WO2013119914A1 - Tokenization in mobile and payment environments - Google Patents

Tokenization in mobile and payment environments Download PDF

Info

Publication number
WO2013119914A1
WO2013119914A1 PCT/US2013/025289 US2013025289W WO2013119914A1 WO 2013119914 A1 WO2013119914 A1 WO 2013119914A1 US 2013025289 W US2013025289 W US 2013025289W WO 2013119914 A1 WO2013119914 A1 WO 2013119914A1
Authority
WO
WIPO (PCT)
Prior art keywords
payment
token
information
central
payment information
Prior art date
Application number
PCT/US2013/025289
Other languages
French (fr)
Inventor
Ulf Mattsson
Yigal Rozenberg
Vichai LEVY
Original Assignee
Protegrity Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Protegrity Corporation filed Critical Protegrity Corporation
Priority to AU2013216868A priority Critical patent/AU2013216868B2/en
Priority to EP13747085.2A priority patent/EP2812821A4/en
Publication of WO2013119914A1 publication Critical patent/WO2013119914A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/20Point-of-sale [POS] network systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3223Realising banking transactions through M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/405Establishing or using transaction specific rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326Payment applications installed on the mobile devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q2220/00Business processing using cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • This application relates generally to the field of data protection, and more specifically to the tokenization of data in mobile and payment environments.
  • a mobile system for processing such sensitive data transmits the sensitive data, often wirelessly, between multiple authorized entities, any of which can store the sensitive data.
  • a mobile system for processing such sensitive data transmits the sensitive data, often wirelessly, between multiple authorized entities, any of which can store the sensitive data.
  • the register may transmit a credit card number received from the mobile phone to a local server
  • the local server may transmit the credit card number to a bank, and so forth.
  • the credit card number may be stored at the mobile phone, the register, the local server, the bank, and at any other entity implemented within a payment environment.
  • Sensitive data is vulnerable in such an environment to interception by unauthorized entities at multiple points, such as during each transmission between authorized entities or while stored at any authorized entity.
  • the sensitive data can be encrypted during transmission or storage using an encryption algorithm and encryption key.
  • encryption can be overcome/broken using a variety of hacking methods, and the use of encryption in financial systems is often subject to resource-intensive audit requirements.
  • Data storage security measures can be implemented while the sensitive data is stored at an authorized entity, but such storage security measures generally protect against intrusion by an unauthorized entity and do not protect the sensitive data after the unauthorized entity has overridden or bypassed the storage security measures.
  • Sensitive data such as communication data or payment information
  • a mobile device identifies data for communication, such as communication information entered by a user or as part of a communication or security protocol.
  • the mobile device retrieves device information and/or session information.
  • the mobile device identifies one or more tokenization parameters based on the retrieved device information and/or the retrieved session information, and tokenizes the identified data for communication based on the identified tokenization parameters.
  • the mobile device transmits the tokenized data to a communication system for processing.
  • a payment terminal can receive payment information associated with a transaction requested by a user, such as a credit card number or bank account number.
  • the payment terminal identifies transaction information associated with the transaction, such as a transaction amount or a geographic region.
  • the payment terminal identifies a set of tokenization parameters based on the identified transaction information, and tokenizes the received payment information based on the set of identified tokenization parameters.
  • the payment terminal then stores the tokenized payment information if the payment terminal is offline relative to a central payment system, or transmits the tokenized payment in formation if the payment terminal is online relative to the central payment system.
  • a payment terminal can receive payment information associated with a transaction, and can tokenize the received payment information based on a first set of tokenization parameters.
  • the payment terminal sends the tokenized payment information to a central payment system or other payment entity configured to detokenize and retokenize or to secondarily tokenize the tokenized payment information based on a second set of tokenization parameters.
  • the central payment system or other payment entity can be any payment system or other payment entity.
  • a user can submit payment information to a central security system and can receive a token card for storage at a mobile device of the user based on one or more use rules selected by the user.
  • the mobile device can display stored token cards, and in response to receiving a request for a transaction from the user, can allow the user to select a displayed token card for use in the transaction.
  • the selected token card is transmitted to a central payment system configured to identify the use rules used in generating the token card and to determine whether the identified use rules are satisfied by the transaction. Responsive to a determination that the use rules are satisfied by the transaction, the central payment system is configured to detokenize the selected token card and to send the detokenized payment card to a payment network for authorization and processing.
  • FIG. 1 illustrates a mobile and payment environment, according to one embodiment.
  • FIG. 2 illustrates a mobile and payment tokenization environment, according to one embodiment.
  • FIG. 3 is a flowchart of a process for the tokenization of data in a mobile environment, according to one embodiment.
  • Fig. 4 is a flowchart of a process for the tokenization of data in a payment environment, according to one embodiment.
  • FIG. 5 illustrates a centralized security system in a distributed payment tokenization environment, according to one embodiment.
  • FIG. 6 is a flowchart of a process for the tokenization and transmission of data by payment entities coupled to a central security system, according to one embodiment.
  • FIG. 7 illustrates data flow in a mobile and payment tokenization environment, according to one embodiment.
  • FIG. 8 is a flowchart of a process for using tokenized payment information stored on a mobile device in a financial transaction, according to one embodiment.
  • the tokenization of data refers to the generation of tokenized data by querying one or more token tables mapping input values to tokens with one or more portions of the data, and replacing the queried portions of the data with the resulting tokens from the token tables.
  • Tokenization can be combined with encryption for increased security, for example by encrypting sensitive data using a mathematically reversible cryptographic function (e.g., datatype-preserving encryption or DTP), a one-way non-reversible cryptographic function (e.g., a hash function with strong, secret salt), or a similar encryption before or after the tokenization of the sensitive data.
  • a mathematically reversible cryptographic function e.g., datatype-preserving encryption or DTP
  • a one-way non-reversible cryptographic function e.g., a hash function with strong, secret salt
  • Any suitable type of encryption can be used in the tokenization of data.
  • token refers to a string of characters mapped to an input string of characters in a token table, used as a substitute for the string of characters in the creation of tokenized data.
  • a token may have the same number of characters as the string being replaced, or can have a different number of characters. Further, the token may have characters of the same type (such as numeric, symbolic, or alphanumeric characters) as the string of characters being replaced or characters of a different type. Tokens can be randomly generated and assigned to a particular token table input value.
  • SLT tokenization maps each possible input values (e.g., possible character combinations of a string of characters) to a particular token.
  • An SLT includes a first column comprising permutations of input string values, and may include every possible input string value.
  • the second column of an SLT includes tokens, with each associated with an input string value of the first column. Each token in the second column may be unique among the tokens in the second column.
  • the SLT may also include one or several additional columns with additional tokens mapped to the input string values of the first column.
  • a seed value can be used to generate an SLT, for instance by generating random numbers based on the seed value for each token in the SLT.
  • sensitive data can be tokenized two or more times using the same or additional token tables.
  • Each successive tokenization is referred to as a "tokenization iteration" herein.
  • the first 8 digits of a 16 digit credit card number can be tokenized with an 8 digit token table to form first tokenized data
  • the last 12 digits of the first tokenized data can be tokenized using a 12 digit token table to form second tokenized data.
  • the first 4 digits of a credit card number are tokenized using a first token table
  • the second 4 digits are tokenized with a second token table
  • the third 4 digits are tokenized with a third token table
  • the last 4 digits are tokenized with a fourth token table.
  • Certain sections of the sensitive data may also be left un-tokenized; thus a first subset of the resulting tokenized data may contain portions of the sensitive data and a second subset of the tokenized data may contain a tokenized version of the sensitive data.
  • Dynamic token lookup table (“DLT”) tokenization operates similarly to SLT tokenization, but instead of using static tables for multiple tokenizations, a new token table entry is generated each time sensitive data is tokenized.
  • a seed value can be used to generate each DLT.
  • the sensitive data or portions of the sensitive data can be used as the seed value.
  • DLTs can in some configurations provide a higher level of security compared to SLT, but can also require the storage and/or transmission of a large amount of data associated with each of the generated token tables. While DLT tokenization can be used to tokenize data according to the principles described herein, the remainder of the description will be limited to instances of SLT tokenization for the purposes of simplicity
  • An IV is a string of data used to modify sensitive data prior to tokenizing the sensitive data.
  • Example sensitive data modification operations include performing linear or modulus addition on the IV and the sensitive data, performing logical operations on the sensitive data with the IV, encrypting the sensitive data using the IV as an encryption key, and the like.
  • the IV can be a portion of the sensitive data. For example, for a 12-digit number, the last 4 digits can be used as an IV to modify the first 8 digits before tokenization.
  • IVs can also be retrieved from an IV table, received from an external entity configured to provide IVs for use in tokenization, or can be generated based on, for instance, the identity of a user, the date/time of a requested tokenization operation, based on various tokenization parameters, and the like.
  • Data modified by one or more IVs that is subsequently tokenized includes an extra layer of security - an unauthorized party that gains access to the token tables used to tokenized the modified data will be able to detokenize the tokenized data, but will be unable to de-modify the modified data without access to the IVs used to modify the data.
  • tokenization parameters refers to the properties or characteristics of a tokenization operation.
  • tokenizing data according to tokenization parameters can refer to but is not limited to one or more of the following: the generation of token tables for use in tokenizing the data; the identity of pre-generated token tables for use in tokenizing the data; the type and number of token tables for use in tokenizing the data; the number of tokenization iterations to perform; the type, number, and source of initialization vectors for use in modifying the data prior to tokenization; and encryption operations to perform on the data before or after tokenization.
  • Tokenization and initialization vectors are described in greater detail in U.S. Patent Application No. 13/595,438, titled “Multiple Table Tokenization", filed August 27, 2012, the contents of which are hereby incorporated by reference.
  • Fig. 1 illustrates a mobile and payment environment, according to one embodiment.
  • the environment of Fig. 1 includes a mobile device 102, a payment terminal 104, a central payment system 106, a payment network 108, a bank 110, an authorization entity 112, a central communication system 114, and a central security system 116.
  • the entities of Fig. 1 are, include, or are implemented within computing devices and are configured to transmit and receive data through a connecting network 100.
  • the mobile and payment environment of Fig. 1 can include additional or different entities, and the entities illustrated can perform functionalities differently or other than those described herein.
  • any number of any type of entity may be included in the mobile and payment environment.
  • the connecting network 100 is typically the Internet, but may be any network, including but not limited to a LAN, a MAN, a WAN, a mobile wired or wireless network, a private network, a virtual private network, a direct communication line, and the like.
  • the connecting network can be a combination of multiple different networks. In such
  • the tokenization system can be implemented at, within, or co-located with an entity illustrated in Fig. 1, and can include both inner- and inter-entity communication lines.
  • the mobile device 102 is a computing device such as a mobile phone, a tablet computer, or a laptop computer.
  • the mobile device is a traditionally non-mobile entity, such as a desktop computer, a television, and the like.
  • the mobile device includes software configured to allow a user of the mobile device to interact with other entities within the environment of Fig. 1.
  • the mobile device can include a mobile wallet application or other payment application configured to allow a user to use the mobile device to transmit payment information when conducting a transaction, for instance at a store or restaurant.
  • the mobile device can also include a communication application configured to allow a user to use the mobile device to communication with other entities and other mobile devices.
  • the mobile device communicates wirelessly (for instance via Bluetooth, near field communication or "NFC", or mobile phone networks), though wired communication technologies may also be used.
  • transaction refers to the exchange of funds for goods or services. Funds can be exchanged by providing payment information from a first payment entity to a second payment entity.
  • payment information can include credit card numbers, debit card numbers, bank account numbers, PIN numbers, gift card numbers, ticket and other pay-card information (such as identifying information or account balance information), identity information, or any other information used to conduct financial transactions.
  • a transaction can involve the providing of cash to a user of an ATM terminal; in such instances, "goods or services” involves the transfer of cash from the ATM terminal to a user and the deduction of an equivalent amount of funds from a user account.
  • payment entity refers to an entity involved in the performance of a transaction, and can include, for example, any of the entities of the environment of Fig. 1, any applications running on the entities of the environment of Fig. 1, or any other entity associated with a transaction.
  • the payment terminal 104 is a computing device configured to allow a user to conduct a transaction, such as paying for goods or services, transferring funds, and the like.
  • the payment terminal can be an ATM terminal, a ticket dispenser, a terminal co-located with a cash register at a store or restaurant, a hand-held mobile phone payment system, or any other computing device for use in conducting a transaction.
  • the payment terminal can be configured to receive and transmit information associated with or characteristics of a transaction (hereinafter "transaction information”) and payment information to other payment entities.
  • Transaction information can include, but is not limited to, the identity of a user requesting/performing a transaction, a method of payment in a transaction, goods or services associated with the transaction, a price or cost associated with the transaction, the identity of an entity associated with the payment terminal or any other payment entity (such as a bank, store, business, and the like), a time/date of the transaction, and the like.
  • the payment terminal can receive and communicate transaction information and payment information wirelessly, though in other embodiments, the payment terminal may also be equipped with a physical credit card reader, with a cash receiving/output means, with network cables, and the like.
  • the payment terminal 104 includes a payment application (such as the payment application 214 described below in conjunction with Figs. 2, 5, and 7) including executable software configured to run on the payment terminal.
  • the payment application can be configured to allow the user 200 to conduct transactions via the payment terminal, for instance by allowing a user to provide payment information to other entities in exchange for goods or services, or to transfer funds. It should be noted that, as shown in the embodiment of Fig. 7, a payment application can also implemented in the mobile device 102, allowing a user to use the mobile device to conduct transactions.
  • the central payment system 106 is a computing device, such as a server, configured to provide a centralized payment interface between one or more payment terminals and one or more other payment entities, such as a payment network 108, a bank 110, and an authorization entity 112.
  • the central payment system can receive a transaction request from a payment terminal, identify an associated payment entity, transmit payment information associated with the transaction request to the associated payment entity, receive an authorization or denial for the transaction from the associated payment entity, transmit the authorization or denial to the payment terminal, and process the transaction upon receiving an authorization.
  • the payment terminals may communicatively couple to the central payment system only periodically; in such embodiments, a payment terminal may allow a user to conduct a transaction when the payment terminal is offline from the central payment system, may store offline transaction information and payment information at the payment terminal, and may upload the stored transaction information and payment information to the central payment system when the payment terminal next communicatively couples to the central payment system.
  • the payment network 108 includes a network of computing devices associated with various payment entities, such as credit card companies, debit card entities, online payment systems (such as Paypal and Google Wallet), coupon servers, merchant websites, payment gateways, and the like.
  • the payment network is configured to receive transaction information and payment information from the central payment system 106, identify a payment entity associated with the transaction, and provide a communicative interface between the central payment system and the payment entity.
  • the bank 110 includes one or more computing devices associated with a bank, such as web servers, financial servers, and the like. The bank 110 is configured to interface with the central payment system to conduct transactions, to allow for the transfer of funds, and to perform other financial functions.
  • the authorization entity 112 is a computing device associated with any entity configured to communicate with the central payment system to authorize transactions by users of a payment terminal 104.
  • an authorization entity can be a credit agency, a debit card account balance server, a gift card balance server, and the like.
  • the payment network, the bank, and the authorization entity can be implemented within the same computing device or network, and any number of payment networks, banks, and authorization entities can be present in the environment of Fig. 1.
  • the central communication system 114 is configured to provide a
  • the central communication system can include a communication server, a cell phone tower, a router, a wireless station or access point, a web server, or any other communicative computing system configured to receive and send communication
  • the central communication system can include and implement a variety of communication protocols in operation, and in various embodiments can provide webpages, SMS functionality, email routing, and the like between entities.
  • the central security system 116 is configured to provide a centralized security interface between entities in the environment of Fig. 1.
  • the central security system can generate, store, and provide token tables to the various entities, for instance in response to a request from the central communication system 1 14 or a payment terminal 104.
  • the central security system can also provide security use rules, encryption keys, credential information, initialization vectors, and any other security information for use in securing data transferred between entities in the environment of Fig. 1.
  • the central security system 116 is configured to receive credential information, for instance a password from a user or authorization credentials from a bank 110, and to authenticate the credential information prior to providing security information to an entity in the environment of Fig. 1.
  • Fig. 2 illustrates a mobile and payment tokenization environment, according to one embodiment.
  • the environment of Fig. 2 includes a mobile device 102, a payment terminal 104, a central payment system 106, and a central communication system 114.
  • the mobile device, payment terminal, central payment system, and central communication system are communicatively coupled to a central security system 116.
  • the central communication system is additionally communicatively coupled to a mobile phone 222, a computer 224, and a communication server 226.
  • the central payment system is additionally communicatively coupled to a payment network 108, a bank 110, and an authorization entity 112. Any number of each entity may be present in Fig. 2, and fewer, additional, or different entities may be present.
  • various entities can be implemented within a single entity, for instance the payment terminal can be implemented within the mobile device.
  • the mobile device 102, the payment terminal 104, the central communication system 114, and the central payment system 106 each include a token server (token server 202A, 202B, 202C, and 202D, respectively; “token servers 202" collectively) and a token tables storage module (204A, 204B, 204C, and 204D, respectively; "token tables storage modules 204" collectively).
  • Each token table storage module 204 stores token tables for use in tokenization.
  • the token tables storage modules can store token tables received from various sources, such as the central security system 116, the components of the entity with which each token tables storage module is part, or other entities within the environment of Fig. 2.
  • Each token server 202 is configured to retrieve token tables stored in a respective token tables storage module 204, and serve the retrieved token tables to various respective entity components.
  • the token server 202A is configured to retrieve token tables stored in the token tables storage module 204A and to provide the retrieved token tables to the communication application 206.
  • the token server 202B is configured to serve retrieved token tables to the payment application 214
  • the token server 202C is configured to serve retrieved token tables to the security interface 212
  • the token server 202D is configured to serve retrieved token tables to the payment interface 218.
  • the token servers 202 are also configured to store received token tables in the token tables storage modules 204. Each token server can receive token tables from the central security system 116, from respective entity components, or from other token servers. For example, the token server 202A can store token tables generated by and received from the communication application 206, received from the central security system 116, and received from the token server 202C.
  • Each token server 202 can also serve token tables to other token servers.
  • the token server 202A can serve one or more token tables used in tokenization by the communication application 206 to the token server 202C for use in detokenization by the security interface 212, and for storage in the token tables storage module 204C.
  • the token server 202B can serve one or more token tables used in tokenization by the payment application 214 for use in detokenization by the payment interface 218, and for storage in the token tables storage module 204D.
  • the central security system 116 provides token tables to the token servers 202 for storage in the token tables storage modules 204.
  • the central security system can provide one or more token tables periodically (for instance, every day, hour, or other time period); in response to a request for tokens from a token server 202; from the communication application 206, the security interface 212, the payment application 214, or the payment interface 218; in response to a certain number of tokenization operations by one or more of the entities of Fig. 2; in response to a transaction or communication request from the user 200; and the like.
  • the central security system can provide pre-generated token tables stored at the central security system, or can generate token tables in response to receiving a request for token tables.
  • Token tables stored at the central security system and the token tables storage modules can be associated with identifiers such that a token server 202 can request a particular token table. For example, if the communication application uses token table "X7m2" to tokenize data, the security interface can use the identifier "X7m2" to retrieve the same token table from the token tables storage module 204C for use in detokenizing the tokenized data.
  • a user 200 can use the mobile device 102 to transmit communication information to the central communication system 114.
  • the mobile device can be a mobile phone configured to make phone calls and/or send text messages to the central communication system, which can be a phone service provider, a mobile phone communication tower, and the like.
  • the mobile device can be a computer configured to send emails or other messages to or to communicate over any wired or wireless communication protocol, the selection of which is not material to the invention.
  • “communication data” refers to any information sent from the mobile device to the central communication system.
  • the mobile device 102 includes the token server 202A, the token tables storage module 204A, the communication application 206, and the device information storage module 208.
  • the central communication system 114 includes the token server 202C, the token tables storage module 204C, the communication server 210, and the security interface 212.
  • the communication application is configured to identify communication data, to identify device information and/or session information, to tokenize the communication data based on the device and/or session information, and to send the tokenized communication data to the central communication system.
  • the communication server provides a communicative interface between the central communication system and other entities (such as the mobile device, the mobile phone 222, the computer 224, and the communication server 226) by receiving and routing communication data between entities.
  • the security interface is configured to implement various tokenization-based security protocols for communication data received and routed by the communication server, as will be described below in detail.
  • the device information storage module 208 stores information describing the mobile device 102 (hereinafter "device information").
  • device information can include the brand or manufacturer of the mobile device, the make or model of the mobile device, identifying information associated with a mobile device SIM card, a phone number associated with the mobile device, a MAC address or IP address associated with the mobile device, a serial number of the mobile device, a wireless server provider associated with the mobile device, information identifying a user of the mobile device (such as a user name, a password, and the like), or any information associated with the mobile device.
  • the device information storage module 208 can also store information associated with use of the mobile device 102 (hereinafter "session information").
  • session information can include the number of times that the mobile device has previously communicated with the central communication system 114, the time and/or date of the previous communication between the mobile device and the central communication system, the length of a previous communication session or the total length of all
  • both the device information and the session information stored at the device information storage module can also be stored at the central communication system.
  • the communication application 206 identifies and tokenizes communication data.
  • the communication data can be data entered by the user 200, such as a text message, an email, a web search query, and the like.
  • the user 200 such as a text message, an email, a web search query, and the like.
  • communication data can be data required to implement a communication protocol, such as session establishing information, session continuance information, communication information formatted according to the communication protocol, access rights information, device identification information, and the like.
  • the communication data can be data required to establish a connection between the mobile device and central communication system in order for the user to make a phone call, to connect the mobile device to a wireless network implemented by the central communication system, and the like.
  • the communication application 206 receives a security protocol from the central communication system 114 and retrieves device and/or session information from the device information storage module 208 for use in tokenizing the identified communication data based on the received security protocol.
  • the received security protocol received specifies tokenization parameters for the communication application to identify and specifies retrieved device information and/or session information on which to identify the tokenization parameters.
