CN112136302A - Mobile network operator authentication protocol - Google Patents


Info

Publication number: CN112136302A
Authority: CN (China)
Prior art keywords: computer, virtual access, authorizing entity, access credential, authorization
Legal status: Granted
Application number: CN201980032528.8A
Other languages: Chinese (zh)
Other versions: CN112136302B (en)
Inventor: O·威廉姆斯
Current Assignee: Visa International Service Association
Original Assignee: Visa International Service Association
Application filed by Visa International Service Association
Priority claimed by CN202310615621.XA (published as CN116527384A)
Publication of CN112136302A
Application granted
Publication of CN112136302B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/10 Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/102 Bill distribution or payments
    • G06Q20/16 Payments settled via telecommunication systems
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3223 Realising banking transactions through M-devices
    • G06Q20/325 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices using wireless networks
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/385 Payment protocols; Details thereof using an alias or single-use codes
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4015 Transaction verification using location information

Abstract

A method is disclosed and includes receiving, by a server computer, a virtual access credential request for interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system. The method further comprises the following steps: transmitting, by the server computer, the virtual access credential request to an authorizing entity computer; receiving, by the server computer, a virtual access credential from the authorizing entity computer; and transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer.

Description

Mobile network operator authentication protocol
Cross reference to related applications
This application claims the benefit of U.S. provisional application No. 62/671,325, filed May 14, 2018, which is incorporated herein by reference in its entirety for all purposes.
Background
There are many situations where a user may not possess the proper credentials but may wish to be able to access a resource. In one example, a person may wish to enter a building, but may not have the proper identity card or key card for the building's entrance. In another example, a person may wish to purchase an item, but may not have an electronic debit or credit card to purchase the item. It is desirable to provide a user with access to a resource without the user having access credentials.
Embodiments of the present invention address the above problems and other problems, individually and collectively.
Disclosure of Invention
Embodiments of the present disclosure relate to methods and systems for providing authentication and authorization for access. In some examples, the methods and systems will establish first and second levels of authentication, where an authorizing entity may establish the first authentication and a mobile network operator computer may establish the second authentication. In other examples, the system will allow the user to initiate a purchase transaction or access a restricted area using a mobile network operator computer system associated with the user's communication device rather than an account with a bank.
One embodiment of the invention is directed to a method or system comprising: receiving, by a server computer, a virtual access credential request for interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system; transmitting, by the server computer, the virtual access credential request to an authorizing entity computer; receiving, by the server computer, a virtual access credential from the authorizing entity computer; transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer; receiving, by the server computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction; forwarding, by the server computer, the authorization request message to the authorizing entity computer; receiving, by the server computer, an authorization response message from the authorizing entity computer; and forwarding, by the server computer, the authorization response message to the resource provider computer, wherein the authorizing entity computer subsequently completes the interaction with the mobile network operator computer system.
Another embodiment of the invention relates to: receiving, by an authorizing entity computer, a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system; generating, by the authorizing entity computer, a virtual access credential associated with the approved amount; transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer; receiving, by the authorizing entity computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction; comparing a total amount of the authorization request to the approved amount of the virtual access credential; determining, by the authorizing entity computer, approval or denial of the authorization request message based on the comparison; generating, by the authorizing entity computer, an authorization response message based on the approval or denial of the authorization request message; forwarding, by the server computer, the authorization response message to the processing network computer; and subsequently forwarding a completion message to the mobile network operator computer system based on the approval or denial of the authorization request message.
Other embodiments are directed to server computers and systems adapted to perform the above-described and other methods.
These and other embodiments of the invention are described in further detail below.
Drawings
Fig. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the invention.
FIG. 2 shows a block diagram of a processing network server computer according to an embodiment of the invention.
FIG. 3 shows a block diagram of a resource provider computer, according to an embodiment of the invention.
FIG. 4 shows a block diagram of an authorizing entity computer according to an embodiment of the invention.
Fig. 5 shows a block diagram of a mobile network operator computer system according to an embodiment of the invention.
Fig. 6 shows a block diagram of a communication device according to an embodiment of the invention.
Detailed Description
Before discussing embodiments of the invention, further description of some terms may be helpful in understanding embodiments of the invention.
The "virtual access credential" may be a credential having a limited lifetime or a limited number of uses. As described further below, the virtual access credential may have the form or attributes of a credential or payment credential, token or payment token. The virtual access credentials may be used to obtain resources such as goods, services, location, and security data. The virtual access credential may also be in any suitable form, including letters or numbers (e.g., 16-digit numbers).
A "credential" can be any suitable information that serves as a reliable proof of value, ownership, identity, or authority. A credential may be a string of numbers, letters, or any other suitable character, as well as any object or document that may be used as a confirmation. Examples of credentials include value credentials, such as payment credentials, identification cards, authentication files, pass cards, passwords, and other login information, among others.
The "payment credentials" may include any suitable information associated with the account (e.g., a payment account and/or payment device associated with the account). Such information may be directly related to the account, or may be derived from information related to the account. Examples of account information may include a PAN (primary account number or "account number"), a username, a validity period, and verification values, such as CVV, dCVV, CVV2, dCVV2, and CVC3 values.
A "digital wallet" may include an electronic device that allows an individual to conduct e-commerce transactions. The electronic wallet may store user profile information, payment credentials, bank account information, one or more digital wallet identifiers, etc., and may be used in various transactions, such as, but not limited to, e-commerce, social networking, money transfer/personal payments, mobile commerce, close range payments, games, etc., for retail purchases, digital merchandise purchases, utility payments, purchases of games or gaming coupons from gaming websites, transfers of funds between users, etc. The digital wallet may be designed to simplify the purchase and payment process. The digital wallet may allow a user to load one or more payment cards onto the digital wallet for payment without entering an account number or presenting a physical card.
The "token" may be a substitute value for the credential. The token may be a string of numbers, letters, or any other suitable character. Examples of tokens include payment tokens, access tokens, personal identification tokens, and the like.
The "payment token" may include an identifier of the payment account that serves as a substitute for an account identifier such as a Primary Account Number (PAN). For example, the payment token may include a series of alphanumeric characters that may be used as a replacement for the original account identifier. For example, the token "4900000000000001" may be used in place of PAN "4147090000001234". In some embodiments, the payment token may be "format preserving" and may have a numeric format (e.g., the ISO 8583 financial transaction message format) consistent with account identifiers used in existing transaction processing networks. In some embodiments, the payment token may be used in place of the PAN to initiate, authorize, settle, or resolve payment transactions, or to represent the original credential in other systems that would normally require the original credential. In some embodiments, a payment token may be generated such that the original PAN or other account identifier cannot be computationally derived from the token. Further, in some embodiments, the token format may be configured to allow an entity receiving the token to identify it as a token and to identify the entity that issued the token.
"tokenization" is the process of replacing data with replacement data. For example, a payment account identifier (e.g., a Primary Account Number (PAN)) may be tokenized by replacing a primary account identifier with a surrogate number (e.g., token) that may be associated with the payment account identifier. Furthermore, tokenization may be applied to any other information that may be replaced with a replacement value (i.e., token). Tokenization improves transaction efficiency and security.
The "virtual access credential request message" may be an electronic message requesting a virtual access credential. The virtual access credential request message may include information that may be used to identify the payment account or digital wallet, and/or information used to generate the virtual access credential. For example, the virtual access credential request message may include payment credentials, mobile device identification information (e.g., a telephone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, a password, and/or any other suitable information. The information included in the virtual access credential request message may be encrypted (e.g., using an authorizing-entity-specific key). In some examples, the virtual access credential request message may include an approved amount of money (e.g., a debit amount, etc.) provided to the user on behalf of the authorizing entity computer; the approved amount is stored in a user profile at the authorizing entity computer for later comparison with the total amount included in the authorization request message.
The "virtual access credential response message" may be a message responding to a virtual access credential request. The virtual access credential response message may include an indication that the virtual access credential request is approved or denied. The virtual access credential response message may also include the virtual access credential, mobile device identification information (e.g., a telephone number or MSISDN), a digital wallet identifier, information identifying the tokenization service provider, a resource provider identifier, a password, and/or any other suitable information. The information included in the virtual access credential response message may be encrypted (e.g., using an issuer-specific key).
The "user" may comprise an individual. In some embodiments, a user may be associated with one or more personal accounts and/or mobile devices. In some embodiments, the user may also be referred to as a cardholder, account holder, or consumer.
An "authorization request message" may be an electronic message requesting authorization for a transaction. In some embodiments, an authorization request message is sent to the transaction processing computer and/or the issuer of the payment card to request transaction authorization. The authorization request message according to some embodiments may conform to ISO8583, which is a standard for systems that exchange electronic transaction information associated with payments made by users using payment devices or payment accounts. The authorization request message may include an issuer account identifier that may be associated with the payment device or the payment account. The authorization request message may also include additional data elements corresponding to "identification information," including (by way of example only): a service code, CVV (card verification value), dCVV (dynamic card verification value), PAN (primary account number or "account number"), payment token, user name, expiration date, etc. The authorization request message may also include "transaction information," such as any information associated with the current transaction, such as a total amount of the transaction, a merchant identifier, a merchant location, an acquirer Bank Identification Number (BIN), a card acceptor ID, information identifying the item being purchased, etc., as well as any other information that may be used to determine whether to identify and/or authorize the transaction.
The "authorization response message" may be a message in response to the authorization request. In some cases, the authorization response message may be an electronic message reply to the authorization request message generated by the issuing financial institution or the transaction processing computer. By way of example only, the authorization response message may include one or more of the following status indicators: Approval (the transaction is approved); Decline (the transaction is not approved); or Call Center (the response is pending more information, and the merchant must call the toll-free authorization phone number). The authorization response message may also include an authorization code, which may be a code indicating that the transaction is approved that the credit card issuing bank returns in the electronic message to the merchant's access device (e.g., POS device) in response to the authorization request message (either directly or through the transaction processing computer). The code may serve as proof of authorization.
A "server computer" may include a powerful computer or cluster of computers. For example, a server computer may be a mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a network server. The server computer may include one or more computing devices and may service requests from one or more client computers using any of a variety of computing structures, arrangements, and compilations.
Embodiments of the present disclosure include methods and systems for providing authentication and authorization for access. In some examples, the system will establish first and second levels of authentication, where an authorizing entity may establish the first authentication and a mobile network operator computer may establish the second authentication. In other examples, the system will allow the user to initiate a purchase transaction or access a restricted area using a mobile network operator computer system associated with the user's communication device rather than an account with a bank.
Fig. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the invention. As shown, the system may include a communication device 102, a resource provider computer 110, a transport computer 115, a processing network server computer 120, an authorizing entity computer 130, and a mobile network operator computer system 140.
The system of fig. 1 may include a processing network server computer 120. The example processing network server computer 120 of FIG. 1 is shown in FIG. 2. The processing network server computer 120 may include one or more server computers, as well as data processing subsystems, networks, and operations for supporting and delivering authorization services, exception file services, and clearing and settlement services. An exemplary processing network may include VisaNet™. VisaNet™, for example, can process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™ specifically includes a VIP system (Visa Integrated Payments system) that processes authorization requests, and a Base II system that performs clearing and settlement services. The processing network may use any suitable wired or wireless network, including the internet.
The processing network server computer may include subsystems or components interconnected via a system bus 210 as shown in FIG. 2. The interconnection via system bus 210 allows processor 212 to communicate with each subsystem and to control the execution of instructions from system memory 214. The system memory 214 may embody a computer readable medium. Communication interface 216 may be used to connect the server computer to a wide area network, such as the internet, or other I/O devices associated with the computer system. The system bus 210 may also connect one or more modules or engines embodied in the memory, including a communication module 230, a virtual access credential module 232, and/or an interaction engine 234.
The communication module 230 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in fig. 1. For example, the communication module 230 may be configured to receive a virtual access credential request from the communication device 102, transmit the virtual access credential request to the authorizing entity computer 130, receive and transmit virtual access credentials, receive and transmit authorization request messages, and receive and transmit authorization response messages.
The virtual access credential module 232 may be configured to parse the virtual access credential request to determine a user identifier associated with the communication device 102 operated by the user. The user identifier may correspond to the mobile network operator computer system 140 to receive additional information associated with the user identifier. The additional information may include order history, location history, or user profile information for communication devices registered with the mobile network operator computer system 140. The virtual access credential module 232 may determine whether to generate a virtual access credential based on the additional information.
The interaction engine 234 may be configured to identify the authorizing entity computer 130 based on the virtual access credentials and route the authorization request message to the appropriate authorizing entity computer 130. For example, the authorization request message may include a credential including a Bank Identification Number (BIN) that uniquely identifies one of the plurality of authorizing entity computers. The interaction engine 234 may associate the received BIN with the appropriate routing information to the authorizing entity computer and enable transmission of the authorization request message to the appropriate authorizing entity computer.
The system of FIG. 1 may also include a resource provider computer 110. The example resource provider computer 110 of FIG. 1 is shown in FIG. 3. A resource provider computer may be an entity that may provide resources such as goods, services, information, and/or access. Examples of resource providers include merchants, data providers, transportation agencies, government entities, site and home operators, and the like. A merchant may generally be an entity that participates in a transaction and is capable of selling or providing access to goods or services.
The resource provider computer may include subsystems or components that are interconnected via a system bus 310 as shown in FIG. 3. The interconnection via system bus 310 allows processor 312 to communicate with each subsystem and to control the execution of instructions from system memory 314. The system memory 314 may embody a computer-readable medium. The communication interface 316 may be used to connect the resource provider computer to a wide area network, such as the internet, or other I/O device associated with the resource provider computer. The system bus 310 may also connect one or more modules or engines embodied in the memory, including a communications module 330, a request engine 332, and/or an interaction engine 334. One or more databases may store information received, maintained, and transmitted by the resource provider computer, including item database 350.
The communication module 330 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in fig. 1. For example, the communication module may be configured to receive a request to order an item or service at the interaction site 112, receive an indication of interaction at the interaction site 112 (e.g., select a "bill me" button, etc.), transmit a virtual access credential request to the processing network server computer 120, and transmit an authorization request message to the transfer computer 115.
The request engine 332 may be configured to generate a virtual access credential request associated with an interaction between the communication device 102 and the interaction site 112 (not shown in fig. 3). The virtual access credential request may include information associated with a communication device operated by the user. In some embodiments, the virtual access credential may correspond to an approved amount associated with a request to access a resource requested by the communication device 102. The amount may be approved by the authorizing entity computer 130.
The request engine 332 may also be configured to generate an authorization request message that includes the virtual access credentials received from the authorizing entity computer 130 and a total amount associated with the resource requested by the communication device 102. The request engine 332 may associate the authorization request message with one or more resources (e.g., goods or services, etc.) provided by the resource provider computer 110. The resources may correspond to item descriptions, value amounts, and other relevant information stored in item database 350.
The interaction engine 334 may be configured to allow access to the resource upon authentication of the virtual access credential and receipt of an authorization response message containing an approval determination from the authorizing entity computer 130.
The resource provider computer 110 may also be associated with an access device. The access device may be operated by a resource provider and may comprise any suitable device that provides access to a remote system. The access device may also be used to communicate with a resource provider computer 110, a transaction processing computer, an authentication computer, or any other suitable system. The access device may generally be located at any suitable location, for example at a resource provider location. The access device may take any suitable form. Some examples of access devices include POS or point-of-sale devices (e.g., POS terminals), cellular phones, PDAs, Personal Computers (PCs), tablet PCs, hand-held application-specific readers, set-top boxes, Electronic Cash Registers (ECRs), Automated Teller Machines (ATMs), Virtual Cash Registers (VCRs), kiosk machines, security systems, access systems, and the like. The access device may use any suitable contact or contactless mode of operation to send or receive data from or associated with the mobile communication device or payment device. In some embodiments where the access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium. The reader may include any suitable contact or contactless mode of operation. For example, an exemplary card reader may include a Radio Frequency (RF) antenna, an optical scanner, a barcode reader, or a magnetic stripe reader to interact with a payment device and/or a mobile device. In some embodiments, a cellular phone, tablet, or other dedicated wireless device used as a POS terminal may be referred to as a mobile point of sale or "mPOS" terminal.
The system of fig. 1 may also include a transfer computer 115. The transfer computer 115 may be operated by an acquirer or a business entity (e.g., a commercial bank) that has a business relationship with a particular merchant or other entity. Some entities may perform both issuer functions and acquirer functions. Some embodiments may encompass such a single entity issuer-acquirer.
The system of FIG. 1 may also include an authorizing entity computer 130. An example authorizing entity computer 130 is shown in FIG. 4. The authorizing entity may be the entity that authorizes the request. Examples of authorizing entities include issuers, government agencies, document repositories, access administrators, banks, and the like. The authorizing entity computer 130 may generally refer to a business entity (e.g., a bank or issuer computer) that maintains a user account.
The authorizing entity computer may include subsystems or components interconnected via a system bus 410 as shown in FIG. 4. The interconnection via system bus 410 allows processor 412 to communicate with each subsystem and to control the execution of instructions from system memory 414. The system memory 414 may embody a computer-readable medium. Communication interface 416 may be used to connect the authorizing entity computer to a wide area network, such as the internet, or other I/O device associated with the authorizing entity computer. The system bus 410 may also connect one or more modules or engines embodied in the memory, including a communication module 430, a virtual access credential module 432, and/or an authorization module 434. One or more databases may store information received, maintained, and transmitted by the authorizing entity computer, including credential database 450.
The communication module 430 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in fig. 1. For example, the communication module 430 may be configured to receive a virtual access credential request from the processing network server computer 120, transmit a virtual access credential to the processing network server computer 120, receive an authorization request message, generate and transmit an authorization response message, and transmit an electronic message associated with clearing and settlement after an interaction has occurred between the communication device 102 and the resource provider computer 110.
The virtual access credential module 432 may be configured to generate and issue virtual access credentials to a communication device 102, such as a cellular phone, smart card, tablet computer, or laptop computer. The virtual access credential may include a user identifier associated with a communication device operated by the user. The user identifier may correspond to a user account registered with the mobile network operator computer system 140. The virtual access credentials may also correspond to an approved amount of money to subscribe to the resource provided by the resource provider computer 110.
The authorization module 434 may be configured to determine whether to allow or deny access to a resource provided by the resource provider computer 110 based at least in part on comparing a first virtual access credential provided in response to the virtual access credential request with a second virtual access credential received with the authorization request message. The virtual access credentials may be stored in the credential database 450 and associated with the communication device 102 or the user.
The authorization module 434 may also be configured to determine whether to permit or deny access to the resource provided by the resource provider computer 110 based at least in part on comparing the total amount included in the authorization request message with an approved amount provided to the user on behalf of the authorizing entity computer. The approved amount may be stored in the user profile and virtual access credentials at the authorizing entity computer 130.
The system of fig. 1 may also include a mobile network operator computer system 140. An example mobile network operator computer system 140 is shown in fig. 5. The mobile network operator computer system 140 may include an entity that provides mobile network services for mobile devices, including the communication device 102. The mobile network operator computer system 140 may perform radio spectrum allocation, wireless network infrastructure, and the like. The mobile network operator computer system 140 may identify the mobile device through a user account associated with one or more corresponding users of the mobile device. The mobile network operator computer system 140 may also provide invoices or bills to the user in exchange for providing mobile network services.
The mobile network operator computer system may include subsystems or components interconnected via a system bus 510 as shown in fig. 5. The interconnection via system bus 510 allows processor 512 to communicate with each subsystem and to control the execution of instructions from system memory 514. The system memory 514 may embody a computer-readable medium. The communication interface 516 may be used to connect the mobile network operator computer system to a wide area network, such as the internet, or other I/O devices associated with the mobile network operator computer system. The system bus 510 may also connect one or more modules or engines embodied in the memory, including a communications module 530, an interaction engine 532, and/or a network operations engine 534. One or more databases may store information received, maintained, and transmitted by the mobile network operator computer system, including subscriber database 550.
The communication module 530 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in fig. 1. For example, the communication module 530 may be configured to provide mobile network services to the communication device 102, receive communications from the communication device 102 including payment for invoices providing the mobile network services, and receive and transmit communications with the authorizing entity computer 130, including messages associated with settlement and clearing processes.
The interaction engine 532 may be configured to determine order history, location history, or user profile information associated with the communication device 102 through the process of providing mobile network communication services. For example, a user may periodically subscribe to mobile network communication services from the mobile network operator computer system 140. The history of subscribed services may be received and processed by profile engine 142 and stored in subscriber database 550. In some examples, the communication device 102 may transmit a location message that is received by the mobile network operator computer system 140 and stored in the subscriber database 550 to generate a history of location information associated with the communication device 102.
The network operations engine 534 may be configured to perform radio spectrum allocation, wireless network infrastructure, and the like. The network operations engine 534 may identify the communication device 102 through a user account associated with one or more corresponding users of the device.
The system of fig. 1 may include a communication device 102. The example communication device 102 of fig. 1 is shown in fig. 6. The communication device may comprise any suitable electronic device operable by a user, which may also provide remote communication functions with a network. A mobile communication device may be an example of a communication device that may be easily transported. Examples of remote communication functions include using a mobile telephone (wireless) network, a wireless data network (e.g., 3G, 4G, or the like), Wi-Fi, Wi-Max, or any other communication medium that may provide access to a network, such as the internet or a private network. Examples of mobile communication devices include mobile phones (e.g., cellular phones), PDAs, tablets, netbooks, laptops, personal music players, handheld application-specific readers, and the like. Other examples of mobile communication devices include wearable devices such as smart watches, fitness bracelets, anklets, rings, earrings, and the like, as well as cars with telecommunications capabilities. In some embodiments, the mobile communication device may act as a payment device (e.g., the mobile communication device may store and be able to transmit payment credentials for a transaction).
The payment device may be incorporated in the communication device 102 and may include any suitable device that may be used to conduct a financial transaction to provide payment credentials to a merchant. The payment device may be a software object (e.g., a payment application associated with a credit, debit, or pre-paid account), a hardware object, or a physical object. The payment device may be associated with a value such as a monetary value, discount, or store credit, and the payment device may be associated with an entity such as a bank, merchant, payment processing network, or individual.
The communication device 600 of fig. 6 may include a processor 602 and a body 614. It may also include a computer-readable medium 604. The computer-readable medium 604 may be in the form of (or may include) memory that stores transaction data, and may be in any suitable form including a magnetic stripe, a memory chip, and the like. The memory may store information such as financial information including bank account information, account balance information, expiration date, or consumer information such as the account holder's name, date of birth, etc. Any of this information may be transmitted by the communication device 600 via the antenna 618.
The communication device 600 may further include a contactless element 612, which may be implemented in the form of a semiconductor chip or other data storage element with an associated wireless transfer (e.g., data transmission) element, such as an antenna 618. The contactless element 612 may be associated with or embedded within the communication device 600. Data or control instructions may be transmitted via a cellular network and may be applied to contactless element 612 by means of a contactless element interface (not shown). The contactless element interface may be used to allow data and/or control instructions to be exchanged between the device circuitry (and thus the cellular network) and the optional contactless element.
Contactless element 612 may be capable of transferring and receiving data using Near Field Communication (NFC) according to a standardized protocol or data transfer mechanism (e.g., ISO 14443/NFC). The near field communication function may include short range communication functions including RFID, bluetooth, infrared, or other data transfer functions that may be used to exchange data between the communication device and the interrogation device. Thus, the communication device may be capable of communicating and transferring data and/or control instructions via the cellular network by near field communication.
The communication device may also include a processor 602 for processing functions of the communication device. The communication device may also include a display 606 that allows a user to see information and messages via the user interface. The communication device may further include an input element 608 that allows a user to provide information to the communication device, and a speaker 610 that allows a user to listen to voice communications, music, and the like. The communication device may also include a microphone 616 that allows a user to transmit their voice or other sound files through the communication device. The communication device may also include an antenna 618 for wireless data transfer and transmission.
Returning to step 1 of FIG. 1, the communication device 102 operated by the user may interact with the resource provider computer 110. The resource provider computer 110 may provide an interaction site 112 to receive one or more interactions from the communication device 102. In some examples, the resource provider computer 110 may provide an application program that may be stored in the communication device 102 and executed by the communication device 102. The communication device 102 may present an application at a display of the communication device 102 to receive interactions from a user at the communication device 102.
The interaction site 112 (or application) may provide one or more goods or services for ordering. The communication device 102 may interact with one or more items or services to add the items to an electronic shopping cart hosted by the interaction site 112 of the resource provider computer 110. The interaction site 112 (or application) may also provide a "bill me" button. The "bill me" button, when selected, may initiate a transaction with the processing network server computer 120 for items included in the electronic shopping cart.
The resource provider computer 110 may receive the interaction from the communication device 102 via a "bill me" button provided at the interaction site 112. For example, after the user selects an item to be added to an electronic shopping cart on resource provider computer 110, the user may select the button to initiate an order for the item. The interaction may be associated with a total value of items added to the electronic shopping cart.
In some examples, the user may not have a pre-existing credit or debit account, or may not wish to make this particular purchase using a pre-existing credit or debit account. In these examples, the user associated with the communication device 102 may not have a user account with the authorizing entity computer 130. Thus, when the interaction site 112 provides a "bill me" button and this button is selected, the user may not have a credit or debit account with which to complete the purchase of the item or service.
At step 2, upon selection of the "bill me" button via the communication device 102, a virtual access credential request is sent (via the interaction site 112 or an application stored at the communication device 102) from the resource provider computer 110 to the processing network server computer 120. In some examples, the virtual access credential request can identify a user corresponding to the communication device 102 to support the request for authorization for the interaction (e.g., completing a transaction for an item or service in an electronic shopping cart upon activation of the "bill me" button, etc.). In some examples, the total value of the items added to the electronic shopping cart may be included in the virtual access credential request.
Upon receiving the request, the processing network server computer 120 may initiate generation of the virtual access credential. The virtual access credential may not be bound to the user's pre-existing account prior to the transaction. In some cases, the user may be considered "bankless" and may not have any bank accounts of any type, but may have an account with the mobile network operator computer system 140.
At step 3, the processing network server computer 120 may communicate with an authorizing entity computer 130, which may then generate a virtual access credential. The virtual access credentials may be associated with a mobile network operator computer system 140 associated with a user operating the communication device 102 and not with the user itself. For example, the authorizing entity computer 130 may extend enterprise credit to the mobile network operator computer system 140 instead of the user. The mobile network operator computer system 140 may be a party that conducts transactions in place of the user.
Prior to generating the virtual access credential, the authorizing entity computer 130 may execute a set of rules associated with the user to determine whether the virtual access credential may be issued to the mobile network operator computer system 140. For example, authorizing entity computer 130 may determine whether mobile network operator computer system 140 has provided an "opt-in" communication agreeing to provide credit to its users. In some examples, an "opt-out" communication may indicate that the mobile network operator computer system 140 will not support issuing virtual access credentials for its users.
The mobile network operator computer system 140 may also execute a set of rules associated with the user to determine whether the virtual access credential may be issued to the user operating the communication device associated with the mobile network operator computer system 140. The mobile network operator computer system 140 may consider suitable information, such as device information for the communication device 102, any data the mobile network operator computer system 140 or the resource provider computer 110 may have about the user, historical orders or payment information, and so forth.
In some examples, the mobile network operator computer system 140 may execute a set of rules associated with the user to determine whether the virtual access credentials may be issued. The authorizing entity computer 130 may communicate with the mobile network operator computer system 140 to receive the determination by the mobile network operator computer system 140 as to whether to issue a virtual access credential to the user based on executing the set of rules associated with the user. Based on the determination by the mobile network operator computer system 140, the authorizing entity computer 130 may generate a virtual access credential.
The virtual access credentials may include a reusable or a single-use account identifier. When the virtual access credentials are reusable, the credentials may be stored in and associated with a user profile at the mobile network operator computer system 140 and used for more than one transaction. When the virtual access credential is a one-time-use account identifier, a virtual access credential request may be transmitted between the resource provider computer 110 and the processing network server computer 120 for each potential transaction. In either example, the virtual access credentials may be stored in the credential database 450 of the authorizing entity computer 130 for retrieval and use during the authorization process. In some examples, the virtual access credentials may be stored with the user account at the authorizing entity computer 130. The user account may include a total value requested by the virtual access credential.
At step 4, the authorizing entity computer 130 may provide the virtual access credentials to the processing network server computer 120. The processing network server computer 120 may obtain virtual access credentials from the authorizing entity computer 130.
At step 5, the processing network server computer 120 may transmit the virtual access credentials from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. Via its mobile application or interaction site 112, the resource provider computer 110 may process the transaction using the virtual access credentials. For example, the resource provider computer 110 may generate an authorization request message that includes the virtual access credential. The resource provider computer 110 may include the virtual access credentials in the authorization request message to initiate a transaction for goods and services associated with the "bill me" button and located in the electronic shopping cart.
In some examples, the "bill me" button is located at an application stored at communication device 102. The virtual access credentials may be provided to an application of the communication device 102, and the application may generate an authorization request message that includes the virtual access credentials originating from the application at the communication device 102. An authorization request message may be transmitted from the communication device 102 to the resource provider computer 110.
At step 6, the resource provider computer 110 may transmit an authorization request message including the virtual access credential to the transfer computer 115. The transfer computer 115 may transmit the authorization request message to the processing network server computer 120. The processing network server computer 120 may receive the authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction.
In some examples, the processing network server computer 120 may identify the authorizing entity computer 130 by parsing the virtual access credential. For example, the virtual access credential may include a substring that uniquely identifies the authorizing entity to the processing network server computer 120. The substring may be similar to a Bank Identification Number (BIN) stored in the processing network server computer 120. When the substring of the virtual access credential matches the stored information, the processing network server computer 120 may identify the appropriate authorizing entity computer to which to transmit the authorization request message.
At step 7, processing network server computer 120 may forward the authorization request message to authorizing entity computer 130. The authorizing entity computer 130 may determine whether to approve or deny the transaction. For example, during the approval or denial process, the authorizing entity computer 130 may compare the transaction value included in the authorization request message to the total value included in the virtual access credential and stored in the user account. The transaction may be approved when the value of the transaction is within a threshold range of the total value. Otherwise, the transaction may be denied because the transaction value included in the authorization request message for the transaction does not match the total value included in the virtual access credential request.
At step 8, the authorizing entity computer 130 may generate an authorization response message that includes an approval or a denial of the transaction and transmit it to the processing network server computer 120. The processing network server computer 120 may receive the authorization response message from the authorizing entity computer 130.
At step 9, the processing network server computer 120 may forward the authorization response message to the transfer computer 115 and then to the resource provider computer 110. The processing network server computer 120 may also transmit a message to the mobile network operator computer system 140 informing the mobile network operator computer system 140 that a transaction has just been initiated.
In some examples, authorizing entity computer 130 may then complete the interaction with mobile network operator computer system 140. This may include transferring funds between the mobile network operator computer system 140 and the authorizing entity computer 130 at the time of the clearing and settlement procedure.
At step 10, a clearing and settlement process may be performed. At the end of the day or at any other suitable time period, settlement may be made between the transfer computer 115 and the authorizing entity computer 130, or settlement may be made directly with the mobile network operator computer system 140. If the authorizing entity computer 130 is billed to the transfer computer 115, the authorizing entity computer 130 may request reimbursement (for any cost adjustments) from the mobile network operator computer system 140. The mobile network operator computer system 140 may then invoice the user along with the user's monthly telephone bill invoice provided by the mobile network operator computer system 140.
The mobile network operator computer system 140 may generate invoices for users of the communication devices 102. The invoice may include any transaction made between the communication device 102 and the mobile network operator computer system 140, as well as any transaction made between the communication device 102 and any resource provider computer. The transactions listed in the invoice may be aggregated per resource provider computer 110 or listed separately by transaction and by the time at which the transaction was conducted. The user may reimburse the charges to the mobile network operator computer system 140.
Commission fees may also be exchanged. For example, the authorizing entity computer 130 may pay a commission to the processing network server computer 120. The resource provider computer 110 may pay a commission fee to the authorizing entity computer 130 based at least in part on the crediting and establishment of a user account corresponding to the approved amount bound to the virtual access credential. The authorizing entity computer 130 may request reimbursement from the mobile network operator computer system 140. The mobile network operator computer system 140 may charge the user of the communication device 102 using a telephone bill.
Other embodiments may also be described using fig. 1. For example, in step 1 of the additional embodiment of FIG. 1, the communication device 102 may interact with the resource provider computer 110 to access resources managed by the resource provider computer. The communication device 102 may interact with the resource provider computer 110 via an application on the interaction site 112 or a display screen of the communication device 102.
At step 2, the resource provider computer 110 may generate and transmit a virtual access credential request to the processing network server computer 120. The virtual access credential request can identify that the user corresponds to the communication device 102. This information may support requests for authorization for interactions (e.g., obtaining access to restricted areas or resources, etc.).
At step 3, processing network server computer 120 may communicate with the authorizing entity computer 130 to request access. The authorizing entity computer 130 may generate a virtual access credential.
In some examples, authorizing entity computer 130 may act as an initial gateway to determine whether access rights (e.g., access rights to restricted information of resource provider computer 110) should be authorized. The authorizing entity computer 130 may communicate directly with the communication device 102 (or with the communication device 102 via the processing network server computer 120) to request an initial authentication response from the communication device 102, including a password or other unique identifier of the user. The communication device 102 may respond to the authorizing entity computer 130 with the password or other unique identifier, at which time the authorizing entity computer 130 may generate the virtual access credential.
In some examples, authorizing entity computer 130 may communicate with mobile network operator computer system 140 to access additional information about communication device 102, including order history, location history, or user profile information associated with communication device 102. For example, the mobile network operator computer system 140 may provide mobile network services to the communication device 102 and store a history of location information using a Global Positioning System (GPS) associated with location tracking of the communication device 102. In some cases, mobile network operator computer system 140 may provide this information to authorizing entity computer 130 to initiate a first authentication process with communication device 102.
At step 4, the authorizing entity computer 130 may provide the virtual access credentials to the processing network server computer 120 (e.g., upon receiving a password or other unique identifier from the user, etc.).
At step 5, the processing network server computer 120 may transmit the virtual access credentials from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. The resource provider computer 110 may initiate a process to allow access to the resource based at least in part on receiving the virtual access credential. For example, the resource provider computer 110 may generate an authorization request message that includes the virtual access credential.
At step 6, the resource provider computer 110 may transmit an authorization request message including the virtual access credential to the delivery computer 115. The delivery computer 115 may transmit the authorization request message to the processing network server computer 120. The processing network server computer 120 may receive an authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction.
At step 7, processing network server computer 120 may forward the authorization request message to authorizing entity computer 130. The authorizing entity computer 130 may determine whether to allow or deny access based at least in part on comparing the virtual access credentials from the initial authentication process with the user information included in the authorization request message. This comparison and match may correspond to a second level of authentication.
At step 8, authorizing entity computer 130 may generate an authorization response message that includes an approval or a denial of access and transmit it to processing network server computer 120. Processing network server computer 120 may receive the authorization response message from authorizing entity computer 130.
At step 9, the processing network server computer 120 may forward the authorization response message to the delivery computer 115 and then to the resource provider computer 110.
At step 10, additional interactions are possible between the authorizing entity computer 130, the delivery computer 115, and the mobile network operator computer system 140, including allowing access to resources provided by the resource provider computer 110.
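The following is an added simulation of the exchange described in steps 1 through 10 above; it is illustrative code written for this page, not code from the patent or from Visa. It models the first-level authentication (password or other unique identifier checked by the authorizing entity computer, with the mobile network operator's per-user rule set consulted before the credential is generated, as in claims 4, 9, 14 and 19) and the second-level check at step 7, in which the authorizing entity computer compares the credential and user information in the authorization request message with what it stored at issuance and compares the request total with the approved amount (claims 11 and 16). The 16-digit credential format, the expiry window, the single-use rule, the shape of the MNO rule set and all sample secrets and amounts are assumptions made for the example; the patent does not specify them.

```python
"""Simulation of the virtual-access-credential flow (steps 1-10).

Added example, not code from the patent or from Visa. Credential format,
expiry, single-use handling, the MNO rule shape and every sample value are
assumptions made for the illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class VirtualAccessCredential:
    value: str             # assumed format: 16-digit numeric token
    user_id: str
    approved_amount: int   # minor currency units (assumption)
    expires_at: float
    used: bool = False


class MobileNetworkOperator:
    """Holds the per-user rule set and receives the step-10 completion message."""

    def __init__(self, rules):
        self.rules = rules          # user_id -> maximum amount allowed (assumed rule shape)
        self.completions = []       # completion messages received from the authorizing entity

    def check_rules(self, user_id, amount):
        return amount <= self.rules.get(user_id, 0)

    def receive_completion(self, msg):
        self.completions.append(msg)


class AuthorizingEntity:
    def __init__(self, user_secrets, mno, ttl_seconds=300):
        self.user_secrets = user_secrets   # user_id -> password / unique identifier (assumed store)
        self.mno = mno
        self.ttl = ttl_seconds
        self.issued = {}                   # credential value -> VirtualAccessCredential

    def issue(self, user_id, presented_secret, amount):
        """Step 3: first-level authentication, MNO rule check, credential generation."""
        expected = self.user_secrets.get(user_id)
        # constant-time comparison; both strings must be ASCII for hmac.compare_digest
        if expected is None or not hmac.compare_digest(expected, presented_secret):
            return None
        if not self.mno.check_rules(user_id, amount):
            return None
        value = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self.issued[value] = VirtualAccessCredential(value, user_id, amount, time.time() + self.ttl)
        return value

    def authorize(self, auth_request):
        """Step 7: second-level check against the credential stored at issuance."""
        cred = self.issued.get(auth_request["credential"])
        if cred is None or cred.used or time.time() > cred.expires_at:
            decision = "DENY"                        # unknown, replayed or expired credential
        elif auth_request["user_id"] != cred.user_id:
            decision = "DENY"                        # user information does not match
        elif auth_request["total"] > cred.approved_amount:
            decision = "DENY"                        # total exceeds the approved amount
        else:
            cred.used = True
            decision = "APPROVE"
        response = {"credential": auth_request["credential"], "decision": decision}
        self.mno.receive_completion(response)       # step 10: completion message to the MNO
        return response                              # step 8: authorization response message


class ProcessingNetworkServer:
    """Steps 2, 4, 5, 7 and 9: forwards messages and never decides on its own."""

    def __init__(self, authorizing_entity):
        self.ae = authorizing_entity

    def request_credential(self, user_id, presented_secret, amount):
        return self.ae.issue(user_id, presented_secret, amount)

    def route_authorization(self, auth_request):
        return self.ae.authorize(auth_request)


class ResourceProvider:
    """Step 5/6: builds the authorization request message carrying the credential."""

    @staticmethod
    def build_auth_request(credential, user_id, total):
        return {"credential": credential, "user_id": user_id, "total": total}


def build_system():
    mno = MobileNetworkOperator(rules={"alice": 10_000})        # constructed sample rule
    ae = AuthorizingEntity({"alice": "correct-horse"}, mno)     # constructed sample secret
    return ProcessingNetworkServer(ae), ae, mno


def run_flow(network, user_id, presented_secret, requested_amount, total):
    """Runs one end-to-end interaction and returns the final decision."""
    cred = network.request_credential(user_id, presented_secret, requested_amount)
    if cred is None:
        return "NO_CREDENTIAL"                      # first level failed; nothing reaches step 5
    req = ResourceProvider.build_auth_request(cred, user_id, total)
    return network.route_authorization(req)["decision"]


if __name__ == "__main__":
    net, _, _ = build_system()
    print(run_flow(net, "alice", "correct-horse", 5_000, 4_500))   # APPROVE
    print(run_flow(net, "alice", "correct-horse", 5_000, 5_001))   # DENY
```

The point the simulation makes explicit is that the credential is only meaningful to the party that issued it: the processing network and resource provider carry it opaquely, and the authorizing entity rejects a credential it did not issue, one presented a second time, one presented with different user information, or one whose request total exceeds the amount approved at the first level.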
It should be noted that while the above examples relate to payment, it should be understood that embodiments are not so limited. Other embodiments may be directed to systems and methods that may generate virtual access credentials to access secure location or secure data from a remote server computer.
Technical improvements are described throughout the application. Conventional systems may provide a single authentication or authorization for the interaction. Embodiments of the present disclosure may include a dual authentication or authorization protocol including a first process performed by an authorizing entity computer and a second process performed by a mobile network operator computer system. This two-layer authentication or authorization protocol may provide improved technical validation prior to interaction between the user and the resource, thereby providing greater security.
Further, embodiments also allow users without credentials to obtain temporary credentials so that they can access a desired resource, such as data, location, goods or services. Embodiments can perform this operation without significant changes to the access infrastructure.
The computer systems described herein may be embodied in hardware and include one or more elements of the figures that may be adapted to implement such functionality. The subsystems of such a computer system may be interconnected via a system bus. Additional subsystems may be provided, such as a printer, keyboard, fixed disk or other memory including computer-readable media, monitor or other components. The monitor may be coupled with a display adapter. Peripherals and other input/output (I/O) devices can be coupled to the I/O controller and can be connected to the computer system by any number of means known in the art, such as serial ports. For example, a serial port or other external interface may be used to connect the computer system to a wide area network, such as the Internet, a mouse input device, or a scanner. The interconnection via a system bus allows the central processor to communicate with each subsystem and to control the execution of instructions from the system memory or fixed disk and the exchange of information between subsystems. The system memory and/or fixed disk may embody a computer readable medium.
In addition, while the present disclosure has been described using a particular combination of hardware and software in the form of control logic and programming code and instructions, it should be recognized that other combinations of hardware and software are also within the scope of the present application. The present application may be implemented in hardware only, software only, or a combination thereof.
Any of the software components or functions described herein may be implemented as software code executed by a processor using, for example, conventional or object-oriented techniques, and using any suitable computer language (e.g., Java, C++, or Perl). The software code may be stored as a series of instructions or commands on a computer readable medium, such as a Random Access Memory (RAM), a Read Only Memory (ROM), a magnetic medium such as a hard drive or floppy disk, or an optical medium such as a CD-ROM. Any such computer-readable media may reside on or within a single computing device, and may be present on or within different computing devices within a system or network.
The above description is illustrative and not restrictive. Many variations of the invention will become apparent to those skilled in the art upon review of this disclosure. The scope of the invention may, therefore, be determined not with reference to the above description, but instead may be determined with reference to the pending claims along with their full scope or equivalents.
One or more features of any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.
The recitation of "a" or "the" is intended to mean "one or more" unless explicitly indicated to the contrary.
All patents, patent applications, publications, and descriptions mentioned above are incorporated by reference in their entirety for all purposes. They are not admitted to be prior art.

Claims (20)

1. A method, comprising:
receiving, by a server computer, a virtual access credential request for interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;
transmitting, by the server computer, the virtual access credential request to an authorizing entity computer;
receiving, by the server computer, a virtual access credential from the authorizing entity computer;
transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer;
receiving, by the server computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction;
forwarding, by the server computer, the authorization request message to the authorizing entity computer;
receiving, by the server computer, an authorization response message from the authorizing entity computer; and
forwarding, by the server computer, the authorization response message to the resource provider computer, wherein the authorizing entity computer subsequently completes the interaction with the mobile network operator computer system.
2. The method of claim 1, wherein the virtual access credentials comprise data usable to access location or secure data.
3. The method of claim 1, wherein the communication device is a mobile phone.
4. The method of claim 1, wherein the mobile network operator computer system executes a set of rules associated with the user before the authorizing entity computer determines the virtual access credential.
5. The method of claim 1, further comprising:
generating a user profile associated with the virtual access credential; and
storing the determination made by the authorizing entity computer with the user profile.
6. A computer system, comprising:
a processor; and
a computer-readable medium coupled to the processor, the computer-readable medium comprising code executable by the processor for implementing a method comprising:
receiving a virtual access credential request for interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;
transmitting the virtual access credential request to an authorizing entity computer;
receiving a virtual access credential from the authorizing entity computer;
transmitting the virtual access credentials to the communication device or the resource provider computer;
receiving an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction;
forwarding the authorization request message to the authorizing entity computer;
receiving an authorization response message from the authorizing entity computer; and
forwarding the authorization response message to the resource provider computer, wherein the authorizing entity computer then completes the interaction with the mobile network operator computer system.
7. The computer system of claim 6, wherein the virtual access credential is 16 bits in length.
8. The computer system of claim 6, wherein the mobile network operator computer system routes messages to and from a plurality of wireless module devices.
9. The computer system of claim 6, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined.
10. The computer system of claim 6, further comprising:
generating a user profile associated with the virtual access credential; and
storing the determination made by the authorizing entity computer with the user profile.
11. A method, comprising:
receiving, by an authorizing entity computer, a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;
generating, by the authorizing entity computer, a virtual access credential associated with an approved amount;
transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer;
receiving, by the authorizing entity computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction;
comparing a total amount of the authorization request to the approved amount of the virtual access credential;
determining, by the authorizing entity computer, approval or denial of the authorization request message based on the comparison;
generating, by the authorizing entity computer, an authorization response message based on the approval or denial of the authorization request message;
forwarding, by the server computer, the authorization response message to the processing network computer; and
a completion message is then forwarded to the mobile network operator computer system based on the approval or denial of the authorization request message.
12. The method of claim 11, wherein the virtual access credential allows access to secure data.
13. The method of claim 11, wherein the communication device is a mobile phone.
14. The method of claim 11, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined.
15. The method of claim 11, further comprising:
generating a user profile associated with the virtual access credential; and
storing the approval or denial of the authorization request message with the user profile.
16. A computer system, comprising:
receiving, by an authorizing entity computer, a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;
generating, by the authorizing entity computer, a virtual access credential associated with an approved amount;
transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer;
receiving, by the authorizing entity computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization of the interaction;
comparing a total amount of the authorization request to the approved amount of the virtual access credential;
determining, by the authorizing entity computer, approval or denial of the authorization request message based on the comparison;
generating, by the authorizing entity computer, an authorization response message based on the approval or denial of the authorization request message;
forwarding, by the server computer, the authorization response message to the processing network computer; and
a completion message is then forwarded to the mobile network operator computer system based on the approval or denial of the authorization request message.
17. The computer system of claim 16, wherein the virtual access credential allows access to a location.
18. The computer system of claim 16, wherein the communication device is a notebook computer.
19. The computer system of claim 16, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined.
20. The computer system of claim 16, further comprising:
generating a user profile associated with the virtual access credential; and
storing the approval or denial of the authorization request message with the user profile.
CN201980032528.8A 2018-05-14 2019-05-13 Mobile network operator authentication protocol Active CN112136302B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310615621.XA CN116527384A (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201862671325P 2018-05-14 2018-05-14
US62/671,325 2018-05-14
PCT/US2019/031998 WO2019222090A1 (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202310615621.XA Division CN116527384A (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol

Publications (2)

Publication Number Publication Date
CN112136302A true CN112136302A (en) 2020-12-25
CN112136302B CN112136302B (en) 2023-05-30

Family

ID=68541132

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202310615621.XA Pending CN116527384A (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol
CN201980032528.8A Active CN112136302B (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202310615621.XA Pending CN116527384A (en) 2018-05-14 2019-05-13 Mobile network operator authentication protocol

Country Status (2)

Country Link
CN (2) CN116527384A (en)
WO (1) WO2019222090A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110289552A1 (en) * 2009-02-06 2011-11-24 Nec Corporation Information management system
CN102831514A (en) * 2011-06-15 2012-12-19 上海博路信息技术有限公司 Barcode based payment voucher
US20130297501A1 (en) * 2012-05-04 2013-11-07 Justin Monk System and method for local data conversion
CN105205655A (en) * 2009-02-14 2015-12-30 网络文本有限公司 Secure payment and billing method using mobile phone number or account
US20160328707A1 (en) * 2015-05-07 2016-11-10 Kim R. Wagner Provisioning of access credentials using device codes
US20170061433A1 (en) * 2015-09-02 2017-03-02 Jpmorgan Chase Bank, N.A. System and method for mobile device limits
CN107918738A (en) * 2016-10-10 2018-04-17 维萨国际服务协会 Regulation management user interface

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015171625A1 (en) * 2014-05-05 2015-11-12 Visa International Service Association System and method for token domain control
US10911429B2 (en) * 2015-12-04 2021-02-02 Visa International Service Association Secure token distribution

Also Published As

Publication number Publication date
CN112136302B (en) 2023-05-30
CN116527384A (en) 2023-08-01
WO2019222090A1 (en) 2019-11-21

Similar Documents

Publication Publication Date Title
US11587067B2 (en) Digital wallet system and method
US11416865B2 (en) Authorization of credential on file transactions
US11966924B2 (en) Hosted thin-client interface in a payment authorization system
US10990977B2 (en) System communications with non-sensitive identifiers
CN110612546B (en) Method and apparatus for digital asset account management
US20230196355A1 (en) Processing of electronic transactions
CN109416795B (en) Token aggregation system for multiparty transactions
US20190356489A1 (en) Method and system for access token processing
US20170372417A1 (en) Digital asset account management
US20130073463A1 (en) Issuer trusted party system
US20210319450A1 (en) Authenticating transactions using risk scores derived from detailed device information
US10546287B2 (en) Closed system processing connection
US20130218769A1 (en) Mobile Funding Method and System
US20050097015A1 (en) Electronic financial transactions with portable merchant accounts
US20070266131A1 (en) Obtaining and Using Primary Access Numbers Utilizing a Mobile Wireless Device
US10740731B2 (en) Third party settlement
CN112514346B (en) Real-time interactive processing system and method
CN112136302B (en) Mobile network operator authentication protocol
CN113518990A (en) Virtual access credential interaction system and method
US20240104530A1 (en) Data processing utilizing a digital tag
CN115280721A (en) Token-to-token provisioning
CN115427999A (en) Multifunctional user device
CN117501268A (en) Method and system for processing motion data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant