US20200279263A1 - System and method for processing a payment transaction based on point-of-sale device and user device locations - Google Patents

System and method for processing a payment transaction based on point-of-sale device and user device locations Download PDF

Info

Publication number
US20200279263A1
US20200279263A1 US16/878,353 US202016878353A US2020279263A1 US 20200279263 A1 US20200279263 A1 US 20200279263A1 US 202016878353 A US202016878353 A US 202016878353A US 2020279263 A1 US2020279263 A1 US 2020279263A1
Authority
US
United States
Prior art keywords
context
payment
action
user device
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US16/878,353
Inventor
Kevin Patrick Mahaffey
Brian James Buck
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LookOut Inc
Original Assignee
LookOut Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US13/829,132 external-priority patent/US9852416B2/en
Application filed by LookOut Inc filed Critical LookOut Inc
Priority to US16/878,353 priority Critical patent/US20200279263A1/en
Publication of US20200279263A1 publication Critical patent/US20200279263A1/en
Assigned to ALTER DOMUS (US) LLC reassignment ALTER DOMUS (US) LLC SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Lookout, Inc.
Assigned to Lookout, Inc. reassignment Lookout, Inc. RELEASE OF PATENT SECURITY INTEREST AT REEL 59909 AND FRAME 0764 Assignors: ALTER DOMUS (US) LLC, AS ADMINISTRATIVE AGENT
Assigned to Lookout, Inc. reassignment Lookout, Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MAHAFFEY, KEVIN PATRICK, BUCK, BRIAN JAMES
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • G06Q20/202Interconnection or interaction of plural electronic cash registers [ECR] or to host computer, e.g. network details, transfer of information from host to ECR or from ECR to ECR
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3224Transactions dependent on location of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3278RFID or NFC payments by means of M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4015Transaction verification using location information
    • H04W12/00503
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent
    • H04W12/64Location-dependent; Proximity-dependent using geofenced areas
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/021Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences

Definitions

  • the present invention relates to the field of information technology, including, more particularly, to systems and techniques for authorizing a payment transaction based on a location of an authenticating device.
  • Mobile electronic communication devices have evolved beyond simple telephone functionality and are now highly complex multifunctional devices with capabilities rivaling those of desktop or laptop computers.
  • many mobile communication devices are capable of text messaging, e-mail communications, internet access, and the ability to run full-featured application software.
  • Mobile communication devices can use these capabilities to perform online transactions such as banking, stock trading, payments, and other financial activities.
  • mobile communication devices used by an individual, a business, or a government agency often store confidential or private information in forms such as electronic documents, text messages, access codes, passwords, account numbers, e-mail addresses, personal communications, phone numbers, and financial information.
  • POS point of sale
  • NFC NFC reader
  • the credentials can be transmitted to the POS module by tapping the configured mobile communication device on a sensor of the POS module, or by waving the device near the POS module's sensor.
  • the payment amount can be deducted from a pre-paid account or charged to a mobile or bank account directly.
  • FIG. 1 is a block diagram illustrating a system including an electronic device and a server coupled to a network according to an embodiment
  • FIG. 2 is a block diagram illustrating of a specific implementation of a system of the invention according to an embodiment
  • FIG. 3 is an operational flow diagram illustrating a high level overview of a method of the invention according to an embodiment
  • FIG. 4 is a block diagram illustrating an alternative implementation of a system of the invention according to an embodiment
  • FIG. 5 is an operational flow diagram illustrating a high level overview of a method of the invention according to another embodiment.
  • FIG. 6 is an operational flow diagram illustrating a high level overview of a method of the invention according to an embodiment.
  • the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code, or a computer network wherein computer readable instructions or computer program code are sent over optical or electronic communication links.
  • Applications, software programs or computer readable instructions may be referred to as components or modules.
  • Applications may take the form of software executing on a general purpose computer or be hardwired or hard coded in hardware.
  • Applications may also be downloaded in whole or in part through the use of a software development kit, framework, or toolkit that enables the creation and implementation of the present invention.
  • these implementations, or any other form that the invention may take may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.
  • an authorizing client device is associated with a user and is typically located on or near the user.
  • the location of the authorizing client device is indicative of the user's location. Based on this assumption, when a mobile payment transaction of the user is initiated on a POS module, the location of the user's authorizing client device can be used to determine whether the payment transaction is legitimate, e.g., being initiated by the user, or fraudulent, e.g., being initiated by a person other than the user.
  • a system for authorizing a mobile payment transaction includes an anti-fraud service coupled to the payment processing system that interfaces with the POS module.
  • the anti-fraud service can receive a request to authorize the payment transaction.
  • the request can include payment information of the payment transaction and information identifying the POS module, which can include or be used to identify the POS's location.
  • the anti-fraud service can identify an authorizing client device based on the payment information and then can determine location information of the authorizing client device. Once the location information of the authorizing client device and of the POS module are determined, the anti-fraud service can compare the location information to determine a disposition of the request to authorize the payment transaction.
  • the authorizing client device can be a dedicated device.
  • the authorizing client device can be a personal electronic device associated with the user, e.g., a smart phone, a car fob, or any other personal item typically carried by the user.
  • mobile communication device refers to mobile phones, tablets, PDAs and smartphones.
  • mobile communications device also refers to a class of laptop computers which run an operating system that is also used on mobile phones, tablets, PDAs, or smartphones. Such laptop computers are often designed to operate with a continuous connection to a cellular network or to the internet via a wireless link.
  • mobile communication devices include devices for which wireless communication services such as voice, messaging, data, or other wireless Internet capabilities are a primary function.
  • a “mobile communication device” may also be referred to as an “electronic device,” an “electronic client device,” “mobile device,” “mobile client,” or “handset.”
  • an “electronic device” an “electronic client device”
  • mobile device mobile device
  • mobile client mobile client
  • handset a person having skill in the art will appreciate that while the present invention is disclosed herein as being used on mobile communication devices, the present invention may also be used on other computing platforms, including desktop, laptop, notebook, netbook, or server computers.
  • FIG. 1 is a simplified block diagram of a computer network 100 that includes a mobile communication device 101 , a server system 111 , a POS module 112 and other electronic client devices 140 a - 140 c , coupled to a communication network 121 via a plurality of communication links 130 .
  • Communication network 121 may be comprised of many interconnected computer systems and communication links.
  • Communication links 130 may be hardwire links, optical links, satellite or other wireless communications links, wave propagation links, or any other mechanisms for communication of information.
  • communication protocols may be used to facilitate communication between the various devices shown in FIG. 1 .
  • These communication protocols may include TCP/IP, HTTP protocols, wireless application protocol (WAP), vendor-specific protocols, customized protocols, Internet telephony, IP telephony, digital voice, voice over broadband (VoBB), broadband telephony, Voice over IP (VoIP), public switched telephone network (PSTN), and others.
  • communication network 112 can be the Internet, in other embodiments, communication network 112 may be any suitable communication network including a local area network (LAN), a wide area network (WAN), a wireless network, a intranet, a private network, a public network, a switched network, and combinations of these, and the like.
  • the mobile device 101 includes: an operating system 113 , an input device 115 , a radio frequency transceiver(s) 116 , a visual display 125 , and a battery or power supply 119 . Each of these components is coupled to a central processing unit (CPU) 103 .
  • the device operating system 113 runs on the CPU 103 and enables interaction between application programs and the mobile device hardware components.
  • the mobile device 101 receives data through an RF transceiver(s) 116 which may be able to communicate via various networks, for example: BLUETOOTH, local area networks such as WI-FI, and cellular networks such as GSM, CDMA or LTE.
  • a local software component 175 is an application program that is downloaded to a mobile device and installed so that it integrates with the operating system 113 .
  • Much of the source code for the local software component 175 can be re-used between various mobile device platforms by using a cross-platform software architecture.
  • the majority of software functionality can be implemented in a cross-platform core module.
  • the cross-platform core can be universal allowing it to interface with various mobile device operating systems by using a platform-specific module and a platform abstraction module that both interact with the mobile device operating system 113 , which is described in U.S. Pat. No. 8,099,472, entitled “SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARE SYSTEM.”
  • the local software component 175 can be device, platform or operating system specific.
  • the mobile device 101 may operate in a networked environment using logical connections 130 to one or more remote nodes 111 , 112 , 140 a - 140 c via a communication interface.
  • the remote node may be another computer 140 a , a server 111 , an NFC reader/POS module 112 , a client device 140 b - 140 c or other common network node, and typically includes many or all of the elements described above relative to the mobile device 101 .
  • the communication interface may interface with a wireless network and/or a wired network.
  • wireless networks include, for example, a BLUETOOTH network, a wireless personal area network, a wireless 802.11 local area network (LAN), a near field communication (NFC), and/or wireless telephony network (e.g., a cellular, PCS, or GSM network).
  • wired networks include, for example, a LAN, a fiber optic network, a wired personal area network, a telephony network, and/or a wide area network (WAN).
  • WAN wide area network
  • the arrangement of mobile communication device 101 illustrated in FIG. 1 is but one possible implementation and that other arrangements are possible.
  • the various system components (and means) defined by the claims, described below, and illustrated in the various block diagrams represent logical components that are configured to perform the functionality described herein.
  • one or more of these system components (and means) can be realized, in whole or in part, by at least some of the components illustrated in the arrangement of mobile device 101 .
  • at least one of these components are implemented at least partially as an electronic hardware component, and therefore constitutes a machine, the other components may be implemented in software, hardware, or a combination of software and hardware.
  • At least one component defined by the claims is implemented at least partially as an electronic hardware component, such as an instruction execution machine (e.g., a processor-based or processor-containing machine) and/or as specialized circuits or circuitry (e.g., discrete logic gates interconnected to perform a specialized function), such as those illustrated in FIG. 1 .
  • Other components may be implemented in software, hardware, or a combination of software and hardware. Moreover, some or all of these other components may be combined, some may be omitted altogether, and additional components can be added while still achieving the functionality described herein.
  • the subject matter described herein can be embodied in many different variations, and all such variations are contemplated to be within the scope of what is claimed.
  • FIG. 2 is a block diagram illustrating a system for authorizing a mobile payment transaction according to an embodiment.
  • the system 200 includes a payment facilitating device 210 , a POS module 220 , and a payment processing server 230 communicatively coupled to one another over one or more communication networks 201 .
  • the payment facilitating device 210 can be the client device used to initiate a payment transaction via the POS module 220 and can be a mobile communication device 101 , or any one of the other electronic client systems 140 a - 140 c .
  • the payment facilitating device 210 can include a display screen 216 and an operating system (not shown) that supports various device features and/or applications, such as a mobile payment application 212 .
  • the device 210 can be a portable electronic device that can be easily carried in a customer's pocket, wallet, purse or other personal item.
  • the device 210 can be a dedicated stand-alone device such as a card or a key chain.
  • it can be integrated with another portable electronic client device associated with the customer 206 , e.g., the customer's smart phone, car fob, or any other personal item typically carried by the customer.
  • the POS module 220 can be an in-store NFC reader and/or a BLUETOOTH enabled device that is configured to receive the user's payment credentials 202 for the payment transaction from the payment facilitating device 210 .
  • the payment facilitating device 210 when the payment facilitating device 210 is positioned near a sensor (not shown) in the POS module 220 or is physically tapped against the sensor, the customer's payment credentials 202 can be transmitted to the POS module 220 .
  • the POS module 220 collects payment information 222 for the payment transaction that can include the customer's payment credentials 202 and information identifying the customer 206 . The payment information 222 can then be transmitted from the POS module 220 to the payment processing server 230 in a request to process the payment 203 .
  • the payment processing server 230 hosts a payment processing service 240 that stores user information 242 that can include information identifying the user 207 , a user's credit/debit card information and/or banking information so that mobile payment transactions can be processed for the user's purchases.
  • the payment processing service 240 can receive the request to process the payment transaction 203 and can use the included payment credentials 202 of the customer 206 /user 207 to retrieve the user information 242 associated with the user 207 . The amount of the payment transaction can then be deducted from or charged to the user's banking/credit account.
  • the payment processing service 240 can generate a response 203 a to the request to process that indicates that the payment transaction was successfully processed and can transmit the response 203 a to the POS module 220 .
  • the POS module 220 can provide a receipt to the customer 206 or provide some other indication that the payment transaction has been successfully completed, e.g., by providing a message on a display 226 .
  • the customer 206 and the user 207 are the same entity and presumably, the submitted payment credentials 202 are associated with the customer 206 /user 207 . Nonetheless, such an assumption may be erroneous if the payment credentials 202 have been stolen by the customer 206 and embedded into the mobile payment application 212 of the facilitating device 210 . In this case, the customer 206 can effectively impersonate the user 207 and use the user's payment credentials 202 to improperly procure items and/or services, which will be charged to the user 207 .
  • the authorizing client device can be a device that is typically on or near the user 207 so that a location of the authorizing client device is indicative of a location of the user 207 .
  • the authorizing client device's location is at or near a location of the POS module 220 , it is highly likely that the customer 206 and the user 207 are the same entity and that the payment transaction is legitimate.
  • FIG. 3 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to an embodiment.
  • the method illustrated in FIG. 3 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 2 , but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 2 .
  • the method 300 begins, in block 302 , when a request to authorize a payment transaction that originates from a POS module is received.
  • a system for authorizing a mobile payment transaction includes an anti-fraud service 250 configured for receiving the request to authorize the payment transaction 204 .
  • the anti-fraud service 250 can receive the request 204 from the payment processing service 240 when it receives the request to process the payment transaction 203 from the POS module 220 .
  • the anti-fraud service 250 can be hosted by the payment processing server 230 as is shown in FIG. 2 .
  • the anti-fraud service 450 can reside in another server 432 communicatively coupled to the payment processing server 430 and/or to the POS module 420 over the network 401 .
  • the anti-fraud service 450 can receive the request 404 over the network 401 from the POS module 420 when the POS module 420 receives the payment credentials 402 from the facilitating mobile device 410 .
  • the payment processing service 240 , 440 and/or the anti-fraud service 250 , 450 can be integrated in a common device with the POS module 220 , 420 .
  • the anti-fraud service 250 , 450 can receive the request to authorize 204 , 404 via an internal link from either the payment processing service 240 , 440 or the POS module 220 , 420 .
  • the request to authorize the payment transaction 204 , 404 can include the payment information 222 , 422 of the payment transaction and information identifying the POS module 224 , 424 .
  • the payment information 222 can include the payment credentials, e.g., 202 , and information identifying the user 207 with which the payment credentials are associated.
  • the information identifying the POS e.g., 424
  • the POS identifying information, e.g., 224 can include an identifier that can be correlated to a location of the POS module 220 .
  • This correlation can be included in a table that associates POS identifiers with locations for a plurality of POS modules, and the table can be stored in a database (not shown) on the payment processing server 230 or elsewhere on another server accessible via the network 201 .
  • an authorizing client device for the payment transaction is identified based on the payment information 222 , 422 in block 304 .
  • the authorizing client device e.g., 210 a
  • the authorizing client device 210 a is a personal mobile device associated with a user 207 that includes a mobile payment application 212 a , and an anti-fraud client application 214 which allows the anti-fraud service 250 to communicate with the authorizing client device 210 a over the network 201 .
  • the authorizing client device 210 a can be a smartphone, a tablet computer, or any network enabled handheld personal device.
  • a user 207 can designate one or more of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions.
  • the user 207 can provide information relating to the client device 210 a that enables the anti-fraud service 250 to communicate with the client device 210 a .
  • the authorizing client device 210 a is the user's mobile phone, the phone number associated with the phone can be provided.
  • the authorizing client device 210 a can be a dedicated client device that is provided to the user 207 upon registering with a service provider associated with the anti-fraud service.
  • the anti-fraud service component 250 , 450 can store the information relating to the user's authorizing client device(s) 252 , 452 in a storage component coupled to the server 230 , 432 and accessed by the anti-fraud service component 250 , 450 .
  • the anti-fraud service 250 , 450 can be configured to extract the payment credentials 202 , 402 of the user 207 from the payment information 222 , 422 , in order to identify the user 207 .
  • the anti-fraud service 250 , 450 can be configured, in an embodiment, to identify the user's authorizing client device 210 a by retrieving the information 252 , 452 relating to the user's authorizing client device(s).
  • the anti-fraud service 250 is configured to determine location information of the authorizing client device 210 a in block 306 .
  • the information 252 relating to the user's authorizing client device 210 a includes information that enables the anti-fraud service 250 to communicate with the client device 210 a .
  • the anti-fraud service e.g., 250
  • the authorizing client device 210 a is a phone connected to a cellular network
  • the request message 205 can be transmitted over the cellular network 201 .
  • the anti-fraud service 250 can transmit the request for location information 205 ′ to the authorizing client device 210 a indirectly via the POS module 220 .
  • the POS module 220 when the POS module 220 receives the request 205 ′, it can be configured to forward the request 205 ′ to the authorizing client device 210 a over the network 201 , which in this embodiment, can be a wireless short range personal area network (“WPAN”), such as a BLUETOOTH network or a NFC network.
  • WPAN wireless short range personal area network
  • the anti-fraud client application 214 in the client device 210 a can provide its location information in several ways.
  • the client device 210 a is equipped with a Global Positioning System (“GPS”) tracking unit
  • the device's location information can be provided as geo-coordinates associated with its location.
  • the client device 210 a is connected to a cellular network that includes a plurality of cell towers
  • the device's location information can also be provided as the location of a cell tower nearest to the authorizing client device 210 a .
  • the nearest cell tower can be the destination tower that transmits the request message 205 directly to the authorizing client device 210 a .
  • the location information can be related to a wireless access point of the wireless network or related to a LAN.
  • the anti-fraud client application 214 in the client device 210 a can be configured to generate a response 205 a to the request for location 205 and to include the device's location information in the response 205 a .
  • the response 205 a can then be returned to and received by the anti-fraud service 250 over the network 201 .
  • the anti-fraud service 250 can receive the response 205 a directly from the client device 210 a over the network 201 , while in another embodiment, the anti-fraud service 250 can receive the response 250 a ′ indirectly via the POS module 220 .
  • the response 205 a ′ may not be received by the POS module 220 when the authorizing client device 210 a is not located within the module's short range WPAN 201 . If, however, the client device 210 a is located within the short range WPAN 201 , the POS module 220 can be configured to receive and forward the response 205 ′ to the anti-fraud service 250 over the network 201 .
  • the anti-fraud service 250 can be configured to transmit the request for location 205 , 205 ′ to the authorizing client device 210 a over different network environments, e.g., a WAN and a WPAN.
  • the response 205 a , 250 a ′ from the authorizing client device 210 a can be received over the same network environment as the one used to transmit the request or over a different network environment from that used to transmit the request.
  • the anti-fraud service 250 can transmit the request 205 to the client device 210 a directly over a WAN, such as the Internet, and the response 205 a ′ can be received indirectly via the POS module 220 over a BLUETOOTH network and a WAN.
  • the anti-fraud service 250 , 450 can be configured to compare the location information of the authorizing client device 210 a , 410 to the location information of the POS module 220 , 420 to determine a disposition of the request to authorize the payment transaction in block 308 .
  • the disposition of the request i.e., whether the request 204 , 404 is granted, denied, or pending, can be determined based on whether and to what degree the location of the authorizing client device 210 a , 410 is different from the location of the POS module 220 , 420 .
  • the authorizing client device 210 a is not the payment facilitating client device 210 , there is a likelihood that the authorizing client device 210 a will be in a different location from the POS module 220 , and that therefore the location information of the client device 210 a will be different from that of the POS module 220 .
  • the authorizing client device 410 is the payment facilitating device, it is likely that the location information of the authorizing client device 410 is substantially the same as the location information of the POS module 420 .
  • the anti-fraud service 250 , 450 can be configured to deny the request to authorize the payment transaction in an embodiment.
  • the anti-fraud service 250 , 450 can be configured to deny the request to authorize the payment transaction when a distance between the first geo-location and the second geo-location exceeds a threshold distance.
  • the threshold distance can be provided by the user 207 , 407 and/or by an administrator, and can vary according to contextual circumstances. For example, a threshold distance for a POS module 220 located in a highly restricted area can be shorter/smaller than the threshold distance for a POS module 420 in a public store because the adverse consequences of allowing an unauthorized transaction in the highly restricted area can be more severe than those in the public store.
  • the disposition of the request to authorize 204 , 404 can also depend on other circumstances unrelated to proximity.
  • a plurality of payment rules 454 can be provided that define under what circumstances the request to authorize 404 should be granted or denied based on factors in addition to the authorizing client device's proximity to the POS module 420 .
  • a payment rule 454 can be based on the location of the POS module 420 and can define whether the request to authorize 404 should be granted, denied, or conditionally granted when the POS module's location is within a specified region or location.
  • such a location-based payment rule 454 can indicate that a request to authorize 404 should be denied when the POS module 420 is located in a specified location associated with a particular fast food restaurant.
  • the request to authorize 404 will be denied when the POS module's location is in the fast food restaurant.
  • a payment rule 454 can be based on a temporal attribute of the payment transaction that defines the disposition of the request to authorize 404 according to when the request to authorize 404 is received. For example, such a time-based payment rule 454 can indicate that a request to authorize 404 should be granted during specified hours, specified days of the week, specified months, or during a specified time interval. In an embodiment, because the payment rules 454 are based on different factors, they can be enforced independently and simultaneously. Thus, the time-based payment rule 454 can be enforced along with the location-based payment rule 454 .
  • a payment rule 454 can be based on a type of item and/or service associated with the payment transaction. For example, this type of payment rule 454 can provide a white or black list of items and services that are allowed or disallowed or disallowed unless additional authentication information is provided respectively. Similar to the other payment rules 454 described above, the item/service-based payment rules 454 can be enforced independently and simultaneously.
  • payment rules 454 can be based on a payment amount associated with the payment transaction.
  • transaction amount-based payment rules 454 can define the disposition of the request to authorize 404 according to the cost of any individually charge item and/or the total cost associated with the payment transaction.
  • the cost-based payment rules 454 can indicate that a request to authorize 404 should be denied outright or conditionally denied unless additional authentication is provided when a cost of an individual item exceeds a threshold value, and/or when the total cost of the transaction exceeds another threshold value.
  • the request to authorize 404 can be denied or conditionally denied when a frequency of payment transactions within a specified time period exceeds another threshold value.
  • the payment rules 454 for the authorizing client device 410 can be defined and provided by the user 407 associated with the client device 410 .
  • some payment rules 454 can be provided and stored during the registration phase along with the information relating to the authorizing client device 410 .
  • other payment rules 454 can be stored on the authorizing client device 410 and provided to the anti-fraud service component 450 when the payment transaction is initiated or pending.
  • the anti-fraud service component 450 can be configured to determine the disposition of the request to authorize the payment transaction 404 based on whether the authorizing client device 410 is located within a predetermined proximity to the POS module 420 and on whether at least one of the payment rules 454 is satisfied.
  • the anti-fraud service 250 , 450 can be configured to conditionally deny the request unless additional authentication information is provided by the customer 206 /user 407 .
  • the anti-fraud service 250 , 450 when it would otherwise deny the request, it can be configured instead to transmit an indication to the POS module 220 , 420 directing it to request additional authentication information from the customer 206 /user 407 .
  • the customer 206 can be requested to produce additional forms of identification or to submit a PIN or password to prove that she is the user 207 , 407 associated with the payment credentials 202 .
  • the anti-fraud service 250 , 450 can be configured to send a message relating to the requested payment transaction at the POS module 220 to the authorizing client device 210 a for display to the user 207 on the device's display 216 a .
  • the message can include a request to verify the requested payment transaction thereby allowing the user 207 to override the anti-fraud service's denial and to indicate that the payment transaction is legitimate. For example, when the customer 206 is an employee of the user 207 and is making a purchase on behalf of the user 207 , the user 207 can verify that the mobile payment transaction as an approved transaction.
  • the authorization can be included in a response to the request to verify, which can be transmitted to and received by the anti-fraud service 250 .
  • the anti-fraud service 250 can be configured to disregard the denial and to grant the request to authorize the payment transaction.
  • the anti-fraud service component 250 is configured to proactively determine the location information of the authorizing client device 210 a so that the location information of the authorizing client device can be compared to that of the POS module 220 .
  • the authorizing client device 410 can take a more proactive role in providing its information automatically, and the anti-fraud service component 450 can take a more passive role by listening for the information regarding the authorizing client device 410 .
  • FIG. 5 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to this embodiment. The method illustrated in FIG. 5 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 4 , but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 4 .
  • the method 500 begins, in block 502 , when the anti-fraud service component 450 receives the request to authorize a payment transaction 404 that originates from the POS module 420 .
  • the request to authorize 404 can be received from the POS module 420 when the POS module 420 receives the payment credentials 402 from the mobile device 410 .
  • it can be received from the payment processing service 440 when it receives the request to process the payment transaction 403 from the POS module 420 .
  • the request 404 can be received over at least one external network 401 .
  • the anti-fraud service 450 can receive the request to authorize 404 via an internal link from either the payment processing service 440 or the POS module 420 .
  • the anti-fraud service 450 can be configured to determine whether information regarding an authorizing client device for the payment transaction has been received in block 504 and to determine a disposition of the request when the information has been received in block 506 .
  • the anti-fraud client application 414 in the authorizing client device 410 can be configured to collect information regarding itself and to transmit that information 405 to the anti-fraud service component 450 periodically and/or spontaneously.
  • the anti-fraud client application 414 can be configured to transmit the information regarding itself 405 every five (5) minutes.
  • the anti-fraud client application 414 can be configured to transmit the information 405 when the payment application 412 is invoked and/or when the payment credentials 402 of the user 407 are presented to the POS module 420 .
  • the anti-fraud service component 450 can receive the information regarding the authorizing client device 405 periodically or when the client device 410 is used to facilitate a payment transaction.
  • the information regarding the authorizing client device 405 can include information identifying the client device and its location information.
  • the anti-fraud service component 450 can be configured to receive the information, to identify the authorizing client device 410 based on the received information, and to store the received information in the storage component along with the information relating to the user's authorizing client device(s) 452 .
  • the anti-fraud service component 450 can identify the authorizing client device 410 for the payment transaction and can determine that information regarding the identified authorizing client device 405 has been received. In an embodiment, the anti-fraud service component 450 can be configured to compare the location information of the authorizing client device 410 to the location information of the POS module 424 a . In an embodiment where the information 405 is received periodically, the client device's location information received immediately prior to receiving the request to authorize 404 can be compared to the POS module's location information 424 a . The anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction when the comparison indicates that the authorizing client device 410 is located within a predetermined distance of the POS module 420 .
  • the client device 410 automatically transmits the information 405 when the payment transaction is initiated or while the payment transaction is pending, the fact that the information regarding the authorizing client device 405 is not received by the anti-fraud service component 450 suggests that the payment transaction is fraudulent.
  • the anti-fraud service component 450 can be configured to deny the request to authorize the payment transaction.
  • the anti-fraud service component 250 can be configured to transmit a request 205 , 205 ′ for the client device information, e.g., the location information of the authorizing client device, to the client device 210 a directly over the network 201 or indirectly via the POS module 220 .
  • the anti-fraud client application 214 cannot transmit its response 205 a ′ to the anti-fraud service component 250 via the POS module 220 unless the client device 210 a located within the module's wireless short range network.
  • the anti-fraud service component 250 cannot transmit the request 205 ′ to the anti-fraud client application 214 indirectly via the POS module 220 unless the client device 210 a is located within the module's wireless short range network.
  • the anti-fraud service component 250 will receive the information 405 regarding the authorizing client device when the client device 210 a , 410 is located within the POS module's wireless short range network.
  • the anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction 404 .
  • the anti-fraud service component 450 can be configured to deny the request to authorize the payment transaction 404 .
  • the anti-fraud service component 250 , 450 can be configured to transmit the location information of the POS module 424 a to the authorizing client device 410 , and to request that the authorizing client device 410 confirm or deny that a current location of the authorizing client device substantially matches the POS module's location information 424 a .
  • the anti-fraud client application 414 in the client device 410 can be configured to receive the location information of the POS module 424 a and the request, and to compare its own location information to that of the POS module 420 .
  • the anti-fraud client application 414 can generate a decision either confirming or denying that its current location information substantially matches the POS module's location information 424 a .
  • the anti-fraud client application 414 can then include the decision in a reply message and can transmit the reply message to the anti-fraud service component 450 .
  • the anti-fraud service component 450 can be configured to determine the disposition of the request to authorize the payment transaction 404 based on the authorizing client device's decision confirming or denying that the current location information of the authorizing client device substantially matches the POS module's location information 424 a .
  • the anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction 404 .
  • the anti-fraud service 250 , 450 can be configured to generate a response 204 a , 404 a to the request to authorize 204 , 404 that includes the disposition of the request and to transmit the response to 204 a , 404 a to the payment processing service 240 , 340 and/or the POS module 220 , 420 .
  • the payment processing service 240 can either proceed with or stop processing the payment transaction.
  • the POS module 420 can transmit the request 203 to process the payment transaction or deny the transaction depending on the disposition.
  • a system for authorizing a mobile payment transaction that originates from a POS module includes an anti-fraud service component coupled to the POS module and/or to a payment processing service associated with the POS module.
  • the anti-fraud service component can identify and determine a location a client device typically carried by the user. Because the user typically carries the client device on his or her person, the device's location is indicative of the user's location.
  • the payment transaction can be authorized based on the assumption that the authorized user is carrying the client device and is also located at or near the POS module.
  • the location of the client device is not at or near the POS module, the authorized user is presumptively not at or near the POS module. In this case, the payment transaction can be denied outright or denied pending the presentation of additional authentication information from the customer.
  • the user may designate more than one of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions.
  • the personal network enabled client devices can be in different locations, but typically only those devices that are actively in use will be considered in the same location as the user. That is, it would be unusual for one of the personal network enabled client devices to be actively in use at one location while one or more of the user's other personal network enabled client devices are actively in use at a different location.
  • the anti-fraud service component may obtain current locations for a plurality of authorizing client devices, together with information indicating whether the devices are actively in use. If one of the authorizing client devices is at the location of the POS module, and the other authorizing client devices are not, but they are not currently active, then the transaction can be permitted. Alternatively, if one or more of the authorizing client devices are not at the location of the POS module and are actively in use, even if one of them is at the location of the POS module, the legitimacy of the transaction can be questionable. In this embodiment, under such a situation, the anti-fraud service component can deny the request to authorize the transaction, and/or request additional authentication or authorization information from the user via one or more of the authorizing client devices.
  • device information 452 for use with one or more payment rules 454 may contain information regarding contextual factors.
  • the contextual factors may include the information previously discussed regarding payment rules 454 , such as location information, distance information, time information, transaction item, and transaction amount.
  • Additional contextual factors may include, for example, one or more of the current security state of the payment facilitating device (e.g., trusted, untrusted, or unknown), the security state of the authorizing client device, the security state of the one or more network connections 401 from the payment application 412 providing payment credentials 402 to POS module 420 , said security state being trusted or untrusted (e.g., based on detection of a Man in the Middle in the connection).
  • a decision to grant a request to proceed with the processing of the payment transaction may be based on such contextual information and whether the contextual information conforms to one or more payment rules 454 .
  • the request could be granted based on one or more rules related to contextual factors being met, such as: the distance between the authorizing client device and the POS device does not exceed a threshold distance; the security state of the device is “trusted;” and the security state of the network is “trusted.”
  • the request could be denied when one or more rules related to contextual factors are not met, such as: the distance between the authorizing client device and the POS device exceeds a threshold distance; the security state of the device is not “trusted;” and the security state of the network is not “trusted.”
  • various combinations of rules related to contextual factors may result in different outcomes regarding whether the request is granted.
  • the request may be denied when the security state of the device is “untrusted.”
  • Methods for determining whether to grant a request to process a payment transaction based on contextual factors and payment rules are further illustrated with regard to FIG. 6 .
  • FIG. 6 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to an embodiment.
  • the method illustrated in FIG. 6 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 2 , but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 2 .
  • the method 600 begins, in block 602 , when a request to authorize a payment transaction that originates from a POS module is received.
  • a system for authorizing a mobile payment transaction includes an anti-fraud service 250 configured for receiving the request to authorize the payment transaction 204 .
  • the anti-fraud service 250 can receive the request 204 from the payment processing service 240 when it receives the request to process the payment transaction 203 from the POS module 220 .
  • the anti-fraud service 250 can be hosted by the payment processing server 230 as is shown in FIG. 2 .
  • the anti-fraud service 450 can reside in another server 432 communicatively coupled to the payment processing server 430 and/or to the POS module 420 over the network 401 .
  • the anti-fraud service 450 can receive the request 404 over the network 401 from the POS module 420 when the POS module 420 receives the payment credentials 402 from the facilitating mobile device 410 .
  • the payment processing service 240 , 440 and/or the anti-fraud service 250 , 450 can be integrated in a common device with the POS module 220 , 420 .
  • the anti-fraud service 250 , 450 can receive the request to authorize 204 , 404 via an internal link from either the payment processing service 240 , 440 or the POS module 220 , 420 .
  • the request to authorize the payment transaction 204 , 404 can include the payment information 222 , 422 of the payment transaction and information identifying the POS module 224 , 424 .
  • the payment information 222 can include the payment credentials, e.g., 202 , and information identifying the user 207 with which the payment credentials are associated.
  • the information identifying the POS e.g., 424
  • the POS identifying information, e.g., 224 can include an identifier that can be correlated to a location of the POS module 220 .
  • This correlation can be included in a table that associates POS identifiers with locations for a plurality of POS modules, and the table can be stored in a database (not shown) on the payment processing server 230 or elsewhere on another server accessible via the network 201 .
  • an authorizing client device for the payment transaction is identified based on the payment information 222 , 422 .
  • the authorizing client device e.g., 210 a
  • the authorizing client device is a personal mobile device associated with a user 207 that includes a mobile payment application 212 a , and an anti-fraud client application 214 which allows the anti-fraud service 250 to communicate with the authorizing client device 210 a over the network 201 .
  • the authorizing client device 210 a can be a smartphone, a tablet computer, or any network enabled handheld personal device.
  • a user 207 can designate one or more of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions.
  • the user 207 can provide information relating to the client device 210 a that enables the anti-fraud service 250 to communicate with the client device 210 a .
  • the authorizing client device 210 a is the user's mobile phone, the phone number associated with the phone can be provided.
  • the authorizing client device 210 a can be a dedicated client device that is provided to the user 207 upon registering with a service provider associated with the anti-fraud service.
  • the anti-fraud service component 250 , 450 can store the information relating to the user's authorizing client device(s) 252 , 452 in a storage component coupled to the server 230 , 432 and accessed by the anti-fraud service component 250 , 450 .
  • the anti-fraud service 250 , 450 can be configured to extract the payment credentials 202 , 402 of the user 207 from the payment information 222 , 422 , in order to identify the user 207 .
  • the anti-fraud service 250 , 450 can be configured, in an embodiment, to identify the user's authorizing client device 210 a by retrieving the information 252 , 452 relating to the user's authorizing client device(s).
  • the anti-fraud service 250 determines context information associated with the request.
  • Contextual information associated with the request may include contextual information associated with the authorizing client device, the payment facilitating device, and the POS module.
  • the determined context information may include and of: the location information of the authorizing client device 210 a , location information of the payment facilitating device, distance information, time information, transaction item, transaction amount, the security state of the payment facilitating device, the security state of the authorizing client device, and the security state of the one or more network connections 401 from the payment application 412 providing payment credentials 402 to POS module 420 .
  • the information 252 relating to the user's authorizing client device 210 a includes information that enables the anti-fraud service 250 to communicate with the client device 210 a . Therefore, according to an embodiment, the anti-fraud service, e.g., 250 , can use the information 252 to generate and transmit a request for contextual information to the authorizing client device 210 a over the network 201 , which in an embodiment, can be a Wi-Fi network, a LAN, a PAN, a WAN, a BLUETOOTH network, or a near field communication (NFC) depending on the circumstances. In another embodiment when the authorizing client device 210 a is a phone connected to a cellular network, the request message 205 can be transmitted over the cellular network 201 .
  • the authorizing client device 210 a is a phone connected to a cellular network
  • the request message 205 can be transmitted over the cellular network 201 .
  • the anti-fraud service 250 can transmit the request for contextual information to the authorizing client device 210 a indirectly via the POS module 220 .
  • the POS module 220 when the POS module 220 receives the request 205 ′, it can be configured to forward the request 205 ′ to the authorizing client device 210 a over the network 201 , which in this embodiment, can be a wireless short range personal area network (“WPAN”), such as a BLUETOOTH network or a NFC network.
  • WPAN wireless short range personal area network
  • the anti-fraud client application 214 in the client device 210 a can provide its contextual information in several ways.
  • the client device 210 a is equipped with a Global Positioning System (“GPS”) tracking unit
  • the device's contextual information in this case location information, can be provided as geo-coordinates associated with its location.
  • the client device 210 a is connected to a cellular network that includes a plurality of cell towers
  • the device's contextual information can also be provided as the location of a cell tower nearest to the authorizing client device 210 a .
  • the nearest cell tower can be the destination tower that transmits the request message 205 directly to the authorizing client device 210 a .
  • the contextual information can be related to a wireless access point of the wireless network or related to a LAN.
  • the anti-fraud client application 214 in the client device 210 a can be configured to generate a response 205 a to the request for contextual information and to include the device's contextual information in the response 205 a .
  • the response 205 a can then be returned to and received by the anti-fraud service 250 over the network 201 .
  • the anti-fraud service 250 can receive the response 205 a directly from the client device 210 a over the network 201 , while in another embodiment, the anti-fraud service 250 can receive the response 250 a ′ indirectly via the POS module 220 .
  • the response 205 a ′ may not be received by the POS module 220 when the authorizing client device 210 a is not located within the module's short range WPAN 201 . If, however, the client device 210 a is located within the short range WPAN 201 , the POS module 220 can be configured to receive and forward the response 205 ′ to the anti-fraud service 250 over the network 201 .
  • the anti-fraud service 250 can be configured to transmit the request for contextual information to the authorizing client device 210 a over different network environments, e.g., a WAN and a WPAN.
  • the response 205 a , 250 a ′ from the authorizing client device 210 a can be received over the same network environment as the one used to transmit the request or over a different network environment from that used to transmit the request.
  • the anti-fraud service 250 can transmit the request to the client device 210 a directly over a WAN, such as the Internet, and the response 205 a ′ can be received indirectly via the POS module 220 over a BLUETOOTH network and a WAN.
  • the anti-fraud service 250 , 450 can be configured to compare the contextual information to one or more applicable payment rules 454 to determine a disposition of the request to authorize the payment transaction.
  • the disposition of the request i.e., whether the request 204 , 404 is granted, denied, or pending, can be determined based on whether and to what degree the determined contextual information satisfies one or more applicable payment rules 454 .
  • the one or more applicable payment rules 454 may vary, e.g., based on the user of the authorized client device.
  • payment rules 454 are determined to be applicable based on those rules being associated with, e.g., a particular user, or a particular authorizing client device.
  • the association between the payment rules and the user or client device may be created by, e.g., the user or administrator of the authorizing client device.
  • requests for context information associated with block 606 may be fashioned based on what contextual information must be satisfied by the applicable payment rules 454 in order for the payment request to be granted, or denied.
  • any of the above embodiments may be used alone or together with one another in any combination.
  • the one or more implementations encompassed within this specification may also include embodiments that are only partially mentioned or alluded to or are not mentioned or alluded to at all.
  • the embodiments do not necessarily address any of these deficiencies.
  • different embodiments may address different deficiencies that may be discussed in the specification.
  • Some embodiments may only partially address some deficiencies or just one deficiency that may be discussed in the specification, and some embodiments may not address any of these deficiencies.