  • a security protocol can specify that token table identities are to be determined based on particular retrieved device information and/or session information.
  • a communication application implementing such a security protocol can identify a token table based on, for example, a phone number associated with the mobile device 102.
  • a security protocol can also specify that token tables are to be generated based on the particular device information and/or session information.
  • a communication application implementing such a security protocol can use, for example, a SIM card number as a seed value to generate token values for a token table, or can send a session identifier to the central security system 116 for use in generate token tables.
  • a security protocol can specify that IVs can be determined based on particular device information and/or session information.
  • a communication application implementing such a security protocol can use, for example, the last four digits of a phone number associated with the mobile device 102 as an IV, or can use the time of the previous communication between the mobile device and the central communication system 114 to query an IV table to retrieve an IV.
  • a security protocol can specify that portion of the identified communication data for tokenization based on device information and/or session information.
  • a communication application implementing such a security protocol can identify, for example, the first four digits of the identified communication data if the date of the previous communication between the mobile device and the central communication system was between 1 and 4 days ago, the second four digits if the date of the previous communication was between 5 and 8 days ago, and so forth.
  • a security protocol can specify other tokenization parameters based on the device information and/or session information.
  • a communication application can determine a type of tokenization to use in tokenizing the identified communication data based on a geographic location of the mobile device 102, a number of tokenization iterations based on a time of day, a number of IVs for use in tokenization based on a brand of the mobile device, a type of modification to perform on the identified communication data with one or more IVs based on the identity of the user 200, an encryption to perform on the identified communication data before or after tokenization based on the strength of wireless connection between the mobile device and the central communication system 114, or any other tokenization parameter based on any other device and/or session information.
  • the communication application 206 tokenizes the identified tokenization parameters based on device and/or session information.
  • the tokenization parameters include a) the identity of a token table for retrieval from the token tables storage module 204A, b) an IV based on the first 4 bits of the identified
  • the communication application modifies the last 6 bits of the identified communication data with the first 4 bits, and tokenizes the modified data using the retrieved token table to produce tokenized communication data.
  • the communication application then sends the tokenized
  • the communication server 210 receives tokenized data from the communication application 206.
  • the communication server can store the received tokenized data in a communication storage module (not shown in Fig. 2), or can route it to another entity (such as the mobile phone 222, the computer 224, or the communication server 226).
  • the communication server can also respond to receiving tokenized data, for instance by informing the communication application that the tokenized data was received.
  • the security interface 212 is configured to implement one or more security protocols for use in tokenizing communications between the mobile device 102 and the central communication system 114.
  • the security protocols implemented by the security interface specify tokenization parameters for the communication application 206 to identify, and can specify the device information and/or the session information based on which the communication application identifies the tokenization parameters.
  • a security protocol implemented by the security interface can specify that the first 7 digits of a phone number associated with the mobile device be used by the communication application to identify a token table for use in tokenizing the communication data.
  • the security interface 212 can implement security measures for communications between the mobile device 102 and the central communication system unrelated to tokenization.
  • the security interface can require that the communication application establish a secure or encrypted connection prior to establishing a communication session between the mobile device and the central communication system 114.
  • the communication application uses device and/or session information specified by the security interface as an encryption key for encrypting communication data, and upon the receipt of the encrypted communication data by the communication server, the security interface decrypts the encrypted communication data using device information and/or session information received from the mobile device or stored at the central communication system.
  • the security interface 212 can require the communication application 206 to authenticate the identity of the user 200 or the mobile device 102 prior to establishing a communication session between the mobile device and the central communication system 114.
  • the security interface can require that the communication application tokenize a pre-determined data string by using a phone number of the mobile device to identify a token table stored in the token tables 204A and tokenizing the pre-determined string with the phone identified token table.
  • the security interface can tokenize the same pre-determined data string by using a phone number known to be associated with the mobile device to identify a token table stored in the token tables storage module 204C and tokenizing the predetermined string with the identified token table. If the tokenized string received from the communication application matches the string tokenized by the security interface, the security interface can determine that the identity of the mobile device is authentic, and can permit the establishment of the communication session.
  • the security interface 212 can require the mobile device 102 to re-authenticate itself periodically, or before each new communication session.
  • session information representing a session count is stored by the mobile device and the central communication system 114. After each communication session between the mobile device and the central communication system, the session count stored by each is incremented.
  • the security interface can require the communication application 206 to tokenize communication data using the session count, for instance as a token table identifier, an encryption key, or an IV.
  • the security interface 212 can require the communication application 206 to obtain a particular set of token tables for use in tokenizing communication data for a communication session.
  • the security interface can require the communication application to request and obtain (via the token server 202A and the token server 202C) a set of token tables stored at the token tables storage module 204C.
  • the security interface can require the communication application to obtain (via the token server 202A) a set of token tables from the central security system 116 for use in a communication session, and can retrieve (via the token server 202C) the same set of token tables, for instance in response to receiving communication data tokenized with the set of token tables from the communication application.
  • the security interface 212 can detokenize received tokenized communication data prior to the storage or routing of the communication data by the communication server 210. For example, if the central communication system 114 is securely coupled to the communication server 226, the security interface can detokenized received tokenized communication data, such as an email, and can serve the detokenized email to the communication server 210.
  • the security interface can also re-tokenize detokenized communication data prior to storage or routing.
  • the security interface may require a first level of security be implemented between the mobile device 102 and the central communication system, and a second level of security be implemented between the central communication system and the computer 224. Accordingly, the security interface can detokenize communication data from the mobile device tokenized according to the first level of security, and can re-tokenize the communication data according to the second level of security prior to the serving of the communication data to the computer by the communication server.
  • the security interface 212 may be required to access to the token tables used by the communication application 206 to tokenize the communication data.
  • the token server 202A receives token tables stored at the token tables storage module 204C via the token server 202C, or the token server 202A and the token server 202C each receive token tables from the central security system 116.
  • the security interface can request the generated token tables from the token server 202 A via the token server 202C, or can generate the same token tables using the device information and/or session information (for instance, if the device information and session information is also stored at the central communication system 114, or in response to requesting and receiving such information from the mobile device).
  • the token servers 202 A and 202C synchronize token tables stored at the token tables storage modules 204A and 204C periodically.
  • FIG. 3 is a flowchart of a process for the tokenization of data in a mobile environment, according to one embodiment.
  • a mobile device identifies 300 communication data to be communicated.
  • the communication data can be data entered by a user of the mobile device (such as a text message or email), can be data required for the establishment of a communication session (such as authentication information), or can be data required for communication using a particular communication protocol (such as WiFi or VoIP).
  • the mobile device retrieves 310 device information and/or session information associated with the mobile device, for instance based on a received security protocol.
  • Examples of device information include a phone number of the mobile device, a SIM card number of the device, and a serial number of the mobile device.
  • Examples of session information include a date and time of a previous communication session by the mobile device, a communication session count, and a session identifier.
  • the mobile device identifies 320 one or more tokenization parameters based on the retrieved device information and/or session information, for instance as specified in a received security protocol. For example, one or more token tables can be retrieved or generated based on a phone number of the mobile device, an IV can be generated based on the session count associated with the mobile device, and an encryption key can be generated for use in encrypting the tokenized data prior to communication based on an identity of the user of the mobile device.
  • the mobile device tokenizes 330 the identified data based on the identified tokenized parameters, and transmits 340 the tokenized data to a central tokenization parameters.
  • a user 200 can use the payment terminal 104 to conduct a financial transaction.
  • the payment terminal includes a payment application 214 and a transactions storage module 216.
  • the payment application is configured to receive payment information from the user, to tokenize the payment information, and to store or transmit the tokenized payment information.
  • the payment application can include, for example, a user interface presenting the user with various selectable transaction information (such as a description of a good or service, a price associated with the transaction, and various options for providing payment information).
  • the user selects one or more options associated with a transaction, is presented with a price associated with the transaction, and provides payment information by swiping a credit card at a card reader of the payment terminal.
  • the payment terminal 104 transmits tokenized payment information to and otherwise communicates with the central payment system 106.
  • the payment terminal can alternate between being communicatively coupled and communicatively uncoupled from the central payment system.
  • the payment terminal may communicatively couple to the central payment system periodically, such as once an hour or once a day, or may communicatively couple to the central payment system at a pre-determined time or in response to a request from the central payment system.
  • the payment terminal is referred to herein as "online” when communicatively coupled to the central payment system, and "offline" when communicatively uncoupled from the central payment system.
  • the payment application 214 is configured to allow a user 200 to conduct transactions when the payment terminal 104 is both online and offline.
  • the payment application can receive payment information from the user, can tokenize the received payment information, and can determine whether the payment terminal is online or offline.
  • the payment application can store the tokenized payment information in the transactions storage module 216.
  • the payment application can transmit the tokenized payment information to the central payment system 106.
  • the payment application 214 tokenizes the received payment information by accessing one or more token tables (identified, for instance, by one or more tokenization parameters as described below) and tokenizing all or part of the payment information using the accessed token tables.
  • the payment application can request token tables from the token server 202B, which, as described above, is configured to retrieve the requested token tables from the token tables storage module 204B.
  • the token server 202B Upon retrieving the requested token tables, the token server 202B provides the retrieved token tables to the payment application.
  • the payment application 214 identifies one or more tokenization parameters for use in tokenizing the received payment information.
  • the tokenization parameters are identified based on transaction information associated with the transaction being conducted. It should be noted that any tokenization parameter can be identified based on any combination of transaction information.
  • the payment application may also identify one or more tokenization parameters based on default or requested security protocols, or based on any other suitable factor.
  • the payment application can identify one or more token tables for retrieval or generation by the token server 202B based on the transaction information. For example, the payment application can identify a token table identifier or a seed value for generating token tables based on a time of transaction or a transaction price. Similarly, the payment application can identify, based on transaction information, an IV for use in tokenization, a type of modification to perform on the payment information based on an IV, a portion of the payment information to tokenize, a type of tokenization or number of tokenization iterations to perform, an encryption algorithm and/or encryption key for use in encrypting the payment information before or after tokenization, transaction information to combine with the payment information before or after tokenization, or any other tokenization parameter. In one embodiment, instead of identifying tokenization parameters based on transaction information, the payment application can identify tokenization parameters based on a default security protocol or based on a security protocol implemented by the central payment system 106.
  • the payment application 214 tokenizes the payment information based on the tokenization parameters. For example, if the identified tokenization parameters include the identity of token tables retrieved from the token tables storage module 204B and an encryption algorithm and key, the payment application encrypts the payment information using the encryption algorithm and key, and tokenizes the encrypted payment information using the retrieved token tables.
  • the payment terminal can store the tokenized payment information in the transactions storage module 216 if the payment terminal is offline, and can transmit the tokenized payment information to the central payment system 106 if the payment terminal is online. Tokenized payment information stored at the transactions storage module can be stored until the payment terminal comes online (e.g., when the payment terminal becomes
  • the payment terminal can output the stored tokenized payment information upon a request from the central payment system, or after tokenized payment information representing a threshold number of transactions is stored.
  • the central payment system 106 includes a payment interface 218 and a transactions storage module 220.
  • the payment interface is configured to receive tokenized payment information from the payment application payment terminal 104, and to route payment information to one or more financial entities, such as the payment network 108, the bank 110, the authorization entity 112, or any other financial entity not illustrated in the embodiment of Fig. 2.
  • the payment interface can route the tokenized credit card number to the authorization entity, can receive authorization for the transaction, and can output the tokenized credit card number to the payment network for processing and completion of the transaction.
  • the payment interface 218, prior to routing received tokenized payment information, can store the tokenized payment information in the transactions storage module 220.
  • Tokenized payment information associated with multiple transactions can be aggregated at the transactions storage module, and the payment interface can route the aggregated tokenized payment information periodically, at a pre-determined time, after a threshold number of transactions, or in response to a request from a payment entity, such as the payment network 108, the bank 110, or the authorization entity 112.
  • the central payment system can store and aggregate tokenized payment information at the transactions storage module until tokenized payment information associated with 100 transactions is stored, upon which the payment interface outputs the tokenized payment information representing the 100 transactions to the bank.
  • the payment terminal 104 is an ATM terminal
  • the central payment system can store and aggregate tokenized payment information at the transactions storage module until tokenized payment information associated with 100 transactions is stored, upon which the payment interface outputs the tokenized payment information representing the 100 transactions to the bank.
  • the payment terminal 104 is an ATM terminal
  • the central payment system can store and aggregate tokenized payment information at the transactions storage
  • the payment interface 218 detokenizes received tokenized payment information prior to storing the payment information at the transactions storage module 220, or prior to routing the payment information.
  • the payment interface can re-tokenize detokenized payment information prior to storage or routing, for instance based on more robust tokenization parameters.
  • the payment interface can perform secondary tokenization on the tokenized payment information, thus increasing the security of the tokenized payment information further.
  • the payment application 214 can provide the tokenization parameters used to tokenize the payment information for each transaction to the payment interface for use in detokenizing the tokenized payment information.
  • the payment application can output the identity of the user along with the tokenized payment information.
  • the payment interface can then access the one or more tables used to tokenize the payment information based on the identity of the user for use in detokenizing the payment information.
  • the token tables used by the payment application 214 to tokenize payment information, and/or used by the payment interface 218 to detokenize, re-tokenize or secondarily tokenize payment information can be received from the central security system 116 as noted above. Received token tables are stored at the token tables storage module 204B and 204D.
  • the central payment system 106 receives token tables from the central security system or generates token tables, and provides token tables to the payment terminal 104 for use in tokenization.
  • the central payment system can provide new or updated token tables to the payment terminal upon the payment terminal coming online.
  • the payment application uses the new or updated token tables for tokenization upon the payment terminal subsequently going offline until the payment terminal comes online again.
  • the payment terminal 104 after coming online after performing transactions while offline, the payment terminal 104 outputs stored tokenized payment information to the central payment system 106, and in response, the central payment system outputs a set of token tables to the payment terminal for use in subsequent tokenization.
  • the payment application 214 generates token tables for use in tokenization
  • the payment terminal can output the generated token tables along with stored tokenized payment information to the central payment system, and the payment interface 218 can use the received token tables in detokenizing the tokenized payment information.
  • the central payment system may be required to access the token tables used by the payment application to tokenize payment information before the payment interface 218 can detokenize the tokenized payment information.
  • tokenizing payment information prior to transmitting the payment information may eliminate various audit requirements imposed within financial institutions and systems.
  • tokenization may be combined with encryption, tokenized data itself is not an encrypted representation of the original data.
  • tokenized data includes one or more portions of the original data replaced with tokens within token table entries associated with the one or more portions of the original data.
  • the original data cannot be derived from the tokenized data. Accordingly, as unauthorized entities that intercept tokenized data cannot detokenize the data without access to the token tables used to tokenize the data, the need for various audits required by financial institutions and systems can be preempted.
  • FIG. 4 is a flowchart of a process for the tokenization of data in a payment environment, according to one embodiment.
  • a transaction can be requested by a user, for instance at a payment terminal, and in response, the payment terminal can prompt the user for payment information.
  • the payment terminal receives 400 payment information associated with a transaction.
  • the payment information can be a credit card number, a bank account number, or the like.
  • the payment terminal identifies 410 transaction information associated with the transaction.
  • Transaction information can include the time and date of the transaction, the identity of the user performing the transaction, the identity of a merchant associated with the transaction, the transaction payment method, the transaction amount/cost, and the like.
  • the payment terminal identifies 420 one or more tokenization parameters based on the transaction information. For example, one or more token tables can be identified based on a PIN number associated with the transaction, one or more token tables can be generated based on a user name associated with the user, a number of tokenization iterations can be identified based on the time of day of the transaction, and the like.
  • the payment terminal tokenizes 430 the payment information based on the identified tokenization parameters. For example, if the tokenization parameters identify a set of token tables and an encryption algorithm, the payment information is tokenized using the set of token tables and the tokenized payment information is subsequently encrypted using the encryption algorithm.
  • the payment terminal stores 440 the tokenized payment information until the payment terminal becomes communicatively coupled to the central payment system.
  • the payment terminal transmits 450 the tokenized payment information to the central payment system.
  • the tokenized payment information is transmitted from the payment terminal when coupled to the central payment system at a pre-determined time, at periodic intervals, or in response to a request from the central payment system.
  • Fig. 5 illustrates a centralized security system in a distributed payment tokenization environment, according to one embodiment. It should be noted that the payment tokenization environment of Fig. 2 can be implemented within the distributed payment tokenization environment of Fig. 5. Accordingly, the features and functionalities described in conjunction to Fig. 2 are equally applicable to the environment of Fig. 5.
  • the environment of Fig. 5 includes a variety of payment entities, such as a payment terminal 104, a payment application 212, a central payment system 106, a payment network 108, and a bank 110.
  • Other embodiments of the environment of Fig. 5 can include fewer, additional, or different entities than those shown in Fig. 2.
  • Each payment entity is communicatively coupled to a central security system 116, and is configured to receive token tables and/or tokenization parameters from the central security system, as will be described herein in greater detail.
  • the payment terminal 104 receives payment information from a user 200 during the performance of a transaction, for instance at a card reader or other input interface associated with the payment terminal.
  • the payment terminal includes the payment application 212, for instance running on the payment terminal or running in a computing system communicatively coupled to the payment terminal.
  • the payment application receives the payment information from the payment terminal and sends the payment information to the central payment system 106 (as described above).
  • the payment application may store the payment information when the payment terminal is offline, and may send the payment information to the central payment system when the payment terminal is online, for instance in response to a request from the central payment system or after payment information representing a threshold number of transactions is stored by the payment application.
  • the central payment system 106 can store received payment information for subsequent routing to the payment network 108, or can immediately send received payment information to the payment network.
  • the payment network can store received payment information for subsequent routing to the bank 110, or can immediately send received payment information to the bank.
  • the bank can process the transaction associated with the payment information by, for example, appropriating or transferring funds based on the received payment information. It should be noted that the payment network to which the central payment system sends the payment information can be based on information associated with or characteristics of the transaction ("transaction information" as used above). Similarly, the bank to which the payment network sends the payment information can be based on transaction information associated with the transaction.
  • a user with a Visa debit card associated with a Wells Fargo bank account can swipe the debit card at the grocery store checkout line card reader, and a payment application running on the card reader can send the debit card information to the grocery store's central payment system.
  • the central payment system of the grocery store can be configured to, at a pre-determined time of day, send the debit card information to a payment network associated with Visa, which in turn is configured to send the debit card information to a bank server associated with Wells Fargo.
  • any of the payment entities of the embodiment of Fig. 5 can tokenize payment information received from another payment entity. Further, any of the payment entities can implement one or more additional security measures, such as data modification (for instance, using IV s), encryption before or after tokenization, and the like. Accordingly, each payment entity in the embodiment of Fig. 5 can be configured to receive a set of token tables and/or a set of tokenization parameters from the central security system, and can tokenize received payment information based on the set of token tables and received tokenization parameters.
  • a payment entity can receive payment information tokenized with a first set of token tables and according to a first set of tokenization parameters, and can tokenize the tokenized payment information using a second set of token tables and according to a second set of tokenization parameters.
  • Payment entities can also detokenize payment information tokenized with a first set of token tables and according to a first set of tokenization parameters, and can re-tokenize the detokenized payment information using a second set of token tables and according to a second set of tokenization parameters.
  • tokenization parameters is used herein, in some embodiments, a payment entity can receive an encryption algorithm and/or encryption key, and can encrypt/decrypt received payment information without explicitly performing tokenization.
  • the central security system 116 includes a central token server 500, a token generation module 502, a security interface 504, a token tables storage module 506, and a tokenization parameters storage module 508.
  • the central security system includes components other than those described herein.
  • the central token server 500 retrieves, in response to a request from the security interface 504, one or more token tables received stored in the token tables storage module 506, and serves the retrieved token tables to the payment entities of Fig. 5.
  • the central token server can also receive token tables from the payment entities of Fig. 5, and can store the received token tables in the token tables storage module 506.
  • the payment application 212 can output the generated token tables, and the central token server can receive and store the generated token tables for subsequent retrieval and serving to a payment entity for use in detokenizing payment information tokenized with the generated token tables (such as the payment network 108 or the bank 110).
  • the token generation module 502 generates token tables, for instance in response to a request from the security interface 504. Token tables generated by the token generation module are sent to one or more payment entities and/or stored in the token tables storage module 506 by the central token server 500.
  • the security interface provides a token table seed value to the token generation module, and the token generation module generates token tables based on the token table seed value.
  • the security interface 504 provides sets of token tables (via the central token server 500) and/or sets of tokenization parameters to the payment entities of the Fig. 5 for use in tokenizing payment information.
  • each set of tokenization parameters can include an identity of one or more token tables for use in tokenization, a number of tokenization iterations to perform, a type of tokenization to perform, a data modification to perform (for instance, an IV modification), an encryption to perform, and any other property of tokenization.
