SECURE UNIVERSAL TWO-STEP PAYMENT AUTHORIZATION SYSTEM

20180005210 · 2018-01-04

Abstract

A system and methods expedite and make secure payment data entry, and payment authentication and authorization, for both in-store and online purchases. A mobile app, or widget or browser extension or installed service, on a mobile communication device, generates a barcode to be scanned at a point-of-sale terminal. Optional confirmation is sent to an app, or browser extension or widget or installed service, on a mobile or fixed communication device, to confirm a purchase. An independent app, or browser extension or widget or installed service, on a mobile or fixed communication device, generates a barcode that is sent directly to an online point-of-sale system. The method allows a purchaser to use the same app, or widget or browser extension or installed service, to purchase from any retailer with installed collaborating software.

Claims

1.-20. (canceled)

21. A financial institution subsystem in communication with a commercial entity subsystem, the financial institution subsystem comprising: at least one processor component; at least one memory component; and at least one communications component, wherein the financial institution subsystem is configured to: receive from the commercial entity subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, retrieve a payment credential from the memory component using the encrypted digital representation received from the commercial entity subsystem; after the retrieving, process the requested payment authorization; and after the processing, send an approval-or-denial reply regarding the payment authorization request to the commercial entity subsystem.

22. The financial institution subsystem of claim 21, wherein the financial institution subsystem is further configured to communicate with a merchant subsystem, and sends also the approval-or-denial reply to the merchant subsystem, after processing the requested payment authorization.

23. A financial institution subsystem in communication with a commercial entity subsystem, the financial institution subsystem comprising: at least one processor component; at least one memory component; and at least one communications component, wherein the financial institution subsystem is configured to: receive from the commercial entity subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, recover a payment credential from the encrypted digital representation received from the commercial entity subsystem; after the retrieval, process the requested payment authorization; and after the processing, send an approval-or-denial reply regarding the payment authorization request to the commercial entity subsystem.

24. The financial institution subsystem of claim 23, wherein the financial institution subsystem is further configured to communicate with a merchant subsystem, and sends also the approval-or-denial reply to the merchant subsystem, after processing the requested payment authorization.

25. A method comprising: receiving at a financial institution subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, retrieving a payment credential at financial institution subsystem using the encrypted digital representation received from the commercial entity subsystem; after the retrieving, processing the requested payment authorization at the financial institution subsystem; and after the processing, sending an approval-or-denial reply regarding the payment authorization request from the financial institution subsystem to the commercial entity subsystem.

26. The method of claim 25, further comprising: the financial institution subsystem sending the approval-or-denial reply also to a merchant subsystem, after processing the requested payment authorization.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0027] The above and other objects and features in accordance with the present invention will become apparent from the following descriptions of embodiments in conjunction with the accompanying drawings, and in which:

[0028] FIG. 1 is a flowchart illustrating the actions and data flow in an in-store purchase with a mobile communication device.

[0029] FIG. 2 is a flowchart illustrating the actions and data flow in an online purchase with a laptop computer and a mobile communication device.

[0030] FIG. 3 depicts the steps of a USA app installed on a mobile communication device to complete an in-store purchase.

[0031] FIG. 4 depicts the steps of a USA app installed on a laptop computer to complete an online purchase.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

[0032] The present invention is a system and method referred to as a USA (universal secure authentication) service. A USA service is a modified barcode solution to expedite and make secure PDE (payment data entry), AA (authentication and authorization), and optional confirmation, for both in-store and online purchases. An operator that provides a USA service is said to be a USA service provider. A USA service provider is supported by a USA server system. A retailer is said to be a collaborating retailer if its POS (point-of-sale) system is installed with USA software that allows communication between a USA server system and its POS system to perform the work of a USA service.

[0033] The system and method is “universal” in that a purchaser is able to use a USA service to make purchases from any collaborating retailers (online or in-store) with any payment card. It is secure as it allows an optional confirmation to complete payment AA.

[0034] A USA service makes the selection of a payment method easy—a purchaser does not have to remove a payment card from his purse. A USA service allows a purchaser to avoid manual data entry for a payment card—for in-store purchases, card swiping is avoided; for online purchases, manual data entry is avoided. This provision makes the PDE process easy and more fault-tolerant. As a result, the PDE process is accelerated.

[0035] A purpose of the present invention is to make all communication of payment card data secure and in compliance with PCI DSS (payment card industry data security standard). According to one aspect of the present invention, it is unnecessary for a collaborating retailer or a USA service provider to store payment card data. For each purchase, the payment card data is communicated to the POS system of a retailer in the form of a barcode. This barcode may be sent directly to a payment system operator for AA. Therefore, even if the POS system of a retailer or a USA server system is hacked, only the barcodes stored in either system will be lost to the hack.

[0036] Optionally, a barcode generated by a USA service is a UUID code (universally unique identifier) based on a payment card selected by a purchaser. Optionally, a USA service generates a UUID by encoding the payment card data with a one-time pad (or encryption key); this will make the encrypted barcode perfectly secret. The one-time decryption key for each payment card may be stored at 3 possible places: the POS system of a collaborating retailer, a USA server system, or the server system of a payment system operator.

[0037] Hereafter, a mobile communication device is a handheld computing-communication device that connects to the Internet wirelessly. A fixed communication device is a computing-communication device that connects to the Internet through a fixed line. A wearable device is a consumer item that can be worn and is equipped with computing and communication technology. Examples of a wearable device include Apple's iWatch and Google Glass.

[0038] Hereafter, a payment card system is meant to be an electronic payment system with or without a payment card, plastic or non-plastic. Such a system could be credit-based or debit-based, or a combination of both.

[0039] A transaction-acquiring financial institution or processor (the “acquirer”) is a payment system operator that executes payment AA. An “acquirer” either approves a transaction or routes a transaction to a payment-card account issuer (the “issuer”) for further approval or denial of the transaction. Hereafter, a payment system operator is meant to be a transaction acquirer, an issuer, or any financial institution that approves and executes electronic payment.

[0040] In accordance with one aspect of the current invention, a USA system or service comprises 2 necessary components: (1) a USA app, or widget or browser extension or installed service, which is responsible for PDE, and (2) a USA server system, which is responsible for AA-C (authentication-authorization with confirmation).

[0041] A USA system or service is not restricted to work with a designated retailer with a designated set of payment systems. Any retailer (in-store or online) can work with a USA service provider by installing USA software on its POS system and become a collaborating retailer of the USA service.

[0042] In a USA service or system, a mobile or fixed communication device is installed with a USA app, or widget, or browser extension, or installed service. The USA app, or widget or browser extension or installed service, generates a special barcode for each payment card selected by a user.

[0043] A USA server system may make a payment-AA request directly to a payment system operator to obtain a payment approval or denial code. Once the USA server system receives an approval or denial code, it relays the code to the POS system that is working on the current purchase. Otherwise, the POS system of a retailer makes a payment-AA request directly to a payment system operator.

[0044] For an in-store purchase, a sales agent scans the barcode generated by a USA app, or widget or browser extension or installed service, on a mobile communication device held by a purchaser. For an online purchase, a USA app, or widget or browser extension or installed service, generates a barcode, which is either copied-and-pasted onto a web page, or is sent directly to the POS system of the online retailer.

[0045] For both in-store and online purchases, the POS system recognizes the barcode and associates the barcode with a payment card of the purchaser. The POS system may send the associated payment card data along with the transaction details (the purchase description, the purchase amount, etc.) to a USA server system. For each payment card, its detailed data (payment card account number, expiration date, security code, etc.) may be stored in the POS system of a collaborating retailer, or a USA server system, or both.

[0046] Optionally, a barcode generated by a USA system is an encoded UUID (universally unique identifier). UUID is an identifier standard used in software construction, standardized by the Open Software Foundation. Optionally, after a barcode is scanned, a POS system uses the decoded UUID as the key to retrieve the stored payment card data for the purchase, if the POS system stores such data. The POS system may also send the decoded UUID to a USA server system. At a USA server system, a decoded UUID may be used as the key to retrieve the stored payment card data for the purchase.

[0047] According to one aspect of the present invention, the POS system of a collaborating retailer may not store payment card data for each purchase in an explicit form; in addition, the server system of a USA service may not store the payment card data for each purchase in an explicit form. The POS system of a collaborating retailer may store payment card data for each purchase only in the form of a barcode; similarly, the server system of a USA service may store the payment card data for each purchase in the form of a barcode. Each barcode so stored may be encrypted with a one-time pad (encryption key).

[0048] Optionally, a USA app, or widget or browser extension or installed service, on a fixed or mobile communication device, requires a PIN (personal identification number) or PIC (personal identification code) or biometric data from a purchaser for high-value purchases over a fixed dollar amount. The threshold may be zero—in this case, a PIN or PIC is needed for each purchase. The optional requirement may be triggered by a POS system, a USA app, or widget or browser extension or installed service, or a USA server system.

[0049] Optionally, before a payment system operator is contacted for payment AA, a USA server system sends a request message “confirm-to-purchase” to the purchaser, through a USA app, or widget or browser extension or installed service, on a mobile or fixed communication device used by the purchaser. The USA app, or widget or browser extension or installed service, prompts the purchaser to confirm or cancel the purchase with a simple input. The USA app, or widget or browser extension or installed service, then sends a reply message, confirming or cancelling the purchase, back to the USA server system.

[0050] Optionally, a barcode generated by the USA system is an encrypted code using an encryption key. The decryption keys may be stored at a USA server system, or the POS system of a collaborating retailer, or a server system of a payment system operator. Optionally, an encryption key and its decryption key are for one-time use—a new set of keys is generated for each transaction.
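The one-time-key barcode of [0036] and [0050], as an added example (not code from the application): a hypothetical `OneTimeKeyStore` XORs constructed card data with a fresh random pad and destroys the pad on first use, and `reused_pad_leak` shows what is exposed if a pad is ever used twice. How the pad reaches both the app and the key holder is not specified on the page, so one object plays both roles here; all names are assumptions.

```python
import secrets
import uuid


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimeKeyStore:
    """Hypothetical key holder (POS, USA server, or payment operator)."""

    def __init__(self):
        self._pads = {}  # token id -> unused pad

    def issue(self, card_data: bytes):
        """Encode card data for one transaction; returns (token_id, barcode)."""
        pad = secrets.token_bytes(len(card_data))  # random, as long as the data
        token_id = uuid.uuid4().hex                # random UUID names the pad
        self._pads[token_id] = pad
        return token_id, xor(card_data, pad)

    def redeem(self, token_id: str, barcode: bytes) -> bytes:
        """Decode a barcode once; the pad is destroyed whether or not it fits."""
        pad = self._pads.pop(token_id, None)
        if pad is None:
            raise KeyError("unknown or already-used token")
        if len(pad) != len(barcode):
            raise ValueError("barcode length does not match its pad")
        return xor(barcode, pad)


def reused_pad_leak(card_a: bytes, card_b: bytes) -> bytes:
    """XOR of two barcodes made with the SAME pad: the pad cancels out."""
    pad = secrets.token_bytes(len(card_a))
    return xor(xor(card_a, pad), xor(card_b, pad))


if __name__ == "__main__":
    card = b"4111111111111111|12/30|123"  # constructed test data, not a real card
    store = OneTimeKeyStore()
    token_id, barcode = store.issue(card)
    print(store.redeem(token_id, barcode) == card)
    try:
        store.redeem(token_id, barcode)    # replayed barcode
    except KeyError as exc:
        print("replay refused:", exc)
```

A one-time pad provides secrecy only; it does not detect a modified barcode, so integrity needs a separate check.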

[0051] Optionally, a USA service user is given a user account in a USA server system. After a payment system operator approves a purchase, the USA server system stores the new purchase details in the user's account. This action enables value-added services through the USA server system to the USA customer. For example, e-reward, e-coupon, expense handling, and transaction reporting can be part of the value-added services.

[0052] Optionally, a USA system is configured to provide repeat-purchase (such as monthly or quarterly repurchase) or installment payments to merchants.

[0053] FIG. 1 shows a flowchart of actions and data in a USA system for an in-store purchase. In step 201, the purchaser 200 launches a USA app on his mobile communication device, and the USA app generates a barcode. In step 101, the POS operator 100 scans the barcode, and the POS system 100 sends the purchase details with payment data to a USA server system 300. In step 301, the USA server system 300 sends a confirmation request to the purchaser through the USA app on his mobile device. In step 202, the purchaser 200 confirms or cancels the purchase, and the USA app sends a message to the USA server system 300 confirming or canceling the purchase. In step 302, the USA server system 300 sends a message confirming or canceling the purchase to the POS system 100, and optionally contacts a payment operator 400 for payment AA. In step 102, having received a confirmed message from the USA server system 300, the POS system 100 optionally contacts a payment system operator 400 for payment AA.

[0054] If the purchase amount is greater than a threshold, in step 301, the USA server system requests optional biometric data from the purchaser to confirm the purchase.
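The FIG. 1 message order at the USA server system, as an added example (not code from the application): a payment-AA request is recorded only after the purchaser's confirmation, and purchases over the threshold also need biometric data. The class, method names and return strings are hypothetical, as is the choice to refuse replies for unknown or already-resolved transactions.

```python
class UsaServer:
    """Hypothetical model of USA server system 300 in FIG. 1."""

    def __init__(self, biometric_threshold: float):
        self.threshold = biometric_threshold
        self.pending = {}      # tx_id -> (amount, barcode) awaiting a reply
        self.aa_requests = []  # what would be sent to payment operator 400

    def purchase_from_pos(self, tx_id: str, amount: float, barcode: str) -> dict:
        """Step 101 -> 301: record the purchase, build the confirmation request."""
        if tx_id in self.pending:
            raise ValueError("transaction already awaiting confirmation")
        self.pending[tx_id] = (amount, barcode)
        return {"type": "confirm-to-purchase", "tx_id": tx_id, "amount": amount,
                "biometric_required": amount > self.threshold}

    def reply_from_app(self, tx_id: str, confirm: bool,
                       biometric_ok: bool = False) -> str:
        """Step 202 -> 302: returns the message relayed to POS system 100."""
        if tx_id not in self.pending:
            return "rejected"    # unknown id, or a reply that was already used
        amount, barcode = self.pending[tx_id]
        if confirm and amount > self.threshold and not biometric_ok:
            return "rejected"    # stays pending until biometric data arrives
        del self.pending[tx_id]  # each purchase is resolved exactly once
        if not confirm:
            return "canceled"
        self.aa_requests.append((tx_id, barcode))  # payment AA only after confirm
        return "confirmed"


if __name__ == "__main__":
    server = UsaServer(biometric_threshold=100)
    # Constructed sample purchase; "tx-1" and "barcode-a" are placeholders.
    print(server.purchase_from_pos("tx-1", 25, "barcode-a"))
    print(server.reply_from_app("tx-1", confirm=True))   # confirmed
    print(server.reply_from_app("tx-1", confirm=True))   # rejected (replay)
```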

[0055] FIG. 2 shows a flowchart of actions and data in a USA system for an online purchase. In step 201, the purchaser 200 launches a USA app on his laptop computer, and the USA app generates a barcode and sends the barcode to the online POS system 100. Also in step 201, the USA app connects to a USA server system 300. In step 101, the POS system 100 sends purchase details with payment data to a USA server system 300. In step 301, the USA server system 300 connects to the USA app and the POS system 100. Also in step 301, the USA server system 300 sends a confirmation request to the purchaser through the USA app on his mobile or fixed device. In step 202, the purchaser 200 confirms or cancels the purchase. Also in step 202, the USA app sends a message to the USA server system 300 confirming or canceling the purchase. In step 302, the USA server system 300 sends a message confirming or canceling the purchase to the POS system 100, and optionally contacts a payment operator 400 for payment AA. In step 102, having received a confirmed message from the USA server system 300, the POS system 100 optionally contacts a payment system operator 400 for payment AA.

[0056] FIG. 3 shows the steps for a USA app 200 to complete in a mobile communication device for an in-store purchase. In step 201, the user chooses a payment card. If the user does not specify a specific card, the USA app 200 chooses a default payment card. In step 201, optionally, the USA app 200 requests a PIC or PIN to be entered by the purchaser. In step 202, the USA app 200 generates a barcode to be scanned. In step 203, the USA app 200 on the mobile device may prompt the user to confirm the purchase. In step 204, the USA app 200 may prompt the user to confirm the purchase by biometric data. In step 205, a confirmation message is sent back to the USA server system.

[0057] FIG. 4 shows the steps for a USA app 200 in a laptop computer to complete an online purchase. In step 201, the USA app 200 establishes a connection with an online POS system. Also in step 201, if the user does not specify a specific card, the USA app 200 chooses a default payment card. In step 201, optionally, the USA app 200 requests a PIC or PIN to be entered by the purchaser. In step 202, given the chosen payment card, the USA app 200 generates a barcode. At step 203, the barcode is sent to the POS system of the online retailer. In step 204, the USA app 200 may prompt the user to confirm the purchase. In step 205, the USA app 200 may prompt the user to confirm the purchase by biometric data. In step 206, the USA app 200 sends the confirmation message back to the USA server system.