008 | A1 |
| 20080120236 | Faith et al. | May 2008 | A1 |
| 20080120507 | Shakkarwar | May 2008 | A1 |
| 20080128513 | Hammad et al. | Jun 2008 | A1 |
| 20080133420 | Barber | Jun 2008 | A1 |
| 20080154760 | Calabrese et al. | Jun 2008 | A1 |
| 20080163257 | Carlson et al. | Jul 2008 | A1 |
| 20080179401 | Hart et al. | Jul 2008 | A1 |
| 20080183480 | Carlson et al. | Jul 2008 | A1 |
| 20080201212 | Hammad et al. | Aug 2008 | A1 |
| 20080203151 | Hammad et al. | Aug 2008 | A1 |
| 20080203152 | Hammad et al. | Aug 2008 | A1 |
| 20080203170 | Hammad et al. | Aug 2008 | A1 |
| 20080208681 | Hammad et al. | Aug 2008 | A1 |
| 20080232582 | Chevallier-Mames et al. | Sep 2008 | A1 |
| 20080235136 | Kemper et al. | Sep 2008 | A1 |
| 20080235138 | Yokota et al. | Sep 2008 | A1 |
| 20080244744 | Thomas et al. | Oct 2008 | A1 |
| 20080255992 | Lin | Oct 2008 | A1 |
| 20080288384 | Collins et al. | Nov 2008 | A1 |
| 20080288405 | John | Nov 2008 | A1 |
| 20080298588 | Shakkarwar | Dec 2008 | A1 |
| 20080302876 | Mullen | Dec 2008 | A1 |
| 20080303632 | Hammad | Dec 2008 | A1 |
| 20080319896 | Carlson et al. | Dec 2008 | A1 |
| 20080319904 | Carlson et al. | Dec 2008 | A1 |
| 20090037213 | Eisen | Feb 2009 | A1 |
| 20090048975 | Felger | Feb 2009 | A1 |
| 20090049529 | Felger | Feb 2009 | A1 |
| 20090055315 | Felger | Feb 2009 | A1 |
| 20090055892 | Lu et al. | Feb 2009 | A1 |
| 20090055893 | Manessis et al. | Feb 2009 | A1 |
| 20090083184 | Eisen | Feb 2009 | A1 |
| 20090083191 | Hammad et al. | Mar 2009 | A1 |
| 20090089213 | Hammad | Apr 2009 | A1 |
| 20090099961 | Ogilvy | Apr 2009 | A1 |
| 20090150288 | Bishop et al. | Jun 2009 | A1 |
| 20090171682 | Dixon et al. | Jul 2009 | A1 |
| 20090171849 | Hammad et al. | Jul 2009 | A1 |
| 20090202081 | Hammad et al. | Aug 2009 | A1 |
| 20090204524 | McGeeorge | Aug 2009 | A1 |
| 20090271306 | Pierson | Oct 2009 | A1 |
| 20100024029 | Sasaki et al. | Jan 2010 | A1 |
| 20100036749 | Barber | Feb 2010 | A1 |
| 20100252623 | Hammad et al. | Oct 2010 | A1 |
| 20100262546 | Sahota et al. | Oct 2010 | A1 |
| 20110004526 | Hammad et al. | Jan 2011 | A1 |
| 20110004553 | Hammad et al. | Jan 2011 | A1 |
| 20110231315 | Bandyopadhyay et al. | Sep 2011 | A1 |
| Number | Date | Country |
|---|---|---|
| 2267672 | Aug 2000 | CA |
| 1344396 | Apr 2002 | CN |
| 1435985 | Aug 2003 | CN |
| 1449540 | Oct 2003 | CN |
| 1508746 | Jun 2004 | CN |
| 0 745 961 | Dec 1996 | EP |
| 0 540 234 | Mar 1998 | EP |
| 0 926 624 | Jun 1999 | EP |
| 1 139 200 | Oct 2001 | EP |
| 2 796 742 | Jan 2001 | FR |
| 2 398 152 | Aug 2004 | GB |
| 3149690 | Jun 1991 | JP |
| 04-213784 | Aug 1992 | JP |
| 10275069 | Oct 1998 | JP |
| 11213044 | Aug 1999 | JP |
| 11-275096 | Oct 1999 | JP |
| 2000-078128 | Mar 2000 | JP |
| 2000-151578 | May 2000 | JP |
| 2000-298733 | Oct 2000 | JP |
| 2000-322486 | Nov 2000 | JP |
| 2001-188759 | Jul 2001 | JP |
| 2001-509908 | Jul 2001 | JP |
| 2001-524771 | Dec 2001 | JP |
| 2002-024719 | Jan 2002 | JP |
| 2002-092739 | Mar 2002 | JP |
| 2002-92739 | Mar 2002 | JP |
| 2002-109436 | Apr 2002 | JP |
| 2002-117377 | Apr 2002 | JP |
| 2002-140302 | May 2002 | JP |
| 2002-366868 | Dec 2002 | JP |