  • the security interface can provide a set of tokenization parameters stored in the tokenization parameters storage module 508, or can generate a set of tokenization parameters and provide the generated set of tokenization parameters.
  • the security interface 504 can select a set of token tables and a set of tokenization parameters to provide to a payment entity based on a variety of factors. For example, the security interface can select a set of token tables and/or a set of tokenization parameters based on properties associated with the payment entity (such as the identity of the payment entity, a company or person associated with the payment entity, or a security level requested by the payment entity), properties associated with the user 200 (such as the identity of the user, a user name associated with the user, and the like), or transaction information (such as an amount of the transaction, a payment method, and the like). The security interface can select a different set of token tables and a different set of tokenization parameters for each payment entity in Fig. 5, or can select the same set of token tables and/or tokenization parameters for one or more payment entities.
  • properties associated with the payment entity such as the identity of the payment entity, a company or person associated with the payment entity, or a security level requested by the payment entity
  • properties associated with the user 200 such as the identity of
  • Any payment entity of Fig. 5 can tokenize received payment information and/or can detokenize payment information tokenized by a preceding payment entity.
  • any payment entity can encrypt received payment information, can decrypt payment information encrypted by a preceding payment entity, can modify received payment information, and/or can de-modify payment information modified by a preceding payment entity.
  • any payment entity can tokenize previously tokenized payment information, resulting in payment information that is tokenized two, three, or more times.
  • any payment entity can encrypt previously encrypted information, and can modify previously modified information.
  • a "preceding payment entity" refers to a payment entity within Fig. 5 that receives payment information in the performance of a transaction before the second payment entity.
  • the payment application 212 is a preceding payment entity relative to the central payment system 106, the payment network 108, and the bank 110.
  • "payment information” may refer to tokenized or untokenized payment information.
  • the security interface 504 can provide sets of token tables and tokenization parameters to the payment entities of Fig. 5 in response to a transaction request by the user, in response to the receipt of payment application at the payment terminal 104, or in response to requests from the payment entities of Fig. 5.
  • the central security system can provide sets of token tables and/or tokenization parameters to the payment entities of Fig. 5 in advance of a particular transaction, for instance periodically or after a set number of transactions.
  • the payment terminal 104 receives payment information in association with a transaction, and forwards the payment information to the payment application 212.
  • the payment application receives a first set of tokenization parameters identifying a first token table stored at the payment application, and identifying a first portion of the payment information to tokenize.
  • the payment application tokenizes the first portion of the payment information using the first token table to produce first tokenized payment information, and sends the first tokenized payment information to the central payment system 106.
  • the central payment system receives a second set of
  • tokenization parameters identifying a second token table stored at the central payment system and a second portion of the first tokenized payment information to tokenize.
  • the central payment system tokenizes the second portion of the tokenized payment information using the second token table to produce second tokenized payment information, and sends the second tokenized payment information to the payment network 108.
  • the payment network sends the second tokenized payment information to the bank 110, which receives a third set of tokenization parameters identifying the token tables and payment information portions identified by the first and second sets of tokenization parameters.
  • the bank retrieves the first and second token tables (for instance, from a token table storage module at the bank, or by requesting the token tables from the payment application and central payment system or from the central security system), and detokenizes the second tokenized payment information using the first and second token tables and based on the identified first and second payment information portions to obtain the original payment information for processing.
  • the payment terminal 104 receives payment information from the user 200, and tokenizes the payment information using a first set of token tables stored at the payment terminal to produce first tokenized payment information.
  • the payment application 212 receives an encryption algorithm from the central security system 116, encrypts the first tokenized payment information, and outputs the encrypted payment information.
  • the central payment system 106 receives the encryption algorithm and a second set of token tables from the central security system, decrypts the encrypted payment information using the encryption algorithm, tokenizes the decrypted payment information using the second set of token tables, and outputs the second tokenized payment information.
  • the payment network 108 receives the second set of token tables from the central security system, detokenizes the second tokenized payment information, and outputs the detokenized payment information.
  • the bank 110 receives the first set of token tables from the central security system, and detokenizes the detokenized payment information with the first set of token tables to produce the original payment information.
  • FIG. 6 is a flowchart of a process for the tokenization and transmission of data by payment entities coupled to a central security system, according to one embodiment.
  • a payment terminal receives 600 payment information associated with a transaction.
  • the payment terminal also receives 610 a first set of tokenization parameters from a central security system.
  • the payment terminal tokenizes 620 the payment information based on the first set of tokenization parameters, and transmits 630 the tokenized payment information to a centralized payment system coupled to a payment network associated with the transaction.
  • the centralized payment system receives 640 the first set of tokenization parameters and a second set of tokenization parameters from the central security system.
  • the centralized payment system detokenizes 650 the tokenized payment information based on the first set of tokenization parameters, and re -tokenizes 660 the detokenized payment information based on the second set of tokenization parameters.
  • the centralized payment system transmits 670 the re-tokenized payment information to the payment network.
  • Fig. 7 illustrates data flow in a mobile and payment tokenization environment, according to one embodiment.
  • the environment of Fig. 7 includes a mobile device 102, a central payment system 106, a payment network 108, an authorization entity 112, and a central security system 1 16.
  • Other embodiments of the environment of Fig. 7 can include fewer, additional, or different entities than those shown in Fig. 2.
  • a user 200 can register one or more credit card numbers, bank account numbers, or other payment information with the central security system 116, which provides tokenized representations of the payment information (hereinafter, "token cards") to the user's mobile device 102 for use in subsequent transactions.
  • the central security system includes a central token server 500, a token tables storage module 506, a tokenization module 702, and a use rules storage module 704. The central security system as described in the embodiment of Fig.
  • a credit card company or bank interface such as a website or computing system interface
  • a third-party tokenization broker an entity configured to receive payment information from users and provide token cards based on the payment information
  • a third-party tokenization broker an entity configured to receive payment information from users and provide token cards based on the payment information
  • a third-party tokenization broker an entity configured to receive payment information from users and provide token cards based on the payment information
  • any other entity configured to provide a user with an interface to create token cards.
  • the central token server 500 retrieves token tables stored in the token tables storage module 506 in response to a request from the tokenization module 702 or the central payment system 106.
  • the token tables storage module 506 stores a plurality of token tables, and each token table can be associated with one or more use rules.
  • each token table can include a metadata field storing a description of one or more use rules, or a use rules table can map token table identifiers to use rules associated with each token table.
  • the use rules storage module 704 stores a plurality of use rules.
  • a "use rule" defines a limitation or restriction of the use of payment information based on transaction information.
  • use rules can limit the use of payment information by business identity (a particular store, restaurant, and the like), by business type (e.g., movie theater, grocery store, hair salon), by geographic location (e.g., a particular city, state, or country), by transaction amount (the cost of a purchase or the amount of a transfer of funds), by date (e.g., day of the week, week, month, or particular date), by time (e.g., before 7pm, or between 1 lam and 1pm), by item/service purchase (e.g., groceries, gasoline), by merchant type (e.g., online or in-store), or by any other transaction characteristic.
  • business identity a particular store, restaurant, and the like
  • business type e.g., movie theater, grocery store, hair salon
  • geographic location e.g., a particular city, state, or country
  • the use rules storage module can also store a use rules table mapping token table identifiers to use rules. For example, for a token table that is used to tokenize payment information to produce token cards for use in transactions under $100, a token table identifier for the token table can be mapped to the use rule "under $100" in the use rules table.
  • the user 200 can request a token card through an interface provided by the tokenization module 702.
  • the tokenization module can prompt the user to enter payment information and to select one or more use rules.
  • the tokenization module retrieves example use rules from the use rules storage module 704 for display to a user, and the user can select from among the displayed use rules.
  • the user can create customized use rules that are subsequently stored in the use rules storage module.
  • the tokenization module receives payment information and a selection of one or more use rules 700.
  • the tokenization module may receive a credit card number and a selection of use rules restricting the use of a token card associated with the credit card number to gas stations and for purchases under $50.
  • the tokenization module 702 identifies (via the central token server 500) a token table stored at the token tables storage module 506 associated with the selected use rules.
  • the central token server queries metadata fields associated with each token table stored in the token tables storage module to identify a token table associated with the selected use rules.
  • the central token server can query a use rules table to identify a token table associated with the selected use rules.
  • An identified token table associated with the selected use rules is retrieved by the central token server and provided to the tokenization module. It should be noted that while the remainder of the description herein is limited to the identification of one table based on selected use rules for use in tokenizing payment information, other embodiments may identify multiple token tables associated with selected use rules for use in tokenizing payment information according to the principles described herein.
  • the tokenization module tokenizes the received payment information using the identified token table to produce a token card 706, and provides the token card to a mobile device 102 of the user.
  • the tokenization module can tokenize the received payment information by querying the identified token table with a data string representing the payment information, and by outputting the token mapped to the data string in the identified token table as the token card.
  • the tokenization module can produce a token card by querying the identified token table with a portion of the data string representing the payment information, by replacing the portion of the data string with the token mapped to the data string portion in the identified token table, and by outputting the partial tokenized payment information as the token card.
  • any tokenization parameters can be used by the tokenization module to tokenize the received payment information, though further description of such embodiments is not included for the purposes of simplicity.
  • a user can create multiple token cards using the same payment information (e.g., the same credit card number) by selecting different use rules in each instance of creating a token card for the payment information. For example, a first token card limiting transactions to grocery store purchases can be generated for a credit card number limiting purchases to grocery stores, a second token card limiting transactions to restaurant purchases under $75 can be generated for the credit card number, and so forth.
  • the selected use rules used to detokenize a token card are identified by first identifying the token table used to generate the token card, and then identifying the use rules associated with the token table (for instance by querying the metadata field of the token table or querying a use rules table as described above). Accordingly, in order to identify the token table used to generate the token card, the token tables stored at the token tables storage module 506 are queried to identify the token table that includes the token used to generate the token card. Thus, in some embodiments, no two token tables stored at the token tables storage module include the same token, allowing each token table to be uniquely identified by any of the tokens included in the token table.
  • the tokenization module allows the user to provide a name for a token card for display on the mobile device. For example, for a use rule restricting the use of a bank account number to purchases in Toronto, Canada, a user can provide the token card name "Toronto vacation", the tokenization module can store the token card name within the token card (for instance, in a metadata field), and the mobile device can display the token card name "Toronto vacation" in a list of token card names associated with token cards at the mobile device.
  • the user 200 can register a plurality of credit cards, debit cards, bank accounts, and other payment information with the central security system 116 in advance of conducting transactions associated with the registered payment information.
  • the central security system generates a token card each time the user provides payment information based on the use rules selected by the user, and the token cards are sent to the user's mobile device 102 for storage.
  • the payment information itself is not stored at the mobile device, limiting the exposure and risk of conducting transactions with the mobile device.
  • the user further limits the risk of an unauthorized entity conducting transactions with the mobile device in the event the mobile device is lost by the user. An unauthorized entity that gains access to the mobile device will be restricting in the use of the payment information based on the use rules selected by the user.
  • the user 200 uses the mobile device 102 to conduct a transaction using a token card stored at the mobile device.
  • the mobile device includes a user interface 710, a token cards storage module 712, a payment application 214, and an authorization interface 728.
  • the mobile device includes different components than those shown in the embodiment of Fig. 7.
  • the payment application 214 of the mobile device 102 is an application configured to allow the user 200 to conduct a transaction with a token card stored in the token cards storage module 712.
  • the token cards storage module stores token cards received from the central security system.
  • the payment application presents one or more stored token cards to the user via the user interface 710.
  • the user interface includes a display configured to display token cards presented by the payment application and input means configured to allow the user to select a presented token card.
  • the payment application 214 Upon receiving a request for a transaction from the user 200, the payment application 214 displays one or more stored token cards (for instance, all token cards stored at the token cards storage module, or a subset of stored token cards selected based on transaction information associated with the transaction) via the user interface 710. In response, the user can provide a token card selection 708 to the payment application via the user interface. The payment application retrieves the selected token card from the token cards storage module 712 and outputs the selected token card and associated transaction
  • the transaction information includes various characteristics of the transaction, for instance, the cost of the transaction, the merchant associated with the transaction, the geographic location of the transaction, and the like.
  • the central payment system 106 includes a payment interface 218, a token tables storage module 204D, a verification module 718, and a detokenization module 720.
  • the central payment system includes different components than those shown in the embodiment of Fig. 7.
  • the payment interface as described above, is configured to receive tokenized payment information (e.g., a selected token card), and to route payment
  • the token tables storage module 204D stores token tables 716 received from the central security system 116.
  • the central security system can provide token tables stored at the token tables storage module 506 to the token tables storage module 204D in advance of a particular transaction, in response to a request to create a token card from the user 200, or in response to a request from the central payment system.
  • the central security system can provide all token tables to the central payment system, or can provide just the token tables used in the creation of token cards.
  • the central security can also provide a use rules table to the central payment system for use in identifying token tables used in the generation of token cards.
  • the verification module 718 is configured to receive the selected token card and transaction information 714 from the payment interface 218. In response to receiving the selected token card, the verification module identifies the token table used to generate the selected token card. The verification module queries the token tables stored in the token tables storage module 204D to identify the token table including the selected token card as a token. In alternative embodiments, the verification module queries the central security system 116 to identify a token table stored in the token tables storage module 506 that includes the token equivalent to the selected token card.
  • the verification module retrieves the set of tokenization parameters and identifies the token table used to generate the selected token card based on the set of tokenization parameters.
  • the verification module 718 Upon identifying the token table used to generate the selected token card, the verification module 718 identifies the use rules associated with the token table.
  • the verification module accesses the metadata field of the identified token table to identify the stored use rules.
  • the use rules are stored in a use rules table mapping token table identifiers to use rules associated with token tables
  • the verification module queries the use rules table with an identifier of the identified token table to identify use rules associated with the identified token table.
  • the verification module 718 determines whether the identified use rules are satisfied based on the received transaction information and approves or denies the transaction based on the determination. For example, if the transaction information identifies that the transaction request is originating from Oregon, and the identified use rules limit use of the selected token card to transactions originating from California, the verification module determines that the use rules are not satisfied by the received transaction information and denies the transaction. In another example, if the transaction information identifies that the transaction is for $16, and the identified use rules limit use of the selected token card to transactions under $20, the verification module determines that the use rules are satisfied by the received transaction information and allows the transaction. In one embodiment, the verification module only verifies the transaction if all identified use rules are satisfied by the received transaction information.
  • the detokenization module 720 detokenizes the selected token card using the identified token table to produce the payment information associated with the selected token card.
  • the payment interface 218 transmits the payment information 722 to the payment network 108.
  • the payment network can seek authorization for the transaction from an authorization entity 112. Accordingly, the payment network can send an authorization request 724 including, for example, the amount of the transaction, the identity of the merchant, and any other suitable transaction information to the authorization entity.
  • the authorization entity 112 in response to receiving the authorization request 724, can authorize the transaction based on the transaction information included in the authorization request. For instance, if the transaction is for an amount below a threshold or within a geographic region associated with the user 200, the authorization entity can authorize the transaction without further input from the user. The authorization entity can also require user authorization from the user based on the transaction information included in the authorization request prior to authorizing the transaction. Continuing with the previous example, if the transaction is for an amount above the threshold or outside the geographic region associated with the user, the authorization entity can prompt the user to provide user authorization before the authorization entity authorizes the transaction.
  • the authorization entity 112 can send a user authorization request 726 to the mobile device 102 of the user 200.
  • the authorization interface 728 of the mobile device can receive the user authorization request and can prompt the user via the user interface 710 to authorize the transaction.
  • the authorization interface can display text via the user interface indicating that user authorization is required, and can receive via the user interface user input authorization the transaction.
  • the authorization entity can specify via the user authorization request a type of authorization required. For instance, the authorization entity can require the user to enter a PIN, password, or other user credentials associated with the user and known to the authorization entity in order to authorize the transaction, or can merely require the user to select an "authorize" button in order to authorize the transaction.
  • the authorization interface can display a request for user credentials via the user interface and based on the authorization requirements of the authorization entity.
  • the user 200 can authorize the transaction via the mobile device 102, for instance by entering required user credentials, by selecting an "authorize” button, or by providing any other authorization information.
  • the authorization interface 728 Upon receiving authorization information from the user, the authorization interface 728 sends a user authorization 730 to the authorization entity 112.
  • the user authorization can include authorization information such as a PIN, password, or other user credentials.
  • the user can reject the transaction, for instance, by selecting a "do not authorize" button provided by the authorization interface, or by taking no action with regards to the displayed authorization request.
  • the authorization interface can send the authorization rejection to the authorization entity, and in response, the authorization entity can deny authorization to the payment network.
  • the authorization entity 112 can authorize the transaction upon receiving the user authorization 730. If the authorization entity requires that the user provide various user credentials (such as a PIN or password), the authorization entity can determine whether the user credentials match known user credentials associated with the user, and can authorize the transaction based on the determination. If the authorization entity authorizes the transaction, the authorization entity outputs the authorization 732 to the payment network 108, and the payment network processes the transaction.
  • the authorization entity can determine whether the user credentials match known user credentials associated with the user, and can authorize the transaction based on the determination. If the authorization entity authorizes the transaction, the authorization entity outputs the authorization 732 to the payment network 108, and the payment network processes the transaction.
  • the use rules selected by a user 200 in the creation of a token card 706 can specify a level of authorization required for a transaction.
  • a user rule can specify that a PIN number or password be entered by the user at the mobile device before the transaction can be authorized.
  • the central payment system 106 upon receiving a selected token card generated based on such a use rule, can indicate to the payment network 108 that a particular authorization is required.
  • the payment network in turn can send an authorization request 724 to the authorization entity 112 specifying the required authorization, and the authorization entity 112 can send a user authorization request 726 based on the required authorization.
  • the central security system 116 can generate token cards 706 based on selected use rules, and can generate a token card table associating each token card with the use rules selected in the generation of the each token card.
  • the central security system can then send the token card table to the central payment system 106, and the verification module 718 can identify the user rules associated with a selected token card by querying the token card table with the selected token card.
  • token tables used in the generation of token cards are not necessarily associated with use rules.
  • the token card table can associate each token card with the identities of the one or more token tables used to generate the token card, allowing the verification module to identify the token tables used to generate a selected token card by querying the token card table with the selected token card.
  • the verification module if the verification module identifies a token table used to generate a selected token card that is not stored at the token tables storage module 204D, the verification module can request and receive the identified token table from the central security system 116.
  • Fig. 8 is a flowchart of a process for using tokenized payment information stored on a mobile device in a financial transaction, according to one embodiment.
  • a user provides 800 payment information and a selection of use rules to a central security system.
  • the payment information can be, for example, a credit card number, and the selected use rules can restrict, for example, the use of payment information to transactions under a threshold amount and within a geographic region.
  • the central security system can identify a token table associated with the selected use rules, and tokenize the payment information using the identified token table to generate a token card.
  • a mobile device of the user receives 810 a token card based on the provided payment information and the selected use rules.
  • a user selects 820 the token card, for instance from among a plurality of token cards stored at the mobile device, for use in a transaction.
  • the mobile device transmits 830 the selected token card to a central payment system for verification.
  • the mobile device can also transmit various transaction information associated with the transaction.
  • the central payment system identifies 840 the token table used to generate the selected token card, for instance by querying token tables stored at the central payment system or by querying the central security system with the selected token card.
  • the central payment system then identifies 850 the use rules associated with the identified token table, for instance by querying a metadata field of the identified token table storing the use rules or by querying a use rules table mapping token table identities to use rules.
  • the central payment system determines 860 if the identified use rules are satisfied by the transaction. For example, the central payment system ensures that the transaction information associated with the transaction do not violate the restrictions of the use rules. Responsive to a determination that the use rules are satisfied, the central payment system detokenizes 870 the selected token card using the identified token table to obtain the original payment information, and transmits 880 the payment information to a payment network.
  • the payment network requires authorization from an authorization entity and/or the user, and the user is prompted via the mobile device to provide authorization for the transaction (for instance by entering a PIN or password into the mobile device).
  • Certain aspects of the present invention include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions of the present invention could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by real time network operating systems.
  • the present invention also relates to an apparatus for performing the operations herein.
  • This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored on a non-transitory computer readable medium that can be accessed by the computer.
  • Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD- ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of computer-readable storage medium suitable for storing electronic instructions, and each coupled to a computer system bus.
  • the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
  • the present invention is well suited to a wide variety of computer network systems over numerous topologies.
  • the configuration and management of large networks comprise storage devices and computers that are communicatively coupled to dissimilar computers and storage devices over a network, such as the Internet.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules.

Description

TO E M Z AT I O IN MOBILE AND PAYMENT ENVIRONMENTS
INVENTORS:
ULF MATTSSON
YlGAL ROZENBERG
ViCHAi LEVY
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] The application claims the benefit of Provisional Application No. 61/597,588, filed on February 10, 2012; Provisional Application No. 61/597,592, filed on February 10, 2012; Provisional Application No. 61/609,677, filed on March 12, 2012; Application No. 13/761,028, filed on February 6, 2013; Application No. 13/761,020, filed on February 6, 2013; Application No. 13/761,011, filed on February 6, 2013; and Application No.
13/761,009, filed on February 6, 2013, all of which are incorporated herein by reference.
FIELD OF ART
[0002] This application relates generally to the field of data protection, and more specifically to the tokenization of data in mobile and payment environments.
BACKGROUND
[0003] Many challenges exist in handling financial and other sensitive data, such as credit card numbers, social security numbers, bank account numbers, and the like. In use, a mobile system for processing such sensitive data transmits the sensitive data, often wirelessly, between multiple authorized entities, any of which can store the sensitive data. For example, in a retail environment a user may make a payment with a mobile phone at a register, the register may transmit a credit card number received from the mobile phone to a local server, the local server may transmit the credit card number to a bank, and so forth. In this example, the credit card number may be stored at the mobile phone, the register, the local server, the bank, and at any other entity implemented within a payment environment.
Sensitive data is vulnerable in such an environment to interception by unauthorized entities at multiple points, such as during each transmission between authorized entities or while stored at any authorized entity.
[0004] To prevent unauthorized access to sensitive data, steps can be taken to protect the sensitive data. Such data protection measures are required by many jurisdictions for various categories of sensitive data. The sensitive data can be encrypted during transmission or storage using an encryption algorithm and encryption key. However, encryption can be overcome/broken using a variety of hacking methods, and the use of encryption in financial systems is often subject to resource-intensive audit requirements. Data storage security measures can be implemented while the sensitive data is stored at an authorized entity, but such storage security measures generally protect against intrusion by an unauthorized entity and do not protect the sensitive data after the unauthorized entity has overridden or bypassed the storage security measures.
SUMMARY
[0005] Sensitive data, such as communication data or payment information, is tokenized in a mobile environment or a payment environment. A mobile device identifies data for communication, such as communication information entered by a user or as part of a communication or security protocol. In response, the mobile device retrieves device information and/or session information. The mobile device identifies one or more tokenization parameters based on the retrieved device information and/or the retrieved session information, and tokenizes the identified data for communication based on the identified tokenization parameters. The mobile device transmits the tokenized data to a communication system for processing.
[0006] A payment terminal can receive payment information associated with a transaction requested by a user, such as a credit card number or bank account number. The payment terminal identifies transaction information associated with the transaction, such as a transaction amount or a geographic region. The payment terminal identifies a set of tokenization parameters based on the identified transaction information, and tokenizes the received payment information based on the set of identified tokenization parameters. The payment terminal then stores the tokenized payment information if the payment terminal is offline relative to a central payment system, or transmits the tokenized payment in formation if the payment terminal is online relative to the central payment system.
[0007] A payment terminal can receive payment information associated with a transaction, and can tokenize the received payment information based on a first set of tokenization parameters. The payment terminal sends the tokenized payment information to a central payment system or other payment entity configured to detokenize and retokenize or to secondarily tokenize the tokenized payment information based on a second set of
tokenization parameters. The central payment system or other payment entity can
subsequently transmit the tokenized payment information to a payment network associated with the transaction. [0008] A user can submit payment information to a central security system and can receive a token card for storage at a mobile device of the user based on one or more use rules selected by the user. The mobile device can display stored token cards, and in response to receiving a request for a transaction from the user, can allow the user to select a displayed token card for use in the transaction. The selected token card is transmitted to a central payment system configured to identify the use rules used in generating the token card and to determine whether the identified use rules are satisfied by the transaction. Responsive to a determination that the use rules are satisfied by the transaction, the central payment system is configured to detokenize the selected token card and to send the detokenized payment card to a payment network for authorization and processing.
BRIEF DESCRIPTION OF DRAWINGS
[0009] Fig. 1 illustrates a mobile and payment environment, according to one embodiment.
[0010] Fig. 2 illustrates a mobile and payment tokenization environment, according to one embodiment.
[0011] Fig. 3 is a flowchart of a process for the tokenization of data in a mobile environment, according to one embodiment.
[0012] Fig. 4 is a flowchart of a process for the tokenization of data in a payment environment, according to one embodiment.
[0013] Fig. 5 illustrates a centralized security system in a distributed payment tokenization environment, according to one embodiment.
[0014] Fig. 6 is a flowchart of a process for the tokenization and transmission of data by payment entities coupled to a central security system, according to one embodiment.
[0015] Fig. 7 illustrates data flow in a mobile and payment tokenization environment, according to one embodiment.
[0016] Fig. 8 is a flowchart of a process for using tokenized payment information stored on a mobile device in a financial transaction, according to one embodiment.
[0017] The figures depict embodiments for purposes of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the invention described herein. DETAILED DESCRIPTION
TOKENIZATION OVERVIEW
[0018] As used herein, the tokenization of data refers to the generation of tokenized data by querying one or more token tables mapping input values to tokens with one or more portions of the data, and replacing the queried portions of the data with the resulting tokens from the token tables. Tokenization can be combined with encryption for increased security, for example by encrypting sensitive data using a mathematically reversible cryptographic function (e.g., datatype-preserving encryption or DTP), a one-way non-reversible cryptographic function (e.g., a hash function with strong, secret salt), or a similar encryption before or after the tokenization of the sensitive data. Any suitable type of encryption can be used in the tokenization of data.
[0019] As used herein, the term token refers to a string of characters mapped to an input string of characters in a token table, used as a substitute for the string of characters in the creation of tokenized data. A token may have the same number of characters as the string being replaced, or can have a different number of characters. Further, the token may have characters of the same type (such as numeric, symbolic, or alphanumeric characters) as the string of characters being replaced or characters of a different type. Tokens can be randomly generated and assigned to a particular token table input value.
[0020] Any type of tokenization may be used to perform the functionalities described herein. One such type of tokenization is static lookup table ("SLT") tokenization. SLT tokenization maps each possible input values (e.g., possible character combinations of a string of characters) to a particular token. An SLT includes a first column comprising permutations of input string values, and may include every possible input string value. The second column of an SLT includes tokens, with each associated with an input string value of the first column. Each token in the second column may be unique among the tokens in the second column. Optionally, the SLT may also include one or several additional columns with additional tokens mapped to the input string values of the first column. A seed value can be used to generate an SLT, for instance by generating random numbers based on the seed value for each token in the SLT.
[0021] In some embodiments, to increase the security of tokenization, sensitive data can be tokenized two or more times using the same or additional token tables. Each successive tokenization is referred to as a "tokenization iteration" herein. For example, the first 8 digits of a 16 digit credit card number can be tokenized with an 8 digit token table to form first tokenized data, and the last 12 digits of the first tokenized data can be tokenized using a 12 digit token table to form second tokenized data. In another example, the first 4 digits of a credit card number are tokenized using a first token table, the second 4 digits are tokenized with a second token table, the third 4 digits are tokenized with a third token table, and the last 4 digits are tokenized with a fourth token table. Certain sections of the sensitive data may also be left un-tokenized; thus a first subset of the resulting tokenized data may contain portions of the sensitive data and a second subset of the tokenized data may contain a tokenized version of the sensitive data.
[0022] Dynamic token lookup table ("DLT") tokenization operates similarly to SLT tokenization, but instead of using static tables for multiple tokenizations, a new token table entry is generated each time sensitive data is tokenized. A seed value can be used to generate each DLT. In some embodiments, the sensitive data or portions of the sensitive data can be used as the seed value. DLTs can in some configurations provide a higher level of security compared to SLT, but can also require the storage and/or transmission of a large amount of data associated with each of the generated token tables. While DLT tokenization can be used to tokenize data according to the principles described herein, the remainder of the description will be limited to instances of SLT tokenization for the purposes of simplicity
[0023] The security of tokenization can be further increased through the use of initialization vectors ('TVs"). An IV is a string of data used to modify sensitive data prior to tokenizing the sensitive data. Example sensitive data modification operations include performing linear or modulus addition on the IV and the sensitive data, performing logical operations on the sensitive data with the IV, encrypting the sensitive data using the IV as an encryption key, and the like. The IV can be a portion of the sensitive data. For example, for a 12-digit number, the last 4 digits can be used as an IV to modify the first 8 digits before tokenization. IVs can also be retrieved from an IV table, received from an external entity configured to provide IVs for use in tokenization, or can be generated based on, for instance, the identity of a user, the date/time of a requested tokenization operation, based on various tokenization parameters, and the like. Data modified by one or more IVs that is subsequently tokenized includes an extra layer of security - an unauthorized party that gains access to the token tables used to tokenized the modified data will be able to detokenize the tokenized data, but will be unable to de-modify the modified data without access to the IVs used to modify the data. [0024] As used herein, "tokenization parameters" refers to the properties or characteristics of a tokenization operation. For example, tokenizing data according to tokenization parameters can refer to but is not limited to one or more of the following: the generation of token tables for use in tokenizing the data; the identity of pre-generated token tables for use in tokenizing the data; the type and number of token tables for use in tokenizing the data; the number of tokenization iterations to perform; the type, number, and source of initialization vectors for use in modifying the data prior to tokenization; and encryption operations to perform on the data before or after tokenization. Tokenization and initialization vectors are described in greater detail in U.S. Patent Application No. 13/595,438, titled "Multiple Table Tokenization", filed August 27, 2012, the contents of which are hereby incorporated by reference.
MOBILE AND PAYMENT ENVIRONMENT OVERVIEW
[0025] Fig. 1 illustrates a mobile and payment environment, according to one embodiment. The environment of Fig. 1 includes a mobile device 102, a payment terminal 104, a central payment system 106, a payment network 108, a bank 110, an authorization entity 112, a central communication system 114, and a central security system 116. The entities of Fig. 1 are, include, or are implemented within computing devices and are configured to transmit and receive data through a connecting network 100. In other embodiments, the mobile and payment environment of Fig. 1 can include additional or different entities, and the entities illustrated can perform functionalities differently or other than those described herein. In addition, although only one of each type of entities are illustrated in Fig. 1, any number of any type of entity may be included in the mobile and payment environment.
[0026] The connecting network 100 is typically the Internet, but may be any network, including but not limited to a LAN, a MAN, a WAN, a mobile wired or wireless network, a private network, a virtual private network, a direct communication line, and the like. The connecting network can be a combination of multiple different networks. In such
embodiments, the tokenization system can be implemented at, within, or co-located with an entity illustrated in Fig. 1, and can include both inner- and inter-entity communication lines.
[0027] The mobile device 102 is a computing device such as a mobile phone, a tablet computer, or a laptop computer. In some embodiments, the mobile device is a traditionally non-mobile entity, such as a desktop computer, a television, and the like. The mobile device includes software configured to allow a user of the mobile device to interact with other entities within the environment of Fig. 1. For example, the mobile device can include a mobile wallet application or other payment application configured to allow a user to use the mobile device to transmit payment information when conducting a transaction, for instance at a store or restaurant. The mobile device can also include a communication application configured to allow a user to use the mobile device to communication with other entities and other mobile devices. Generally, the mobile device communicates wirelessly (for instance via Bluetooth, near field communication or "NFC", or mobile phone networks), though wired communication technologies may also be used.
[0028] As used herein, "transaction" refers to the exchange of funds for goods or services. Funds can be exchanged by providing payment information from a first payment entity to a second payment entity. As used herein, "payment information" can include credit card numbers, debit card numbers, bank account numbers, PIN numbers, gift card numbers, ticket and other pay-card information (such as identifying information or account balance information), identity information, or any other information used to conduct financial transactions. It should be noted that in some embodiments, a transaction can involve the providing of cash to a user of an ATM terminal; in such instances, "goods or services" involves the transfer of cash from the ATM terminal to a user and the deduction of an equivalent amount of funds from a user account. As used herein, "payment entity" refers to an entity involved in the performance of a transaction, and can include, for example, any of the entities of the environment of Fig. 1, any applications running on the entities of the environment of Fig. 1, or any other entity associated with a transaction.
[0029] The payment terminal 104 is a computing device configured to allow a user to conduct a transaction, such as paying for goods or services, transferring funds, and the like. The payment terminal can be an ATM terminal, a ticket dispenser, a terminal co-located with a cash register at a store or restaurant, a hand-held mobile phone payment system, or any other computing device for use in conducting a transaction. The payment terminal can be configured to receive and transmit information associated with or characteristics of a transaction (hereinafter "transaction information") and payment information to other payment entities. Transaction information can include, but is not limited to, the identity of a user requesting/performing a transaction, a method of payment in a transaction, goods or services associated with the transaction, a price or cost associated with the transaction, the identity of an entity associated with the payment terminal or any other payment entity (such as a bank, store, business, and the like), a time/date of the transaction, and the like. The payment terminal can receive and communicate transaction information and payment information wirelessly, though in other embodiments, the payment terminal may also be equipped with a physical credit card reader, with a cash receiving/output means, with network cables, and the like.
[0030] The payment terminal 104 includes a payment application (such as the payment application 214 described below in conjunction with Figs. 2, 5, and 7) including executable software configured to run on the payment terminal. The payment application can be configured to allow the user 200 to conduct transactions via the payment terminal, for instance by allowing a user to provide payment information to other entities in exchange for goods or services, or to transfer funds. It should be noted that, as shown in the embodiment of Fig. 7, a payment application can also implemented in the mobile device 102, allowing a user to use the mobile device to conduct transactions.
[0031] The central payment system 106 is a computing device, such as a server, configured to provide a centralized payment interface between one or more payment terminals and one or more other payment entities, such as a payment network 108, a bank 110, and an authorization entity 112. The central payment system can receive a transaction request from a payment terminal, identify an associated payment entity, transmit payment information associated with the transaction request to the associated payment entity, receive an authorization or denial for the transaction from the associated payment entity, transmit the authorization or denial to the payment terminal, and process the transaction upon receiving an authorization. Alternatively, the payment terminals may communicatively couple to the central payment system only periodically; in such embodiments, a payment terminal may allow a user to conduct a transaction when the payment terminal is offline from the central payment system, may store offline transaction information and payment information at the payment terminal, and may upload the stored transaction information and payment information to the central payment system when the payment terminal next communicatively couples to the central payment system.
[0032] The payment network 108 includes a network of computing devices associated with various payment entities, such as credit card companies, debit card entities, online payment systems (such as Paypal and Google Wallet), coupon servers, merchant websites, payment gateways, and the like. The payment network is configured to receive transaction information and payment information from the central payment system 106, identify a payment entity associated with the transaction, and provide a communicative interface between the central payment system and the payment entity. The bank 110 includes one or more computing devices associated with a bank, such as web servers, financial servers, and the like. The bank 110 is configured to interface with the central payment system to conduct transactions, to allow for the transfer of funds, and to perform other financial functions. The authorization entity 112 is a computing device associated with any entity configured to communicate with the central payment system to authorize transactions by users of a payment terminal 104. For example, an authorization entity can be a credit agency, a debit card account balance server, a gift card balance server, and the like. Although illustrated separately, the payment network, the bank, and the authorization entity can be implemented within the same computing device or network, and any number of payment networks, banks, and authorization entities can be present in the environment of Fig. 1.
[0033] The central communication system 114 is configured to provide a
communicative interface between a mobile device 102 and one or more other entities, such as one or more payment entities, other mobile devices and computing devices, web sites, email servers, and the like. The central communication system can include a communication server, a cell phone tower, a router, a wireless station or access point, a web server, or any other communicative computing system configured to receive and send communication
information to and from communicating entities. The central communication system can include and implement a variety of communication protocols in operation, and in various embodiments can provide webpages, SMS functionality, email routing, and the like between entities.
[0034] The central security system 116 is configured to provide a centralized security interface between entities in the environment of Fig. 1. The central security system can generate, store, and provide token tables to the various entities, for instance in response to a request from the central communication system 1 14 or a payment terminal 104. The central security system can also provide security use rules, encryption keys, credential information, initialization vectors, and any other security information for use in securing data transferred between entities in the environment of Fig. 1. In one embodiment, the central security system 116 is configured to receive credential information, for instance a password from a user or authorization credentials from a bank 110, and to authenticate the credential information prior to providing security information to an entity in the environment of Fig. 1.
[0035] Fig. 2 illustrates a mobile and payment tokenization environment, according to one embodiment. The environment of Fig. 2 includes a mobile device 102, a payment terminal 104, a central payment system 106, and a central communication system 114. The mobile device, payment terminal, central payment system, and central communication system are communicatively coupled to a central security system 116. The central communication system is additionally communicatively coupled to a mobile phone 222, a computer 224, and a communication server 226. The central payment system is additionally communicatively coupled to a payment network 108, a bank 110, and an authorization entity 112. Any number of each entity may be present in Fig. 2, and fewer, additional, or different entities may be present. In some embodiments, various entities can be implemented within a single entity, for instance the payment terminal can be implemented within the mobile device.
[0036] The mobile device 102, the payment terminal 104, the central communication system 114, and the central payment system 106 each include a token server (token server 202A, 202B, 202C, and 202D, respectively; "token servers 202" collectively) and a token tables storage module (204A, 204B, 204C, and 204D, respectively; "token tables storage modules 204" collectively). Each token table storage module 204 stores token tables for use in tokenization. The token tables storage modules can store token tables received from various sources, such as the central security system 116, the components of the entity with which each token tables storage module is part, or other entities within the environment of Fig. 2.
[0037] Each token server 202 is configured to retrieve token tables stored in a respective token tables storage module 204, and serve the retrieved token tables to various respective entity components. For example, the token server 202A is configured to retrieve token tables stored in the token tables storage module 204A and to provide the retrieved token tables to the communication application 206. Similarly, the token server 202B is configured to serve retrieved token tables to the payment application 214, the token server 202C is configured to serve retrieved token tables to the security interface 212, and the token server 202D is configured to serve retrieved token tables to the payment interface 218.
[0038] The token servers 202 are also configured to store received token tables in the token tables storage modules 204. Each token server can receive token tables from the central security system 116, from respective entity components, or from other token servers. For example, the token server 202A can store token tables generated by and received from the communication application 206, received from the central security system 116, and received from the token server 202C.
[0039] Each token server 202 can also serve token tables to other token servers. For example, the token server 202A can serve one or more token tables used in tokenization by the communication application 206 to the token server 202C for use in detokenization by the security interface 212, and for storage in the token tables storage module 204C. Similarly, the token server 202B can serve one or more token tables used in tokenization by the payment application 214 for use in detokenization by the payment interface 218, and for storage in the token tables storage module 204D.
[0040] The central security system 116 provides token tables to the token servers 202 for storage in the token tables storage modules 204. The central security system can provide one or more token tables periodically (for instance, every day, hour, or other time period); in response to a request for tokens from a token server 202; from the communication application 206, the security interface 212, the payment application 214, or the payment interface 218; in response to a certain number of tokenization operations by one or more of the entities of Fig. 2; in response to a transaction or communication request from the user 200; and the like. The central security system can provide pre-generated token tables stored at the central security system, or can generate token tables in response to receiving a request for token tables. Token tables stored at the central security system and the token tables storage modules can be associated with identifiers such that a token server 202 can request a particular token table. For example, if the communication application uses token table "X7m2" to tokenize data, the security interface can use the identifier "X7m2" to retrieve the same token table from the token tables storage module 204C for use in detokenizing the tokenized data.
TOKENIZATION IN A MOBILE ENVIRONMENT
[0041] A user 200 can use the mobile device 102 to transmit communication information to the central communication system 114. In one embodiment, the mobile device can be a mobile phone configured to make phone calls and/or send text messages to the central communication system, which can be a phone service provider, a mobile phone communication tower, and the like. Alternatively, the mobile device can be a computer configured to send emails or other messages to or to communicate over any wired or wireless communication protocol, the selection of which is not material to the invention. As used herein, "communication data" refers to any information sent from the mobile device to the central communication system.
[0042] The mobile device 102 includes the token server 202A, the token tables storage module 204A, the communication application 206, and the device information storage module 208. The central communication system 114 includes the token server 202C, the token tables storage module 204C, the communication server 210, and the security interface 212. The communication application is configured to identify communication data, to identify device information and/or session information, to tokenize the communication data based on the device and/or session information, and to send the tokenized communication data to the central communication system. The communication server provides a communicative interface between the central communication system and other entities (such as the mobile device, the mobile phone 222, the computer 224, and the communication server 226) by receiving and routing communication data between entities. The security interface is configured to implement various tokenization-based security protocols for communication data received and routed by the communication server, as will be described below in detail.
[0043] The device information storage module 208 stores information describing the mobile device 102 (hereinafter "device information"). For example, device information can include the brand or manufacturer of the mobile device, the make or model of the mobile device, identifying information associated with a mobile device SIM card, a phone number associated with the mobile device, a MAC address or IP address associated with the mobile device, a serial number of the mobile device, a wireless server provider associated with the mobile device, information identifying a user of the mobile device (such as a user name, a password, and the like), or any information associated with the mobile device.
[0044] The device information storage module 208 can also store information associated with use of the mobile device 102 (hereinafter "session information"). For example, session information can include the number of times that the mobile device has previously communicated with the central communication system 114, the time and/or date of the previous communication between the mobile device and the central communication system, the length of a previous communication session or the total length of all
communication sessions between the mobile device and the central communication system, a session identifier identifying the current session between the mobile device and the communication system, or any information identifying the historical activity of the mobile device and/or the communication system. It should be noted that both the device information and the session information stored at the device information storage module can also be stored at the central communication system.
[0045] The communication application 206 identifies and tokenizes communication data. In one embodiment, the communication data can be data entered by the user 200, such as a text message, an email, a web search query, and the like. Alternatively, the
communication data can be data required to implement a communication protocol, such as session establishing information, session continuance information, communication information formatted according to the communication protocol, access rights information, device identification information, and the like. For example, the communication data can be data required to establish a connection between the mobile device and central communication system in order for the user to make a phone call, to connect the mobile device to a wireless network implemented by the central communication system, and the like.
[0046] The communication application 206 receives a security protocol from the central communication system 114 and retrieves device and/or session information from the device information storage module 208 for use in tokenizing the identified communication data based on the received security protocol. The received security protocol received specifies tokenization parameters for the communication application to identify and specifies retrieved device information and/or session information on which to identify the tokenization parameters.
[0047] A security protocol can specify that token table identities are to be determined based on particular retrieved device information and/or session information. A
communication application implementing such a security protocol can identify a token table based on, for example, a phone number associated with the mobile device 102. A security protocol can also specify that token tables are to be generated based on the particular device information and/or session information. A communication application implementing such a security protocol can use, for example, a SIM card number as a seed value to generate token values for a token table, or can send a session identifier to the central security system 116 for use in generate token tables.
