US20130297505A1 - System and method for instant issue of personalized financial transaction cards - Google Patents


Publication number
US20130297505A1
Authority
US
United States
Prior art keywords
card
network
branch
data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/867,678
Inventor
Bobby Smith
James White
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EFT Source Inc
CPI Card Group Colorado Inc
CPI Card Group Minnesota Inc
CPI Card Group Tennessee Inc
Original Assignee
EFT Source Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US13/867,678 priority Critical patent/US20130297505A1/en
Application filed by EFT Source Inc filed Critical EFT Source Inc
Assigned to EFT SOURCE, INC. reassignment EFT SOURCE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SMITH, BOBBY, WHITE, JAMES
Publication of US20130297505A1 publication Critical patent/US20130297505A1/en
Assigned to THE BANK OF NOVA SCOTIA reassignment THE BANK OF NOVA SCOTIA PATENT SECURITY AGREEMENT Assignors: EFT SOURCE, INC.
Assigned to EFT SOURCE, INC. reassignment EFT SOURCE, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: THE BANK OF NOVA SCOTIA, AS AGENT
Assigned to THE BANK OF NOVA SCOTIA reassignment THE BANK OF NOVA SCOTIA PATENT SECURITY AGREEMENT Assignors: EFT SOURCE INC.
Priority to US15/014,757 priority patent/US10275747B2/en
Priority to US16/373,321 priority patent/US10846666B2/en
Priority to US16/951,524 priority patent/US11687894B2/en
Assigned to CPI CARD GROUP - TENNESSEE, INC., CPI CARD GROUP - MINNESOTA, INC., CPI CARD GROUP - COLORADO, INC. reassignment CPI CARD GROUP - TENNESSEE, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GLAS AMERICAS LLC, AS SUCCESSOR TO THE BANK OF NOVA SCOTIA
Priority to US18/139,033 priority patent/US12079788B2/en
Abandoned legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/105Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems involving programming of a portable memory device, e.g. IC cards, "electronic purses"
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation or account maintenance

Definitions

  • the present invention relates to methods and systems for creating, issuing and printing financial transaction cards, such as credit cards issued to consumers by financial institutions.
  • the present invention pertains to methods and systems that allow a bank or other financial institution to instantly and securely issue a personalized credit card to a consumer at a branch or other remote location.
  • New customer accounts opened by banks include one or more debit or credit cards associated with the account.
  • New customer accounts are typically opened at branch locations whereas new cards are often issued by a centralized card services provider that is not physically near the bank branch. Accordingly, the customer must supply card information to a bank employee at the branch. The customer may or may not have an opportunity to select a personalized PIN at that time.
  • This card data is then communicated, perhaps in a batch mode with other card data, to a card services provider.
  • the card services provider fulfills the card request by printing and encoding the card, then mailing it to the branch or to the customer. The customer must then activate the card. This process involves delay and expense that is undesirable and may introduce unnecessary security risks.
  • the present invention is a method for issuing a personalized financial transaction card from a financial institution to a customer in response to a customer request made from a branch location associated with the financial institution.
  • a bank employee or operator receives customer information and card information from the customer at the branch location.
  • the card information may include a card personal identification number (PIN).
  • the operator inputs the customer information and at least some of the card information into a data processing terminal at the branch.
  • the customer information and the card information are communicated from the branch across a network to a card services provider.
  • the PIN is entered into a PIN database, a reference number associated with the customer is generated, and a PIN offset is generated.
  • the reference number and at least some of the customer data and card data may be stored in a card file associated with the customer.
  • the reference number is used to retrieve the PIN from the PIN database.
  • the retrieved PIN is then used to apply calculations to the card file.
  • the card file is securely sent from the card services provider across the network to the branch location.
  • the financial transaction card is printed for the customer at the branch location.
  • the personalized card is instantly issued while the customer is present at the branch location.
  • a verification message may be sent to the financial institution and to a card transaction processor when the financial transaction card has been successfully printed.
  • an error message may be sent to the branch location and to a card transaction processor when the financial transaction card does not successfully print.
  • the step of securely sending the card file to the branch location may include distributing a virtual desktop from a server at the card services provider across the network to a virtual desktop client at the branch location.
  • the card file may be stored at the branch location and the step of storing the reference number and at least some of the customer data further may include updating the card file with the reference number at the branch location.
  • the method may include sending a card issue request from the branch location and receiving it in a hardware security module (HSM) at the card services provider.
  • the HSM may retrieve the PIN from the PIN database and apply the reference number to the calculations in the card file.
  • the system and method of the present invention will minimize upfront costs incurred by financial institution banks for hardware, software, licensing and maintenance fees. It will provide a secure process for customer selected PINs and rely upon secure web service applications to transmit card personalization data to drive the remote card printers.
  • FIG. 1( a ) is a block diagram showing an arrangement of hardware and software modules in accordance with one embodiment of the system of the present invention, further showing system communications from a bank branch desktop PC that communicates an instant card issue request to the system web service.
  • FIG. 1( b ) is a block diagram of the system of FIG. 1( a ), further showing system communications between the system web service and the card services provider web service after initiation of the instant issue request as shown in FIG. 1( a ).
  • FIG. 1( c ) is a block diagram of the system of FIG. 1( a ), further showing system communications between the card services provider web service and the card services provider application server after initiation of the instant issue request as shown in FIGS. 1( a ) and 1 ( b ).
  • FIG. 1( d ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider application server placing data into a card services provider database server after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( c ).
  • FIG. 1( e ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider application server retrieving a PIN/offset calculation from the card services provider hardware security module after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( d ).
  • FIG. 1( f ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider application server communicating a card print job to the card services provider print server after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( e ).
  • FIG. 1( g ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider print server securely communicating a card print job to a printer at the bank branch, after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( f ).
  • FIG. 1( h ) is a block diagram of the system of FIG. 1( a ), further showing the printer at the bank branch communicating a card print job success or failure message back to the card services provider print server, after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( g ).
  • FIG. 1( i ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider print server communicating a card print job success or failure message back to the card services provider application server, after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( h ).
  • FIG. 1( j ) is a block diagram of the system of FIG. 1( a ), further showing the card services provider application server posting card print success or failure information to the system web service, after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( i ).
  • FIG. 1( k ) is a block diagram of the system of FIG. 1( a ), further showing the system web service communicating card print success or failure information to the bank branch desktop PC, after initiation of the instant issue request as shown in FIGS. 1( a )- 1 ( j ).
  • FIG. 2 is a flow chart illustrating a method for instant issue of a personalized credit card at a bank branch, in accordance with one embodiment of the present invention.
  • FIG. 3 a is a block diagram showing an arrangement of hardware and software modules in accordance with another embodiment of the system of the present invention.
  • FIG. 3 b is a block diagram of the embodiment of the system of FIG. 3 a , further showing a site-to-site VPN tunnel being established between the system web service and the card services provider web service.
  • FIG. 3 c is a block diagram of the system of FIG. 3 a , further showing a dynamic site-to-site VPN tunnel created between the printer and printer appliance and the print DMZ network.
  • FIG. 3 d is a block diagram of the system of FIG. 3 a , further showing a persistent connection between the print server to the application server.
  • FIG. 3 e is a block diagram of the system of FIG. 3 a , further showing the bank branch issuing a card instant issue request to the system web service.
  • FIG. 3 f is a block diagram of the system of FIG. 3 a , further showing the system web service sending an HTTP POST request to the web service DMZ network.
  • FIG. 3 g is a block diagram of the system of FIG. 3 a , further showing the HTTP POST being proxied to the PCI-compliant card services provider application server and the HTTP status being returned to the web service.
  • FIG. 3 h is a block diagram of the system of FIG. 3 a , further showing the PCI-compliant application server 50 a requesting a card CVV Key Cryptogram from application server 50 b.
  • FIG. 3 k is a block diagram of the system of FIG. 3 a , further showing the PCI-compliant application server 50 a contacting the application server 50 b and requesting card image calculation information.
  • FIG. 3 l is a block diagram of the system of FIG. 3 a , further showing the application server retrieving the card image calculation information from the database and returning the results.
  • FIG. 3 m is a block diagram of the system of FIG. 3 a , further showing the application server 50 a connecting to the application server 50 b and requesting the card image data.
  • FIG. 3 n is a block diagram of the system of FIG. 3 a , further showing the application server 50 b retrieving the card image data from the file server and transmitting it back over the HTTP request.
  • FIG. 3 o is a block diagram of the system of FIG. 3 a , further showing the application server 50 a connecting to the application server 50 b to retrieve card magnetic stripe calculation data.
  • FIG. 3 p is a block diagram of the system of FIG. 3 a , further showing the application server 50 b retrieving the magnetic stripe calculation data from the database and returning the results to the application server 50 a over the HTTP response.
  • FIG. 3 q is a block diagram of the system of FIG. 3 a , further showing the application server 50 a communicating the card print job on a print job message bus.
  • FIG. 3 r is a block diagram of the system of FIG. 3 a , further showing a connection broker assigning the print job to a worker thread on the print server.
  • FIG. 3 s is a block diagram of the system of FIG. 3 a , further showing the print server sending the print job to the printer through the dynamic site-to-site VPN tunnel.
  • FIG. 3 t is a block diagram of the system of FIG. 3 a , further showing the printer attempting to print the card and sending a card print response message (success/failure/user intervention required) back to the print server.
  • FIG. 3 u is a block diagram of the system of FIG. 3 a , further showing the worker thread placing the print result on the message bus.
  • FIG. 3 v is a block diagram of the system of FIG. 3 a , further showing the application server sending the print result to the web service DMZ network via HTTP POST.
  • FIG. 3 w is a block diagram of the system of FIG. 3 a , further showing the proxy server in the card services provider web service relaying the card print result to the system web service.
  • FIG. 3 x is a block diagram of the system of FIG. 3 a , further showing the system web service relaying the card print result to the requesting bank branch.
  • a bank provides retail banking services to customers through one or more bank branches 15 a - 15 c .
  • the branches 15 run data processing systems connected to each other and to a bank central office by a wide area network (WLAN) or system web service 20 and a public data network 5 , such as the public Internet.
  • the bank and its branches 15 are authorized to issue financial transaction cards, such as debit or credit cards, which are associated with a branded card transaction processor such as Visa® or MasterCard®.
  • These transaction processors operate and control a global financial network of electronically interconnected card issuers, acquirers, merchants, and data processing centers.
  • the bank may contract with a card services provider to provide services associated with the issuance of a new credit or debit card to a bank customer.
  • the card services provider will operate hardware and software networks 35 that can receive and process requests for new cards sent by a bank branch 15 .
  • the card service provider networks may include an instant issue web service DMZ network 55 , an instant issue server network 36 , an instant issue personalization network 45 , and an instant issue print DMZ network 60 .
  • the instant issue server network 36 may include an active directory or domain controller 37 , an application server 50 , and a database server 41 . Accordingly, the card services provider will maintain a PIN (Personal Identification Number) database 40 connected to the database server 41 that can securely store PINs selected by bank customers when a new card is issued.
  • the card services provider may also operate a hardware-host security module (HSM) 47 to provide a secure environment for card data encryption, PIN calculations, sensitive cryptographic operations, secure key storage, and management of a large number of secure keys, as is known to a person of skill in the art.
  • a hardware-host security module is a combination of hardware and software/firmware that is functionally connected to a PC or server to provide cryptographic functions.
  • the HSM 47 may include a user interface and programmable interface.
  • the physical part of an HSM, which may be a plug-in card or external device such as a physical Windows Server, may include tamper-resistant features.
  • the functional interface between the card services provider networks 35 , the public network 5 , and the system web service 20 may include a web service “demilitarized zone” (DMZ) network 55 .
  • a demilitarized zone, sometimes referred to as a Perimeter Network, is a physical or logical sub-network that contains and exposes an organization's external services to a larger untrusted network, such as the Internet.
  • the DMZ network 55 adds an additional layer of security to the communications link between the system web service 20 and the card services provider networks 35 , so that an external attacker has access only to hardware in the DMZ and not in any other part of the networks.
  • Within the DMZ network 55 is a card services provider web service 56 .
  • the web service 56 may be implemented using, for example, a Windows virtual server or Apache proxy server.
  • the DMZ network 55 and the system web service 20 may be interconnected by a private network connection or across the public network 5 , such as the public Internet.
  • this connection may be implemented by an encrypted (e.g., IPSEC) Virtual Private Network (VPN) tunnel using an IPSEC endpoint device or security appliance 59 .
  • One conventional example of a security appliance that may be used is a Model ASA 5050 Firewall from Cisco Systems, Inc.
  • the instant issue server network 36 may be coupled to the DMZ network 55 through a firewall 58 , e.g., a virtual appliance.
  • the HSM 47 is also functionally coupled to the instant issue server network 36 using a firewall 46 , e.g., a virtual appliance.
  • the card services provider networks 35 may include an instant issue card print network DMZ 60 containing a print server 61 .
  • the instant issue card print network DMZ 60 may be connected to the DMZ network 55 through a firewall 38 , e.g., a security appliance such as the Cisco ASA 5050 Firewall.
  • the instant issue card print network DMZ 60 and the system web service 20 may be interconnected by a private network connection or across the public network 5 . In one embodiment, this connection may be implemented by an encrypted (e.g., IPSEC) Virtual Private Network (VPN) tunnel using an IPSEC endpoint device 62 such as the Cisco ASA 5050 Firewall.
  • the system 10 may also include hardware and software located at each branch location 15 , including one or more desktop PCs or workstations 16 functionally coupled to the system web service 20 and a branch card printer network 17 .
  • the branch card printer network 17 includes a card printer 18 .
  • the branch card printer network 17 may be isolated and therefore coupled to the instant issue card print network DMZ 60 using a VPN tunnel established between a firewall and IPSEC endpoint device and endpoint device 62 .
  • the branch card printer network 17 may also be connected to the public network 5 through firewall and IPSEC endpoint device 19 . In the embodiment shown, a wireless internet connection is used.
  • the card printer 18 may be a Datacard Model FP65i Financial Card Printer from the Datacard Group.
  • the branch desktop PCs 16 can securely communicate with the card services provider networks 35 .
  • the branch PCs 16 will access and display one or more browser-based system user interfaces generated by the system web service 20 and card services provider web service 56 .
  • This user interface on the branch PCs 16 is used by a bank operator at the branch during the process of using the system 10 to request and issue a new card.
  • the desktop PCs 16 are functionally coupled to the client services provider networks 35 through the system web service 20 and DMZ network 55 to provide secure data communications between the branches 15 and the card services provider networks.
  • the branch card printer 18 is functionally coupled to the client services provider print server 61 to securely receive card print commands.
  • the card printer 18 may be equipped with a supply of blank card stock.
  • the card printer 18 uses the data in a card file to imprint a blank card with personalized information associated with and selected by a customer.
  • a bank employee or other system operator working in the branch receives information from the customer that is needed to initiate the request for issuance of a personalized credit or debit card to the customer. This information is entered into corresponding card data fields used by the system.
  • the card data fields are part of a CAF card file.
  • the data fields in the card file may include data identifying the customer by name and address, the branch, the bank operator, and the particular type of financial transaction card (e.g., credit or debit) being requested.
  • a PIN Personal Identification Number
  • the personalized PIN is entered into the system by the customer directly, using a keypad-type data terminal at the branch or a telephone and voice recognition system, so that the bank operator does not see or hear the PIN.
  • a PIN selection system that can be used for this purpose is described in U.S. Pat. No. 5,132,521, the entire disclosure of which is incorporated herein by reference.
  • the selected PIN is communicated electronically 130 to a PIN database.
  • the PIN database is maintained remotely by a card services company that contracts with the bank to produce, encode, and issue personalized financial transaction cards to customers of that bank.
  • In a fourth step 140 , the software associated with the PIN database generates a reference number associated with the customer and the selected PIN.
  • the reference number is communicated to and may be stored in the card file associated with the customer as a file update. This updated card file may be used by the system software used at the branch location.
  • a card request is communicated 150 to an edit function software application in the hardware host security module (HSM) 47 .
  • HSM 47 may be controlled by a card services provider remote from the branch.
  • the HSM edit function application uses the reference number to retrieve 160 the PIN from the PIN database so that algorithmic calculations can be applied to the PIN in the card file.
  • In a next step 170 , the card file is securely sent to a remote card printer at the branch location.
  • this step is implemented by means of a virtual desktop server communicating with a virtual desktop client associated with the remote card printer and a PC or terminal located at the branch.
  • the customer's card is then printed 180 by the remote printer using the data in the card file.
  • a verification message may be sent 190 to the bank and to the card transaction processor. This verification message confirms that the card is ready for use by the customer. Alternatively, if the card printing is not successful, an error message is communicated 200 to the bank operator in the branch and to the transaction processor.
  • An embodiment of a method for instant issue of a personalized credit card to a bank customer located at a bank branch location can be further understood by reference to FIGS. 1( a )- 1 ( k ).
  • a system operator makes a card issue request at the branch desktop PC 16 , which then communicates an instant card issue request to the system web service 20 .
  • the system web service 20 connects to the card services provider web service 56 over a persistent secure (e.g., IPSEC) tunnel and communicates the card instant issue request to the client services provider networks 35 , as shown in FIG. 1( b ).
  • the card services provider web service 56 connects to the card services provider application server 50 ( FIG. 1( c )).
  • the application server 50 places data into the card services provider database 40 ( FIG. 1( d )).
  • the card services provider application server 50 retrieves a PIN/offset calculation from the card services provider hardware security module 47 .
  • the card services provider application server 50 communicates a card print job to the card services provider print server 61 , as seen in FIG. 1( f ). This card print job is sent to the instant issue card printer 18 ( FIG. 1( g )). This allows the financial transaction card to be printed at the bank branch 15 that made the card issue request.
  • the printer 18 communicates a card print job success or failure message back to the card services provider print server 61 ( FIG. 1( h )).
  • the card services provider print server 61 then communicates a card print job success or failure message back to the card services provider application server 50 ( FIG. 1( i )).
  • the card services provider application server 50 then posts card print success or failure information to the system web service 20 ( FIG. 1( j )).
  • the system web service 20 communicates card print success or failure information to the bank branch desktop PC 16 .
  • FIG. 3 a illustrates another embodiment of the system 10 in which the card printer 18 at the branch location 15 is physically combined with a security appliance 21 inside a common housing.
  • the combination of the card printer 18 and security appliance 21 may be PCI (Payment Card Industry) compliant. This compliance requires a novel method of managing an IPSEC tunnel through a Linux appliance 21 .
  • PSK pre-shared key
  • This type of tunnel allows either end to initiate the tunnel when traffic designated for the other end of the tunnel is detected. This traffic is known in the art as “interesting traffic”. When there is no “interesting traffic” (for a pre-configured period of time) the security association between the end-points will be terminated and thus the IPSEC tunnel is said to be “down.” This is not a problem for two public, static IP Addresses, as either side can initiate the tunnel to the public address on the remote end.
  • the system embodiment shown in FIG. 3 includes a device with an operating system built into the printer case. This built-in Linux appliance 21 on the private, dynamic end (at the bank branch) is able to initiate the IPSEC tunnel while monitoring the other side for connectivity.
  • NAT Network Address Translation
  • the appliance 21 may be a hardened Linux appliance functioning as a router, firewall, and dynamic-to-static IPSEC endpoint that complies with Center for Internet Security (CIS) standards.
  • the card printer 18 may be a Dualys card printer from Evolis.
  • the card services provider will operate hardware and software networks 35 a and 35 b that can receive and process requests for new cards sent by a bank branch 15 .
  • the network 35 a is PCI-compliant and includes an instant issue web service DMZ network 55 , an instant issue server network 36 a , an instant issue personalization network 45 , and an instant issue print DMZ network 60 , as described above with reference to FIG. 1( a ).
  • the PCI compliant instant issue server network 36 a may include an active directory or domain controller 37 , an application server 50 a , one or more workstations 39 , and an IPSEC administrative server 43 .
  • Card services provider network 36 b includes an application server 50 b , a PIN database 40 connected to a database server 41 to securely store PINs selected by bank customers when a new card is issued, and a file server 42 .
  • FIGS. 3 a - 3 x illustrate sequential operation of this embodiment of system 10 .
  • a site-to-site VPN link is established between the system web service 20 and the card services provider networks 35 a and 35 b .
  • a dynamic site-to-site VPN tunnel is then created between printer appliance 21 and the print DMZ network 60 , as shown in FIG. 3 c .
  • the print server 61 establishes a persistent connection to the application server 50 a , as shown in FIG. 3 d .
  • a bank branch 15 issues a card instant issue request to the system web service 20 .
  • the system web service then sends an HTTP POST request to the web service DMZ network 55 (proxy server 56 ), as shown in FIG. 3 f .
  • the HTTP POST is proxied to the application server 50 a and the HTTP status is returned to the web service 20 , as shown in FIG. 3 g.
  • the application server 50 a requests a card CVV Key Cryptogram as known in the art from application server 50 b ( FIG. 3 h ).
  • the application server 50 b proxies this request to the card services provider database 40 and returns the results to the application server 50 a ( FIG. 3 i ).
  • the application server 50 a contacts the HSM 47 via HTTP (9090), submits the CVV Key Cryptogram(s) and card personalization data, and retrieves CV1 and CV2 values, again as known in the art ( FIG. 3 j ).
  • the application server 50 a contacts the application server 50 b and requests card image calculation information ( FIG. 3 k ).
  • the application server 50 b retrieves the image calculation information from the database 40 and returns the results ( FIG. 3 l ).
  • the application server 50 a connects to application server 50 b and requests the card image data ( FIG. 3 m ).
  • the application server 50 b retrieves the card image data from the file server 42 and transmits it back over the HTTP request ( FIG. 3 n ).
  • the application server 50 a then connects to the application server 50 b to retrieve card magnetic stripe calculation data.
  • the application server 50 b retrieves the magnetic stripe calculation data from the database 40 and returns the results to the application server 50 a over the HTTP response ( FIG. 3 p ).
  • the application server 50 a communicates the card print job on a message bus ( FIG. 3 q ).
  • the connection broker assigns the job to a worker thread on the print server 61 ( FIG. 3 r ).
  • the print server 61 sends the print job to the printer 18 through the dynamic site-to-site VPN tunnel ( FIG. 3 s ).
  • the printer 18 attempts to print the card and sends a card print response message (success/failure/user intervention required) back to the print server 61 ( FIG. 3 t ).
  • the worker thread places the print result on the message bus ( FIG. 3 u ).
  • the application server 50 a sends the print result to the web service DMZ network 55 (proxy server 56 ) via HTTP POST ( FIG. 3 v ).
  • the proxy server 56 relays the print result to the system web service 20 ( FIG. 3 w ) which relays the result to the requesting branch 15 ( FIG. 3 x ), completing the process.
  • the system 10 is now ready for another card print request.

Abstract

In a method for instantly issuing a personalized financial transaction card to a customer, a bank employee receives customer and card information at a branch location, including a card PIN. The customer and card information is input into a data terminal and communicated across a network to a card services provider, where the PIN is entered into a PIN database. A reference number associated with the customer and a PIN offset is generated. The reference number is used to retrieve the PIN from the PIN database. The PIN is then used to apply calculations to the card file. The card file is securely sent from the card services provider across the network to the branch location. Using information from the card file, the financial transaction card is printed for the customer at the branch location.

Description

    BACKGROUND OF THE INVENTION
  • The present invention relates to methods and systems for creating, issuing and printing financial transaction cards, such as credit cards issued to consumers by financial institutions.
  • More specifically, the present invention pertains to methods and systems that allow a bank or other financial institution to instantly and securely issue a personalized credit card to a consumer at a branch or other remote location.
  • Many new customer accounts opened by banks include one or more debit or credit cards associated with the account. New customer accounts are typically opened at branch locations whereas new cards are often issued by a centralized card services provider that is not physically near the bank branch. Accordingly, the customer must supply card information to a bank employee at the branch. The customer may or may not have an opportunity to select a personalized PIN at that time. This card data is then communicated, perhaps in a batch mode with other card data, to a card services provider.
  • The card services provider fulfills the card request by printing and encoding the card, then mailing it to the branch or to the customer. The customer must then activate the card. This process involves delay and expense that is undesirable and may introduce unnecessary security risks.
  • What is needed, then, is a low cost, secure, simple and easy to install system and method for providing instant issue of personalized financial transaction cards in a bank branch. This needed system and method should interface with the new accounts platform/host used by the bank and meet all of the security requirements imposed by the major credit and debit card issuers and transaction processors.
    BRIEF SUMMARY OF THE INVENTION
  • In one embodiment, the present invention is a method for issuing a personalized financial transaction card from a financial institution to a customer in response to a customer request made from a branch location associated with the financial institution. A bank employee or operator receives customer information and card information from the customer at the branch location. The card information may include a card personal identification number (PIN). The operator inputs the customer information and at least some of the card information into a data processing terminal at the branch.
  • The customer information and the card information are communicated from the branch across a network to a card services provider. At the card services provider, the PIN is entered into a PIN database, a reference number associated with the customer is generated, and a PIN offset is generated. The reference number and at least some of the customer data and card data may be stored in a card file associated with the customer. The reference number is used to retrieve the PIN from the PIN database. The retrieved PIN is then used to apply calculations to the card file.
  • The card file is securely sent from the card services provider across the network to the branch location. Using information from the card file, the financial transaction card is printed for the customer at the branch location. In a preferred embodiment, the personalized card is instantly issued while the customer is present at the branch location.
  • In another embodiment, a verification message may be sent to the financial institution and to a card transaction processor when the financial transaction card has been successfully printed. Also, an error message may be sent to the branch location and to a card transaction processor when the financial transaction card does not successfully print.
  • In a further embodiment of the method, the step of securely sending the card file to the branch location may include distributing a virtual desktop from a server at the card services provider across the network to a virtual desktop client at the branch location.
  • In some embodiments, the card file may be stored at the branch location and the step of storing the reference number and at least some of the customer data further may include updating the card file with the reference number at the branch location.
  • In yet another embodiment of the invention, after the card file at the branch location is updated with the reference number, the method may include sending a card issue request from the branch location and receiving it in a hardware security module (HSM) at the card services provider. In this embodiment, in response to receiving the card issue request, the HSM may retrieve the PIN from the PIN database and apply the reference number to the calculations in the card file.
  • Thus, the system and method of the present invention will minimize upfront costs incurred by financial institution banks for hardware, software, licensing and maintenance fees. It will provide a secure process for customer selected PINs and rely upon secure web service applications to transmit card personalization data to drive the remote card printers.
    BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • FIG. 1(a) is a block diagram showing an arrangement of hardware and software modules in accordance with one embodiment of the system of the present invention, further showing system communications from a bank branch desktop PC that communicates an instant card issue request to the system web service.
  • FIG. 1(b) is a block diagram of the system of FIG. 1(a), further showing system communications between the system web service and the card services provider web service after initiation of the instant issue request as shown in FIG. 1(a).
  • FIG. 1(c) is a block diagram of the system of FIG. 1(a), further showing system communications between the card services provider web service and the card services provider application server after initiation of the instant issue request as shown in FIGS. 1(a) and 1(b).
  • FIG. 1(d) is a block diagram of the system of FIG. 1(a), further showing the card services provider application server placing data into a card services provider database server after initiation of the instant issue request as shown in FIGS. 1(a)-1(c).
  • FIG. 1(e) is a block diagram of the system of FIG. 1(a), further showing the card services provider application server retrieving a PIN/offset calculation from the card services provider hardware security module after initiation of the instant issue request as shown in FIGS. 1(a)-1(d).
  • FIG. 1(f) is a block diagram of the system of FIG. 1(a), further showing the card services provider application server communicating a card print job to the card services provider print server after initiation of the instant issue request as shown in FIGS. 1(a)-1(e).
  • FIG. 1(g) is a block diagram of the system of FIG. 1(a), further showing the card services provider print server securely communicating a card print job to a printer at the bank branch, after initiation of the instant issue request as shown in FIGS. 1(a)-1(f).
  • FIG. 1(h) is a block diagram of the system of FIG. 1(a), further showing the printer at the bank branch communicating a card print job success or failure message back to the card services provider print server, after initiation of the instant issue request as shown in FIGS. 1(a)-1(g).
  • FIG. 1(i) is a block diagram of the system of FIG. 1(a), further showing the card services provider print server communicating a card print job success or failure message back to the card services provider application server, after initiation of the instant issue request as shown in FIGS. 1(a)-1(h).
  • FIG. 1(j) is a block diagram of the system of FIG. 1(a), further showing the card services provider application server posting card print success or failure information to the system web service, after initiation of the instant issue request as shown in FIGS. 1(a)-1(i).
  • FIG. 1(k) is a block diagram of the system of FIG. 1(a), further showing the system web service communicating card print success or failure information to the bank branch desktop PC, after initiation of the instant issue request as shown in FIGS. 1(a)-1(j).
  • FIG. 2 is a flow chart illustrating a method for instant issue of a personalized credit card at a bank branch, in accordance with one embodiment of the present invention.
  • FIG. 3 a is a block diagram showing an arrangement of hardware and software modules in accordance with another embodiment of the system of the present invention.
  • FIG. 3 b is a block diagram of the embodiment of the system of FIG. 3 a, further showing a site-to-site VPN tunnel being established between the system web service and the card services provider web service.
  • FIG. 3 c is a block diagram of the system of FIG. 3 a, further showing a dynamic site-to-site VPN tunnel created between the printer and printer appliance and the print DMZ network.
  • FIG. 3 d is a block diagram of the system of FIG. 3 a, further showing a persistent connection between the print server and the application server.
  • FIG. 3 e is a block diagram of the system of FIG. 3 a, further showing the bank branch issuing a card instant issue request to the system web service.
  • FIG. 3 f is a block diagram of the system of FIG. 3 a, further showing the system web service sending an HTTP POST request to the web service DMZ network.
  • FIG. 3 g is a block diagram of the system of FIG. 3 a, further showing the HTTP POST being proxied to the PCI-compliant card services provider application server and the HTTP status being returned to the web service.
  • FIG. 3 h is a block diagram of the system of FIG. 3 a, further showing the PCI-compliant application server 50 a requesting a card CVV Key Cryptogram from application server 50 b.
  • FIG. 3 i is a block diagram of the system of FIG. 3 a, further showing the application server proxying the card print request to the card services provider database and returning the results to the application server.
  • FIG. 3 j is a block diagram of the system of FIG. 3 a, further showing the application server communicating to the hardware security module, submitting the CVV Key Cryptogram(s) and card personalization data, and retrieving CV1 and CV2 values.
  • FIG. 3 k is a block diagram of the system of FIG. 3 a, further showing the PCI-compliant application server 50 a contacting the application server 50 b and requesting card image calculation information.
  • FIG. 3 l is a block diagram of the system of FIG. 3 a, further showing the application server retrieving the card image calculation information from the database and returning the results.
  • FIG. 3 m is a block diagram of the system of FIG. 3 a, further showing the application server 50 a connecting to the application server 50 b and requesting the card image data.
  • FIG. 3 n is a block diagram of the system of FIG. 3 a, further showing the application server 50 b retrieving the card image data from the file server and transmitting it back over the HTTP request.
  • FIG. 3 o is a block diagram of the system of FIG. 3 a, further showing the application server 50 a connecting to the application server 50 b to retrieve card magnetic stripe calculation data.
  • FIG. 3 p is a block diagram of the system of FIG. 3 a, further showing the application server 50 b retrieving the magnetic stripe calculation data from the database and returning the results to the application server 50 a over the HTTP response.
  • FIG. 3 q is a block diagram of the system of FIG. 3 a, further showing the application server 50 a communicating the card print job on a print job message bus.
  • FIG. 3 r is a block diagram of the system of FIG. 3 a, further showing a connection broker assigning the print job to a worker thread on the print server.
  • FIG. 3 s is a block diagram of the system of FIG. 3 a, further showing the print server sending the print job to the printer through the dynamic site-to-site VPN tunnel.
  • FIG. 3 t is a block diagram of the system of FIG. 3 a, further showing the printer attempting to print the card and sending a card print response message (success/failure/user intervention required) back to the print server.
  • FIG. 3 u is a block diagram of the system of FIG. 3 a, further showing the worker thread placing the print result on the message bus.
  • FIG. 3 v is a block diagram of the system of FIG. 3 a, further showing the application server sending the print result to the web service DMZ network via HTTP POST.
  • FIG. 3 w is a block diagram of the system of FIG. 3 a, further showing the proxy server in the card services provider web service relaying the card print result to the system web service.
  • FIG. 3 x is a block diagram of the system of FIG. 3 a, further showing the system web service relaying the card print result to the requesting bank branch.
    DETAILED DESCRIPTION OF THE INVENTION
  • Referring now to FIGS. 1(a)-(k), an arrangement of hardware and software elements, components, and modules used in one embodiment of the system 10 of the present invention is shown. In this embodiment, a bank provides retail banking services to customers through one or more bank branches 15 a-15 c. The branches 15 run data processing systems connected to each other and to a bank central office by a wide area network (WLAN) or system web service 20 and a public data network 5, such as the public Internet.
  • Conventionally, the bank and its branches 15 are authorized to issue financial transaction cards, such as debit or credit cards, which are associated with a branded card transaction processor such as Visa® or MasterCard®. These transaction processors operate and control a global financial network of electronically interconnected card issuers, acquirers, merchants, and data processing centers.
  • The bank may contract with a card services provider to provide services associated with the issuance of a new credit or debit card to a bank customer. In the embodiment of FIG. 1(a), the card services provider will operate hardware and software networks 35 that can receive and process requests for new cards sent by a bank branch 15. The card service provider networks may include an instant issue web service DMZ network 55, an instant issue server network 36, an instant issue personalization network 45, and an instant issue print DMZ network 60.
  • The instant issue server network 36 may include an active directory or domain controller 37, an application server 50, and a database server 41. Accordingly, the card services provider will maintain a PIN (Personal Identification Number) database 40 connected to the database server 41 that can securely store PINs selected by bank customers when a new card is issued.
  • As part of the instant issue personalization network 45, the card services provider may also operate a hardware-host security module (HSM) 47 to provide a secure environment for card data encryption, PIN calculations, sensitive cryptographic operations, secure key storage, and management of a large number of secure keys, as is known to a person of skill in the art. A hardware-host security module, as known to those of skill in the art, is a combination of hardware and software/firmware that is functionally connected to a PC or server to provide cryptographic functions. The HSM 47 may include a user interface and programmable interface. The physical part of an HSM, which may be a plug-in card or external device such as a physical Windows Server, may include tamper-resistant features.
  • Preferably, the functional interface between the card services provider networks 35, the public network 5, and the system web service 20 may include a web service “demilitarized zone” (DMZ) network 55. A demilitarized zone, sometimes referred to as a Perimeter Network, is a physical or logical sub-network that contains and exposes an organization's external services to a larger untrusted network, such as the Internet. The DMZ network 55 adds an additional layer of security to the communications link between the system web service 20 and the card services provider networks 35, so that an external attacker has access only to hardware in the DMZ and not in any other part of the networks. Within the DMZ network 55 is a card services provider web service 56. The web service 56 may be implemented using, for example, a Windows virtual server or Apache proxy server.
  • The DMZ network 55 and the system web service 20 may be interconnected by a private network connection or across the public network 5, such as the public Internet. In one embodiment, this connection may be implemented by an encrypted (e.g., IPSEC) Virtual Private Network (VPN) tunnel using an IPSEC endpoint device or security appliance 59. One conventional example of a security appliance that may be used is a Model ASA 5050 Firewall from Cisco Systems, Inc. The instant issue server network 36 may be coupled to the DMZ network 55 through a firewall 58, e.g., a virtual appliance. The HSM 47 is also functionally coupled to the instant issue server network 36 using a firewall 46, e.g., a virtual appliance.
  • The card services provider networks 35 may include an instant issue card print network DMZ 60 containing a print server 61. The instant issue card print network DMZ 60 may be connected to the DMZ network 55 through a firewall 38, e.g., a security appliance such as the Cisco ASA 5050 Firewall. The instant issue card print network DMZ 60 and the system web service 20 may be interconnected by a private network connection or across the public network 5. In one embodiment, this connection may be implemented by an encrypted (e.g., IPSEC) Virtual Private Network (VPN) tunnel using an IPSEC endpoint device 62 such as the Cisco ASA 5050 Firewall.
  • The system 10 may also include hardware and software located at each branch location 15, including one or more desktop PCs or workstations 16 functionally coupled to the system web service 20 and a branch card printer network 17. In one embodiment, the branch card printer network 17 includes a card printer 18. The branch card printer network 17 may be isolated and therefore coupled to the instant issue card print network DMZ 60 using a VPN tunnel established between a firewall and IPSEC endpoint device and endpoint device 62. The branch card printer network 17 may also be connected to the public network 5 through firewall and IPSEC endpoint device 19. In the embodiment shown, a wireless internet connection is used. In one embodiment, the card printer 18 may be a Datacard Model FP65i Financial Card Printer from the Datacard Group.
  • In the embodiment of FIGS. 1(a)-(k), the branch desktop PCs 16 can securely communicate with the card services provider networks 35. The branch PCs 16 will access and display one or more browser-based system user interfaces generated by the system web service 20 and card services provider web service 56. This user interface on the branch PCs 16 is used by a bank operator at the branch during the process of using the system 10 to request and issue a new card. The desktop PCs 16 are functionally coupled to the client services provider networks 35 through the system web service 20 and DMZ network 55 to provide secure data communications between the branches 15 and the card services provider networks.
  • The branch card printer 18 is functionally coupled to the client services provider print server 61 to securely receive card print commands. The card printer 18 may be equipped with a supply of blank card stock. The card printer 18 uses the data in a card file to imprint a blank card with personalized information associated with and selected by a customer.
  • Referring now to FIG. 2, an embodiment of a method 100 for instant issue of a personalized credit card to a bank customer located at a bank branch location can be described. In a first step 110, a bank employee or other system operator working in the branch receives information from the customer that is needed to initiate the request for issuance of a personalized credit or debit card to the customer. This information is entered into corresponding card data fields used by the system. In one embodiment the card data fields are part of a CAF card file. The data fields in the card file may include data identifying the customer by name and address, the branch, the bank operator, and the particular type of financial transaction card (e.g., credit or debit) being requested.
  • In a second step 120, the customer selects a PIN (Personal Identification Number) that will be associated with the card to be issued to the customer. In a preferred embodiment, the personalized PIN is entered into the system by the customer directly, using a keypad-type data terminal at the branch or a telephone and voice recognition system, so that the bank operator does not see or hear the PIN. A PIN selection system that can be used for this purpose is described in U.S. Pat. No. 5,132,521, the entire disclosure of which is incorporated herein by reference.
  • The selected PIN is communicated electronically 130 to a PIN database. In one embodiment, the PIN database is maintained remotely by a card services company that contracts with the bank to produce, encode, and issue personalized financial transaction cards to customers of that bank.
  • In a fourth step 140, the software associated with the PIN database generates a reference number associated with the customer and the selected PIN. The reference number is communicated to and may be stored in the card file associated with the customer as a file update. This updated card file may be used by the system software used at the branch location.
  • In one embodiment of the method, after the card file is updated following generation of the reference number, a card request is communicated 150 to an edit function software application in the hardware host security module (HSM) 47. The HSM 47 may be controlled by a card services provider remote from the branch. The HSM edit function application uses the reference number to retrieve 160 the PIN from the PIN database so that algorithmic calculations can be applied to the PIN in the card file.
  • In a next step 170, the card file is securely sent to a remote card printer at the branch location. In one embodiment, this step is implemented by means of a virtual desktop server communicating with a virtual desktop client associated with the remote card printer and a PC or terminal located at the branch.
  • The customer's card is then printed 180 by the remote printer using the data in the card file. After the card is printed, a verification message may be sent 190 to the bank and to the card transaction processor. This verification message confirms that the card is ready for use by the customer. Alternatively, if the card printing is not successful, an error message is communicated 200 to the bank operator in the branch and to the transaction processor.
  • An embodiment of a method for instant issue of a personalized credit card to a bank customer located at a bank branch location can be further understood by reference to FIGS. 1(a)-1(k). To initiate the process as shown in FIG. 1(a), a system operator makes a card issue request at the branch desktop PC 16, which then communicates an instant card issue request to the system web service 20.
  • The system web service 20 connects to the card services provider web service 56 over a persistent secure (e.g., IPSEC) tunnel and communicates the card instant issue request to the client services provider networks 35, as shown in FIG. 1(b). The card services provider web service 56 connects to the card services provider application server 50 (FIG. 1(c)). In response, the application server 50 places data into the card services provider database 40 (FIG. 1(d)). As shown in FIG. 1(e), the card services provider application server 50 then retrieves a PIN/offset calculation from the card services provider hardware security module 47.
  • The card services provider application server 50 communicates a card print job to the card services provider print server 61, as seen in FIG. 1(f). This card print job is sent to the instant issue card printer 18 (FIG. 1(g)). This allows the financial transaction card to be printed at the bank branch 15 that made the card issue request.
  • The printer 18 communicates a card print job success or failure message back to the card services provider print server 61 (FIG. 1(h)). The card services provider print server 61 then communicates a card print job success or failure message back to the card services provider application server 50 (FIG. 1(i)). The card services provider application server 50 then posts card print success or failure information to the system web service 20 (FIG. 1(j)). Finally, as shown in FIG. 1(k), the system web service 20 communicates card print success or failure information to the bank branch desktop PC 16.
  • FIG. 3 a illustrates another embodiment of the system 10 in which the card printer 18 at the branch location 15 is physically combined with a security appliance 21 inside a common housing. In this embodiment, the combination of the card printer 18 and security appliance 21 may be PCI (Payment Card Industry) compliant. This compliance requires a novel method of managing an IPSEC tunnel through a Linux appliance 21.
  • There are several known techniques for negotiating an IPSEC tunnel. A common technique is to use a pre-shared key (PSK) shared between two public, static IP addresses. This type of tunnel allows either end to initiate the tunnel when traffic designated for the other end of the tunnel is detected. This traffic is known in the art as “interesting traffic”. When there is no “interesting traffic” (for a pre-configured period of time) the security association between the end-points will be terminated and thus the IPSEC tunnel is said to be “down.” This is not a problem for two public, static IP Addresses, as either side can initiate the tunnel to the public address on the remote end. However, when one side of the tunnel will not be static, or the IP address will not be known, or if it is behind a router/firewall that does Network Address Translation (NAT), only one end (the non-static, non-public end) may initiate the IPSEC tunnel. For the static, public (non-initiating) end of the tunnel to send traffic to the private, dynamic end, the tunnel must be aggressively kept “up” at all times. To achieve this, the system embodiment shown in FIG. 3 includes a device with an operating system built into the printer case. This built-in Linux appliance 21 on the private, dynamic end (at the bank branch) is able to initiate the IPSEC tunnel while monitoring the other side for connectivity. If monitoring detects problems, the device 21 is able to re-establish the IPSEC tunnel. Thus, the appliance 21 may be a hardened Linux appliance functioning as a router, firewall, and dynamic-to-static IPSEC endpoint that complies with Center for Internet Security (CIS) standards. In this embodiment, the card printer 18 may be a Dualys card printer from Evolis.
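The monitor-and-re-initiate behaviour described above for appliance 21, as an added Python example that is not from the patent. The probe target, the re-initiate command, and the threshold and backoff values are assumptions, since the patent does not specify them.

```python
"""Watchdog for the dynamic (initiating) end of an IPsec tunnel."""
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple


def command_check(argv: List[str], timeout: int = 10) -> Callable[[], bool]:
    """Wrap an external command as a yes/no action (exit status 0 is success)."""
    def run() -> bool:
        try:
            done = subprocess.run(argv, timeout=timeout,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL)
            return done.returncode == 0
        except (OSError, subprocess.TimeoutExpired):
            return False
    return run


@dataclass
class TunnelWatchdog:
    probe: Callable[[], bool]      # True when a host behind the static end answers
    bring_up: Callable[[], bool]   # (re-)initiate the tunnel from the dynamic end
    probe_interval: int = 10       # seconds between probes (assumed value)
    fail_threshold: int = 3        # consecutive misses before re-initiating (assumed)
    base_backoff: int = 15         # first wait after a failed re-initiate (assumed)
    max_backoff: int = 300         # ceiling for the exponential backoff (assumed)
    misses: int = 0
    failed_reinits: int = 0
    events: List[str] = field(default_factory=list)  # audit trail for log shipping

    def tick(self) -> int:
        """Run one monitoring cycle; return seconds to wait before the next."""
        if self.probe():
            if self.misses or self.failed_reinits:
                self.events.append("recovered")
            self.misses = self.failed_reinits = 0
            return self.probe_interval
        self.misses += 1
        # One lost probe must not tear down a tunnel that may be carrying a
        # print job, so act only after fail_threshold consecutive misses.
        if self.misses < self.fail_threshold:
            self.events.append(f"probe-miss {self.misses}/{self.fail_threshold}")
            return self.probe_interval
        if self.bring_up():
            self.events.append("tunnel re-initiated")
            self.misses = self.failed_reinits = 0
            return self.probe_interval
        # Back off exponentially so an upstream outage does not turn into a
        # stream of negotiation attempts against the static endpoint.
        self.failed_reinits += 1
        self.events.append(f"re-initiate failed #{self.failed_reinits}")
        return min(self.base_backoff * 2 ** (self.failed_reinits - 1),
                   self.max_backoff)


def run_forever(wd: TunnelWatchdog) -> None:
    """Production loop: only the dynamic end can initiate, so never exit."""
    while True:
        time.sleep(wd.tick())


def simulate(probe_results: Iterable[bool],
             bring_up_results: Iterable[bool]) -> Tuple[List[str], List[int]]:
    """Drive the watchdog with constructed outcomes instead of a real network."""
    results = list(probe_results)
    probes, ups = iter(results), iter(bring_up_results)
    wd = TunnelWatchdog(probe=lambda: next(probes), bring_up=lambda: next(ups))
    waits = [wd.tick() for _ in results]
    return wd.events, waits


# Real wiring on the appliance (address and script path are placeholders):
#   wd = TunnelWatchdog(
#       probe=command_check(["ping", "-c", "1", "-W", "2", "192.0.2.10"]),
#       bring_up=command_check(["/usr/local/sbin/tunnel-up"]))  # hypothetical script
#   run_forever(wd)

if __name__ == "__main__":
    # Constructed scenario: the link drops, two re-initiates fail, the third works.
    events, waits = simulate(
        [True, False, False, False, False, False, True],
        [False, False, True])
    for line in events:
        print(line)
    print("waits:", waits)
```

The `events` list is meant to be forwarded to central logging, so repeated re-initiate failures at one branch are visible to the card services provider as well as to the appliance.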
  • In the embodiment of FIG. 3 a, the card services provider will operate hardware and software networks 35 a and 35 b that can receive and process requests for new cards sent by a bank branch 15. The network 35 a is PCI-compliant and includes an instant issue web service DMZ network 55, an instant issue server network 36 a, an instant issue personalization network 45, and an instant issue print DMZ network 60, as described above with reference to FIG. 1(a).
  • The PCI compliant instant issue server network 36 a may include an active directory or domain controller 37, an application server 50 a, one or more workstations 39, and an IPSEC administrative server 43.
  • Card services provider network 36 b includes an application server 50 b, a PIN database 40 connected to a database server 41 to securely store PINs selected by bank customers when a new card is issued, and a file server 42.
  • FIGS. 3 a-3 x illustrate sequential operation of this embodiment of system 10. In FIG. 3 b, a site-to-site VPN link is established between the system web service 20 and the card services provider networks 35 a and 35 b. A dynamic site-to-site VPN tunnel is then created between printer appliance 21 and the print DMZ network 60, as shown in FIG. 3 c. The print server 61 establishes a persistent connection to the application server 50 a, as shown in FIG. 3 d. In FIG. 3 e, a bank branch 15 issues a card instant issue request to the system web service 20. The system web service then sends an HTTP POST request to the web service DMZ network 55 (proxy server 56), as shown in FIG. 3 f. The HTTP POST is proxied to the application server 50 a and the HTTP status is returned to the web service 20, as shown in FIG. 3 g.
  • The application server 50 a requests a card CVV Key Cryptogram as known in the art from application server 50 b (FIG. 3 h). The application server 50 b proxies this request to the card services provider database 40 and returns the results to the application server 50 a (FIG. 3 i). The application server 50 a contacts the HSM 47 via HTTP (9090), submits the CVV Key Cryptogram(s) and card personalization data, and retrieves CV1 and CV2 values, again as known in the art (FIG. 3 j).
  • The application server 50 a contacts the application server 50 b and requests card image calculation information (FIG. 3 k). The application server 50 b retrieves the image calculation information from the database 40 and returns the results (FIG. 3 l). The application server 50 a connects to application server 50 b and requests the card image data (FIG. 3 m). The application server 50 b retrieves the card image data from the file server 42 and transmits it back over the HTTP request (FIG. 3 n).
  • As shown in FIG. 3 o, the application server 50 a then connects to the application server 50 b to retrieve card magnetic stripe calculation data. The application server 50 b retrieves the magnetic stripe calculation data from the database 40 and returns the results to the application server 50 a over the HTTP response (FIG. 3 p).
  • Now having the card CV1 and CV2 values, the card personalization data, the card image information, the card image data, and the magnetic stripe data, the application server 50 a communicates the card print job on a message bus (FIG. 3 q). The connection broker then assigns the job to a worker thread on the print server 61 (FIG. 3 r). The print server 61 sends the print job to the printer 18 through the dynamic site-to-site VPN tunnel (FIG. 3 s). The printer 18 then attempts to print the card and sends a card print response message (success/failure/user intervention required) back to the print server 61 (FIG. 3 t). The worker thread places the print result on the message bus (FIG. 3 u). The application server 50 a sends the print result to the web service DMZ network 55 (proxy server 56) via HTTP POST (FIG. 3 v). The proxy server 56 relays the print result to the system web service 20 (FIG. 3 w) which relays the result to the requesting branch 15 (FIG. 3 x), completing the process. The system 10 is now ready for another card print request.
  • In the process described above, while many of the data retrieval steps are performed sequentially, this is not required. For example, some or all of the data needed from the servers as illustrated and described with reference to FIGS. 3 h-3 q can be retrieved concurrently in a single step.
  • Thus, although there have been described particular embodiments of the present invention of a new and useful system and method for instant issue of personalized financial transaction cards, it is not intended that such references be construed as limitations upon the scope of this invention except as set forth in the following claims.
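
The hop sequence of FIGS. 3 e-3 x can be written down as an allowlist and used to check a connection trace, as in this added example (not part of the patent or of any product it describes). The `Hop` class, the `validate` function and the item labels are hypothetical; hops are modelled in the direction the text narrates them, and results returned over an HTTP response are not separate hops. Retrieval order is left free, as the text permits, but the print job must not be published before all four inputs are held.

```python
from dataclasses import dataclass
from typing import Optional

A50A, A50B = "application server 50a", "application server 50b"

# Hops narrated in FIGS. 3e-3x. Value: required port, or None where the
# page names none (only the HSM hop has one: HTTP on 9090).
ALLOWED_HOPS = {
    ("branch 15", "web service 20"): None,          # 3e
    ("web service 20", "proxy server 56"): None,    # 3f
    ("proxy server 56", A50A): None,                # 3g
    (A50A, A50B): None,                             # 3h, 3k, 3m, 3o
    (A50B, "database 40"): None,                    # 3i, 3l, 3p
    (A50B, "file server 42"): None,                 # 3n
    (A50A, "HSM 47"): 9090,                         # 3j
    (A50A, "message bus"): None,                    # 3q
    ("message bus", "print server 61"): None,       # 3r
    ("print server 61", "printer 18"): None,        # 3s
    ("printer 18", "print server 61"): None,        # 3t
    ("print server 61", "message bus"): None,       # 3u
    (A50A, "proxy server 56"): None,                # 3v
    ("proxy server 56", "web service 20"): None,    # 3w
    ("web service 20", "branch 15"): None,          # 3x
}

# Data application server 50a must already hold before it asks for an item
# (item labels are this example's own, not the patent's).
NEEDS = {
    "cv_values": {"cvv_key_cryptogram"},
    "print_job": {"cv_values", "image_info", "image_data", "magstripe_data"},
}


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    item: str = ""               # what 50a fetches or publishes on this hop
    port: Optional[int] = None


def validate(trace):
    """Return (index, problem, detail) for every hop that breaks the flow."""
    findings, held = [], set()
    for i, hop in enumerate(trace):
        key = (hop.src, hop.dst)
        if key not in ALLOWED_HOPS:
            findings.append((i, "hop not in documented flow", f"{hop.src} -> {hop.dst}"))
            continue
        want = ALLOWED_HOPS[key]
        if want is not None and hop.port != want:
            findings.append((i, "unexpected port", f"{hop.port} != {want}"))
        if hop.src == A50A and hop.item:
            missing = NEEDS.get(hop.item, set()) - held
            if missing:
                findings.append((i, "prerequisite missing", ",".join(sorted(missing))))
            held.add(hop.item)   # record it anyway so one gap is reported once
    return findings


# Constructed sample trace pieces (not captured traffic).
INTAKE = [Hop("branch 15", "web service 20"), Hop("web service 20", "proxy server 56"),
          Hop("proxy server 56", A50A)]
CV = [Hop(A50A, A50B, "cvv_key_cryptogram"), Hop(A50B, "database 40"),
      Hop(A50A, "HSM 47", "cv_values", 9090)]
IMAGE = [Hop(A50A, A50B, "image_info"), Hop(A50B, "database 40"),
         Hop(A50A, A50B, "image_data"), Hop(A50B, "file server 42")]
STRIPE = [Hop(A50A, A50B, "magstripe_data"), Hop(A50B, "database 40")]
PRINT = [Hop(A50A, "message bus", "print_job"), Hop("message bus", "print server 61"),
         Hop("print server 61", "printer 18"), Hop("printer 18", "print server 61"),
         Hop("print server 61", "message bus"), Hop(A50A, "proxy server 56", "print_result"),
         Hop("proxy server 56", "web service 20"), Hop("web service 20", "branch 15")]

if __name__ == "__main__":
    print(validate(INTAKE + CV + IMAGE + STRIPE + PRINT))   # page order
    print(validate(INTAKE + IMAGE + CV + PRINT))            # stripe data never fetched
```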

Claims (15)

What is claimed is:
1. A method for issuing a personalized financial transaction card from a financial institution to a customer in response to a customer request made from a branch location associated with the financial institution, wherein the customer request includes customer data associated with the customer and card data including a selected card personal identification number (PIN) to be associated with the financial transaction card, the method comprising:
electronically receiving at a card services provider network, customer data and at least the PIN portion of the card data communicated across a data network from the branch location;
electronically entering the PIN received by the card services provider network into a PIN database;
storing at least some of the customer data and card data in an electronic card file associated with the customer;
using application software, retrieving the PIN from the PIN database;
using application software and the retrieved PIN to apply calculations to the electronic card file;
configuring the electronic card file for use in printing a personalized financial transaction card for a customer at the branch location; and
securely transmitting the configured electronic card file from the card services provider network across the data network to the branch location.
2. The method of claim 1 further comprising electronically receiving a verification message sent from the financial institution when the financial transaction card has been successfully printed.
3. The method of claim 1 further comprising electronically sending an error message to the branch location when the financial transaction card did not successfully print.
4. The method of claim 1 wherein the electronic card file is stored at the branch location and the step of storing at least some of the customer data further comprises updating the electronic card file at the branch location.
5. The method of claim 4 further comprising:
after the electronic card file at the branch location is updated, electronically receiving a card issue request from the branch location and receiving it in a hardware security module (HSM) at the card services provider; and
in response to receiving the card issue request, using the HSM to retrieve the PIN from the PIN database and to apply calculations to data in the card file.
6. A system for instant issue of financial transaction cards in response to card requests made by customers at one or more branch locations associated with a financial institution, wherein the card requests include customer information associated with the customer and card information including a selected card personal identification number (PIN) to be associated with a financial transaction card, wherein there is at least one branch data terminal at each branch location that is effective to receive customer information and at least the PIN portion of card information associated with a card request and to transmit the customer information and at least the PIN portion of the card information to a card services provider network via a secure data communications link, and wherein there is at least one branch card printer network at a branch location that is responsive to card print commands, the branch card printer network including at least one card printer, the system comprising:
a card services provider network functionally coupled via a secure data communications link to the branch data terminals and to the branch card printer networks;
the card services provider network comprises
a PIN database effective to receive and securely store PINs transmitted by branch data terminals,
PIN application software effective to generate reference numbers associated with card requests using customer PINs stored in the PIN database,
card file application software effective to
create an electronic card file associated with a card request,
update the electronic card file using the reference number, and
configure the electronic card files for use in printing personalized financial transaction cards for customers present at branch locations; and
card print application software effective to securely transmit card print commands and card files associated with card requests to branch card printer networks at branch locations.
7. The system of claim 6 further comprising:
a system web service coupled to the branch data terminals and to the branch card printer networks;
a perimeter network coupled to the card services provider network; and
wherein the branch data terminals and the branch card printer networks securely communicate with the card services provider network through the system web service and the perimeter network.
8. The system of claim 7 further comprising a virtual private network (VPN) functionally coupled to the perimeter network and to the card services provider network and wherein the VPN includes at least one security appliance and is effective to provide encrypted data communications between the system web service and the perimeter network.
9. The system of claim 8 wherein the card services provider network includes a hardware-host security module (HSM) effective to provide a secure functional environment for the PIN application software and the card file application software.
10. The system of claim 9 wherein the branch card printer networks at branch locations each further comprise a security appliance functionally coupled to the card printer.
11. The system of claim 9 wherein the card services provider network is effective to receive card print job verification messages from branch card printer networks at branch locations, the print job verification message confirming that financial transaction cards printed at the branch locations in response to receiving print commands are ready for use by the customers.
12. The system of claim 11 wherein:
the card services provider network further comprises a card services provider print server hosting the card print application software,
the card services provider print server is effective to receive card print job success and failure messages electronically communicated from branch card printer networks at branch locations; and
the card services provider network is further effective to communicate card print success and failure information to the branch data terminal at the branch location from which a corresponding card print job success or failure message was communicated to the card services provider print server.
13. A system for processing of a card request made by a customer at a branch location associated with a financial institution, wherein the card request includes customer information, card information including a selected card personal identification number (PIN), and a requirement that the card be instantly issued while the customer is present in the branch location, the system comprising:
a first card services provider network comprising
an instant issue server network including a first application server network,
an instant issue card personalization network coupled to the instant issue server network,
an instant issue web service perimeter network coupled to the instant issue server network, and
an instant issue print perimeter network coupled to the instant issue server network, the instant issue print perimeter network including a print server;
a second card services provider network comprising
a second application server,
a file server,
a database server, and
a database coupled to the database server,
the instant issue web service perimeter network is effective to receive a card request from the branch location and to communicate the card request to the first application server;
in response to receiving a card request from the branch location via the instant issue web service perimeter network, the first application server is effective to communicate card data requests to the second application server;
the database server is effective to securely store a PIN associated with a card request in the database;
in response to receiving a card data request, the second application server, the database server and the file server are effective to communicate card cryptographic data, card image information, card image data, and card magnetic stripe data to the first application server;
in response to receiving the card cryptographic data, the first application server is effective to communicate the card cryptographic data to the instant issue card personalization network and to retrieve card security data from the instant issue card personalization network;
in response to receiving the card image information, the card image data, the card magnetic stripe data, and the card security data, the first application server is effective to communicate a card print job to the print server;
in response to receiving a card print job, the print server is effective to transmit the card print job to the branch location.
14. The system of claim 13 further comprising:
a first security appliance coupling the instant issue server network to the instant issue print perimeter network;
a second security appliance coupling the instant issue card personalization network to the instant issue server network; and
a third security appliance coupling the instant issue server network to the instant issue web service perimeter network.
15. The system of claim 14 wherein the instant issue card personalization network comprises a hardware-host security module.
US13/867,678 2010-07-19 2013-04-22 System and method for instant issue of personalized financial transaction cards Abandoned US20130297505A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US13/867,678 US20130297505A1 (en) 2010-07-19 2013-04-22 System and method for instant issue of personalized financial transaction cards
US15/014,757 US10275747B2 (en) 2010-07-19 2016-02-03 System and method for instant issue of personalized financial transaction cards
US16/373,321 US10846666B2 (en) 2010-07-19 2019-04-02 System and method for instant issue of personalized financial transaction cards
US16/951,524 US11687894B2 (en) 2010-07-19 2020-11-18 System and method for instant issue of personalized financial transaction cards
US18/139,033 US12079788B2 (en) 2010-07-19 2023-04-25 System and method for instant issue of personalized financial transaction cards

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US36567310P 2010-07-19 2010-07-19
US13/186,302 US8429075B2 (en) 2010-07-19 2011-07-19 System and method for instant issue of personalized financial transaction cards
PCT/US2011/044530 WO2012012421A2 (en) 2010-07-19 2011-07-19 System and method for instant issue of personalized financial transaction cards
WO201012421 2011-07-19
US13/867,678 US20130297505A1 (en) 2010-07-19 2013-04-22 System and method for instant issue of personalized financial transaction cards

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/186,302 Continuation US8429075B2 (en) 2010-07-19 2011-07-19 System and method for instant issue of personalized financial transaction cards

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/014,757 Continuation US10275747B2 (en) 2010-07-19 2016-02-03 System and method for instant issue of personalized financial transaction cards

Publications (1)

Publication Number Publication Date
US20130297505A1 true US20130297505A1 (en) 2013-11-07

Family

ID=45467698

Family Applications (6)

Application Number Title Priority Date Filing Date
US13/186,302 Active US8429075B2 (en) 2010-07-19 2011-07-19 System and method for instant issue of personalized financial transaction cards
US13/867,678 Abandoned US20130297505A1 (en) 2010-07-19 2013-04-22 System and method for instant issue of personalized financial transaction cards
US15/014,757 Active 2032-02-21 US10275747B2 (en) 2010-07-19 2016-02-03 System and method for instant issue of personalized financial transaction cards
US16/373,321 Active 2031-09-07 US10846666B2 (en) 2010-07-19 2019-04-02 System and method for instant issue of personalized financial transaction cards
US16/951,524 Active 2031-09-13 US11687894B2 (en) 2010-07-19 2020-11-18 System and method for instant issue of personalized financial transaction cards
US18/139,033 Active US12079788B2 (en) 2010-07-19 2023-04-25 System and method for instant issue of personalized financial transaction cards

Country Status (12)

Country Link
US (6) US8429075B2 (en)
EP (1) EP2596466B1 (en)
CN (1) CN103003832B (en)
AU (1) AU2011282283B2 (en)
BR (1) BR112013000991B8 (en)
CA (1) CA2805436C (en)
CL (1) CL2013000161A1 (en)
CO (1) CO6650385A2 (en)
ES (1) ES2715223T3 (en)
HK (1) HK1177807A1 (en)
TR (1) TR201904066T4 (en)
WO (1) WO2012012421A2 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8997203B2 (en) * 2012-08-07 2015-03-31 Blackberry Limited Filtering network packets in multiple forwarding information base systems
JP6011167B2 (en) * 2012-09-03 2016-10-19 ブラザー工業株式会社 Communication relay program and communication relay device
JP6167502B2 (en) 2012-10-31 2017-07-26 ブラザー工業株式会社 Communication relay program, communication relay apparatus, and image processing apparatus
JP6075010B2 (en) 2012-10-31 2017-02-08 ブラザー工業株式会社 Communication relay program and image processing apparatus
US9940608B2 (en) * 2013-05-16 2018-04-10 Mts Holdings, Inc. Real time EFT network-based person-to-person transactions
US11367077B2 (en) * 2015-06-11 2022-06-21 Idid Tecnologia Ltda Antifraud resilient transaction identifier datastructure apparatuses, methods and systems
WO2018200327A1 (en) * 2017-04-24 2018-11-01 Cpi Card Group - Tennessee, Inc. Bridge application for user pin selection
DE102018001673A1 (en) 2018-03-02 2019-09-05 Giesecke+Devrient Mobile Security Gmbh Method and system for isolating immediately issued cards with visual imperfections
US11461763B2 (en) * 2020-04-16 2022-10-04 Capital One Services Llc Systems and methods for instant bank card issuance

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090055323A1 (en) * 2007-08-22 2009-02-26 Total System Services, Inc. System and method for providing custom personal identification numbers at point of sale
US20100123002A1 (en) * 2008-11-20 2010-05-20 Anthony Caporicci Card printing verification system

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2146814A (en) * 1983-09-17 1985-04-24 Ibm Electronic fund transfer systems
US4924514A (en) * 1988-08-26 1990-05-08 International Business Machines Corporation Personal identification number processing using control vectors
US5132521A (en) 1989-09-15 1992-07-21 Smith Charles M System and method for acquisition and encoding of ATM card data
US5757431A (en) * 1994-06-20 1998-05-26 Lau Technologies Apparatus for coupling multiple data sources onto a printed document
JP2951844B2 (en) 1994-06-30 1999-09-20 日本信販株式会社 Credit card system and credit card issuing method using the system
DE19517818C2 (en) 1995-05-18 1997-12-18 Angewandte Digital Elektronik Method for issuing individual chip cards to a plurality of individual chip card users using a neutral chip card dispensing station
US6144948A (en) 1997-06-23 2000-11-07 Walker Digital, Llc Instant credit card marketing system for reservations for future services
US6539359B1 (en) 1998-10-02 2003-03-25 Motorola, Inc. Markup language for interactive services and methods thereof
FR2785694B1 (en) 1998-11-05 2001-01-12 Gemplus Card Int CHIP CARD PERSONALIZATION SYSTEM
US6493677B1 (en) 2000-01-19 2002-12-10 Jones Soda Co. Method and apparatus for creating and ordering customized branded merchandise over a computer network
US7111163B1 (en) * 2000-07-10 2006-09-19 Alterwan, Inc. Wide area network using internet with quality of service
US6578761B1 (en) 2000-08-18 2003-06-17 Donald Spector Method for issuance of satellite credit and debit cards
US6877656B1 (en) 2000-10-24 2005-04-12 Capital One Financial Corporation Systems, methods, and apparatus for instant issuance of a credit card
JP4039061B2 (en) 2002-01-07 2008-01-30 凸版印刷株式会社 IC card issuing device and IC card issuing method
US20030210696A1 (en) * 2002-04-25 2003-11-13 Globespanvirata Incorporated System and method for routing across segments of a network switch
JP2004013541A (en) 2002-06-06 2004-01-15 Jcb:Kk Card instant issue system and card instant issue method based on online application
US20040186925A1 (en) * 2003-03-21 2004-09-23 Joe Cooper Printing system with retained print job emailing
US20050149739A1 (en) * 2003-12-31 2005-07-07 Hewlett-Packard Development Company, L.P. PIN verification using cipher block chaining
US7191939B2 (en) 2004-03-12 2007-03-20 American Express Travel Related Services Company, Inc. Systems, methods, and devices for selling transaction instruments via web-based tool
US7444505B2 (en) * 2004-04-22 2008-10-28 At&T Intellectual Property I, L.P. Method, system and software for maintaining network access and security
ZA200601849B (en) * 2004-11-23 2007-11-28 Standard Bank Of South Africa A method of securely distributing a financial instrument and an associated personal identification number
US7984851B2 (en) * 2005-07-13 2011-07-26 Sean Macguire Consumer self-activated financial card
JP2009501981A (en) * 2005-07-15 2009-01-22 レボリューション マネー,インコーポレイテッド System and method for new execution and management of financial and data transactions
US9324076B2 (en) * 2006-06-02 2016-04-26 First Data Corporation PIN creation system and method
US20090048970A1 (en) * 2007-02-09 2009-02-19 Muscato Michael A Approval and Issuance of a Financial Card
US7806338B1 (en) 2007-08-01 2010-10-05 Dynamic Solutions International Real time card printing systems and methods
US20100123003A1 (en) 2008-11-20 2010-05-20 Olson A Wayne Method for verifying instant card issuance
US8413894B2 (en) * 2009-11-05 2013-04-09 X-Card Holdings, Llc Card with illuminated codes for use in secure transactions
US20110196753A1 (en) * 2010-02-09 2011-08-11 Brian Joseph Hodgdon System and method for immediate issuance of an activated prepaid card with improved security measures

Also Published As

Publication number Publication date
AU2011282283A1 (en) 2013-01-31
BR112013000991B8 (en) 2021-05-25
BR112013000991A2 (en) 2017-10-17
HK1177807A1 (en) 2013-08-30
CL2013000161A1 (en) 2013-11-08
EP2596466A4 (en) 2014-10-29
WO2012012421A2 (en) 2012-01-26
CN103003832A (en) 2013-03-27
BR112013000991B1 (en) 2021-05-11
AU2011282283B2 (en) 2014-02-20
US20190228392A1 (en) 2019-07-25
US20230259905A1 (en) 2023-08-17
TR201904066T4 (en) 2019-05-21
CN103003832B (en) 2015-11-25
US20160328688A1 (en) 2016-11-10
EP2596466A2 (en) 2013-05-29
US8429075B2 (en) 2013-04-23
US12079788B2 (en) 2024-09-03
ES2715223T3 (en) 2019-06-03
US20210073756A1 (en) 2021-03-11
CO6650385A2 (en) 2013-04-15
CA2805436A1 (en) 2012-01-26
WO2012012421A3 (en) 2012-05-18
US10846666B2 (en) 2020-11-24
CA2805436C (en) 2017-01-03
US20120016797A1 (en) 2012-01-19
US11687894B2 (en) 2023-06-27
US10275747B2 (en) 2019-04-30
EP2596466B1 (en) 2018-12-26

Legal Events

Date Code Title Description
AS Assignment

Owner name: EFT SOURCE, INC., TENNESSEE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SMITH, BOBBY;WHITE, JAMES;REEL/FRAME:030684/0073

Effective date: 20130618

AS Assignment

Owner name: THE BANK OF NOVA SCOTIA, CANADA

Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:EFT SOURCE, INC.;REEL/FRAME:033695/0158

Effective date: 20140902

AS Assignment

Owner name: EFT SOURCE, INC., COLORADO

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:THE BANK OF NOVA SCOTIA, AS AGENT;REEL/FRAME:036342/0348

Effective date: 20150817

AS Assignment

Owner name: THE BANK OF NOVA SCOTIA, CANADA

Free format text: PATENT SECURITY AGREEMENT;ASSIGNOR:EFT SOURCE INC.;REEL/FRAME:036401/0130

Effective date: 20150817

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: CPI CARD GROUP - MINNESOTA, INC., MINNESOTA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GLAS AMERICAS LLC, AS SUCCESSOR TO THE BANK OF NOVA SCOTIA;REEL/FRAME:056750/0435

Effective date: 20210315

Owner name: CPI CARD GROUP - COLORADO, INC., COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GLAS AMERICAS LLC, AS SUCCESSOR TO THE BANK OF NOVA SCOTIA;REEL/FRAME:056750/0435

Effective date: 20210315

Owner name: CPI CARD GROUP - TENNESSEE, INC., TENNESSEE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GLAS AMERICAS LLC, AS SUCCESSOR TO THE BANK OF NOVA SCOTIA;REEL/FRAME:056750/0435

Effective date: 20210315