| 2003-016364 | Jan 2003 | JP |
| 2003-136566 | May 2003 | JP |
| 2003-519420 | Jun 2003 | JP |
| 2003-196566 | Jul 2003 | JP |
| 2003 281476 | Oct 2003 | JP |
| 2003-532206 | Oct 2003 | JP |
| 2003-337917 | Nov 2003 | JP |
| 2003-534585 | Nov 2003 | JP |
| 2004-500671 | Jan 2004 | JP |
| 2004-126898 | Apr 2004 | JP |
| 2004-272827 | Sep 2004 | JP |
| 2005 062957 | Mar 2005 | JP |
| 2006505051 | Feb 2006 | JP |
| 2007-517272 | Feb 2007 | JP |
| 2007-513395 | May 2007 | JP |
| 2004-0103581 | Dec 2004 | KR |
| 10-2006-0031156 | Apr 2006 | KR |
| 2003129649 | Apr 2005 | RU |
| 2263347 | Oct 2005 | RU |
| 95-06371 | Mar 1995 | WO |
| 97-24825 | Jul 1997 | WO |
| 98-31123 | Jul 1998 | WO |
| 9831123 | Jul 1998 | WO |
| 00-25262 | May 2000 | WO |
| 00-46769 | Aug 2000 | WO |
| 00-52866 | Sep 2000 | WO |
| 01-41093 | Jun 2001 | WO |
| 02-01462 | Jan 2002 | WO |
| 0201325 | Jan 2002 | WO |
| 02038719 | May 2002 | WO |
| 03-001866 | Jan 2003 | WO |
| 03-003704 | Jan 2003 | WO |
| 03-081832 | Oct 2003 | WO |
| 03-083737 | Oct 2003 | WO |
| 2004042540 | May 2004 | WO |
| 2004-081837 | Sep 2004 | WO |
| 2004-104528 | Dec 2004 | WO |
| 2005-001635 | Jan 2005 | WO |
| 2005-020012 | Mar 2005 | WO |
| 2005-025292 | Mar 2005 | WO |
| 2005-059795 | Jun 2005 | WO |
| 2005-072382 | Aug 2005 | WO |
| 2006-023839 | Mar 2006 | WO |
| 2006040820 | Apr 2006 | WO |
| 2008027642 | May 2008 | WO |
| Entry |
|---|
| U.S. Appl. No. 11/761,821, dated Jun. 12, 2007, Faith. |
| U.S. Appl. No. 11/763,240, dated Jun. 14, 2007, Faith. |
| U.S. Appl. No. 11/764,351, dated Jun. 18, 2007, Faith. |
| U.S. Appl. No. 11/764,361, dated Jun. 18, 2007, Faith. |
| U.S. Appl. No. 11/764,370, dated Jun. 18, 2007, Faith. |
| U.S. Appl. No. 11/764,376, dated Jun. 18, 2007, Faith. |
| U.S. Appl. No. 11/764,622, dated Jun. 18, 2007, Faith. |
| Fujitsu Microelectronics America Announces New Fingerprint Identification Technology for Cell Phones, Mobile Devices Mar. 11, 2002 by Fujitsu Microelectronics America, Inc at www.fujitsu.com-us-news-pr-fma_20020311.html. |
| U.S. Appl. No. 10/642,878, filed Aug. 18, 2003. |
| U.S. Appl. No. 11/536,296, filed Sep. 26, 2006. |
| U.S. Appl. No. 11/566,614, filed Dec. 4, 2006. |
| U.S. Appl. No. 11/680,589, filed Feb. 28, 2007. |
| U.S. Appl. No. 11/680,592, filed Feb. 28, 2007. |
| U.S. Appl. No. 11/680,594, filed Feb. 28, 2007. |
| U.S. Appl. No. 11/811,875, filed Jun. 11, 2007. |
| U.S. Appl. No. 11/935,740, filed Nov. 6, 2007. |
| U.S. Appl. No. 11/940,074, filed Nov. 14, 2007. |
| U.S. Appl. No. 11/962,836, filed Dec. 21, 2007. |
| U.S. Appl. No. 11/963,736, filed Dec. 28, 2007. |
| U.S. Appl. No. 11/966,233, filed Dec. 21, 2007. |
| U.S. Appl. No. 12/022,060, filed Jan. 28, 2008. |
| U.S. Appl. No. 12/022,075, filed Jan. 29, 2008. |
| U.S. Appl. No. 12/028,220, filed Feb. 8, 2008. |
| U.S. Appl. No. 29/263,226, filed Jul. 17, 2006. |
| U.S. Appl. No. 29/266,546, filed Sep. 22, 2006. |
| U.S. Appl. No. 29/279,367, filed Apr. 27, 2007. |
| U.S. Appl. No. 29/279,368, filed Apr. 27, 2007. |
| U.S. Appl. No. 29/279,369, filed Apr. 27, 2007. |
| U.S. Appl. No. 29/279,370, filed Apr. 27, 2007. |
| U.S. Appl. No. 29/279,371, filed Apr. 27, 2007. |
| U.S. Appl. No. 29/281,167, filed Jun. 15, 2007. |
| U.S. Appl. No. 29/306,280, filed Apr. 4, 2008. |
| European Search Report dated May 27, 2011, 8 pages. |
| Office Action dated Mar. 3, 2011 from Mexican Patent Application No. MX-a-2008-016165, 6 pages. |
| Office Action dated Aug. 18, 2011 from Mexican Patent Application No. MX-a-2008-016165, 9 pages. |
| Office Action dated Nov. 10, 2011, from Russian Federation Patent Application No. 2009101311-08, 6 pages. |
| Chinese Office Action dated Mar. 23, 2011, for Chinese Patent Application No. 200780027259.3, with English Translation, 11 pages. |
| Chinese Office Action dated Mar. 21, 2012, for Chinese Patent Application No. 200780027259.3, with English Translation, 15 pages. |
| Hribar, U.; “Secure Electronic Transaction”; Organizacija; Apr. 2000; pp. 281-285; vol. 33; No. 4; dialog search results, 2 pages total. |
| Rosenburge, Jerry M.; Dictionary of computers information processing and Telecommunications; John Wiley and Sons Inc.; 1987; pp. 206; 2nd edition. |
| Australian Notice of Acceptance dated Mar. 17, 2011, for AU Patent Application No. 2007290325, 3 pages. |
| Australian Office Action dated Jun. 24, 2010, for AU Patent Application No. 2007290325, 4 pages. |
| Australian Office Action dated Jun. 25, 2010, for AU Application No. 2007281365, 2 pages. |
| Australian Office Action dated Jun. 25, 2010, for AU Patent Application No. 2007261082, 4 pages. |
| Australian Office Action dated Jul. 1, 2010, for AU Patent Application No. 2007261152, 2 pages. |
| Australian Office Action dated Oct. 1, 2010, for AU Patent Application No. 2007261072, 5 pages. |
| Australian Office Action dated Feb. 15, 2011, for AU Patent Application No. 2007261082, 2 pages. |
| Australian Office Action dated Feb. 24, 2011, for AU Application No. 2007281365, 1 page. |
| Australian Office Action dated Jul. 20, 2011, for AU Patent Application No. 2007261035, 2 pages. |
| Australian Office Action dated Mar. 2, 2012, for AU Patent Application No. 2007261035, 2 pages. |
| Australian Notice of Acceptance dated Jun. 26, 2011, for AU Patent Application No. 2007261072, 3 pages. |
| Australian Notice of Acceptance dated Jul. 7, 2011, for AU Patent Application No. 2007261082, 3 pages. |
| Canadian Office Action dated Oct. 4, 2011 for CA Patent Application No. 2,536,208, 3 pages. |
| Chinese Office Action dated Jan. 12, 2011, for CN Patent Application No. 200780022874.5, with English translation, 12 pages. |
| Chinese Office Action dated Mar. 1, 2012, for CN Patent Application No. 200780022875.X, with English translation, 19 pages. |
| Chinese Office Action dated Oct. 21, 2011, for CN Patent Application No. 200780022874.5, with English translation, 15 pages. |
| Chinese Office Action dated Feb. 22, 2012, for CN Patent Application No. CN 200780029553.8, with English Translation, 10 pages. |
| Communication from the European Patent Office dated Sep. 20, 2005, for EP Patent Application No. 03716368.0, 7 pages. |
| European Summons to Attend Oral Proceedings dated Dec. 23, 2008, for EP Patent Application No. 03716368.0, 5 pages. |
| European Decision to Refuse a European Patent Application dated Apr. 1, 2009, for EP Patent Application No. 03716368.0, 24 pages. |
| Communication from the European Patent Office dated Dec. 22, 2011 or EP Patent Application No. 07840259.1, 5 pages. |
| Communication from the European Patent Office dated Dec. 22, 2011, for EP Patent Application No. 07812158.9, 7 pages. |
| Communication from the European Patent Office dated Dec. 27, 2011, for EP Patent Application No. 07812194.4, 5 pages. |
| European Search Report dated Feb. 10, 2005, for EP Patent Application No. 03716368.0, 3 pages. |
| Extended European Search Report dated Dec. 27, 2010, for Application No. EP 10184725.9, 8 pages. |
| Extended European Search Report for Application dated Feb. 17, 2011, for EP Patent Application No. 07812194.4, 6 pages. |
| European Search Report dated Feb. 28, 2011, for EP Patent Application No. 07812158.9, 7 pages. |
| Extended European Search Report dated Jul. 3, 2011 for EP Patent Application No. 07840259.1, 6 pages. |
| Extended European Search Report dated Jul. 10, 2011, for EP Patent Application No. 07798557.0, 6 pages. |
| International Preliminary Examination Report dated Nov. 17, 2003, for PCT Patent Application No. PCT-US03-06999, 3 pages. |
| International Search Report dated May 22, 2003, for PCT Patent Application No. PCT-US03-06999, 1 page. |
| International Search Report dated May 7, 2007, for PCT patent Application No. PCT-US04-26813, 2 pages. |
| International Search Report dated Feb. 22, 2008, for PCT Patent Application No. PCT-US07-71479, 1 page. |
| International Search Report dated Mar. 28, 2008, for PCT Patent Application No. PCT-US07-71480, 1 page. |
| International Search Report dated Apr. 10, 2008, for PCT Patent Application No. PCT-US07-71376, 4 pages. |
| International Search Report dated Jul. 15, 2008, for PCT Patent Application No. PCT-US07-71518, 1 page. |
| International Search Report dated Aug. 5, 2008, for PCT Patent Application No. PCT-US07-71301, 1 page. |
| Japanese Office Action dated Sep. 2, 2010, for JP Patent Application No. 2006-524010, English translation only, 3 pages. |
| Japanese Decision to Grant dated Mar. 29, 2011, for JP Patent Application No. 2006-524010, English translation only, 4 pages. |
| Korean Office Action dated Dec. 9, 2010, for KR Application No. 10-2006-7003356, with English translation, 6 pages. |
| Korean Office Action dated Aug. 19, 2011, for KR Application No. 10-2006-7003356, with English translation, 6 pages. |
| Korean Office Action dated Nov. 8, 2011, for KR Application No. 10-2006-7003356, with English translation, 6 pages. |
| Mexican Office Action dated Sep. 29, 2011, for MX Patent Application No. MX-a-2008-016174, 2 pages. |
| Russian Office Action dated Nov. 18, 2011, for RU Patent Application No. 2009101310-08(001608), English translation only, 7 pages. |
| Russian Office Action dated Mar. 14, 2012, for RU Patent Application No. 2009101311-08, with English translation, 16 pages. |
| Singapore Search Report and Written Opinion dated Jun. 15, 2007, for SG Patent Application No. 200601078-9, 11 pages. |
| Singapore Search Report and Written Opinion dated Jun. 2, 2009, for SG Patent Application No. 200717870-0, 9 pages. |
| Singapore Examination Report dated Jan. 11, 2010, for SG Patent Application No. 200717870-0, 6 pages. |
| Written Opinion of the International Searching Authority dated May 7, 2007, for PCT patent Application No. PCT-US04-26813, 3 pages. |
| Written Opinion of the International Searching Authority dated Dec. 6, 2007, for PCT Patent Application No. PCT-US07-71200, 6 pages. |
| Written Opinion of the International Searching Authority dated Feb. 22, 2008, for PCT Patent Application No. PCT-US07-71479, 4 pages. |
| Written Opinion of the International Searching Authority dated Apr. 10, 2008, for PCT Patent Application No. PCT-US07-71376, 7 pages. |
| Written Opinion of the International Searching Authority dated Jul. 15, 2008, for PCT Patent Application No. PCT-US07-71518, 7 pages. |
| Written Opinion of the International Searching Authority dated Aug. 5, 2008, for PCT Patent Application No. PCT-US07-71301, 3 pages. |
| Australian Office Action dated Sep. 10, 2012 for AU Patent Application No. 2007261035, 3 pages. |
| Japanese Office Action dated Jul. 31, 2012 for JP Patent Application No. 2009-51660, with English Translation, 10 pages. |
| Japanese Office Action Issued in JP Patent Application No. 2009-516648 dated Aug. 31, 2012, with English Translation, 8 pages. |
| Chinese Office Action Issued in CN Patent Application No. 200780022875.X dated Aug. 21, 2012, with English Translation, 21 pages. |
| Chinese Office Action Issued in CN Patent Application No. 200780027259.3 dated Nov. 2, 2012, with English Translation, 21 pages. |
| Japanese Decision of Rejection dated Jan. 18, 2013 for JP Patent Application No. 2009-516660, with English Translation, 6 pages. |
| Australian Notice of Acceptance dated Aug. 11, 2011 for AU Patent Application No. 2007261152, 3 pages. |
| European Communication dated Apr. 18, 2013 for EP Patent Application No. 07853494.8, 6 pages. |
| Canadian Office Action dated Nov. 14, 2012 for CA Patent Application No. 2,536,208, 4 pages. |
| European Search Report dated Oct. 17, 2012 for EP Patent Application No. 04781493.4, 6 pages. |
| Korean Office Action dated Feb. 26, 2013 for KR Patent Application No. 10-2006-7003356, with English translation, 10 pages. |
| Japanese Office Action dated Oct. 12, 2012 for JP Patent Application No. 2009-516638, with English translation, 12 pages. |
| Australian Notice of Acceptance dated Jan. 18, 2013 for AU Patent Application No. 2007261035, 3 pages. |
| European Communication dated Nov. 26, 2012 for EP Patent Application No. 10184725.9, 8 pages. |
| International Preliminary Report on Patentability dated Feb. 3, 2011 for PCT Application No. PCT/US07/71301, 5 pages. |
| Japanese Office Action dated Dec. 4, 2012 for JP Patent Application No. 2009-516645, with English translation, 10 pages. |
| Chinese Office Action dated Jun. 5, 2012 for CN Patent Application No. 200780022874.5, with English translation, 6 pages. |
| Gandhi, Kiran; “White Paper: Magneprint: A Real Time Risk Management Tool,”; located at httpp:--www.greensheets.com-gs_archive.php?issue_Number=040302&Story=6; 2004; 6 pages. |
| Wong, K.K. et al.; “Adaptive Water Marking,”; IEEE Transactions on Consumer Electronics; Nov. 1997; vol. 43; No. 4; pp. 1003-1009. |