Abstract

A method for processing a payment transaction is provided that is based on device locations. The method includes a processor receiving a request to authorize an action from a point of sale (POS) device with the request including context representing a first location associated with the action and context representing information about an account associated with the action. In response to receiving additional context including a location associated with a user device from the user device, the processor compares the context representing the first location and the additional context to determine whether to authorize the action.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • The present application is a continuation of U.S. patent application Ser. No. 15/805,889, entitled “SYSTEM AND METHOD FOR AUTHORIZING A PAYMENT TRANSACTION BASED ON DEVICE LOCATIONS,” filed on Nov. 7, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 13/829,132, entitled “SYSTEM AND METHOD FOR AUTHORIZING A PAYMENT TRANSACTION, filed on Mar. 14, 2013, now U.S. Pat. No. 9,852,416, each of which is incorporated by reference in its entirety. This application is related to: U.S. application Ser. No. 15/687,395, entitled “METHODS AND SYSTEMS FOR BLOCKING THE INSTALLATION OF AN APPLICATION TO IMPROVE THE FUNCTIONING OF A MOBILE COMMUNICATIONS DEVICE,” filed on Aug. 25, 2017; U.S. application Ser. No. 15/608,556, entitled “METHODS AND SYSTEMS FOR DETECTING AND PREVENTING NETWORK CONNECTION COMPROMISE,” filed on May 30, 2017; U.S. application Ser. No. 14/634,115, entitled “ASSESSING A SECURITY STATE OF A MOBILE COMMUNICATIONS DEVICE TO DETERMINE ACCESS TO SPECIFIC TASKS,” filed on Feb. 27, 2015; and U.S. application Ser. No. 14/071,366, entitled “METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS,” filed on Nov. 4, 2013, each of which is incorporated by reference in its entirety.
    • TECHNICAL FIELD
  • The present invention relates to the field of information technology, including, more particularly, to systems and techniques for authorizing a payment transaction based on a location of an authenticating device.
    • BACKGROUND OF THE INVENTION
  • Mobile electronic communication devices have evolved beyond simple telephone functionality and are now highly complex multifunctional devices with capabilities rivaling those of desktop or laptop computers. In addition to voice communications, many mobile communication devices are capable of text messaging, e-mail communications, internet access, and the ability to run full-featured application software. Mobile communication devices can use these capabilities to perform online transactions such as banking, stock trading, payments, and other financial activities. Furthermore, mobile communication devices used by an individual, a business, or a government agency often store confidential or private information in forms such as electronic documents, text messages, access codes, passwords, account numbers, e-mail addresses, personal communications, phone numbers, and financial information.
  • In addition to the functionality described above, mobile electronic communication devices are frequently being used to perform mobile payments, thereby eliminating the need, in some cases, for customers to carry coin/paper currency, checks or credit/debit cards. In a particular implementation, a merchant or a service provider is equipped with a point of sale (“POS”) module, e.g., an NFC reader, that is coupled to a payment processing system on a server or in a cloud computing environment. When a mobile communication device is configured for mobile payments, a user of the device can purchase items from the merchant by simply using the device to exchange a user's payment credentials from the device to the POS module. The credentials can be transmitted to the POS module by tapping the configured mobile communication device on a sensor of the POS module, or by waving the device near the POS module's sensor. The payment amount can be deducted from a pre-paid account or charged to a mobile or bank account directly.
  • As mobile payments using phone-based or electronic wallet-based payments mediated by the use of mobile devices become more widespread, it is more likely that there will be attempts to steal user payment credentials and to use them fraudulently. This could be done by malware on a user's communication device or personal computer, or by network eavesdropping on a user's network connections, for example. Accordingly, a merchant, a payment processor, and/or the user herself need to be sure that when mobile payment credentials are presented at a POS module, the person presenting them is actually the user associated with the payment credentials or is someone who has stolen the payment credentials to make unauthorized purchases.
    • DESCRIPTION OF THE FIGURES
  • In the following drawings like reference numbers are used to refer to like elements. Although the following figures depict various examples, the one or more implementations are not limited to the examples depicted in the figures.
  • FIG. 1 is a block diagram illustrating a system including an electronic device and a server coupled to a network according to an embodiment;
  • FIG. 2 is a block diagram illustrating of a specific implementation of a system of the invention according to an embodiment;
  • FIG. 3 is an operational flow diagram illustrating a high level overview of a method of the invention according to an embodiment;
  • FIG. 4 is a block diagram illustrating an alternative implementation of a system of the invention according to an embodiment;
  • FIG. 5 is an operational flow diagram illustrating a high level overview of a method of the invention according to another embodiment; and
  • FIG. 6 is an operational flow diagram illustrating a high level overview of a method of the invention according to an embodiment.
    •  DETAILED DESCRIPTION
  • It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code, or a computer network wherein computer readable instructions or computer program code are sent over optical or electronic communication links. Applications, software programs or computer readable instructions may be referred to as components or modules. Applications may take the form of software executing on a general purpose computer or be hardwired or hard coded in hardware. Applications may also be downloaded in whole or in part through the use of a software development kit, framework, or toolkit that enables the creation and implementation of the present invention. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.
  • According to an embodiment, an authorizing client device is associated with a user and is typically located on or near the user. Thus, the location of the authorizing client device is indicative of the user's location. Based on this assumption, when a mobile payment transaction of the user is initiated on a POS module, the location of the user's authorizing client device can be used to determine whether the payment transaction is legitimate, e.g., being initiated by the user, or fraudulent, e.g., being initiated by a person other than the user.
  • In an embodiment, a system for authorizing a mobile payment transaction includes an anti-fraud service coupled to the payment processing system that interfaces with the POS module. When a payment transaction is initiated at the POS module, the anti-fraud service can receive a request to authorize the payment transaction. The request can include payment information of the payment transaction and information identifying the POS module, which can include or be used to identify the POS's location. When the request is received, the anti-fraud service can identify an authorizing client device based on the payment information and then can determine location information of the authorizing client device. Once the location information of the authorizing client device and of the POS module are determined, the anti-fraud service can compare the location information to determine a disposition of the request to authorize the payment transaction.
  • According to an embodiment, when the location of the user's authorizing client device is at or near the POS module, the user associated with the presented payment information is presumably also at or near the POS module, and payment authorization can be granted. Otherwise, when the opposite is true, i.e., the authorizing client device's location is not in proximity to the POS module, the payment authorization can be denied or additional authentication information can be requested from the customer. In an embodiment, the authorizing client device can be a dedicated device. In another embodiment, the authorizing client device can be a personal electronic device associated with the user, e.g., a smart phone, a car fob, or any other personal item typically carried by the user.
  • As used herein, the term “mobile communication device” refers to mobile phones, tablets, PDAs and smartphones. The term “mobile communications device” also refers to a class of laptop computers which run an operating system that is also used on mobile phones, tablets, PDAs, or smartphones. Such laptop computers are often designed to operate with a continuous connection to a cellular network or to the internet via a wireless link. Specifically, mobile communication devices include devices for which wireless communication services such as voice, messaging, data, or other wireless Internet capabilities are a primary function. As used herein, a “mobile communication device” may also be referred to as an “electronic device,” an “electronic client device,” “mobile device,” “mobile client,” or “handset.” However, a person having skill in the art will appreciate that while the present invention is disclosed herein as being used on mobile communication devices, the present invention may also be used on other computing platforms, including desktop, laptop, notebook, netbook, or server computers.
  • Prior to describing the subject matter in detail, an exemplary network in which the subject matter may be implemented shall first be described. Those of ordinary skill in the art will appreciate that the elements illustrated in FIG. 1 may vary depending on the system implementation. FIG. 1 is a simplified block diagram of a computer network 100 that includes a mobile communication device 101, a server system 111, a POS module 112 and other electronic client devices 140 a-140 c, coupled to a communication network 121 via a plurality of communication links 130. Communication network 121 may be comprised of many interconnected computer systems and communication links. Communication links 130 may be hardwire links, optical links, satellite or other wireless communications links, wave propagation links, or any other mechanisms for communication of information. Various communication protocols may be used to facilitate communication between the various devices shown in FIG. 1. These communication protocols may include TCP/IP, HTTP protocols, wireless application protocol (WAP), vendor-specific protocols, customized protocols, Internet telephony, IP telephony, digital voice, voice over broadband (VoBB), broadband telephony, Voice over IP (VoIP), public switched telephone network (PSTN), and others. While in one embodiment, communication network 112 can be the Internet, in other embodiments, communication network 112 may be any suitable communication network including a local area network (LAN), a wide area network (WAN), a wireless network, a intranet, a private network, a public network, a switched network, and combinations of these, and the like.
  • In an embodiment, the mobile device 101 includes: an operating system 113, an input device 115, a radio frequency transceiver(s) 116, a visual display 125, and a battery or power supply 119. Each of these components is coupled to a central processing unit (CPU) 103. The device operating system 113 runs on the CPU 103 and enables interaction between application programs and the mobile device hardware components. In an embodiment, the mobile device 101 receives data through an RF transceiver(s) 116 which may be able to communicate via various networks, for example: BLUETOOTH, local area networks such as WI-FI, and cellular networks such as GSM, CDMA or LTE.
  • In an embodiment, a local software component 175 is an application program that is downloaded to a mobile device and installed so that it integrates with the operating system 113. Much of the source code for the local software component 175 can be re-used between various mobile device platforms by using a cross-platform software architecture. In such a system, the majority of software functionality can be implemented in a cross-platform core module. The cross-platform core can be universal allowing it to interface with various mobile device operating systems by using a platform-specific module and a platform abstraction module that both interact with the mobile device operating system 113, which is described in U.S. Pat. No. 8,099,472, entitled “SYSTEM AND METHOD FOR A MOBILE CROSS-PLATFORM SOFTWARE SYSTEM.” In another embodiment, the local software component 175 can be device, platform or operating system specific.
  • As indicated above, the mobile device 101 may operate in a networked environment using logical connections 130 to one or more remote nodes 111, 112, 140 a-140 c via a communication interface. The remote node may be another computer 140 a, a server 111, an NFC reader/POS module 112, a client device 140 b-140 c or other common network node, and typically includes many or all of the elements described above relative to the mobile device 101. The communication interface may interface with a wireless network and/or a wired network. Examples of wireless networks include, for example, a BLUETOOTH network, a wireless personal area network, a wireless 802.11 local area network (LAN), a near field communication (NFC), and/or wireless telephony network (e.g., a cellular, PCS, or GSM network). Examples of wired networks include, for example, a LAN, a fiber optic network, a wired personal area network, a telephony network, and/or a wide area network (WAN). Such networking environments are commonplace in intranets, the Internet, offices, enterprise-wide computer networks and the like.
  • It should be understood that the arrangement of mobile communication device 101 illustrated in FIG. 1 is but one possible implementation and that other arrangements are possible. It should also be understood that the various system components (and means) defined by the claims, described below, and illustrated in the various block diagrams represent logical components that are configured to perform the functionality described herein. For example, one or more of these system components (and means) can be realized, in whole or in part, by at least some of the components illustrated in the arrangement of mobile device 101. In addition, while at least one of these components are implemented at least partially as an electronic hardware component, and therefore constitutes a machine, the other components may be implemented in software, hardware, or a combination of software and hardware. More particularly, at least one component defined by the claims is implemented at least partially as an electronic hardware component, such as an instruction execution machine (e.g., a processor-based or processor-containing machine) and/or as specialized circuits or circuitry (e.g., discrete logic gates interconnected to perform a specialized function), such as those illustrated in FIG. 1. Other components may be implemented in software, hardware, or a combination of software and hardware. Moreover, some or all of these other components may be combined, some may be omitted altogether, and additional components can be added while still achieving the functionality described herein. Thus, the subject matter described herein can be embodied in many different variations, and all such variations are contemplated to be within the scope of what is claimed.
  • In the description that follows, the subject matter will be described with reference to acts and symbolic representations of operations that are performed by one or more devices, unless indicated otherwise. As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the device, which reconfigures or otherwise alters the operation of the device in a manner well understood by those skilled in the art. The data structures where data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the subject matter is being described in the foregoing context, it is not meant to be limiting as those of skill in the art will appreciate that various of the acts and operation described hereinafter may also be implemented in hardware.
  • FIG. 2 is a block diagram illustrating a system for authorizing a mobile payment transaction according to an embodiment. As is shown in FIG. 2, the system 200 includes a payment facilitating device 210, a POS module 220, and a payment processing server 230 communicatively coupled to one another over one or more communication networks 201. The payment facilitating device 210 can be the client device used to initiate a payment transaction via the POS module 220 and can be a mobile communication device 101, or any one of the other electronic client systems 140 a-140 c. Accordingly, the payment facilitating device 210 can include a display screen 216 and an operating system (not shown) that supports various device features and/or applications, such as a mobile payment application 212. The device 210 can be a portable electronic device that can be easily carried in a customer's pocket, wallet, purse or other personal item. In an embodiment, the device 210 can be a dedicated stand-alone device such as a card or a key chain. Alternatively, it can be integrated with another portable electronic client device associated with the customer 206, e.g., the customer's smart phone, car fob, or any other personal item typically carried by the customer.
  • The POS module 220 can be an in-store NFC reader and/or a BLUETOOTH enabled device that is configured to receive the user's payment credentials 202 for the payment transaction from the payment facilitating device 210. In an embodiment, for example, when the payment facilitating device 210 is positioned near a sensor (not shown) in the POS module 220 or is physically tapped against the sensor, the customer's payment credentials 202 can be transmitted to the POS module 220. According to an embodiment, the POS module 220 collects payment information 222 for the payment transaction that can include the customer's payment credentials 202 and information identifying the customer 206. The payment information 222 can then be transmitted from the POS module 220 to the payment processing server 230 in a request to process the payment 203.
  • The payment processing server 230 hosts a payment processing service 240 that stores user information 242 that can include information identifying the user 207, a user's credit/debit card information and/or banking information so that mobile payment transactions can be processed for the user's purchases. The payment processing service 240 can receive the request to process the payment transaction 203 and can use the included payment credentials 202 of the customer 206/user 207 to retrieve the user information 242 associated with the user 207. The amount of the payment transaction can then be deducted from or charged to the user's banking/credit account. When the payment transaction is completed, the payment processing service 240 can generate a response 203 a to the request to process that indicates that the payment transaction was successfully processed and can transmit the response 203 a to the POS module 220. When the response 203 a is received, the POS module 220 can provide a receipt to the customer 206 or provide some other indication that the payment transaction has been successfully completed, e.g., by providing a message on a display 226.
  • Presumably, the customer 206 and the user 207 are the same entity and presumably, the submitted payment credentials 202 are associated with the customer 206/user 207. Nonetheless, such an assumption may be erroneous if the payment credentials 202 have been stolen by the customer 206 and embedded into the mobile payment application 212 of the facilitating device 210. In this case, the customer 206 can effectively impersonate the user 207 and use the user's payment credentials 202 to improperly procure items and/or services, which will be charged to the user 207.
  • To address this issue, a system and method is described for authorizing a mobile payment transaction based on the proximity of an authorizing client device associated with the user 207 to the POS module 220. According to an embodiment, the authorizing client device can be a device that is typically on or near the user 207 so that a location of the authorizing client device is indicative of a location of the user 207. Thus, when the authorizing client device's location is at or near a location of the POS module 220, it is highly likely that the customer 206 and the user 207 are the same entity and that the payment transaction is legitimate. When the opposite is true, there is a strong suggestion that the payment transaction is fraudulent.
  • FIG. 3 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to an embodiment. The method illustrated in FIG. 3 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 2, but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 2. According to an embodiment, the method 300 begins, in block 302, when a request to authorize a payment transaction that originates from a POS module is received. In an embodiment, a system for authorizing a mobile payment transaction includes an anti-fraud service 250 configured for receiving the request to authorize the payment transaction 204. According to an embodiment, the anti-fraud service 250 can receive the request 204 from the payment processing service 240 when it receives the request to process the payment transaction 203 from the POS module 220.