[0048] A security protocol can specify that IVs can be determined based on particular device information and/or session information. A communication application implementing such a security protocol can use, for example, the last four digits of a phone number associated with the mobile device 102 as an IV, or can use the time of the previous communication between the mobile device and the central communication system 114 to query an IV table to retrieve an IV. A security protocol can specify that portion of the identified communication data for tokenization based on device information and/or session information. A communication application implementing such a security protocol can identify, for example, the first four digits of the identified communication data if the date of the previous communication between the mobile device and the central communication system was between 1 and 4 days ago, the second four digits if the date of the previous communication was between 5 and 8 days ago, and so forth.
[0049] A security protocol can specify other tokenization parameters based on the device information and/or session information. For example, a communication application can determine a type of tokenization to use in tokenizing the identified communication data based on a geographic location of the mobile device 102, a number of tokenization iterations based on a time of day, a number of IVs for use in tokenization based on a brand of the mobile device, a type of modification to perform on the identified communication data with one or more IVs based on the identity of the user 200, an encryption to perform on the identified communication data before or after tokenization based on the strength of wireless connection between the mobile device and the central communication system 114, or any other tokenization parameter based on any other device and/or session information.
[0050] Upon identifying one or more tokenization parameters based on device and/or session information, the communication application 206 tokenizes the identified
communication data based on the identified tokenization parameters. For example, if the tokenization parameters include a) the identity of a token table for retrieval from the token tables storage module 204A, b) an IV based on the first 4 bits of the identified
communication data, and c) a determination that the last 6 bits of the identified
communication data are to be modified with the IV and tokenized, then the communication application modifies the last 6 bits of the identified communication data with the first 4 bits, and tokenizes the modified data using the retrieved token table to produce tokenized communication data. The communication application then sends the tokenized
communication data to the central communication system 114, where it is received by the communication server 210.
[0051] The communication server 210 receives tokenized data from the communication application 206. The communication server can store the received tokenized data in a communication storage module (not shown in Fig. 2), or can route it to another entity (such as the mobile phone 222, the computer 224, or the communication server 226). The communication server can also respond to receiving tokenized data, for instance by informing the communication application that the tokenized data was received.
[0052] The security interface 212 is configured to implement one or more security protocols for use in tokenizing communications between the mobile device 102 and the central communication system 114. As noted above, the security protocols implemented by the security interface specify tokenization parameters for the communication application 206 to identify, and can specify the device information and/or the session information based on which the communication application identifies the tokenization parameters. For example, a security protocol implemented by the security interface can specify that the first 7 digits of a phone number associated with the mobile device be used by the communication application to identify a token table for use in tokenizing the communication data. [0053] The security interface 212 can implement security measures for communications between the mobile device 102 and the central communication system unrelated to tokenization. For example, the security interface can require that the communication application establish a secure or encrypted connection prior to establishing a communication session between the mobile device and the central communication system 114. In such an example, the communication application uses device and/or session information specified by the security interface as an encryption key for encrypting communication data, and upon the receipt of the encrypted communication data by the communication server, the security interface decrypts the encrypted communication data using device information and/or session information received from the mobile device or stored at the central communication system.
[0054] The security interface 212 can require the communication application 206 to authenticate the identity of the user 200 or the mobile device 102 prior to establishing a communication session between the mobile device and the central communication system 114. For example, the security interface can require that the communication application tokenize a pre-determined data string by using a phone number of the mobile device to identify a token table stored in the token tables 204A and tokenizing the pre-determined string with the phone identified token table. Upon the receipt of such a tokenized string by the communication server 210, the security interface can tokenize the same pre-determined data string by using a phone number known to be associated with the mobile device to identify a token table stored in the token tables storage module 204C and tokenizing the predetermined string with the identified token table. If the tokenized string received from the communication application matches the string tokenized by the security interface, the security interface can determine that the identity of the mobile device is authentic, and can permit the establishment of the communication session.
[0055] The security interface 212 can require the mobile device 102 to re-authenticate itself periodically, or before each new communication session. In one embodiment, session information representing a session count is stored by the mobile device and the central communication system 114. After each communication session between the mobile device and the central communication system, the session count stored by each is incremented. In this embodiment, the security interface can require the communication application 206 to tokenize communication data using the session count, for instance as a token table identifier, an encryption key, or an IV.
[0056] The security interface 212 can require the communication application 206 to obtain a particular set of token tables for use in tokenizing communication data for a communication session. For example, the security interface can require the communication application to request and obtain (via the token server 202A and the token server 202C) a set of token tables stored at the token tables storage module 204C. Likewise, the security interface can require the communication application to obtain (via the token server 202A) a set of token tables from the central security system 116 for use in a communication session, and can retrieve (via the token server 202C) the same set of token tables, for instance in response to receiving communication data tokenized with the set of token tables from the communication application.
[0057] The security interface 212 can detokenize received tokenized communication data prior to the storage or routing of the communication data by the communication server 210. For example, if the central communication system 114 is securely coupled to the communication server 226, the security interface can detokenized received tokenized communication data, such as an email, and can serve the detokenized email to the
communication server 226 for delivery to an intended recipient. The security interface can also re-tokenize detokenized communication data prior to storage or routing. For example, the security interface may require a first level of security be implemented between the mobile device 102 and the central communication system, and a second level of security be implemented between the central communication system and the computer 224. Accordingly, the security interface can detokenize communication data from the mobile device tokenized according to the first level of security, and can re-tokenize the communication data according to the second level of security prior to the serving of the communication data to the computer by the communication server.
[0058] It should be noted that in order to detokenize communication data received from the mobile device 102, the security interface 212 may be required to access to the token tables used by the communication application 206 to tokenize the communication data. As noted above, in certain embodiments, the token server 202A receives token tables stored at the token tables storage module 204C via the token server 202C, or the token server 202A and the token server 202C each receive token tables from the central security system 116. In embodiments in which the communication application 206 generates token tables based on device information and/or session information for use in tokenization, the security interface can request the generated token tables from the token server 202 A via the token server 202C, or can generate the same token tables using the device information and/or session information (for instance, if the device information and session information is also stored at the central communication system 114, or in response to requesting and receiving such information from the mobile device). In one embodiment, the token servers 202 A and 202C synchronize token tables stored at the token tables storage modules 204A and 204C periodically.
[0059] Fig. 3 is a flowchart of a process for the tokenization of data in a mobile environment, according to one embodiment. A mobile device identifies 300 communication data to be communicated. The communication data can be data entered by a user of the mobile device (such as a text message or email), can be data required for the establishment of a communication session (such as authentication information), or can be data required for communication using a particular communication protocol (such as WiFi or VoIP).
[0060] The mobile device retrieves 310 device information and/or session information associated with the mobile device, for instance based on a received security protocol.
Examples of device information include a phone number of the mobile device, a SIM card number of the device, and a serial number of the mobile device. Examples of session information include a date and time of a previous communication session by the mobile device, a communication session count, and a session identifier.
[0061] The mobile device identifies 320 one or more tokenization parameters based on the retrieved device information and/or session information, for instance as specified in a received security protocol. For example, one or more token tables can be retrieved or generated based on a phone number of the mobile device, an IV can be generated based on the session count associated with the mobile device, and an encryption key can be generated for use in encrypting the tokenized data prior to communication based on an identity of the user of the mobile device. The mobile device tokenizes 330 the identified data based on the identified tokenized parameters, and transmits 340 the tokenized data to a central
communication system.
TOKENIZATION IN A PAYMENT ENVIRONMENT
[0062] Returning to Fig. 2, a user 200 can use the payment terminal 104 to conduct a financial transaction. In addition to the token server 202B and token tables storage module 204B as described above, the payment terminal includes a payment application 214 and a transactions storage module 216. The payment application is configured to receive payment information from the user, to tokenize the payment information, and to store or transmit the tokenized payment information. The payment application can include, for example, a user interface presenting the user with various selectable transaction information (such as a description of a good or service, a price associated with the transaction, and various options for providing payment information). In various embodiments, the user selects one or more options associated with a transaction, is presented with a price associated with the transaction, and provides payment information by swiping a credit card at a card reader of the payment terminal.
[0063] The payment terminal 104 transmits tokenized payment information to and otherwise communicates with the central payment system 106. The payment terminal can alternate between being communicatively coupled and communicatively uncoupled from the central payment system. For example, the payment terminal may communicatively couple to the central payment system periodically, such as once an hour or once a day, or may communicatively couple to the central payment system at a pre-determined time or in response to a request from the central payment system. The payment terminal is referred to herein as "online" when communicatively coupled to the central payment system, and "offline" when communicatively uncoupled from the central payment system.
[0064] The payment application 214 is configured to allow a user 200 to conduct transactions when the payment terminal 104 is both online and offline. Upon receiving a request for a transaction from a user, the payment application can receive payment information from the user, can tokenize the received payment information, and can determine whether the payment terminal is online or offline. In response to a determination that the payment terminal is offline, the payment application can store the tokenized payment information in the transactions storage module 216. In response to a determination that the payment terminal is online, the payment application can transmit the tokenized payment information to the central payment system 106.
[0065] The payment application 214 tokenizes the received payment information by accessing one or more token tables (identified, for instance, by one or more tokenization parameters as described below) and tokenizing all or part of the payment information using the accessed token tables. To access the token tables, the payment application can request token tables from the token server 202B, which, as described above, is configured to retrieve the requested token tables from the token tables storage module 204B. Upon retrieving the requested token tables, the token server 202B provides the retrieved token tables to the payment application.
[0066] The payment application 214 identifies one or more tokenization parameters for use in tokenizing the received payment information. In one embodiment, the tokenization parameters are identified based on transaction information associated with the transaction being conducted. It should be noted that any tokenization parameter can be identified based on any combination of transaction information. The payment application may also identify one or more tokenization parameters based on default or requested security protocols, or based on any other suitable factor.
[0067] The payment application can identify one or more token tables for retrieval or generation by the token server 202B based on the transaction information. For example, the payment application can identify a token table identifier or a seed value for generating token tables based on a time of transaction or a transaction price. Similarly, the payment application can identify, based on transaction information, an IV for use in tokenization, a type of modification to perform on the payment information based on an IV, a portion of the payment information to tokenize, a type of tokenization or number of tokenization iterations to perform, an encryption algorithm and/or encryption key for use in encrypting the payment information before or after tokenization, transaction information to combine with the payment information before or after tokenization, or any other tokenization parameter. In one embodiment, instead of identifying tokenization parameters based on transaction information, the payment application can identify tokenization parameters based on a default security protocol or based on a security protocol implemented by the central payment system 106.
[0068] Upon identifying one or more tokenization parameters, the payment application 214 tokenizes the payment information based on the tokenization parameters. For example, if the identified tokenization parameters include the identity of token tables retrieved from the token tables storage module 204B and an encryption algorithm and key, the payment application encrypts the payment information using the encryption algorithm and key, and tokenizes the encrypted payment information using the retrieved token tables. As noted above, the payment terminal can store the tokenized payment information in the transactions storage module 216 if the payment terminal is offline, and can transmit the tokenized payment information to the central payment system 106 if the payment terminal is online. Tokenized payment information stored at the transactions storage module can be stored until the payment terminal comes online (e.g., when the payment terminal becomes
communicatively coupled to the central payment system 106), in response to which the payment application can output the stored tokenized payment information to the central payment system. Alternatively, the payment terminal can output the stored tokenized payment information upon a request from the central payment system, or after tokenized payment information representing a threshold number of transactions is stored.
[0069] In addition to the token server 202B and the token tables storage module 204B as described above, the central payment system 106 includes a payment interface 218 and a transactions storage module 220. The payment interface is configured to receive tokenized payment information from the payment application payment terminal 104, and to route payment information to one or more financial entities, such as the payment network 108, the bank 110, the authorization entity 112, or any other financial entity not illustrated in the embodiment of Fig. 2. In an example transaction, upon the swiping of a credit card by a user 200 and the subsequent tokenization and outputting of the credit card number to the central payment system, the payment interface can route the tokenized credit card number to the authorization entity, can receive authorization for the transaction, and can output the tokenized credit card number to the payment network for processing and completion of the transaction.
[0070] The payment interface 218, prior to routing received tokenized payment information, can store the tokenized payment information in the transactions storage module 220. Tokenized payment information associated with multiple transactions can be aggregated at the transactions storage module, and the payment interface can route the aggregated tokenized payment information periodically, at a pre-determined time, after a threshold number of transactions, or in response to a request from a payment entity, such as the payment network 108, the bank 110, or the authorization entity 112. In an example where the payment terminal 104 is an ATM terminal, the central payment system can store and aggregate tokenized payment information at the transactions storage module until tokenized payment information associated with 100 transactions is stored, upon which the payment interface outputs the tokenized payment information representing the 100 transactions to the bank. In some embodiments not described further herein, the payment terminal
communicatively couples directly to and transmits tokenized payment information to the payment network, the bank, or the authorization entity, bypassing the central payment system.
[0071] In one embodiment, the payment interface 218 detokenizes received tokenized payment information prior to storing the payment information at the transactions storage module 220, or prior to routing the payment information. In such an embodiment, the payment interface can re-tokenize detokenized payment information prior to storage or routing, for instance based on more robust tokenization parameters. Alternatively, instead of detokenizing received tokenized payment information, the payment interface can perform secondary tokenization on the tokenized payment information, thus increasing the security of the tokenized payment information further. In one embodiment, the payment application 214 can provide the tokenization parameters used to tokenize the payment information for each transaction to the payment interface for use in detokenizing the tokenized payment information. For example, if the payment application selects one or more token tables for use in tokenizing payment information based on the identity of the user 200, the payment application can output the identity of the user along with the tokenized payment information. The payment interface can then access the one or more tables used to tokenize the payment information based on the identity of the user for use in detokenizing the payment information.
[0072] The token tables used by the payment application 214 to tokenize payment information, and/or used by the payment interface 218 to detokenize, re-tokenize or secondarily tokenize payment information can be received from the central security system 116 as noted above. Received token tables are stored at the token tables storage module 204B and 204D. In one embodiment, the central payment system 106 receives token tables from the central security system or generates token tables, and provides token tables to the payment terminal 104 for use in tokenization. For example, the central payment system can provide new or updated token tables to the payment terminal upon the payment terminal coming online. In this example, upon the receipt of token tables from the central payment system by the payment terminal after coming online, the payment application uses the new or updated token tables for tokenization upon the payment terminal subsequently going offline until the payment terminal comes online again.
[0073] In one embodiment, after coming online after performing transactions while offline, the payment terminal 104 outputs stored tokenized payment information to the central payment system 106, and in response, the central payment system outputs a set of token tables to the payment terminal for use in subsequent tokenization. In embodiments where the payment application 214 generates token tables for use in tokenization, the payment terminal can output the generated token tables along with stored tokenized payment information to the central payment system, and the payment interface 218 can use the received token tables in detokenizing the tokenized payment information. It should be noted that the central payment system may be required to access the token tables used by the payment application to tokenize payment information before the payment interface 218 can detokenize the tokenized payment information.
[0074] Beneficially, tokenizing payment information prior to transmitting the payment information may eliminate various audit requirements imposed within financial institutions and systems. Though tokenization may be combined with encryption, tokenized data itself is not an encrypted representation of the original data. As described above, tokenized data includes one or more portions of the original data replaced with tokens within token table entries associated with the one or more portions of the original data. Thus, without access to the one or more token tables, the original data cannot be derived from the tokenized data. Accordingly, as unauthorized entities that intercept tokenized data cannot detokenize the data without access to the token tables used to tokenize the data, the need for various audits required by financial institutions and systems can be preempted.
[0075] Fig. 4 is a flowchart of a process for the tokenization of data in a payment environment, according to one embodiment. A transaction can be requested by a user, for instance at a payment terminal, and in response, the payment terminal can prompt the user for payment information. The payment terminal receives 400 payment information associated with a transaction. The payment information can be a credit card number, a bank account number, or the like. The payment terminal identifies 410 transaction information associated with the transaction. Transaction information can include the time and date of the transaction, the identity of the user performing the transaction, the identity of a merchant associated with the transaction, the transaction payment method, the transaction amount/cost, and the like.
[0076] The payment terminal identifies 420 one or more tokenization parameters based on the transaction information. For example, one or more token tables can be identified based on a PIN number associated with the transaction, one or more token tables can be generated based on a user name associated with the user, a number of tokenization iterations can be identified based on the time of day of the transaction, and the like. The payment terminal tokenizes 430 the payment information based on the identified tokenization parameters. For example, if the tokenization parameters identify a set of token tables and an encryption algorithm, the payment information is tokenized using the set of token tables and the tokenized payment information is subsequently encrypted using the encryption algorithm.
[0077] In response to the payment terminal being communicatively uncoupled
("offline") from a central payment system associated with the payment terminal, the payment terminal stores 440 the tokenized payment information until the payment terminal becomes communicatively coupled to the central payment system. In response to the payment terminal being communicatively coupled ("online") to the central payment system, the payment terminal transmits 450 the tokenized payment information to the central payment system. In one embodiment, the tokenized payment information is transmitted from the payment terminal when coupled to the central payment system at a pre-determined time, at periodic intervals, or in response to a request from the central payment system. TOKENIZATION IN A DISTRIBUTED PAYMENT ENVIRONMENT
[0078] Fig. 5 illustrates a centralized security system in a distributed payment tokenization environment, according to one embodiment. It should be noted that the payment tokenization environment of Fig. 2 can be implemented within the distributed payment tokenization environment of Fig. 5. Accordingly, the features and functionalities described in conjunction to Fig. 2 are equally applicable to the environment of Fig. 5.
[0079] The environment of Fig. 5 includes a variety of payment entities, such as a payment terminal 104, a payment application 212, a central payment system 106, a payment network 108, and a bank 110. Other embodiments of the environment of Fig. 5 can include fewer, additional, or different entities than those shown in Fig. 2. Each payment entity is communicatively coupled to a central security system 116, and is configured to receive token tables and/or tokenization parameters from the central security system, as will be described herein in greater detail.
[0080] The payment terminal 104 receives payment information from a user 200 during the performance of a transaction, for instance at a card reader or other input interface associated with the payment terminal. The payment terminal includes the payment application 212, for instance running on the payment terminal or running in a computing system communicatively coupled to the payment terminal. The payment application receives the payment information from the payment terminal and sends the payment information to the central payment system 106 (as described above). For example, the payment application may store the payment information when the payment terminal is offline, and may send the payment information to the central payment system when the payment terminal is online, for instance in response to a request from the central payment system or after payment information representing a threshold number of transactions is stored by the payment application.
[0081] The central payment system 106 can store received payment information for subsequent routing to the payment network 108, or can immediately send received payment information to the payment network. Likewise, the payment network can store received payment information for subsequent routing to the bank 110, or can immediately send received payment information to the bank. The bank can process the transaction associated with the payment information by, for example, appropriating or transferring funds based on the received payment information. It should be noted that the payment network to which the central payment system sends the payment information can be based on information associated with or characteristics of the transaction ("transaction information" as used above). Similarly, the bank to which the payment network sends the payment information can be based on transaction information associated with the transaction.
[0082] In an example embodiment, a user with a Visa debit card associated with a Wells Fargo bank account can swipe the debit card at the grocery store checkout line card reader, and a payment application running on the card reader can send the debit card information to the grocery store's central payment system. The central payment system of the grocery store can be configured to, at a pre-determined time of day, send the debit card information to a payment network associated with Visa, which in turn is configured to send the debit card information to a bank server associated with Wells Fargo.
[0083] Any of the payment entities of the embodiment of Fig. 5 can tokenize payment information received from another payment entity. Further, any of the payment entities can implement one or more additional security measures, such as data modification (for instance, using IV s), encryption before or after tokenization, and the like. Accordingly, each payment entity in the embodiment of Fig. 5 can be configured to receive a set of token tables and/or a set of tokenization parameters from the central security system, and can tokenize received payment information based on the set of token tables and received tokenization parameters.
[0084] In some embodiments, a payment entity can receive payment information tokenized with a first set of token tables and according to a first set of tokenization parameters, and can tokenize the tokenized payment information using a second set of token tables and according to a second set of tokenization parameters. Payment entities can also detokenize payment information tokenized with a first set of token tables and according to a first set of tokenization parameters, and can re-tokenize the detokenized payment information using a second set of token tables and according to a second set of tokenization parameters. Although the term "tokenization parameters" is used herein, in some embodiments, a payment entity can receive an encryption algorithm and/or encryption key, and can encrypt/decrypt received payment information without explicitly performing tokenization.
[0085] The central security system 116 includes a central token server 500, a token generation module 502, a security interface 504, a token tables storage module 506, and a tokenization parameters storage module 508. In other embodiments, the central security system includes components other than those described herein.
[0086] The central token server 500 retrieves, in response to a request from the security interface 504, one or more token tables received stored in the token tables storage module 506, and serves the retrieved token tables to the payment entities of Fig. 5. The central token server can also receive token tables from the payment entities of Fig. 5, and can store the received token tables in the token tables storage module 506. For example, in an embodiment in which the payment application 212 generates token tables for use in tokenizing payment information, the payment application can output the generated token tables, and the central token server can receive and store the generated token tables for subsequent retrieval and serving to a payment entity for use in detokenizing payment information tokenized with the generated token tables (such as the payment network 108 or the bank 110).
[0087] The token generation module 502 generates token tables, for instance in response to a request from the security interface 504. Token tables generated by the token generation module are sent to one or more payment entities and/or stored in the token tables storage module 506 by the central token server 500. In one embodiment, the security interface provides a token table seed value to the token generation module, and the token generation module generates token tables based on the token table seed value.
[0088] The security interface 504 provides sets of token tables (via the central token server 500) and/or sets of tokenization parameters to the payment entities of the Fig. 5 for use in tokenizing payment information. As described above, each set of tokenization parameters can include an identity of one or more token tables for use in tokenization, a number of tokenization iterations to perform, a type of tokenization to perform, a data modification to perform (for instance, an IV modification), an encryption to perform, and any other property of tokenization. The security interface can provide a set of tokenization parameters stored in the tokenization parameters storage module 508, or can generate a set of tokenization parameters and provide the generated set of tokenization parameters.