| Chinese Office Action dated Jan. 25, 2013 for CN Patent Application No. 200780022875, with English translation, 23 pages. |
| European Office Action dated Aug. 23, 2013 for EP Patent Application No. 04781493.4, 5 pages. |
| European Search Report dated Aug. 29, 2013 for EP Patent Application No. 13151933.2, 5 pages. |
| Korean Office Action dated Aug. 27, 2013 for KR Patent Application No. 10-2009-7000804, with English Translation, 11 pages. |
| Japanese Office Action dated Jun. 7, 2013 for JP Patent Application No. 2009-516638, with English Translation, 14 pages. |
| Summons to Attend Oral Proceedings dated Sep. 11, 2013, for EP Patent Application No. 07812158.9, 10 pages. |
| Japanese Office Action dated Jul. 2, 2013 for JP Patent Application No. 2009-516645, with English Translation, 6 pages. |
| EP Summons to Attend Oral Proceedings dated Oct. 1, 2013 for EP Patent Application No. 07812194.4, 7 pages. |
| Korean Notice of Decision of Grant dated Nov. 26, 2013 for KR Patent Application No. 10-2006-7003356, with English Translation, 3 pages. |
| Korean Office Action dated Nov. 27, 2013 for KR Patent Application No. 10-2009-7000931, English Translation, 7 pages. |
| Japanese Office Action dated Dec. 20, 2013 for JP Patent Application No. 2013-106124, with English Translation, 5 pages. |
| Canadian Office Action dated Mar. 6, 2014 for CA Patent Application No. 2,536,208, 5 pages. |
| Japanese Notice of Allowance dated May 2, 2014 for JP Patent Application No. 2013-106124, 3 pages. |
| Canadian Office Action dated Apr. 11, 2014 for CA Patent Application No. 2,655,423, 3 pages. |
| Korean Office Action dated Dec. 31, 2014 for KR Patent Application No. 10-2009-7000932, with English translation, 11 pages. |
| Chinese Office Action dated Jan. 6, 2015 for CN Patent Application No. 200780022874.5, with English translation, 15 pages. |
| Mexican Office Action dated May 24, 2012 for MX Patent Application No. MX-a-2008-016173, 2 pages. (In Spanish No Translation). |
| Mexican Office Action dated Nov. 18, 2011 for MX Patent Application No. MX-a-2008-016173, 10 pages. (English Translation). |
| Canadian Office Action dated Apr. 28, 2014 for CA Patent Application No. 2,655,748, 3 pages. |
| Non-Final Office Action for Canadian Application 2,655,015, dated Jul. 31, 2014, 2 pages. |
| Office Action for Korean Patent Application No. 2009-7000931 dated Nov. 11, 2013, with English Translation, 14 pages. |
| Decision on Reexamination for Chinese Application No. 200780022874.5, dated Nov. 25, 2014, 6 pages. |
| Notice of Allowance for Korean Patent Application No. 2009-7000931 dated Dec. 19, 2014, with English Translation, 3 pages. |
| Japanese Decision of Appeal dated Feb. 12, 2015 for JP Patent Application No. 2009-516645, 61 pages. (No English Translation). |
| White, Ron, “How Computers Work,” Millennium Ed., Que Corporation, Indianapolis, IN, 1999. |
| Canadian Office Action dated Apr. 7, 2015 for CA Patent Application No. 2,655,423, 4 pages. |
| Chinese Office Action dated May 12, 2015 for CN Patent Application No. 200780027259.3, with English translation, 19 pages. |
| Chinese Office Action dated Jul. 16, 2015 for CN Patent Application No. 200780022874.5, with English translation, 14 pages. |