  • The anti-fraud service 250 can be hosted by the payment processing server 230 as is shown in FIG. 2. Alternatively, in another embodiment shown in FIG. 4, the anti-fraud service 450 can reside in another server 432 communicatively coupled to the payment processing server 430 and/or to the POS module 420 over the network 401. In this embodiment, the anti-fraud service 450 can receive the request 404 over the network 401 from the POS module 420 when the POS module 420 receives the payment credentials 402 from the facilitating mobile device 410. In another embodiment, the payment processing service 240, 440 and/or the anti-fraud service 250, 450 can be integrated in a common device with the POS module 220, 420. In this case, the anti-fraud service 250, 450 can receive the request to authorize 204, 404 via an internal link from either the payment processing service 240, 440 or the POS module 220, 420.
  • In an embodiment, the request to authorize the payment transaction 204, 404 can include the payment information 222, 422 of the payment transaction and information identifying the POS module 224, 424. As stated above, the payment information 222 can include the payment credentials, e.g., 202, and information identifying the user 207 with which the payment credentials are associated. The information identifying the POS, e.g., 424, can include location information of the POS module 424 a and/or information that can be used to determine the location information of the POS module 220, 420. For example, the POS identifying information, e.g., 224, can include an identifier that can be correlated to a location of the POS module 220. This correlation can be included in a table that associates POS identifiers with locations for a plurality of POS modules, and the table can be stored in a database (not shown) on the payment processing server 230 or elsewhere on another server accessible via the network 201.
  • Referring again to FIG. 3, when the request to authorize the payment transaction 204, 404 is received by the anti-fraud service component (250, 450), an authorizing client device for the payment transaction is identified based on the payment information 222, 422 in block 304. According to an embodiment, the authorizing client device, e.g., 210 a, is a personal mobile device associated with a user 207 that includes a mobile payment application 212 a, and an anti-fraud client application 214 which allows the anti-fraud service 250 to communicate with the authorizing client device 210 a over the network 201. In an embodiment, for example, the authorizing client device 210 a can be a smartphone, a tablet computer, or any network enabled handheld personal device.
  • In an embodiment, during a service registration phase, a user 207 can designate one or more of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions. The user 207 can provide information relating to the client device 210 a that enables the anti-fraud service 250 to communicate with the client device 210 a. For example, when the authorizing client device 210 a is the user's mobile phone, the phone number associated with the phone can be provided. In another embodiment, the authorizing client device 210 a can be a dedicated client device that is provided to the user 207 upon registering with a service provider associated with the anti-fraud service.
  • According to an embodiment, the anti-fraud service component 250, 450 can store the information relating to the user's authorizing client device(s) 252, 452 in a storage component coupled to the server 230, 432 and accessed by the anti-fraud service component 250, 450. In an embodiment, when the request to authorize the payment transaction 204, 404 is received, the anti-fraud service 250, 450 can be configured to extract the payment credentials 202, 402 of the user 207 from the payment information 222, 422, in order to identify the user 207. Once the user 207 is identified, the anti-fraud service 250, 450 can be configured, in an embodiment, to identify the user's authorizing client device 210 a by retrieving the information 252, 452 relating to the user's authorizing client device(s).
  • Referring again to FIG. 3, once the authorizing client device for the payment transaction, e.g., 210 a, is identified, the anti-fraud service 250 is configured to determine location information of the authorizing client device 210 a in block 306. As noted above, the information 252 relating to the user's authorizing client device 210 a includes information that enables the anti-fraud service 250 to communicate with the client device 210 a. Therefore, according to an embodiment, the anti-fraud service, e.g., 250, can use the information 252 to generate and transmit a request for location information 205 to the authorizing client device 210 a over the network 201, which in an embodiment, can be a Wi-Fi network, a LAN, a PAN, a WAN, a BLUETOOTH network, or a near field communication (NFC) depending on the circumstances. In another embodiment when the authorizing client device 210 a is a phone connected to a cellular network, the request message 205 can be transmitted over the cellular network 201.
  • In another embodiment, the anti-fraud service 250 can transmit the request for location information 205′ to the authorizing client device 210 a indirectly via the POS module 220. In this case, when the POS module 220 receives the request 205′, it can be configured to forward the request 205′ to the authorizing client device 210 a over the network 201, which in this embodiment, can be a wireless short range personal area network (“WPAN”), such as a BLUETOOTH network or a NFC network.
  • When the request for location 205 is received by the authorizing client device 210 a, the anti-fraud client application 214 in the client device 210 a can provide its location information in several ways. For example, in an embodiment, when the client device 210 a is equipped with a Global Positioning System (“GPS”) tracking unit, the device's location information can be provided as geo-coordinates associated with its location. Alternatively or in addition, when the client device 210 a is connected to a cellular network that includes a plurality of cell towers, the device's location information can also be provided as the location of a cell tower nearest to the authorizing client device 210 a. For example, the nearest cell tower can be the destination tower that transmits the request message 205 directly to the authorizing client device 210 a. Alternatively or in addition, when the client device 210 a is connected to a wired or wireless network 201, the location information can be related to a wireless access point of the wireless network or related to a LAN.
  • According to an embodiment, the anti-fraud client application 214 in the client device 210 a can be configured to generate a response 205 a to the request for location 205 and to include the device's location information in the response 205 a. The response 205 a can then be returned to and received by the anti-fraud service 250 over the network 201. In an embodiment, the anti-fraud service 250 can receive the response 205 a directly from the client device 210 a over the network 201, while in another embodiment, the anti-fraud service 250 can receive the response 250 a′ indirectly via the POS module 220. In the latter case, the response 205 a′ may not be received by the POS module 220 when the authorizing client device 210 a is not located within the module's short range WPAN 201. If, however, the client device 210 a is located within the short range WPAN 201, the POS module 220 can be configured to receive and forward the response 205′ to the anti-fraud service 250 over the network 201.
  • As discussed above, the anti-fraud service 250 can be configured to transmit the request for location 205, 205′ to the authorizing client device 210 a over different network environments, e.g., a WAN and a WPAN. The response 205 a, 250 a′ from the authorizing client device 210 a can be received over the same network environment as the one used to transmit the request or over a different network environment from that used to transmit the request. Accordingly, in an embodiment, the anti-fraud service 250 can transmit the request 205 to the client device 210 a directly over a WAN, such as the Internet, and the response 205 a′ can be received indirectly via the POS module 220 over a BLUETOOTH network and a WAN.
  • Referring again to FIG. 3, when the location information of the authorizing client device is determined, the anti-fraud service 250, 450 can be configured to compare the location information of the authorizing client device 210 a, 410 to the location information of the POS module 220, 420 to determine a disposition of the request to authorize the payment transaction in block 308. According to an embodiment, the disposition of the request, i.e., whether the request 204, 404 is granted, denied, or pending, can be determined based on whether and to what degree the location of the authorizing client device 210 a, 410 is different from the location of the POS module 220, 420.
  • For example, in FIG. 2, because the authorizing client device 210 a is not the payment facilitating client device 210, there is a likelihood that the authorizing client device 210 a will be in a different location from the POS module 220, and that therefore the location information of the client device 210 a will be different from that of the POS module 220. Alternatively, in FIG. 4, because the authorizing client device 410 is the payment facilitating device, it is likely that the location information of the authorizing client device 410 is substantially the same as the location information of the POS module 420.
  • Depending on the circumstances, when the location information of the authorizing client device 210 a, 410 is different from the location information of the POS module 220, 420, the anti-fraud service 250, 450 can be configured to deny the request to authorize the payment transaction in an embodiment. In another embodiment, when the location information of the authorizing client device corresponds to a first geo-location and the location information of the POS module corresponds to a second geo-location, the anti-fraud service 250, 450 can be configured to deny the request to authorize the payment transaction when a distance between the first geo-location and the second geo-location exceeds a threshold distance. According to an embodiment, the threshold distance can be provided by the user 207, 407 and/or by an administrator, and can vary according to contextual circumstances. For example, a threshold distance for a POS module 220 located in a highly restricted area can be shorter/smaller than the threshold distance for a POS module 420 in a public store because the adverse consequences of allowing an unauthorized transaction in the highly restricted area can be more severe than those in the public store.
  • According to an embodiment, the disposition of the request to authorize 204, 404 can also depend on other circumstances unrelated to proximity. In an embodiment, a plurality of payment rules 454 can be provided that define under what circumstances the request to authorize 404 should be granted or denied based on factors in addition to the authorizing client device's proximity to the POS module 420. For example, a payment rule 454 can be based on the location of the POS module 420 and can define whether the request to authorize 404 should be granted, denied, or conditionally granted when the POS module's location is within a specified region or location. So, for instance, such a location-based payment rule 454 can indicate that a request to authorize 404 should be denied when the POS module 420 is located in a specified location associated with a particular fast food restaurant. Thus, even though the authorizing client device's location is within a specified distance of the POS module's location, the request to authorize 404 will be denied when the POS module's location is in the fast food restaurant.
  • In another embodiment, a payment rule 454 can be based on a temporal attribute of the payment transaction that defines the disposition of the request to authorize 404 according to when the request to authorize 404 is received. For example, such a time-based payment rule 454 can indicate that a request to authorize 404 should be granted during specified hours, specified days of the week, specified months, or during a specified time interval. In an embodiment, because the payment rules 454 are based on different factors, they can be enforced independently and simultaneously. Thus, the time-based payment rule 454 can be enforced along with the location-based payment rule 454.
  • In another embodiment, a payment rule 454 can be based on a type of item and/or service associated with the payment transaction. For example, this type of payment rule 454 can provide a white or black list of items and services that are allowed or disallowed or disallowed unless additional authentication information is provided respectively. Similar to the other payment rules 454 described above, the item/service-based payment rules 454 can be enforced independently and simultaneously.
  • In addition, payment rules 454 can be based on a payment amount associated with the payment transaction. According to an embodiment, transaction amount-based payment rules 454 can define the disposition of the request to authorize 404 according to the cost of any individually charge item and/or the total cost associated with the payment transaction. For example, the cost-based payment rules 454 can indicate that a request to authorize 404 should be denied outright or conditionally denied unless additional authentication is provided when a cost of an individual item exceeds a threshold value, and/or when the total cost of the transaction exceeds another threshold value. In another embodiment, the request to authorize 404 can be denied or conditionally denied when a frequency of payment transactions within a specified time period exceeds another threshold value.
  • According to an embodiment, the payment rules 454 for the authorizing client device 410 can be defined and provided by the user 407 associated with the client device 410. In an embodiment, some payment rules 454 can be provided and stored during the registration phase along with the information relating to the authorizing client device 410. Alternatively or in addition, other payment rules 454 can be stored on the authorizing client device 410 and provided to the anti-fraud service component 450 when the payment transaction is initiated or pending. Accordingly, the anti-fraud service component 450 can be configured to determine the disposition of the request to authorize the payment transaction 404 based on whether the authorizing client device 410 is located within a predetermined proximity to the POS module 420 and on whether at least one of the payment rules 454 is satisfied.
  • As noted above, instead of or in addition to, denying the request, the anti-fraud service 250, 450 can be configured to conditionally deny the request unless additional authentication information is provided by the customer 206/user 407. For example, in an embodiment, when the anti-fraud service 250, 450 would otherwise deny the request, it can be configured instead to transmit an indication to the POS module 220, 420 directing it to request additional authentication information from the customer 206/user 407. For example, the customer 206 can be requested to produce additional forms of identification or to submit a PIN or password to prove that she is the user 207, 407 associated with the payment credentials 202.
  • In addition to denying the request and/or requesting additional authentication information, in another embodiment, the anti-fraud service 250, 450 can be configured to send a message relating to the requested payment transaction at the POS module 220 to the authorizing client device 210 a for display to the user 207 on the device's display 216 a. According to an embodiment, the message can include a request to verify the requested payment transaction thereby allowing the user 207 to override the anti-fraud service's denial and to indicate that the payment transaction is legitimate. For example, when the customer 206 is an employee of the user 207 and is making a purchase on behalf of the user 207, the user 207 can verify that the mobile payment transaction as an approved transaction. When the user 207 authorizes the requested payment transaction, the authorization can be included in a response to the request to verify, which can be transmitted to and received by the anti-fraud service 250. Upon receipt, the anti-fraud service 250 can be configured to disregard the denial and to grant the request to authorize the payment transaction.
  • In the embodiment described above, the anti-fraud service component 250 is configured to proactively determine the location information of the authorizing client device 210 a so that the location information of the authorizing client device can be compared to that of the POS module 220. In another embodiment, the authorizing client device 410 can take a more proactive role in providing its information automatically, and the anti-fraud service component 450 can take a more passive role by listening for the information regarding the authorizing client device 410. FIG. 5 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to this embodiment. The method illustrated in FIG. 5 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 4, but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 4.
  • According to an embodiment, the method 500 begins, in block 502, when the anti-fraud service component 450 receives the request to authorize a payment transaction 404 that originates from the POS module 420. As described above, the request to authorize 404 can be received from the POS module 420 when the POS module 420 receives the payment credentials 402 from the mobile device 410. Alternatively, it can be received from the payment processing service 440 when it receives the request to process the payment transaction 403 from the POS module 420. In either of these embodiments, the request 404 can be received over at least one external network 401. In another embodiment, when the payment processing service 440 and/or the anti-fraud service 450 are integrated in a common device with the POS module 420, the anti-fraud service 450 can receive the request to authorize 404 via an internal link from either the payment processing service 440 or the POS module 420.
  • Once the request to authorize the payment transaction 404 is received, the anti-fraud service 450 can be configured to determine whether information regarding an authorizing client device for the payment transaction has been received in block 504 and to determine a disposition of the request when the information has been received in block 506.
  • According to an embodiment, the anti-fraud client application 414 in the authorizing client device 410 can be configured to collect information regarding itself and to transmit that information 405 to the anti-fraud service component 450 periodically and/or spontaneously. For example, the anti-fraud client application 414 can be configured to transmit the information regarding itself 405 every five (5) minutes. In another embodiment, the anti-fraud client application 414 can be configured to transmit the information 405 when the payment application 412 is invoked and/or when the payment credentials 402 of the user 407 are presented to the POS module 420. Accordingly, the anti-fraud service component 450 can receive the information regarding the authorizing client device 405 periodically or when the client device 410 is used to facilitate a payment transaction.
  • In an embodiment, the information regarding the authorizing client device 405 can include information identifying the client device and its location information. The anti-fraud service component 450 can be configured to receive the information, to identify the authorizing client device 410 based on the received information, and to store the received information in the storage component along with the information relating to the user's authorizing client device(s) 452.
  • According to an embodiment, when the request to authorize 404 is received, the anti-fraud service component 450 can identify the authorizing client device 410 for the payment transaction and can determine that information regarding the identified authorizing client device 405 has been received. In an embodiment, the anti-fraud service component 450 can be configured to compare the location information of the authorizing client device 410 to the location information of the POS module 424 a. In an embodiment where the information 405 is received periodically, the client device's location information received immediately prior to receiving the request to authorize 404 can be compared to the POS module's location information 424 a. The anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction when the comparison indicates that the authorizing client device 410 is located within a predetermined distance of the POS module 420.
  • In another embodiment where the client device 410 automatically transmits the information 405 when the payment transaction is initiated or while the payment transaction is pending, the fact that the information regarding the authorizing client device 405 is not received by the anti-fraud service component 450 suggests that the payment transaction is fraudulent. Thus, when the information regarding the authorizing client device 405 has not been received under these circumstances, the anti-fraud service component 450 can be configured to deny the request to authorize the payment transaction.
  • In another embodiment, as described above with regard to FIG. 2, the anti-fraud service component 250 can be configured to transmit a request 205, 205′ for the client device information, e.g., the location information of the authorizing client device, to the client device 210 a directly over the network 201 or indirectly via the POS module 220. When the request 205 is received directly over the network 201, the anti-fraud client application 214 cannot transmit its response 205 a′ to the anti-fraud service component 250 via the POS module 220 unless the client device 210 a located within the module's wireless short range network. Alternatively, the anti-fraud service component 250 cannot transmit the request 205′ to the anti-fraud client application 214 indirectly via the POS module 220 unless the client device 210 a is located within the module's wireless short range network.