[0089] The security interface 504 can select a set of token tables and a set of tokenization parameters to provide to a payment entity based on a variety of factors. For example, the security interface can select a set of token tables and/or a set of tokenization parameters based on properties associated with the payment entity (such as the identity of the payment entity, a company or person associated with the payment entity, or a security level requested by the payment entity), properties associated with the user 200 (such as the identity of the user, a user name associated with the user, and the like), or transaction information (such as an amount of the transaction, a payment method, and the like). The security interface can select a different set of token tables and a different set of tokenization parameters for each payment entity in Fig. 5, or can select the same set of token tables and/or tokenization parameters for one or more payment entities.
[0090] Any payment entity of Fig. 5 can tokenize received payment information and/or can detokenize payment information tokenized by a preceding payment entity. In addition, any payment entity can encrypt received payment information, can decrypt payment information encrypted by a preceding payment entity, can modify received payment information, and/or can de-modify payment information modified by a preceding payment entity. Further, any payment entity can tokenize previously tokenized payment information, resulting in payment information that is tokenized two, three, or more times. Similarly, any payment entity can encrypt previously encrypted information, and can modify previously modified information.
[0091] As used herein, a "preceding payment entity", relative to a second payment entity, refers to a payment entity within Fig. 5 that receives payment information in the performance of a transaction before the second payment entity. For example, the payment application 212 is a preceding payment entity relative to the central payment system 106, the payment network 108, and the bank 110. Further, it should be noted that in the context of Fig. 5, "payment information" may refer to tokenized or untokenized payment information.
[0092] It should be noted that the security interface 504 can provide sets of token tables and tokenization parameters to the payment entities of Fig. 5 in response to a transaction request by the user, in response to the receipt of payment application at the payment terminal 104, or in response to requests from the payment entities of Fig. 5. In addition, the central security system can provide sets of token tables and/or tokenization parameters to the payment entities of Fig. 5 in advance of a particular transaction, for instance periodically or after a set number of transactions.
[0093] In a first example embodiment, the payment terminal 104 receives payment information in association with a transaction, and forwards the payment information to the payment application 212. The payment application receives a first set of tokenization parameters identifying a first token table stored at the payment application, and identifying a first portion of the payment information to tokenize. In response, the payment application tokenizes the first portion of the payment information using the first token table to produce first tokenized payment information, and sends the first tokenized payment information to the central payment system 106. The central payment system receives a second set of
tokenization parameters identifying a second token table stored at the central payment system and a second portion of the first tokenized payment information to tokenize. In response, the central payment system tokenizes the second portion of the tokenized payment information using the second token table to produce second tokenized payment information, and sends the second tokenized payment information to the payment network 108. The payment network sends the second tokenized payment information to the bank 110, which receives a third set of tokenization parameters identifying the token tables and payment information portions identified by the first and second sets of tokenization parameters. The bank retrieves the first and second token tables (for instance, from a token table storage module at the bank, or by requesting the token tables from the payment application and central payment system or from the central security system), and detokenizes the second tokenized payment information using the first and second token tables and based on the identified first and second payment information portions to obtain the original payment information for processing.
[0094] In a second example embodiment, the payment terminal 104 receives payment information from the user 200, and tokenizes the payment information using a first set of token tables stored at the payment terminal to produce first tokenized payment information. The payment application 212 receives an encryption algorithm from the central security system 116, encrypts the first tokenized payment information, and outputs the encrypted payment information. The central payment system 106 receives the encryption algorithm and a second set of token tables from the central security system, decrypts the encrypted payment information using the encryption algorithm, tokenizes the decrypted payment information using the second set of token tables, and outputs the second tokenized payment information. The payment network 108 receives the second set of token tables from the central security system, detokenizes the second tokenized payment information, and outputs the detokenized payment information. The bank 110 receives the first set of token tables from the central security system, and detokenizes the detokenized payment information with the first set of token tables to produce the original payment information.
[0095] Fig. 6 is a flowchart of a process for the tokenization and transmission of data by payment entities coupled to a central security system, according to one embodiment. A payment terminal receives 600 payment information associated with a transaction. The payment terminal also receives 610 a first set of tokenization parameters from a central security system. The payment terminal tokenizes 620 the payment information based on the first set of tokenization parameters, and transmits 630 the tokenized payment information to a centralized payment system coupled to a payment network associated with the transaction.
[0096] The centralized payment system receives 640 the first set of tokenization parameters and a second set of tokenization parameters from the central security system. The centralized payment system detokenizes 650 the tokenized payment information based on the first set of tokenization parameters, and re -tokenizes 660 the detokenized payment information based on the second set of tokenization parameters. The centralized payment system transmits 670 the re-tokenized payment information to the payment network. ΤθΚΕΝΙΖΑΤΙΟΝ OF PAYMENT INFORMATION IN MOBILE ENVIRONMENTS
[0097] Fig. 7 illustrates data flow in a mobile and payment tokenization environment, according to one embodiment. The environment of Fig. 7 includes a mobile device 102, a central payment system 106, a payment network 108, an authorization entity 112, and a central security system 1 16. Other embodiments of the environment of Fig. 7 can include fewer, additional, or different entities than those shown in Fig. 2.
[0098] A user 200 can register one or more credit card numbers, bank account numbers, or other payment information with the central security system 116, which provides tokenized representations of the payment information (hereinafter, "token cards") to the user's mobile device 102 for use in subsequent transactions. The central security system includes a central token server 500, a token tables storage module 506, a tokenization module 702, and a use rules storage module 704. The central security system as described in the embodiment of Fig. 7 can be a credit card company or bank interface (such as a website or computing system interface), a third-party tokenization broker (an entity configured to receive payment information from users and provide token cards based on the payment information) not affiliated with a credit card company or bank, or any other entity configured to provide a user with an interface to create token cards.
[0099] The central token server 500 retrieves token tables stored in the token tables storage module 506 in response to a request from the tokenization module 702 or the central payment system 106. The token tables storage module 506 stores a plurality of token tables, and each token table can be associated with one or more use rules. For instance, each token table can include a metadata field storing a description of one or more use rules, or a use rules table can map token table identifiers to use rules associated with each token table.
[0100] The use rules storage module 704 stores a plurality of use rules. As used herein, a "use rule" defines a limitation or restriction of the use of payment information based on transaction information. For instance, use rules can limit the use of payment information by business identity (a particular store, restaurant, and the like), by business type (e.g., movie theater, grocery store, hair salon), by geographic location (e.g., a particular city, state, or country), by transaction amount (the cost of a purchase or the amount of a transfer of funds), by date (e.g., day of the week, week, month, or particular date), by time (e.g., before 7pm, or between 1 lam and 1pm), by item/service purchase (e.g., groceries, gasoline), by merchant type (e.g., online or in-store), or by any other transaction characteristic. The use rules storage module can also store a use rules table mapping token table identifiers to use rules. For example, for a token table that is used to tokenize payment information to produce token cards for use in transactions under $100, a token table identifier for the token table can be mapped to the use rule "under $100" in the use rules table.
[0101] The user 200 can request a token card through an interface provided by the tokenization module 702. The tokenization module can prompt the user to enter payment information and to select one or more use rules. In one embodiment, the tokenization module retrieves example use rules from the use rules storage module 704 for display to a user, and the user can select from among the displayed use rules. Alternatively, the user can create customized use rules that are subsequently stored in the use rules storage module. The tokenization module receives payment information and a selection of one or more use rules 700. For example, the tokenization module may receive a credit card number and a selection of use rules restricting the use of a token card associated with the credit card number to gas stations and for purchases under $50.
[0102] The tokenization module 702 identifies (via the central token server 500) a token table stored at the token tables storage module 506 associated with the selected use rules. In one embodiment, the central token server queries metadata fields associated with each token table stored in the token tables storage module to identify a token table associated with the selected use rules. Alternatively, the central token server can query a use rules table to identify a token table associated with the selected use rules. An identified token table associated with the selected use rules is retrieved by the central token server and provided to the tokenization module. It should be noted that while the remainder of the description herein is limited to the identification of one table based on selected use rules for use in tokenizing payment information, other embodiments may identify multiple token tables associated with selected use rules for use in tokenizing payment information according to the principles described herein.
[0103] The tokenization module tokenizes the received payment information using the identified token table to produce a token card 706, and provides the token card to a mobile device 102 of the user. The tokenization module can tokenize the received payment information by querying the identified token table with a data string representing the payment information, and by outputting the token mapped to the data string in the identified token table as the token card. In other embodiments not described further herein, the tokenization module can produce a token card by querying the identified token table with a portion of the data string representing the payment information, by replacing the portion of the data string with the token mapped to the data string portion in the identified token table, and by outputting the partial tokenized payment information as the token card. Similarly, any tokenization parameters can be used by the tokenization module to tokenize the received payment information, though further description of such embodiments is not included for the purposes of simplicity.
[0104] It should be noted that a user can create multiple token cards using the same payment information (e.g., the same credit card number) by selecting different use rules in each instance of creating a token card for the payment information. For example, a first token card limiting transactions to grocery store purchases can be generated for a credit card number limiting purchases to grocery stores, a second token card limiting transactions to restaurant purchases under $75 can be generated for the credit card number, and so forth.
[0105] As will be described below in greater detail, the selected use rules used to detokenize a token card are identified by first identifying the token table used to generate the token card, and then identifying the use rules associated with the token table (for instance by querying the metadata field of the token table or querying a use rules table as described above). Accordingly, in order to identify the token table used to generate the token card, the token tables stored at the token tables storage module 506 are queried to identify the token table that includes the token used to generate the token card. Thus, in some embodiments, no two token tables stored at the token tables storage module include the same token, allowing each token table to be uniquely identified by any of the tokens included in the token table.
[0106] In one embodiment, the tokenization module allows the user to provide a name for a token card for display on the mobile device. For example, for a use rule restricting the use of a bank account number to purchases in Toronto, Canada, a user can provide the token card name "Toronto vacation", the tokenization module can store the token card name within the token card (for instance, in a metadata field), and the mobile device can display the token card name "Toronto vacation" in a list of token card names associated with token cards at the mobile device.
[0107] Accordingly, the user 200 can register a plurality of credit cards, debit cards, bank accounts, and other payment information with the central security system 116 in advance of conducting transactions associated with the registered payment information. The central security system generates a token card each time the user provides payment information based on the use rules selected by the user, and the token cards are sent to the user's mobile device 102 for storage. Beneficially, the payment information itself is not stored at the mobile device, limiting the exposure and risk of conducting transactions with the mobile device. In addition, by generating token cards based on use rules, the user further limits the risk of an unauthorized entity conducting transactions with the mobile device in the event the mobile device is lost by the user. An unauthorized entity that gains access to the mobile device will be restricting in the use of the payment information based on the use rules selected by the user.
[0108] The user 200 uses the mobile device 102 to conduct a transaction using a token card stored at the mobile device. The mobile device includes a user interface 710, a token cards storage module 712, a payment application 214, and an authorization interface 728. In other embodiments, the mobile device includes different components than those shown in the embodiment of Fig. 7.
[0109] The payment application 214 of the mobile device 102 is an application configured to allow the user 200 to conduct a transaction with a token card stored in the token cards storage module 712. The token cards storage module stores token cards received from the central security system. The payment application presents one or more stored token cards to the user via the user interface 710. The user interface includes a display configured to display token cards presented by the payment application and input means configured to allow the user to select a presented token card.
[0110] Upon receiving a request for a transaction from the user 200, the payment application 214 displays one or more stored token cards (for instance, all token cards stored at the token cards storage module, or a subset of stored token cards selected based on transaction information associated with the transaction) via the user interface 710. In response, the user can provide a token card selection 708 to the payment application via the user interface. The payment application retrieves the selected token card from the token cards storage module 712 and outputs the selected token card and associated transaction
information 714 to the central payment system 106. As noted above, the transaction information includes various characteristics of the transaction, for instance, the cost of the transaction, the merchant associated with the transaction, the geographic location of the transaction, and the like.
[0111] The central payment system 106 includes a payment interface 218, a token tables storage module 204D, a verification module 718, and a detokenization module 720. In other embodiments, the central payment system includes different components than those shown in the embodiment of Fig. 7. The payment interface, as described above, is configured to receive tokenized payment information (e.g., a selected token card), and to route payment
information 720 to the payment network 108. The token tables storage module 204D stores token tables 716 received from the central security system 116. The central security system can provide token tables stored at the token tables storage module 506 to the token tables storage module 204D in advance of a particular transaction, in response to a request to create a token card from the user 200, or in response to a request from the central payment system. The central security system can provide all token tables to the central payment system, or can provide just the token tables used in the creation of token cards. The central security can also provide a use rules table to the central payment system for use in identifying token tables used in the generation of token cards.
[0112] The verification module 718 is configured to receive the selected token card and transaction information 714 from the payment interface 218. In response to receiving the selected token card, the verification module identifies the token table used to generate the selected token card. The verification module queries the token tables stored in the token tables storage module 204D to identify the token table including the selected token card as a token. In alternative embodiments, the verification module queries the central security system 116 to identify a token table stored in the token tables storage module 506 that includes the token equivalent to the selected token card. In embodiments in which the tokenization module 702 tokenizes payment information based on a set of tokenization parameters including tokenization operations other than the replacement of payment information with a token, the verification module retrieves the set of tokenization parameters and identifies the token table used to generate the selected token card based on the set of tokenization parameters.
[0113] Upon identifying the token table used to generate the selected token card, the verification module 718 identifies the use rules associated with the token table. In
embodiments in which the use rules are stored in a metadata field of each token table, the verification module accesses the metadata field of the identified token table to identify the stored use rules. In embodiments in which the use rules are stored in a use rules table mapping token table identifiers to use rules associated with token tables, the verification module queries the use rules table with an identifier of the identified token table to identify use rules associated with the identified token table.
[0114] In response to identifying use rules associated with the identified token table used to generate the selected token card, the verification module 718 determines whether the identified use rules are satisfied based on the received transaction information and approves or denies the transaction based on the determination. For example, if the transaction information identifies that the transaction request is originating from Oregon, and the identified use rules limit use of the selected token card to transactions originating from California, the verification module determines that the use rules are not satisfied by the received transaction information and denies the transaction. In another example, if the transaction information identifies that the transaction is for $16, and the identified use rules limit use of the selected token card to transactions under $20, the verification module determines that the use rules are satisfied by the received transaction information and allows the transaction. In one embodiment, the verification module only verifies the transaction if all identified use rules are satisfied by the received transaction information.
[0115] In response to the approval of the transaction by the verification module 718, the detokenization module 720 detokenizes the selected token card using the identified token table to produce the payment information associated with the selected token card. The payment interface 218 transmits the payment information 722 to the payment network 108. In some embodiments, prior to processing the transaction, the payment network can seek authorization for the transaction from an authorization entity 112. Accordingly, the payment network can send an authorization request 724 including, for example, the amount of the transaction, the identity of the merchant, and any other suitable transaction information to the authorization entity.
[0116] The authorization entity 112, in response to receiving the authorization request 724, can authorize the transaction based on the transaction information included in the authorization request. For instance, if the transaction is for an amount below a threshold or within a geographic region associated with the user 200, the authorization entity can authorize the transaction without further input from the user. The authorization entity can also require user authorization from the user based on the transaction information included in the authorization request prior to authorizing the transaction. Continuing with the previous example, if the transaction is for an amount above the threshold or outside the geographic region associated with the user, the authorization entity can prompt the user to provide user authorization before the authorization entity authorizes the transaction.
[0117] Upon determining that user authorization is required to authorize a transaction, the authorization entity 112 can send a user authorization request 726 to the mobile device 102 of the user 200. The authorization interface 728 of the mobile device can receive the user authorization request and can prompt the user via the user interface 710 to authorize the transaction. For example, the authorization interface can display text via the user interface indicating that user authorization is required, and can receive via the user interface user input authorization the transaction. The authorization entity can specify via the user authorization request a type of authorization required. For instance, the authorization entity can require the user to enter a PIN, password, or other user credentials associated with the user and known to the authorization entity in order to authorize the transaction, or can merely require the user to select an "authorize" button in order to authorize the transaction. The authorization interface can display a request for user credentials via the user interface and based on the authorization requirements of the authorization entity.
[0118] The user 200 can authorize the transaction via the mobile device 102, for instance by entering required user credentials, by selecting an "authorize" button, or by providing any other authorization information. Upon receiving authorization information from the user, the authorization interface 728 sends a user authorization 730 to the authorization entity 112. The user authorization can include authorization information such as a PIN, password, or other user credentials. In addition, the user can reject the transaction, for instance, by selecting a "do not authorize" button provided by the authorization interface, or by taking no action with regards to the displayed authorization request. In response, the authorization interface can send the authorization rejection to the authorization entity, and in response, the authorization entity can deny authorization to the payment network.
[0119] If the authorization entity 112 does not require that the user 200 provide various user credentials when authorizing the transaction, the authorization entity can authorize the transaction upon receiving the user authorization 730. If the authorization entity requires that the user provide various user credentials (such as a PIN or password), the authorization entity can determine whether the user credentials match known user credentials associated with the user, and can authorize the transaction based on the determination. If the authorization entity authorizes the transaction, the authorization entity outputs the authorization 732 to the payment network 108, and the payment network processes the transaction.
[0120] In one embodiment, the use rules selected by a user 200 in the creation of a token card 706 can specify a level of authorization required for a transaction. For example, a user rule can specify that a PIN number or password be entered by the user at the mobile device before the transaction can be authorized. Accordingly, the central payment system 106, upon receiving a selected token card generated based on such a use rule, can indicate to the payment network 108 that a particular authorization is required. The payment network in turn can send an authorization request 724 to the authorization entity 112 specifying the required authorization, and the authorization entity 112 can send a user authorization request 726 based on the required authorization.
[0121] In an alternative embodiment, the central security system 116 can generate token cards 706 based on selected use rules, and can generate a token card table associating each token card with the use rules selected in the generation of the each token card. The central security system can then send the token card table to the central payment system 106, and the verification module 718 can identify the user rules associated with a selected token card by querying the token card table with the selected token card. In such an embodiment, token tables used in the generation of token cards are not necessarily associated with use rules. In addition, the token card table can associate each token card with the identities of the one or more token tables used to generate the token card, allowing the verification module to identify the token tables used to generate a selected token card by querying the token card table with the selected token card. In such an embodiment, if the verification module identifies a token table used to generate a selected token card that is not stored at the token tables storage module 204D, the verification module can request and receive the identified token table from the central security system 116.
[0122] Fig. 8 is a flowchart of a process for using tokenized payment information stored on a mobile device in a financial transaction, according to one embodiment. A user provides 800 payment information and a selection of use rules to a central security system. The payment information can be, for example, a credit card number, and the selected use rules can restrict, for example, the use of payment information to transactions under a threshold amount and within a geographic region. The central security system can identify a token table associated with the selected use rules, and tokenize the payment information using the identified token table to generate a token card.
[0123] A mobile device of the user receives 810 a token card based on the provided payment information and the selected use rules. A user selects 820 the token card, for instance from among a plurality of token cards stored at the mobile device, for use in a transaction. The mobile device transmits 830 the selected token card to a central payment system for verification. The mobile device can also transmit various transaction information associated with the transaction.
[0124] The central payment system identifies 840 the token table used to generate the selected token card, for instance by querying token tables stored at the central payment system or by querying the central security system with the selected token card. The central payment system then identifies 850 the use rules associated with the identified token table, for instance by querying a metadata field of the identified token table storing the use rules or by querying a use rules table mapping token table identities to use rules.
[0125] The central payment system determines 860 if the identified use rules are satisfied by the transaction. For example, the central payment system ensures that the transaction information associated with the transaction do not violate the restrictions of the use rules. Responsive to a determination that the use rules are satisfied, the central payment system detokenizes 870 the selected token card using the identified token table to obtain the original payment information, and transmits 880 the payment information to a payment network. In some embodiments, the payment network requires authorization from an authorization entity and/or the user, and the user is prompted via the mobile device to provide authorization for the transaction (for instance by entering a PIN or password into the mobile device).
ADDITIONAL CONSIDERATIONS
[0126] The present invention has been described in particular detail with respect to one possible embodiment. Those of skill in the art will appreciate that the invention may be practiced in other embodiments. First, the particular naming of the components and variables, capitalization of terms, the attributes, data structures, or any other programming or structural aspect is not mandatory or significant, and the mechanisms that implement the invention or its features may have different names, formats, or protocols. Also, the particular division of functionality between the various system components described herein is merely exemplary, and not mandatory; functions performed by a single system component may instead be performed by multiple components, and functions performed by multiple components may instead performed by a single component.
[0127] Some portions of above description present the features of the present invention in terms of algorithms and symbolic representations of operations on information. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. These operations, while described functionally or logically, are understood to be implemented by computer programs. Furthermore, it has also proven convenient at times, to refer to these arrangements of operations as modules or by functional names, without loss of generality.
[0128] Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "determine" refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system memories or registers or other such information storage, transmission or display devices.
[0129] Certain aspects of the present invention include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions of the present invention could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by real time network operating systems.
[0130] The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored on a non-transitory computer readable medium that can be accessed by the computer. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD- ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of computer-readable storage medium suitable for storing electronic instructions, and each coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
[0131] The algorithms and operations presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may also be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will be apparent to those of skill in the art, along with equivalent variations. In addition, the present invention is not described with reference to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any references to specific languages are provided for invention of enablement and best mode of the present invention.
[0132] The present invention is well suited to a wide variety of computer network systems over numerous topologies. Within this field, the configuration and management of large networks comprise storage devices and computers that are communicatively coupled to dissimilar computers and storage devices over a network, such as the Internet.
[0133] Finally, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims

What is claimed is:
1. A method for processing payment information, comprising:
receiving, at a payment terminal, payment information associated with a transaction; identifying transaction information associated with the transaction;
identifying a set of tokenization parameters based on the transaction information; tokenizing the payment information based on the set of tokenization parameters; and responsive to the payment terminal being communicatively coupled to a central
payment system, transmitting the tokenized payment information to the central payment system.
2. The method of claim 1, wherein the received payment information comprises a credit card number.
3. The method of claim 1, wherein the received payment information comprises a bank account number.
4. The method of claim 1, wherein the identified transaction information comprises a transaction cost.
5. The method of claim 1, wherein the identified transaction information comprises the identity of a merchant associated with the transaction.
6. The method of claim 1, wherein the identified transaction information comprises the identity of a user associated with the transaction.
7. The method of claim 1, wherein the identified transaction information comprises a payment method associated with the received payment information.
8. The method of claim 1, wherein the identified transaction information comprises a time and date associated with the transaction.
9. The method of claim 1, wherein the set of tokenization parameters comprises an identity of one or more token tables stored at the payment terminal.
10. The method of claim 9, wherein tokenizing the payment information comprises:
querying an identified token table with a portion of the payment information to obtain a token; and replacing the portion of the payment information with the token.
11. The method of claim 1 , wherein the set of tokenization parameters comprises a number of tokenization iterations.
12. The method of claim 1, wherein the set of tokenization parameters comprises a token table seed value, and wherein tokenizing the payment information comprises:
generating one or more token tables based on the token table seed value; and tokenizing the payment information using the one or more generated token tables.
13. The method of claim 1, wherein the central payment system is configured to store tokenized payment information associated with a plurality of transactions.
14. The method of claim 13, wherein, in response to the central payment system storing tokenized payment information associated with a threshold number of transactions, the central payment system is configured to transmit the stored tokenized payment information to a payment entity associated with the transactions.
15. The method of claim 1, further comprising:
responsive to the payment terminal being communicatively uncoupled from the
central payment system, storing the tokenized payment information at the payment terminal; and
in response to the payment terminal being subsequently communicatively coupled to the central payment system, transmitting the stored tokenized payment information to the central payment system.
16. The method of claim 1 , wherein transmitting the tokenized payment information to the central payment system comprises:
receiving a request for tokenized payment information from the central payment system; and
transmitting the tokenized payment information in response to the received request.
17. The method of claim 1, further comprising:
receiving, from the central payment system, a set of token tables for use in tokenizing the payment information.
18. A payment terminal for processing payment information, configured to: receive payment information associated with a transaction;
identify transaction information associated with the transaction;
identify a set of tokenization parameters based on the transaction information;
tokenize the payment information based on the set of tokenization parameters; and responsive to the being communicatively coupled to a central payment system,
transmit the tokenized payment information to the central payment system.
19. A method for processing payment information, comprising:
receiving, at a payment terminal, payment information associated with a transaction; accessing a set of token tables based on the transaction;
tokenize the payment information using the set of token tables; and
responsive to the payment terminal being communicatively coupled to a central
payment system, transmitting the tokenized payment information to the central payment system.
20. A payment terminal for processing payment information, configured to:
receive payment information associated with a transaction;
access a set of token tables based on the transaction;
tokenize the payment information using the set of token tables; and
responsive to being communicatively coupled to a central payment system, transmit the tokenized payment information to the central payment system.
21. A method for tokenizing data, comprising:
identifying data for communication by a mobile device;
retrieving, by the mobile device, device information and session information, the device information comprising information associated with the mobile device and the session information comprising information associated with a communication session by the mobile device;
identifying one or more tokenization parameters based on the retrieved device
information and the retrieved session information, the tokenization parameters identifying properties of a tokenization operation;
tokenizing the identified data based on the identified tokenization parameters; and transmitting the tokenized data to a communication system.
22. The method of claim 21, wherein the identified data comprises communication data entered at the mobile device by a user of the mobile device.
23. The method of claim 21, wherein the identified data comprises authenticating data identifying the mobile device or a user of the mobile device.
24. The method of claim 21, wherein the retrieved device information comprises a phone number of the mobile device.
25. The method of claim 21, wherein the retrieved device information comprises a SIM card number of the mobile device.
26. The method of claim 21, wherein the retrieved device information comprises a serial number of the mobile device.
27. The method of claim 21, wherein the retrieved device information comprises an identity of a user of the mobile device.
28. The method of claim 21, wherein the retrieved session information comprises a count of communication sessions between the mobile device and the communication system.
29. The method of claim 21, wherein the retrieved session information comprises a date and time of a previous communication session between the mobile device and the communication system.
30. The method of claim 21, wherein an identified tokenization parameter comprises an identity of one or more token tables stored at the mobile device.
31. The method of claim 30, further comprising:
retrieving the identified one or more token tables; and
tokenizing the identified data using the retrieved one or more token tables.
32. The method of claim 21, wherein an identified tokenization parameter comprises a seed value for use in generating one or more token tables.
33. The method of claim 32, further comprising:
generating one or more token tables using the seed value; and
tokenizing the identified data using the generated one or more token tables.
34. The method of claim 21, wherein an identified tokenization parameter comprises a number of tokenization iterations.
35. The method of claim 21, wherein an identified tokenization parameter comprises an IV.
36. The method of claim 21, wherein an identified tokenization parameter comprises an encryption key, and further comprising:
encrypting the tokenized data prior to transmitting the tokenized data to the
communication system.
37. The method of claim 21, wherein the communication system specifies at least one communication parameter.
38. A mobile device for tokenizing data, configured to:
identify data for communication;
retrieve device information and session information, the device information
comprising information associated with the mobile device and the session information comprising information associated with a communication session by the mobile device;
identify one or more tokenization parameters based on the retrieved device
information and the retrieved session information, the tokenization parameters identifying properties of a tokenization operation;
tokenize the identified data based on the identified tokenization parameters; and transmit the tokenized data to a communication system.
39. A method for tokenizing data, comprising:
identifying data for communication by a mobile device;
retrieving, by the mobile device, device information comprising information
associated with the mobile device;
accessing one or more token tables based on the retrieved device information;
tokenizing the identified data using the accessed token tables; and
transmitting the tokenized data to a communication system.
40. A mobile device for tokenizing data, configured to:
identify data for communication; retrieve device information comprising information associated with the mobile device;
access one or more token tables based on the retrieved device information;
tokenize the identified data using the accessed token tables; and
transmit the tokenized data to a communication system.
41. A method for processing payment information, comprising:
receiving, at a payment terminal, payment information associated with a transaction; receiving, at the payment terminal, a first set of tokenization parameters from a
central security system;
tokenizing, by the payment terminal, the payment information based on the first set of tokenization parameters to form first tokenized payment information;
transmitting, by the payment terminal, the first tokenized payment information to a central payment system communicatively coupled to a payment network associated with the transaction;
receiving, at the central payment system, the first set of tokenization parameters and a second set of tokenization parameters from the central security system;
detokenizing, by the central payment system, the first tokenized payment information based on the first set of tokenization parameters;
tokenizing, by the central payment system, the detokenized payment information based on the second set of tokenization parameters to form second tokenized payment information; and
transmitting, by the central payment system, the second tokenized payment
information to the payment network.
42. The method of claim 41, wherein the received payment information comprises a credit card number.
43. The method of claim 41 , wherein the received payment information comprises a bank account number.
44. The method of claim 41, wherein the first set of tokenization parameters and the second set of tokenization parameters each comprise a set of token tables.
45. The method of claim 41, wherein the first set of tokenization parameters comprises a first encryption algorithm and wherein the second set of tokenization parameters comprises a second encryption algorithm.
46. The method of claim 45, further comprising:
encrypting, by the payment terminal, the first tokenized payment information based on the first encryption algorithm;
decrypting, by the central payment system, the first tokenized payment information based on the first encryption algorithm; and
encrypting, by the central payment system, the second tokenized payment information based on the second encryption algorithm.
47. The method of claim 41, wherein the first set of tokenization parameters comprises a first initialization vector ("IV") and a first IV modification operation, and wherein the second set of tokenization parameters comprises a second IV and a second IV modification operation.
48. The method of claim 47, further comprising:
modifying, by the payment terminal, the first tokenized payment information with the first IV based on the first IV modification operation;
demodifying, by the central payment system, the first tokenized payment information with the first IV based on the first IV modification operation; and modifying, by the central payment system, the second tokenized payment information with the second IV based on the second IV modification operation.
49. The method of claim 41 , wherein the payment terminal requests tokenization parameters from the central payment system, and wherein the central payment system provides the first set of tokenization parameters to the payment terminal in response to the request.
50. A system for processing payment information, comprising:
a payment terminal, configured to:
receive payment information associated with a transaction;
receive a first set of tokenization parameters from a central security system; tokenize the payment information based on the first set of tokenization
parameters to form first tokenized payment information; and output the first tokenized payment information; and
a central payment system communicatively coupled to a payment network associated with the transaction, and configured to:
receive the first set of tokenization parameters and a second set of tokenization parameters from the central security system;
detokenize the first tokenized payment information based on the first set of tokenization parameters;
tokenize the detokenized payment information based on the second set of tokenization parameters to form second tokenized payment
information; and
output the second tokenized payment information to the payment network.
51. A method for processing payment information, comprising:
receiving, at a central payment system, first tokenized payment information from a payment terminal, the payment terminal configured to:
receive payment information;
access a first set of token tables;
tokenize the payment information using the first set of token tables;
transmit the first set of token tables to a central security system; and output the tokenized payment information;
receiving, at the central payment system, the first set of token tables from the central security system;
detokenizing, by the central payment system, the first tokenized payment information using the first set of token tables;
accessing, by the central payment system, a second set of token tables;
tokenizing, by the central payment system, the detokenized payment information with the second set of tables to form second tokenized payment information; and outputting, by the central payment system, the second tokenized payment information.
52. The method of claim 51 , wherein the received payment information comprises a credit card number.
53. The method of claim 51 , wherein the received payment information comprises a bank account number.
54. The method of claim 51 , wherein accessing a first set of token tables comprises retrieving the first set of token tables from a non-transitory computer-readable storage medium at the payment terminal.
55. The method of claim 51 , wherein accessing a first set of token tables comprises generating the first set of token tables.
56. The method of claim 51 , wherein the payment terminal is further configured to: encrypt the first tokenized payment information based on an encryption algorithm stored at the payment terminal; and
transmit the first encryption algorithm to the central security system.
57. The method of claim 56, further comprising:
receiving, at the central payment system, the first encryption algorithm from the central security system; and
decrypting, by the central payment system, the first tokenized payment information based on the first encryption algorithm.
58. A central payment system for processing payment information, configured to:
receive first tokenized payment information from a payment terminal, the payment terminal configured to:
receive payment information;
access a first set of token tables;
tokenize the payment information using the first set of token tables;
transmit the first set of token tables to a central security system; and output the tokenized payment information;
receive the first set of token tables from the central security system;
detokenize the first tokenized payment information using the first set of token tables; access a second set of token tables;
tokenize the detokenized payment information with the second set of tables to form second tokenized payment information; and
output the second tokenized payment information.
59. The method of claim 58, wherein the received payment information comprises a credit card number.
60. The method of claim 58, wherein the received payment information comprises a bank account number.
61. A method for processing payment information, comprising:
receiving, at a central security system, payment information and a use rule selection specifying one or more use rules, wherein the central security system is configured to:
identify a token table associated with the selected use rules;
tokenize the payment information using the identified token table to generate a token card; and
transmit the token card to a mobile device;
receiving, at the mobile device, the token card from the central security system;
receiving, at the mobile device, a request to use the token card in a transaction;
transmitting, by the mobile device, the token card to a central payment system,
wherein the central payment system is configured to:
identify the token table used to generate the token card;
identify the use rules associated with the identified token table; determine if the identified use rules are satisfied by the transaction;
responsive to a determination that the use rules are satisfied by the transaction, detokenize the token card using the identified token table; and transmit the detokenized token card to a payment network associated with the transaction and communicatively coupled to the central payment system.
62. The method of claim 61, wherein the payment information comprises a credit card number.
63. The method of claim 61, wherein the payment information comprises a bank account number.
64. The method of claim 61 , wherein the selected use rules comprise a rule specifying a maximum purchase amount.
65. The method of claim 61 , wherein the selected use rules comprise a rule specifying a geographic region.
66. The method of claim 61 , wherein the selected use rules comprise a rule specifying a business.
67. The method of claim 61, wherein identifying a token table associated with the selected use rules comprises identifying a token table storing the selected use rules in a metadata field of the token table.
68. The method of claim 61, wherein identifying a token table associated with the selected use rules comprises querying a use rules table mapping use rules to associated token tables with the selected use rules to identify a token table associated with the selected use rules.
69. The method of claim 61, wherein the mobile device is configured to:
store a plurality of token cards;
in response to receiving a request to use a token card in a transaction, display a
representation of one or more of the stored plurality of token cards; and receive a selection of a displayed representation of a token card.
70. The method of claim 69, wherein each displayed representation of a stored token card comprises a display of description text associated with the token card entered by a user at the central security system.
71. The method of claim 61 , wherein identifying the token table used to generate the token card comprises querying stored token tables to identify a token table including the token card as a token.
72. The method of claim 61, wherein identifying the token table used to generate the token card comprises querying, by the central payment system, the central security system with the token card to identify token table including the token card as a token.
73. The method of claim 61, wherein identifying the use rules associated with the identified token table comprises querying a metadata field of the identified token table storing use rules associated with the identified token table.
74. The method of claim 61, wherein identifying the use rules associated with the identified token table comprises querying a use rules table mapping use rules to associated token tables with an identifier for the identified token table.
75. The method of claim 61, wherein determining if the identified use rules are satisfied by the transaction comprises, for each use rule:
identifying a transaction restriction associated with each use rule; and
determining if the transaction exceeds the transaction restriction.
76. The method of claim 61, wherein the payment network is configured to authorize the transaction.
77. The method of claim 76, wherein authorizing the transaction comprises:
sending, from the payment network, an authorization request to the mobile device; receiving, at the mobile device, an authorization in response to the authorization
request; and
sending, from the mobile device, the authorization to the payment network.
78. The method of claim 77, wherein receiving an authorization comprises receiving user credentials at the mobile device.
79. A mobile device for providing payment information, configured to:
receive, from a central security system, one or more token cards, each token card associated with a set of payment information, and generated based on an associated set of use rules, the use rules specifying one or more transaction restrictions configured to restrict use of the token card in a transaction;
receive a request from a user of the mobile device to perform a transaction;
receiving from the user a selection of a token card stored at the mobile device;
transmit the selected token card to a central payment system configured to:
identify the use rules associated with the selected token card;
determine if the identified use rules are satisfied by the transaction;
responsive to a determination that the use rules are satisfied by the transaction, detokenize the token card; and
transmit the detokenized token card to a payment network associated with the transaction and communicatively coupled to the central payment system.
80. A method for processing payment information, comprising:
receiving, at a mobile device, a request to perform a transaction; receiving, at the mobile device, a selection of a token card, the token card comprising payment information tokenized based on a set of use rules restricting the use of the token card in transactions;
transmitting, by the mobile device, the token card to a central payment system
configured to detokenize the token card and transmit the payment information to a payment network associated with the transaction in response to the set of use rules being satisfied by the transaction.
PCT/US2013/025289 2012-02-10 2013-02-08 Tokenization in mobile and payment environments WO2013119914A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2013216868A AU2013216868B2 (en) 2012-02-10 2013-02-08 Tokenization in mobile and payment environments
EP13747085.2A EP2812821A4 (en) 2012-02-10 2013-02-08 Tokenization in mobile and payment environments