| Korean Office Action dated Jul. 24, 2015 for KR Patent Application No. 10-2009-7000932, with English translation, 10 pages. |
| Non-Final Rejection, dated Jun. 30, 2016, in Korean Patent Application No. 2015-7026249, 12 pages. |
| First Examination Report, dated Mar. 22, 2018, in Indian Patent Application No. 291-CHENP-2009, 6 pages. |
| BRPI0713866-0 , “Office Action”, dated Oct. 1, 2019, 13 pages. |
| U.S. Appl. No. 11/764,343 , Final Office Action, dated Nov. 12, 2015, 14 pages. |
| U.S. Appl. No. 11/764,343 , Final Office Action, dated Feb. 28, 2014, 9 pages. |
| U.S. Appl. No. 11/764,343 , Non Final Office Action, dated Aug. 1, 2013, 10 pages. |
| U.S. Appl. No. 11/764,343 , Non Final Office Action, dated Feb. 3, 2012, 15 pages. |
| U.S. Appl. No. 11/764,343 , Non-Final Office Action, dated Apr. 29, 2015, 12 pages. |
| U.S. Appl. No. 11/764,343 , Final Office Action, dated Oct. 26, 2012, 18 pages. |
| U.S. Appl. No. 11/764,370 , Final Office Action, dated May 16, 2016, 18 pages. |
| U.S. Appl. No. 11/764,370 , Final Office Action, dated May 11, 2017, 21 pages. |
| U.S. Appl. No. 11/764,370 , Non-Final Office Action, dated Jan. 2, 2015, 14 pages. |
| U.S. Appl. No. 11/764,370 , Non-Final Office Action, dated Nov. 2, 2016, 22 pages. |
| U.S. Appl. No. 11/764,370 , Final Office Action, dated Dec. 14, 2012 dated Dec. 14, 2012, 15 pages. |
| U.S. Appl. No. 11/764,370 , Non-Final Office Action, dated Jul. 5, 2012, 18 pages. |
| Application No. RU2009101311 , Office Action, dated Dec. 13, 2011, 15 pages. |
| Application No. CA2,655,423 , Notice of Allowance, dated May 2, 2017, 1 page. |
| Application No. CA2,655,423 , Office Action, dated May 10, 2016, 5 pages. |
| Application No. CN200780027259.3 , Notice of Decision to Grant, dated Sep. 27, 2017, 4 pages. |
| Application No. CN200780027259.3 , Office Action, dated Nov. 20, 2015, 16 pages. |
| Application No. CN200780027259.3 , Office Action, dated Jan. 5, 2017, 15 pages. |
| Application No. CN200780027259.3 , Office Action, dated May 16, 2016, 8 pages. |
| Application No. EP07853494.8 , Extended European Search Report, dated May 26, 2011, 8 pages. |
| Application No. JP2009-516660 , Office Action, dated Jul. 31, 2012, 10 pages. |
| Application No. KR2009-7000804 , Notice of Allowance, dated Jan. 29, 2014, 3 pages. |
| Application No. KR2015-7026249 , Notice of Allowance, dated Apr. 26, 2017, 5 pages. |
| Application No. KR2015-7026249 , Office Action, dated Jul. 20, 2016, 12 pages. |
| Application No. KR2015-7026249 , Office Action, dated Dec. 23, 2015, 9 pages. |
| Application No. RU2009101311 , Notice of Allowance, dated Oct. 26, 2012, 15 pages. |
| Application No. RU2013100948 , Notice of Decision to Grant, dated Jun. 19, 2017, 15 pages. |
| Application No. RU2013100948 , Office Action, dated Nov. 25, 2016, 8 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20190005494 A1 | Jan 2019 | US |
| Number | Date | Country | |
|---|---|---|---|
| 60815059 | Jun 2006 | US | |
| 60815430 | Jun 2006 | US | |
| 60884089 | Jan 2007 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 11764343 | Jun 2007 | US |
| Child | 16123996 | US |