  • Accordingly, in this embodiment, the anti-fraud service component 250 will receive the information 405 regarding the authorizing client device when the client device 210 a, 410 is located within the POS module's wireless short range network. In this case, when the information 405 regarding the authorizing client device has been received, the anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction 404. Alternatively, when the client device 210 a, 410 is not located within the POS module's wireless short range network, the information 405 will not be received. In this case, when the information 405 regarding the authorizing client device has not been received, the anti-fraud service component 450 can be configured to deny the request to authorize the payment transaction 404.
  • According to yet another embodiment, instead of transmitting a request for location information 205 to the authorizing client device 210 a or waiting to receive information 405 regarding the authorizing client device 410, the anti-fraud service component 250, 450 can be configured to transmit the location information of the POS module 424 a to the authorizing client device 410, and to request that the authorizing client device 410 confirm or deny that a current location of the authorizing client device substantially matches the POS module's location information 424 a. In this embodiment, the anti-fraud client application 414 in the client device 410 can be configured to receive the location information of the POS module 424 a and the request, and to compare its own location information to that of the POS module 420.
  • Based on the comparison, the anti-fraud client application 414 can generate a decision either confirming or denying that its current location information substantially matches the POS module's location information 424 a. The anti-fraud client application 414 can then include the decision in a reply message and can transmit the reply message to the anti-fraud service component 450. Upon receiving the reply, the anti-fraud service component 450 can be configured to determine the disposition of the request to authorize the payment transaction 404 based on the authorizing client device's decision confirming or denying that the current location information of the authorizing client device substantially matches the POS module's location information 424 a. For example, when the decision is confirming, the anti-fraud service component 450 can be configured to grant the request to authorize the payment transaction 404.
  • In an embodiment, the anti-fraud service 250, 450 can be configured to generate a response 204 a, 404 a to the request to authorize 204, 404 that includes the disposition of the request and to transmit the response to 204 a, 404 a to the payment processing service 240, 340 and/or the POS module 220, 420. In an embodiment when the response 204 a is transmitted to the payment processing service 240, depending on the disposition of the request, the payment processing service 240 can either proceed with or stop processing the payment transaction. In another embodiment, when the response 404 a is transmitted to the POS module 420, the POS module 420 can transmit the request 203 to process the payment transaction or deny the transaction depending on the disposition.
  • According to embodiments, a system for authorizing a mobile payment transaction that originates from a POS module includes an anti-fraud service component coupled to the POS module and/or to a payment processing service associated with the POS module. In an embodiment, when payment credentials associated with a user are provided to the POS module to initiate the payment transaction, the anti-fraud service component can identify and determine a location a client device typically carried by the user. Because the user typically carries the client device on his or her person, the device's location is indicative of the user's location. In an embodiment, when the anti-fraud service component determines that the user's client device is located at or near the POS module, the payment transaction can be authorized based on the assumption that the authorized user is carrying the client device and is also located at or near the POS module. When the location of the client device is not at or near the POS module, the authorized user is presumptively not at or near the POS module. In this case, the payment transaction can be denied outright or denied pending the presentation of additional authentication information from the customer.
  • According to an embodiment, the user may designate more than one of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions. The personal network enabled client devices can be in different locations, but typically only those devices that are actively in use will be considered in the same location as the user. That is, it would be unusual for one of the personal network enabled client devices to be actively in use at one location while one or more of the user's other personal network enabled client devices are actively in use at a different location.
  • In an embodiment, based on this premise, the anti-fraud service component may obtain current locations for a plurality of authorizing client devices, together with information indicating whether the devices are actively in use. If one of the authorizing client devices is at the location of the POS module, and the other authorizing client devices are not, but they are not currently active, then the transaction can be permitted. Alternatively, if one or more of the authorizing client devices are not at the location of the POS module and are actively in use, even if one of them is at the location of the POS module, the legitimacy of the transaction can be questionable. In this embodiment, under such a situation, the anti-fraud service component can deny the request to authorize the transaction, and/or request additional authentication or authorization information from the user via one or more of the authorizing client devices.
  • In an embodiment, device information 452 for use with one or more payment rules 454 may contain information regarding contextual factors. The contextual factors may include the information previously discussed regarding payment rules 454, such as location information, distance information, time information, transaction item, and transaction amount. Additional contextual factors may include, for example, one or more of the current security state of the payment facilitating device (e.g., trusted, untrusted, or unknown), the security state of the authorizing client device, the security state of the one or more network connections 401 from the payment application 412 providing payment credentials 402 to POS module 420, said security state being trusted or untrusted (e.g., based on detection of a Man in the Middle in the connection). In the embodiment, a decision to grant a request to proceed with the processing of the payment transaction may be based on such contextual information and whether the contextual information conforms to one or more payment rules 454. For example, the request could be granted based on one or more rules related to contextual factors being met, such as: the distance between the authorizing client device and the POS device does not exceed a threshold distance; the security state of the device is “trusted;” and the security state of the network is “trusted.” Similarly, the request could be denied when one or more rules related to contextual factors are not met, such as: the distance between the authorizing client device and the POS device exceeds a threshold distance; the security state of the device is not “trusted;” and the security state of the network is not “trusted.” In addition, various combinations of rules related to contextual factors may result in different outcomes regarding whether the request is granted. For example, even if the distance between the authorizing client device and the POS device is within a threshold distance, the request may be denied when the security state of the device is “untrusted.” Methods for determining whether to grant a request to process a payment transaction based on contextual factors and payment rules are further illustrated with regard to FIG. 6.
  • Disclosure regarding the security state of a device is further contained in U.S. application Ser. No. 14/634,115, entitled “ASSESSING A SECURITY STATE OF A MOBILE COMMUNICATIONS DEVICE TO DETERMINE ACCESS TO SPECIFIC TASKS,” filed on Feb. 27, 2015, and U.S. application Ser. No. 15/687,395, entitled “METHODS AND SYSTEMS FOR BLOCKING THE INSTALLATION OF AN APPLICATION TO IMPROVE THE FUNCTIONING OF A MOBILE COMMUNICATIONS DEVICE,” filed on Aug. 25, 2017, which are both incorporated by reference in their entirety. Disclosure regarding security states of network connections is further contained in U.S. application Ser. No. 15/608,556, entitled “METHODS AND SYSTEMS FOR DETECTING AND PREVENTING NETWORK CONNECTION COMPROMISE,” filed on May 30, 2017, which is incorporated by reference in its entirety. And disclosure regarding contextual information, the security state of a device, and the security state of a connection is further contained in U.S. application Ser. No. 14/071,366, entitled “METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS,” filed on Nov. 4, 2013, which is incorporated by reference in its entirety.
  • FIG. 6 is a flow diagram illustrating a method for authorizing a mobile payment transaction according to an embodiment. The method illustrated in FIG. 6 can be carried out by at least some of the components in the example electronic device(s) illustrated in FIG. 1 and FIG. 2, but can also be carried out in environments other than those illustrated in FIG. 1 and FIG. 2. According to an embodiment, the method 600 begins, in block 602, when a request to authorize a payment transaction that originates from a POS module is received. In an embodiment, a system for authorizing a mobile payment transaction includes an anti-fraud service 250 configured for receiving the request to authorize the payment transaction 204. According to an embodiment, the anti-fraud service 250 can receive the request 204 from the payment processing service 240 when it receives the request to process the payment transaction 203 from the POS module 220.
  • The anti-fraud service 250 can be hosted by the payment processing server 230 as is shown in FIG. 2. Alternatively, in another embodiment shown in FIG. 4, the anti-fraud service 450 can reside in another server 432 communicatively coupled to the payment processing server 430 and/or to the POS module 420 over the network 401. In this embodiment, the anti-fraud service 450 can receive the request 404 over the network 401 from the POS module 420 when the POS module 420 receives the payment credentials 402 from the facilitating mobile device 410. In another embodiment, the payment processing service 240, 440 and/or the anti-fraud service 250, 450 can be integrated in a common device with the POS module 220, 420. In this case, the anti-fraud service 250, 450 can receive the request to authorize 204, 404 via an internal link from either the payment processing service 240, 440 or the POS module 220, 420.
  • In an embodiment, the request to authorize the payment transaction 204, 404 can include the payment information 222, 422 of the payment transaction and information identifying the POS module 224, 424. As stated above, the payment information 222 can include the payment credentials, e.g., 202, and information identifying the user 207 with which the payment credentials are associated. The information identifying the POS, e.g., 424, can include location information of the POS module 424 a and/or information that can be used to determine the location information of the POS module 220, 420. For example, the POS identifying information, e.g., 224, can include an identifier that can be correlated to a location of the POS module 220. This correlation can be included in a table that associates POS identifiers with locations for a plurality of POS modules, and the table can be stored in a database (not shown) on the payment processing server 230 or elsewhere on another server accessible via the network 201.
  • Referring again to FIG. 6, in block 604, when the request to authorize the payment transaction 204, 404 is received by the anti-fraud service component (250, 450), an authorizing client device for the payment transaction is identified based on the payment information 222, 422. According to an embodiment, the authorizing client device, e.g., 210 a, is a personal mobile device associated with a user 207 that includes a mobile payment application 212 a, and an anti-fraud client application 214 which allows the anti-fraud service 250 to communicate with the authorizing client device 210 a over the network 201. In an embodiment, for example, the authorizing client device 210 a can be a smartphone, a tablet computer, or any network enabled handheld personal device.
  • In an embodiment, during a service registration phase, a user 207 can designate one or more of her personal network enabled client devices to be an authorizing client device 210 a for the user's mobile payment transactions. The user 207 can provide information relating to the client device 210 a that enables the anti-fraud service 250 to communicate with the client device 210 a. For example, when the authorizing client device 210 a is the user's mobile phone, the phone number associated with the phone can be provided. In another embodiment, the authorizing client device 210 a can be a dedicated client device that is provided to the user 207 upon registering with a service provider associated with the anti-fraud service.
  • According to an embodiment, the anti-fraud service component 250, 450 can store the information relating to the user's authorizing client device(s) 252, 452 in a storage component coupled to the server 230, 432 and accessed by the anti-fraud service component 250, 450. In an embodiment, when the request to authorize the payment transaction 204, 404 is received, the anti-fraud service 250, 450 can be configured to extract the payment credentials 202, 402 of the user 207 from the payment information 222, 422, in order to identify the user 207. Once the user 207 is identified, the anti-fraud service 250, 450 can be configured, in an embodiment, to identify the user's authorizing client device 210 a by retrieving the information 252, 452 relating to the user's authorizing client device(s).
  • Referring again to FIG. 6, in block 606, once the authorizing client device for the payment transaction, e.g., 210 a, is identified, the anti-fraud service 250 determines context information associated with the request. Contextual information associated with the request may include contextual information associated with the authorizing client device, the payment facilitating device, and the POS module. For example, the determined context information may include and of: the location information of the authorizing client device 210 a, location information of the payment facilitating device, distance information, time information, transaction item, transaction amount, the security state of the payment facilitating device, the security state of the authorizing client device, and the security state of the one or more network connections 401 from the payment application 412 providing payment credentials 402 to POS module 420.
  • As noted above, the information 252 relating to the user's authorizing client device 210 a includes information that enables the anti-fraud service 250 to communicate with the client device 210 a. Therefore, according to an embodiment, the anti-fraud service, e.g., 250, can use the information 252 to generate and transmit a request for contextual information to the authorizing client device 210 a over the network 201, which in an embodiment, can be a Wi-Fi network, a LAN, a PAN, a WAN, a BLUETOOTH network, or a near field communication (NFC) depending on the circumstances. In another embodiment when the authorizing client device 210 a is a phone connected to a cellular network, the request message 205 can be transmitted over the cellular network 201.
  • In another embodiment, the anti-fraud service 250 can transmit the request for contextual information to the authorizing client device 210 a indirectly via the POS module 220. In this case, when the POS module 220 receives the request 205′, it can be configured to forward the request 205′ to the authorizing client device 210 a over the network 201, which in this embodiment, can be a wireless short range personal area network (“WPAN”), such as a BLUETOOTH network or a NFC network.
  • When the request for contextual information is received by the authorizing client device 210 a, the anti-fraud client application 214 in the client device 210 a can provide its contextual information in several ways. For example, in an embodiment, when the client device 210 a is equipped with a Global Positioning System (“GPS”) tracking unit, the device's contextual information, in this case location information, can be provided as geo-coordinates associated with its location. Alternatively or in addition, when the client device 210 a is connected to a cellular network that includes a plurality of cell towers, the device's contextual information can also be provided as the location of a cell tower nearest to the authorizing client device 210 a. For example, the nearest cell tower can be the destination tower that transmits the request message 205 directly to the authorizing client device 210 a. Alternatively or in addition, when the client device 210 a is connected to a wired or wireless network 201, the contextual information can be related to a wireless access point of the wireless network or related to a LAN.
  • According to an embodiment, the anti-fraud client application 214 in the client device 210 a can be configured to generate a response 205 a to the request for contextual information and to include the device's contextual information in the response 205 a. The response 205 a can then be returned to and received by the anti-fraud service 250 over the network 201. In an embodiment, the anti-fraud service 250 can receive the response 205 a directly from the client device 210 a over the network 201, while in another embodiment, the anti-fraud service 250 can receive the response 250 a′ indirectly via the POS module 220. In the latter case, the response 205 a′ may not be received by the POS module 220 when the authorizing client device 210 a is not located within the module's short range WPAN 201. If, however, the client device 210 a is located within the short range WPAN 201, the POS module 220 can be configured to receive and forward the response 205′ to the anti-fraud service 250 over the network 201.
  • As discussed above, the anti-fraud service 250 can be configured to transmit the request for contextual information to the authorizing client device 210 a over different network environments, e.g., a WAN and a WPAN. The response 205 a, 250 a′ from the authorizing client device 210 a can be received over the same network environment as the one used to transmit the request or over a different network environment from that used to transmit the request. Accordingly, in an embodiment, the anti-fraud service 250 can transmit the request to the client device 210 a directly over a WAN, such as the Internet, and the response 205 a′ can be received indirectly via the POS module 220 over a BLUETOOTH network and a WAN.
  • Referring again to FIG. 6, in block 608, when the contextual information of the authorizing client device is determined, the anti-fraud service 250, 450 can be configured to compare the contextual information to one or more applicable payment rules 454 to determine a disposition of the request to authorize the payment transaction. According to an embodiment, the disposition of the request, i.e., whether the request 204, 404 is granted, denied, or pending, can be determined based on whether and to what degree the determined contextual information satisfies one or more applicable payment rules 454.
  • In an embodiment, the one or more applicable payment rules 454 may vary, e.g., based on the user of the authorized client device. In this embodiment, payment rules 454 are determined to be applicable based on those rules being associated with, e.g., a particular user, or a particular authorizing client device. The association between the payment rules and the user or client device may be created by, e.g., the user or administrator of the authorizing client device. In this embodiment, once applicable payment rules 454 are determined, requests for context information associated with block 606 may be fashioned based on what contextual information must be satisfied by the applicable payment rules 454 in order for the payment request to be granted, or denied.
  • Any of the above embodiments may be used alone or together with one another in any combination. The one or more implementations encompassed within this specification may also include embodiments that are only partially mentioned or alluded to or are not mentioned or alluded to at all. Although various embodiments may have been motivated by various deficiencies with the prior art, which may be discussed or alluded to in one or more places in the specification, the embodiments do not necessarily address any of these deficiencies. In other words, different embodiments may address different deficiencies that may be discussed in the specification. Some embodiments may only partially address some deficiencies or just one deficiency that may be discussed in the specification, and some embodiments may not address any of these deficiencies.
  • In addition, one will appreciate that in the description above and throughout, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be evident, however, to one of ordinary skill in the art, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form to facilitate explanation.
  • While one or more implementations have been described by way of example and in terms of the specific embodiments, it is to be understood that one or more implementations are not limited to the disclosed embodiments. To the contrary, it is intended to cover various modifications and similar arrangements as would be apparent to those skilled in the art. Therefore, the scope of the appended claims should be accorded the broadest interpretation so as to encompass all such modifications and similar arrangements.

