Invented by Steven V. Bacastow, Stripe Inc
The Stripe Inc invention works as follows. This invention is a system and method for authenticating mobile transactions based on the introduction of a middleware layer. Payment Networks, Merchants, Issuing Banks, Credit Reporting Bureaus, Insurance Companies, and Healthcare Providers can customize the implementation of services according to their individual strategy and preferences.
Background for System and method for multi-modal transaction identification
There are two main types of debit card used today in the US for consumer purchases: signature debit and pin debit. Here is a quick overview of both:
Signature debit cards are usually branded with the Visa or MasterCard logo and can be used anywhere that accepts Visa or MasterCard credit cards. Signature debit transactions use the infrastructure provided by the major credit card networks, such as Visa and MasterCard, and follow a two-step procedure: an authorization followed by a settlement. The vast majority of merchants accept signature debit cards issued by the major networks, and they need no special equipment to do so; the same equipment they already use to process credit card transactions works. The cardholder must, however, provide a signature. Signatures are neither required nor supported for online purchases made with these signature debit cards, and because of the higher risk of fraud, online retailers pay a higher fee for accepting “card not present” transactions.
A PIN Debit Card payment transaction, on the other hand, requires special equipment to capture and securely handle the cardholder’s personal identification number (“PIN”). A PIN is a series of numbers or other characters used as a code to identify a cardholder. An encrypting PIN pad is attached to the merchant’s POS (Point of Sale) terminal, and the cardholder enters his secret PIN on it when prompted. The PIN is encrypted by the CPU, hardware and circuitry inside the encrypting PIN pad. The resulting PIN Block is a block of data that appears in the payment transaction record. PIN Debit transactions are received and processed by proprietary systems that are physically separate and distinct from the signature debit networks. PIN Debit Cards offer cardholders additional security, and offer merchants lower acceptance and fraud costs. PIN Debit cards have not been widely adopted by online retailers, however, because of the need to capture and securely handle cardholder PINs.
PIN-based debit is therefore not as widely accepted. PIN-Debit is not widely used for eCommerce due to PIN-Debit Network regulations, concerns over the security of the cardholder PIN, and limitations of current payment processing methods. This combination of factors makes it difficult for an Internet merchant to accept a PIN Debit Card as payment. To overcome these limitations, the present invention is a method and system for enabling the wide use of PIN Debit for secure Internet (“eCommerce”) sales.
Consumer research shows that most cardholders prefer PIN-based debit to other payment methods. Fraud related to eCommerce transactions has become a major concern as the cost of accepting payments continues to increase, and this is true for issuers, acquirers and online merchants alike. PIN-based electronic debit payments would reduce fraud and acceptance costs for online merchants. Because of the limitations of the methods used to protect and use cardholder PINs, however, this payment method is not widely accepted by eCommerce merchants. PIN-Debit networks risk losing market share as consumers shift spending from physical points of sale to online purchases.
Another emerging trend in payments is the growth of mobile payment at physical points of sale, where the cardholder utilizes a “mobile wallet”: instead of a physical wallet, a PDA or mobile phone stores the payment instruments digitally and allows access to them from the device. As with eCommerce, the security requirements surrounding the protection of cardholders’ Debit Card PINs are likely to slow or prevent widespread PIN-Debit payments from mobile wallets. In addition, since banks favor the more lucrative signature payment methods, the card issuing bank may not encourage the inclusion of PIN-Debit in mobile wallets it approves. If not addressed, these trends could lead to a significant decline in transaction volumes on PIN-Debit networks.
Rules governing PIN-Debit are set by the main domestic PIN Debit networks (e.g. PULSE, Star, NYCE, Accel-Exchange, Shazam). The networks have different rules, but they all agree on the importance of high security for the PIN. To protect PINs against accidental or malicious disclosure, hardware-based encryption is mandatory at point-of-sale locations that accept PIN-based Debit Cards. The cardholder’s PIN is then encrypted and stored securely in an Encrypted PIN Block (EPB) within the payment transaction record. The cardholder’s PIN is referred to herein as the “Physical PIN”. Due to the lack of security measures in place to protect the Physical PIN during eCommerce transactions, the network rules prohibit the use of PIN-Debit Cards for general eCommerce sales.
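The PIN block that the pad encrypts has a defined layout before any key is applied. The following added Python example (mine, not the patent’s or Stripe’s code; it assumes ISO 9564-1 format 0, which the page does not name, and uses a constructed PAN and PIN) builds that clear PIN block, recovers the PIN from it the way an issuer HSM would after decryption, and shows why the block must never travel unencrypted: the PAN mask alone is reversible by anyone holding the same transaction record, which is exactly why the network rules make hardware encryption mandatory.

```python
# Added example: ISO 9564-1 "format 0" PIN block construction (assumption: the
# page names the Encrypted PIN Block but not its format).  Not Stripe's code.
# A real PIN pad encrypts the 8-byte result under a PIN-encryption key before it
# leaves the device; that cipher step is outside this example.


def pin_field(pin: str) -> bytes:
    """Control nibble 0, PIN length nibble, PIN digits, then 0xF padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """0000 followed by the rightmost 12 digits of the PAN, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def build_clear_pin_block(pin: str, pan: str) -> bytes:
    """The value the pad feeds to its cipher: PIN field XOR PAN field."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Issuer/HSM side after decryption: strip the PAN mask and validate the layout."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    clear = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(clear[1], 16)
    pin, padding = clear[2:2 + length], clear[2 + length:]
    if not (4 <= length <= 12) or not pin.isdigit() or padding.strip("F"):
        raise ValueError("malformed PIN block")
    return pin


# Constructed sample values (a test PAN prefix, not a real account)
SAMPLE_PAN = "4111111111111111"
SAMPLE_PIN = "1234"

if __name__ == "__main__":
    block = build_clear_pin_block(SAMPLE_PIN, SAMPLE_PAN)
    print("clear format 0 block:", block.hex().upper())
    # Without the pad's encryption the PAN mask is no secret: the record already
    # carries the PAN, so anyone holding both fields gets the PIN back.
    print("recovered without any key:", recover_pin(block, SAMPLE_PAN))
```

The design point for a defender is the last two lines: format 0 only ties the PIN to the account number; secrecy comes entirely from the encryption step the pad performs before the block enters the transaction record, which is the step that has no equivalent in a browser-based shopping cart.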
Furthermore, because the data that the PIN-Debit network typically receives from a physical point-of-sale device is different, significant changes are required to enable the widespread use of PIN-Debit in eCommerce sales.
FIGS. 1 and 2 illustrate examples of prior art for processing eCommerce transactions and point-of-sale transactions. Referring to FIG. 1, a Cardholder (1.0) sits down at a computer and enters Cardholder Data (1.0.1) as required by the Merchant Shopping Cart (1.1). Cardholder Data includes, for example, the Primary Account Number (PAN) as well as name, email, shipping address, and other fields. Most merchant shopping carts also require the CVV2 code along with the other Cardholder Data; the method requires the cardholder to input the CVV2 code at the time of the transaction to verify that the card is physically available to the cardholder. The CVV2 code is a security feature for “card not present” transactions (e.g. Internet transactions). It appears on many (but certainly not all) of the major credit and debit card brands. Wikipedia states that “The CVV2 value is a 3 or 4 digit number printed on the signature strip or card, but it’s not encoded onto the magnetic stripe.”
The Merchant Shopping Cart (1.1) and the underlying payment software are typically hosted by the Merchant on its website. The Merchant Shopping Cart and payment software format the payment transaction and forward it, together with the cardholder information (1.1.1), to the Gateway (1.2). Herein, the Gateway is defined as an intermediary involved in eCommerce payment processing. The Gateway links the Merchant with the Acquirer and can also offer value-added services, such as fraud control, support for recurring payments, online reporting and virtual terminal data input. The Gateway forwards the transaction on to the Acquirer. The Acquirer has a contract with the Merchant to process payment transactions and deposits the net proceeds of each day’s sales in the Merchant’s account. Sometimes a single entity serves as both Gateway and Acquirer.
The Acquirer (1.2) reformats the transaction record in accordance with the network requirements and forwards the ISO 8583-formatted transaction (1.3) to the Credit Card Networks (1.4). According to Wikipedia, “the vast majority of transactions at Automated Teller Machines (ATMs) use ISO 8583 in some form or another at some stage in the communication chain.” The same applies when a consumer uses a credit card to pay in a shop. Both the MasterCard and Visa networks, along with many other institutions, base their authorization communication on the ISO 8583 standards. Cardholder-originated transactions include purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers. ISO 8583 also defines messages between systems for key exchanges and reconciliation of totals. ISO 8583 is a standard that defines a common language, but it is not used by networks or systems directly: “Each network adapts ISO 8583 to its own needs with custom fields and usages.”
The Credit Card Network receives the ISO 8583 payment message and forwards it (1.4.1) on to the issuing bank (1.5). The issuer checks whether the cardholder has sufficient funds or credit to complete the transaction and then sends a response (1.5.1) back to the Card Network. The transaction is not complete until the Merchant receives the response message. The PIN Debit Networks are not among the networks shown in element 1.4 that accept signature debit and credit cards. This is because prior art networks do not allow for the secure entry of Physical PINs into Merchant Shopping Carts without significant changes.
Referring to FIG. 2, a Cardholder (1.0), using a physical, magnetic-striped card, provides data to the Merchant POS System (2.1). The Merchant POS System reads the card data and, based on the Primary Account Number (PAN), determines that the card belongs to a PIN Debit Network. It then asks the Cardholder to enter their Physical PIN into the PIN pad (2.1.1). The PIN pad encrypts the Physical PIN and passes it to the Merchant POS System, which inserts the Encrypted PIN Block into the Payment Transaction. The Merchant POS System (2.1) forwards the Payment Transaction, including the cardholder data (2.1.1) and the Encrypted PIN Block (2.1.2), to the Acquirer (2.2).
The Acquirer formats the transaction further and sends it in ISO 8583 format (2.3) to the Debit Network (2.4). Debit Networks such as STAR, PULSE and NYCE are among these organizations. The Debit Network (2.4) sends the transaction (2.4.1) on to the Issuer (2.5). The Issuer checks whether the cardholder has sufficient funds in the account and validates the Physical PIN, then returns a response code (2.5.1) to the POS.
The Merchant Shopping Cart (1.1) of FIG. 1 is not supported by this prior art. The data elements that are not supported are: Cardholder Address, CVV2 Security Code, Email address, and any other data required for eCommerce transactions.
As described above, the current systems, requirements, and methods used to process online Signature Debit and POS-based PIN Debit payments are different, and so are the ISO 8583-formatted transactions. The most noticeable differences are that the POS PIN Debit transaction (2.1.1) includes the Encrypted PIN Block, while the eCommerce transaction (1.1.1) includes the CVV2, Cardholder Address and other data fields and specifically does NOT support the EPB.
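To make the difference between the two ISO 8583 records concrete, here is an added Python example (mine, not Stripe’s and not any network’s message specification) implementing a minimal ASCII ISO 8583 encoder and decoder for a handful of data elements, which also serves the ISO 8583 description of FIG. 1 above. It builds one POS PIN-debit message carrying DE52 (the Encrypted PIN Block) and one eCommerce message without it. Placing CVV2 and address data in DE48 is an assumption for illustration, since networks define their own private fields; the PAN, amounts, trace numbers and PIN-block hex are constructed.

```python
# Added example: minimal ISO 8583 (ASCII encoding, primary bitmap only) encoder
# and decoder.  Not Stripe's code and not any network's message specification;
# real networks define their own field usage.  The field table is a small subset.
from typing import Dict, Tuple

# DE -> (kind, length): "fixed" = exact length, "ll"/"lll" = 2-/3-digit length prefix
FIELD_SPECS = {
    2: ("ll", 19),       # Primary Account Number
    3: ("fixed", 6),     # processing code
    4: ("fixed", 12),    # amount, minor units
    11: ("fixed", 6),    # system trace audit number
    48: ("lll", 999),    # private additional data (CVV2/address here, by assumption)
    52: ("fixed", 16),   # PIN data: 8-byte Encrypted PIN Block as hex
}


def encode(mti: str, fields: Dict[int, str]) -> str:
    """Serialize MTI + 64-bit primary bitmap + data elements in DE order."""
    bitmap, body = 0, []
    for de in sorted(fields):
        if de not in FIELD_SPECS:
            raise ValueError(f"DE{de} not in field table")
        kind, maxlen = FIELD_SPECS[de]
        value = fields[de]
        if kind == "fixed":
            if len(value) != maxlen:
                raise ValueError(f"DE{de} must be exactly {maxlen} characters")
            body.append(value)
        else:
            width = 2 if kind == "ll" else 3
            if len(value) > maxlen:
                raise ValueError(f"DE{de} exceeds {maxlen} characters")
            body.append(f"{len(value):0{width}d}{value}")
        bitmap |= 1 << (64 - de)       # bit 1 is the leftmost; DE n -> bit n
    return mti + f"{bitmap:016X}" + "".join(body)


def decode(msg: str) -> Tuple[str, Dict[int, str]]:
    """Parse a message produced by encode(); rejects unknown or truncated fields."""
    if len(msg) < 20:
        raise ValueError("message shorter than MTI + primary bitmap")
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if (bitmap >> 63) & 1:
        raise NotImplementedError("secondary bitmap (DE65+) not supported")
    fields: Dict[int, str] = {}
    for de in range(2, 65):
        if not (bitmap >> (64 - de)) & 1:
            continue
        if de not in FIELD_SPECS:
            raise ValueError(f"DE{de} present but not in field table")
        kind, maxlen = FIELD_SPECS[de]
        if kind == "fixed":
            length = maxlen
        else:
            width = 2 if kind == "ll" else 3
            prefix = msg[pos:pos + width]
            if len(prefix) != width or not prefix.isdigit() or int(prefix) > maxlen:
                raise ValueError(f"bad length prefix for DE{de}")
            length, pos = int(prefix), pos + width
        value = msg[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"DE{de} truncated")
        fields[de], pos = value, pos + length
    if pos != len(msg):
        raise ValueError("trailing bytes after last data element")
    return mti, fields


def carries_pin_block(msg: str) -> bool:
    """True when the record has DE52, i.e. it originated from an encrypting PIN pad."""
    return 52 in decode(msg)[1]


# Constructed messages: same PAN and amount, different channel
PAN = "4111111111111111"
POS_PIN_DEBIT = encode("0200", {2: PAN, 3: "000000", 4: "000000001050",
                                11: "000123", 52: "A1B2C3D4E5F60718"})
ECOMMERCE = encode("0100", {2: PAN, 3: "000000", 4: "000000001050",
                            11: "000124", 48: "CVV2=123;ZIP=30301"})
```

Running `decode` on both messages shows the structural gap the patent is addressing: the POS record sets bit 52 and carries a PIN block, while the eCommerce record sets bit 48 instead and has nothing a debit network could validate a PIN against. The decoder deliberately rejects unknown or truncated fields rather than skipping them, since a parser that silently tolerates malformed length prefixes is a common source of field-confusion bugs in payment switches.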
Methods and systems have been developed and proposed to promote PIN Debit in eCommerce, but with limited success. Due to their limitations, these new methods have not been able to attract merchants, cardholders or networks. For example:
The widespread adoption of PIN Debit payments for eCommerce transactions would be facilitated by a method that allows the PIN to be processed securely in a more straightforward manner for cardholders and merchants. This would also benefit payment gateways, networks and the issuing banks. There is a need for a solution that allows PIN-Debit payments to be accepted for eCommerce (Internet sales) and overcomes the current limitations.
Another emerging threat to PIN-Debit Networks relates to the expected increase in mobile payments, both at physical points of sale and online. Mobile payments are defined as payments to a merchant facilitated by digitally stored payment instruments in a mobile wallet. Just as at a physical point of purchase, the mobile wallet app prompts the cardholder to choose a payment option from the previously stored payment instruments: credit card, signature debit card, prepaid card or gift card. The mobile wallet then asks the cardholder to input a “mobile wallet PIN” number, and the selected payment type is released to the acquiring processor for authorization and settlement. Because PIN-Debit transactions at the point of sale require an encrypted PIN pad for completion, current methods would require a second, Physical PIN to be entered into the POS PIN pad for a PIN Debit transaction. Even though it is possible, entering two PINs for a single transaction at the point of sale would be slow and inefficient, and would detract from the “mobile payment experience”. It is therefore necessary to find a way to support mobile wallet payments with PIN-Debit so that the cardholder must enter only the “mobile wallet PIN” number.
The invention provides systems and methods to process eCommerce, mobile, and point-of-sale purchases. The systems and methods described herein enable PIN-Debit transaction processing without significant modification to existing Debit Networks or eCommerce transaction sites, such as websites. The systems and methods described herein also allow authentication of non-payment transactions by using a mobile phone.
In one embodiment, the invention provides a method of processing a PIN-Debit payment received on a website operated by a merchant. The merchant receives the customer’s account information and sends it to an acquirer computing device, which determines whether the transaction is PIN-Debit. If it is, the acquirer computing device forwards the account number to a PIN Debit service computing device. The PIN Debit service computing device may communicate with the customer through the customer’s mobile phone to obtain approval for the transaction. The PIN Debit service computing device may then insert the cardholder’s Physical PIN associated with their PIN-Debit Account Number and forward the transaction, along with the cardholder’s PIN, to the Debit Network.
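The embodiment above amounts to a routing decision followed by an out-of-band approval. The added Python model below is mine, not Stripe’s code: the BIN table, device secret, enrollment records and EPB values are constructed stand-ins, and the HMAC challenge-response used for phone approval is an assumed design, since the page does not specify how approval is obtained. It classifies a transaction by account number, routes PIN-Debit traffic to a service that asks the cardholder’s phone to approve the specific merchant and amount, and only after a valid answer attaches the stored PIN block for the Debit Network; signature traffic never touches the service.

```python
# Added model of the embodiment's flow.  Not Stripe's code: BIN ranges, device
# secrets, enrollment records and EPB values are constructed, and the HMAC
# challenge-response used for phone approval is an assumed design.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

PIN_DEBIT_BINS = {"400000", "500100"}   # constructed; real routing uses network BIN files


@dataclass
class Transaction:
    pan: str
    amount_cents: int
    merchant_id: str
    pin_block_hex: Optional[str] = None  # only the PIN-debit service may set this
    route: str = "undecided"


def classify(pan: str) -> str:
    """Acquirer step: decide by account number whether this is PIN-debit."""
    return "pin_debit" if pan[:6] in PIN_DEBIT_BINS else "signature"


def approval_mac(secret: bytes, merchant_id: str, amount_cents: int, nonce: str) -> str:
    """Binds the approval to merchant, amount and a fresh nonce so it cannot be replayed."""
    msg = f"{merchant_id}|{amount_cents}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Phone:
    """Cardholder's device: shows the challenge and signs it only if the user approves."""
    def __init__(self, secret: bytes, user_approves: Callable[[str, int], bool]):
        self._secret = secret
        self._user_approves = user_approves

    def respond(self, merchant_id: str, amount_cents: int, nonce: str) -> Optional[str]:
        if not self._user_approves(merchant_id, amount_cents):
            return None
        return approval_mac(self._secret, merchant_id, amount_cents, nonce)


class PinDebitService:
    """Holds enrolled cardholders' PIN blocks and releases one only after phone approval."""
    def __init__(self, enrollment: Dict[str, dict], devices: Dict[str, Phone]):
        self._enrollment = enrollment  # pan -> {"secret": bytes, "epb": hex}; real: HSM-held
        self._devices = devices        # pan -> Phone; stand-in for the push/SMS transport

    def process(self, txn: Transaction) -> Transaction:
        record = self._enrollment.get(txn.pan)
        phone = self._devices.get(txn.pan)
        if record is None or phone is None:
            txn.route = "declined:not_enrolled"
            return txn
        nonce = secrets.token_hex(8)
        answer = phone.respond(txn.merchant_id, txn.amount_cents, nonce)
        expected = approval_mac(record["secret"], txn.merchant_id, txn.amount_cents, nonce)
        if answer is None or not hmac.compare_digest(answer, expected):
            txn.route = "declined:no_valid_approval"
            return txn
        txn.pin_block_hex = record["epb"]   # the Physical PIN joins the record here only
        txn.route = "debit_network"
        return txn


def acquirer_route(txn: Transaction, service: PinDebitService) -> Transaction:
    """Signature traffic keeps its existing path; PIN-debit goes via the service."""
    if classify(txn.pan) == "pin_debit":
        return service.process(txn)
    txn.route = "card_network"
    return txn


def run_demo() -> Dict[str, str]:
    """Four constructed scenarios; returns the route each transaction ends up on."""
    secret = b"constructed-device-secret"
    enrollment = {
        "4000001234567899": {"secret": secret, "epb": "A1B2C3D4E5F60718"},
        "5001001234567891": {"secret": secret, "epb": "0F1E2D3C4B5A6978"},
    }
    devices = {
        "4000001234567899": Phone(secret, lambda m, a: True),   # user taps approve
        "5001001234567891": Phone(secret, lambda m, a: False),  # user taps reject
    }
    service = PinDebitService(enrollment, devices)
    scenarios = {
        "signature_card": Transaction("4111111111111111", 1050, "M1"),
        "pin_debit_approved": Transaction("4000001234567899", 1050, "M1"),
        "pin_debit_rejected": Transaction("5001001234567891", 1050, "M1"),
        "pin_debit_unenrolled": Transaction("4000009999999990", 1050, "M1"),
    }
    return {name: acquirer_route(t, service).route for name, t in scenarios.items()}
```

Two properties of this model matter from a security standpoint and carry over to any real implementation of the embodiment: the merchant’s website never sees or stores a PIN, because the PIN block is attached only inside the service after approval, and the approval is bound to the merchant, the amount and a fresh nonce, so a captured approval for one purchase cannot be replayed to authorize a different one.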