Claims (21)

What is claimed is:
1. A method for processing a payment transaction, the method comprising:
receiving, by a processor, a request to authorize an action from a point of sale device, the request including a first context representing a first location associated with the action, and a second context representing information about an account associated with the action;
determining a user device information associated with the second context representing information about the account associated with the action;
transmitting a request for a third context to the user device associated with the second context representing information about the account associated with the action, the third context including a second location associated with the user device;
receiving the third context including a second location associated with the user device from the user device; and
determining whether to transmit a response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device, the response representing whether to authorize the action.
2. The method of claim 1, wherein determining whether to transmit the response to the point of sale device based on the comparison between the first context, and the third context is based on comparing a geographic proximity between the first context and the third context.
3. The method of claim 2, further comprising transmitting a response to the point of sale device indicating that the action is authorized.
4. The method of claim 3, wherein the third context represents a temporal attribute of the point of sale device to the user device.
5. The method of claim 1 further comprising the account being associated with payment rules, the payment rules representing one or more attributes that must be met before payment is authorized; and
wherein the determination whether to transmit the response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device is based on the payment rules associated with the account.
6. The method of claim 5, wherein the payment rule is a plurality of rules and the one or more attributes to be met before payment is authorized is based on a payment amount.
7. The method of claim 6, wherein the payment rule includes one or more attributes to be met before payment is authorized is based on the proximity between the point of sale device, and the user device.
8. A system, comprising:
at least one processor; and
memory storing instructions configured to instruct the at least one processor to:
receive a request to authorize an action from a point of sale device, the request including a first context representing a first location associated with the action, and a second context representing information about an account associated with the action;
determine a user device information associated with the second context representing information about the account associated with the action;
transmit a request for a third context to the user device associated with the second context representing information about the account associated with the action, the third context including a second location associated with the user device;
receive the third context including a second location associated with the user device from the user device; and
determine whether to transmit a response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device, the response representing whether to authorize the action.
9. The system of claim 8, wherein determining whether to transmit the response to the point of sale device based on the comparison between the first context, and the third context is based on comparing a geographic proximity between the first context and the third context.
10. The system of claim 9, further comprising transmitting a response to the point of sale device indicating that the action is authorized.
11. The system of claim 10, wherein the third context represents a temporal attribute of the point of sale device to the user device.
12. The system of claim 8 further comprising the account being associated with payment rules, the payment rules representing one or more attributes that must be met before payment is authorized; and
wherein the determination whether to transmit the response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device is based on the payment rules associated with the account.
13. The system of claim 12, wherein the payment rule is a plurality of rules and the one or more attributes to be met before payment is authorized is based on a payment amount.
14. The system of claim 13, wherein the payment rule includes one or more attributes to be met before payment is authorized is based on the proximity between the point of sale device, and the user device.
15. A non-transitory storage medium storing computer-readable instructions, which when executed, cause a computing device to:
receive a request to authorize an action from a point of sale device, the request including a first context representing a first location associated with the action, and a second context representing information about an account associated with the action;
determine a user device information associated with the second context representing information about the account associated with the action;
transmit a request for a third context to the user device associated with the second context representing information about the account associated with the action, the third context including a second location associated with the user device;
receive the third context including a second location associated with the user device from the user device; and
determine whether to transmit a response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device, the response representing whether to authorize the action.
16. The non-transitory storage medium of claim 15, wherein determining whether to transmit the response to the point of sale device based on the comparison between the first context, and the third context is based on comparing a geographic proximity between the first context and the third context.
17. The non-transitory storage medium of claim 16, further comprising transmitting a response to the point of sale device indicating that the action is authorized.
18. The non-transitory storage medium of claim 17, wherein the third context represents a temporal attribute of the point of sale device to the user device.
19. The non-transitory storage medium of claim 15. further comprising the account being associated with payment rules, the payment rules representing one or more attributes that must be met before payment is authorized; and
wherein the determination whether to transmit the response to the point of sale device based on the comparison between the first context representing the first location associated with the action, and the third context including the second location associated with the user device is based on the payment rules associated with the account.
20. The non-transitory storage medium of claim 19, wherein the payment rule is a plurality of rules and the one or more attributes to be met before payment is authorized is based on a payment amount.
21. The non-transitory storage medium of claim 20, wherein the payment rule includes one or more attributes to be met before payment is authorized is based on the proximity between the point of sale device, and the user device.
US16/878,353 2013-03-14 2020-05-19 System and method for processing a payment transaction based on point-of-sale device and user device locations Abandoned US20200279263A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/878,353 US20200279263A1 (en) 2013-03-14 2020-05-19 System and method for processing a payment transaction based on point-of-sale device and user device locations

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/829,132 US9852416B2 (en) 2013-03-14 2013-03-14 System and method for authorizing a payment transaction
US15/805,889 US10699273B2 (en) 2013-03-14 2017-11-07 System and method for authorizing payment transaction based on device locations
US16/878,353 US20200279263A1 (en) 2013-03-14 2020-05-19 System and method for processing a payment transaction based on point-of-sale device and user device locations

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/805,889 Continuation US10699273B2 (en) 2013-03-14 2017-11-07 System and method for authorizing payment transaction based on device locations

Publications (1)

Publication Number Publication Date
US20200279263A1 true US20200279263A1 (en) 2020-09-03

Family

ID=61281348

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/805,889 Active 2033-11-09 US10699273B2 (en) 2013-03-14 2017-11-07 System and method for authorizing payment transaction based on device locations
US16/878,353 Abandoned US20200279263A1 (en) 2013-03-14 2020-05-19 System and method for processing a payment transaction based on point-of-sale device and user device locations

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US15/805,889 Active 2033-11-09 US10699273B2 (en) 2013-03-14 2017-11-07 System and method for authorizing payment transaction based on device locations

Country Status (1)

Country Link
US (2) US10699273B2 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10565589B2 (en) * 2016-06-14 2020-02-18 Mastercard International Incorporated Methods and system for real-time fraud decisioning based upon user-defined valid activity location data
CN110324390A (en) 2018-03-30 2019-10-11 京东方科技集团股份有限公司 A kind of cut-in method, platform of internet of things, application apparatus, service equipment
US11334896B2 (en) * 2019-04-17 2022-05-17 Capital One Services, Llc Systems and methods of real-time processing
GB2597159A (en) * 2019-04-29 2022-01-19 Apple Inc System and method of operating a secure contactless transaction
US11403640B2 (en) * 2019-05-21 2022-08-02 Jpmorgan Chase Bank, N.A. Mobile payment fraudulent device list
CN110992048A (en) * 2019-11-29 2020-04-10 中国联合网络通信集团有限公司 Transaction fraud determination method and device
CN111510862B (en) * 2020-04-24 2021-09-21 支付宝(杭州)信息技术有限公司 Terminal area positioning method and device and electronic equipment
US11836727B1 (en) * 2020-12-04 2023-12-05 Wells Fargo Bank, N.A. Location based transaction authentication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090187492A1 (en) * 2007-10-25 2009-07-23 Ayman Hammad Location based authentication
US20130268378A1 (en) * 2012-04-06 2013-10-10 Microsoft Corporation Transaction validation between a mobile communication device and a terminal using location data

Family Cites Families (75)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5715518A (en) 1996-03-06 1998-02-03 Cellular Technical Services Company, Inc. Adaptive waveform matching for use in transmitter identification
US7159237B2 (en) 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US7574499B1 (en) 2000-07-19 2009-08-11 Akamai Technologies, Inc. Global traffic management system using IP anycast routing and dynamic load-balancing
US8341297B2 (en) 2000-07-19 2012-12-25 Akamai Technologies, Inc. Latencies and weightings in a domain name service (DNS) system
US6892225B1 (en) 2000-07-19 2005-05-10 Fusionone, Inc. Agent system for a secure remote access system
US6696941B2 (en) 2001-09-04 2004-02-24 Agere Systems Inc. Theft alarm in mobile device
US7181252B2 (en) 2002-12-10 2007-02-20 Nokia Corporation System and method for performing security functions of a mobile station
US7392043B2 (en) 2003-04-17 2008-06-24 Ntt Docomo, Inc. API system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework
US7287173B2 (en) 2003-12-19 2007-10-23 Intel Corporation Method for computing power consumption levels of instruction and recompiling the program to reduce the excess power consumption
US20050186954A1 (en) 2004-02-20 2005-08-25 Tom Kenney Systems and methods that provide user and/or network personal data disabling commands for mobile devices
US7991854B2 (en) 2004-03-19 2011-08-02 Microsoft Corporation Dynamic session maintenance for mobile computing devices
US20050221800A1 (en) 2004-03-31 2005-10-06 Jackson Riley W Method for remote lockdown of a mobile computer
US7783281B1 (en) 2004-04-22 2010-08-24 Sprint Spectrum L.P. Method and system for securing a mobile device
US7865448B2 (en) 2004-10-19 2011-01-04 First Data Corporation Methods and systems for performing credit transactions with a wireless device
US20060217116A1 (en) 2005-03-18 2006-09-28 Cassett Tia M Apparatus and methods for providing performance statistics on a wireless communication device
EP1705872B1 (en) 2005-03-21 2008-12-24 Hewlett-Packard Development Company, L.P. Mobile device client and system supporting remote terminal management
US7479882B2 (en) 2005-04-14 2009-01-20 Flexilis, Inc. RFID security system and methods
US20070021112A1 (en) 2005-07-21 2007-01-25 Sun Microsystems, Inc. Method and system for ensuring mobile data security
US7730040B2 (en) 2005-07-27 2010-06-01 Microsoft Corporation Feedback-driven malware detector
US7304570B2 (en) 2005-08-10 2007-12-04 Scenera Technologies, Llc Methods, systems, and computer program products for providing context-based, hierarchical security for a mobile device
WO2007045150A1 (en) 2005-10-15 2007-04-26 Huawei Technologies Co., Ltd. A system for controlling the security of network and a method thereof
US7707314B2 (en) 2005-11-21 2010-04-27 Limelight Networks, Inc. Domain name resolution resource allocation
US7730187B2 (en) 2006-10-05 2010-06-01 Limelight Networks, Inc. Remote domain name service
US7707553B2 (en) 2005-12-08 2010-04-27 International Business Machines Corporation Computer method and system for automatically creating tests for checking software
US8290433B2 (en) 2007-11-14 2012-10-16 Blaze Mobile, Inc. Method and system for securing transactions made through a mobile communication device
US20070190995A1 (en) 2006-02-13 2007-08-16 Nokia Corporation Remote control of a mobile device
CN101438477B (en) 2006-03-28 2013-04-10 京瓷株式会社 Portable terminal and function operation control method
US7849502B1 (en) 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for monitoring network traffic
US20080046369A1 (en) 2006-07-27 2008-02-21 Wood Charles B Password Management for RSS Interfaces
US8149746B2 (en) 2006-08-28 2012-04-03 Intel Corporation Battery level based configuration of a mobile station by a base station
US8259568B2 (en) 2006-10-23 2012-09-04 Mcafee, Inc. System and method for controlling mobile device access to a network
US7853721B2 (en) 2006-11-09 2010-12-14 Yahoo! Inc. System and method for transmission of DNS beacons
US8195196B2 (en) 2006-12-29 2012-06-05 United States Cellular Corporation Mobility based service in wireless environment
US7430675B2 (en) 2007-02-16 2008-09-30 Apple Inc. Anticipatory power management for battery-powered electronic device
US7720936B2 (en) 2007-03-12 2010-05-18 Citrix Systems, Inc. Systems and methods of freshening and prefreshening a DNS cache
WO2009076447A1 (en) 2007-12-10 2009-06-18 Courion Corporaton Policy enforcement using esso
US8140796B2 (en) 2007-12-27 2012-03-20 Igt Serial advanced technology attachment write protection: mass storage data protection device
US8261351B1 (en) 2008-01-22 2012-09-04 F5 Networks, Inc. DNS flood protection platform for a network
US8948719B2 (en) 2008-05-22 2015-02-03 At&T Mobility Ii Llc Designation of cellular broadcast message identifiers for the commercial mobile alert system
US8266324B2 (en) 2008-06-12 2012-09-11 International Business Machines Corporation Domain specific domain name service
US8129949B2 (en) 2008-07-24 2012-03-06 Symbol Technologies, Inc. Device and method for instantaneous load reduction configuration to prevent under voltage condition
US9235704B2 (en) 2008-10-21 2016-01-12 Lookout, Inc. System and method for a scanning API
US8533844B2 (en) 2008-10-21 2013-09-10 Lookout, Inc. System and method for security data collection and analysis
US8108933B2 (en) 2008-10-21 2012-01-31 Lookout, Inc. System and method for attack and malware prevention
US8060936B2 (en) 2008-10-21 2011-11-15 Lookout, Inc. Security status and information display system
US8984628B2 (en) 2008-10-21 2015-03-17 Lookout, Inc. System and method for adverse mobile application identification
US8099472B2 (en) 2008-10-21 2012-01-17 Lookout, Inc. System and method for a mobile cross-platform software system
US9367680B2 (en) 2008-10-21 2016-06-14 Lookout, Inc. System and method for mobile communication device application advisement
US8051480B2 (en) 2008-10-21 2011-11-01 Lookout, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US8347386B2 (en) 2008-10-21 2013-01-01 Lookout, Inc. System and method for server-coupled malware prevention
US8087067B2 (en) 2008-10-21 2011-12-27 Lookout, Inc. Secure mobile platform system
US8185134B2 (en) 2008-10-21 2012-05-22 Qualcomm Incorporated Multimode GPS-enabled camera
US8266288B2 (en) 2008-10-23 2012-09-11 International Business Machines Corporation Dynamic expiration of domain name service entries
US8121617B1 (en) 2008-12-09 2012-02-21 Lagrotta James Thomas Method of remotely locating a mobile device equipped with a radio receiver
US20120188064A1 (en) 2009-02-17 2012-07-26 Lookout. Inc., a California Corporation System and method for remotely initiating playing of sound on a mobile device
US8855601B2 (en) 2009-02-17 2014-10-07 Lookout, Inc. System and method for remotely-initiated audio communication
US8538815B2 (en) 2009-02-17 2013-09-17 Lookout, Inc. System and method for mobile device replacement
US8467768B2 (en) 2009-02-17 2013-06-18 Lookout, Inc. System and method for remotely securing or recovering a mobile device
US8955747B2 (en) 2009-06-23 2015-02-17 At&T Mobility Ii Llc Devices, systems and methods for wireless point-of-sale
US8451735B2 (en) 2009-09-28 2013-05-28 Symbol Technologies, Inc. Systems and methods for dynamic load balancing in a wireless network
US8397301B2 (en) 2009-11-18 2013-03-12 Lookout, Inc. System and method for identifying and assessing vulnerabilities on a mobile communication device
US8103915B2 (en) 2010-02-12 2012-01-24 Verizon Patent And Licensing Inc. Failure system for domain name system client
US9767474B1 (en) 2010-03-23 2017-09-19 Amazon Technologies, Inc. Transaction tracking and incentives
US8984597B2 (en) 2010-05-27 2015-03-17 Microsoft Technology Licensing, Llc Protecting user credentials using an intermediary component
EP2609538B1 (en) 2010-08-25 2016-10-19 Lookout Inc. System and method for server-coupled malware prevention
SG189304A1 (en) 2010-10-08 2013-05-31 Lumi Technologies Ltd Multi-phased and partitioned content preparation and delivery
WO2012060997A2 (en) 2010-11-01 2012-05-10 Michael Luna Application and network-based long poll request detection and cacheability assessment therefor
US8671221B2 (en) 2010-11-17 2014-03-11 Hola Networks Ltd. Method and system for increasing speed of domain name system resolution within a computing device
EP2661697B1 (en) 2011-01-07 2018-11-21 Seven Networks, LLC System and method for reduction of mobile network traffic used for domain name system (dns) queries
US8316098B2 (en) 2011-04-19 2012-11-20 Seven Networks Inc. Social caching for device resource sharing and management
US20120317172A1 (en) 2011-06-13 2012-12-13 International Business Machines Corporation Mobile web app infrastructure
US20120324568A1 (en) 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile web protection
US9107055B2 (en) 2011-06-14 2015-08-11 Sonifi Solutions, Inc. Method and apparatus for pairing a mobile device to an output device
US8738765B2 (en) 2011-06-14 2014-05-27 Lookout, Inc. Mobile device DNS optimization
US8788881B2 (en) 2011-08-17 2014-07-22 Lookout, Inc. System and method for mobile device push communications

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090187492A1 (en) * 2007-10-25 2009-07-23 Ayman Hammad Location based authentication
US20130268378A1 (en) * 2012-04-06 2013-10-10 Microsoft Corporation Transaction validation between a mobile communication device and a terminal using location data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Anonymous. Mobile technology for increased productivity and profitability. Management Services; Enfield. Vol. 56, Iss. 3. Autum 2012: 15-17. (Year: 2012) *
Morris, Natalie. Tax Implications of Electronic Commerce. Alternate title: Belasting Implikasies Van Elektroniese Handel. University of Johannesburg (South Africa) ProQuest Dissertations Publishing, 2012. (Year: 2012) *

Also Published As

Publication number Publication date
US10699273B2 (en) 2020-06-30
US20180068309A1 (en) 2018-03-08

Similar Documents

Publication Publication Date Title
US9852416B2 (en) System and method for authorizing a payment transaction
US20200279263A1 (en) System and method for processing a payment transaction based on point-of-sale device and user device locations
US11783314B2 (en) Contacts for misdirected payments and user authentication
US11405781B2 (en) System and method for mobile identity protection for online user authentication
US9864987B2 (en) Account provisioning authentication
US10015156B2 (en) System for assessing network authentication requirements based on situational instance
CN105612543B (en) Method and system for provisioning payment credentials for mobile devices
US9934502B1 (en) Contacts for misdirected payments and user authentication
US9578022B2 (en) Multi-factor authentication techniques
US20150039519A1 (en) Tokenization in Mobile Environments
KR20160042865A (en) System and method for initially establishing and periodically confirming trust in a software application
US20170213220A1 (en) Securing transactions on an insecure network
CA3054287C (en) Contacts for misdirected payments and user authentication
JP2019537776A (en) Fraud detection in portable payment readers
US11580517B1 (en) Mobile device-based dual custody verification using micro-location
US11869004B2 (en) Mobile authentification method via peer mobiles
US11564102B2 (en) Fraudulent wireless network detection with proximate network data
Crowe et al. Mobile Phone Technology:“Smarter” Than We Thought
US20170213213A1 (en) Enhanced authentication security applicable in an at least partially insecure network environment
Park et al. Leveraging cellular infrastructure to improve fraud prevention
US20140222687A1 (en) Apparatus and method for reverse authorization
KR20130005635A (en) System for providing secure card payment system using mobile terminal and method thereof
CA2944084C (en) Provisioning of secure application

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

AS Assignment

Owner name: ALTER DOMUS (US) LLC, ILLINOIS

Free format text: SECURITY INTEREST;ASSIGNOR:LOOKOUT, INC.;REEL/FRAME:059909/0764

Effective date: 20220506

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS Assignment

Owner name: LOOKOUT, INC., CALIFORNIA

Free format text: RELEASE OF PATENT SECURITY INTEREST AT REEL 59909 AND FRAME 0764;ASSIGNOR:ALTER DOMUS (US) LLC, AS ADMINISTRATIVE AGENT;REEL/FRAME:063844/0638

Effective date: 20230602

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

AS Assignment

Owner name: LOOKOUT, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MAHAFFEY, KEVIN PATRICK;BUCK, BRIAN JAMES;SIGNING DATES FROM 20130821 TO 20130822;REEL/FRAME:063886/0959

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE AFTER FINAL ACTION FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STCB Information on status: application discontinuation

Free format text: EXPRESSLY ABANDONED -- DURING EXAMINATION