Applications Claiming Priority (14)

Application Number Priority Date Filing Date Title
US201261597592P 2012-02-10 2012-02-10
US201261597588P 2012-02-10 2012-02-10
US61/597,592 2012-02-10
US61/597,588 2012-02-10
US201261609677P 2012-03-12 2012-03-12
US61/609,677 2012-03-12
US13/761,020 2013-02-06
US13/761,028 2013-02-06
US13/761,011 US8893250B2 (en) 2012-02-10 2013-02-06 Tokenization in mobile environments
US13/761,009 2013-02-06
US13/761,011 2013-02-06
US13/761,009 US20130212007A1 (en) 2012-02-10 2013-02-06 Tokenization in payment environments
US13/761,020 US20130212024A1 (en) 2012-02-10 2013-02-06 Tokenization in distributed payment environments
US13/761,028 US20130212019A1 (en) 2012-02-10 2013-02-06 Tokenization of payment information in mobile environments

Publications (1)

Publication Number Publication Date
WO2013119914A1 true WO2013119914A1 (en) 2013-08-15

Family

ID=48946474

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/025289 WO2013119914A1 (en) 2012-02-10 2013-02-08 Tokenization in mobile and payment environments

Country Status (4)

Country Link
US (11) US20130212024A1 (en)
EP (1) EP2812821A4 (en)
AU (1) AU2013216868B2 (en)
WO (1) WO2013119914A1 (en)

Cited By (122)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8827154B2 (en) 2009-05-15 2014-09-09 Visa International Service Association Verification of portable consumer devices
WO2015054697A1 (en) 2013-10-11 2015-04-16 Visa International Service Association Network token system
US9038886B2 (en) 2009-05-15 2015-05-26 Visa International Service Association Verification of portable consumer devices
US9256871B2 (en) 2012-07-26 2016-02-09 Visa U.S.A. Inc. Configurable payment tokens
US9280765B2 (en) 2011-04-11 2016-03-08 Visa International Service Association Multiple tokenization for authentication
US9317848B2 (en) 2009-05-15 2016-04-19 Visa International Service Association Integration of verification tokens with mobile communication devices
US9372971B2 (en) 2009-05-15 2016-06-21 Visa International Service Association Integration of verification tokens with portable computing devices
US9424413B2 (en) 2010-02-24 2016-08-23 Visa International Service Association Integration of payment capability into secure elements of computers
US9516487B2 (en) 2013-11-19 2016-12-06 Visa International Service Association Automated account provisioning
US9524501B2 (en) 2012-06-06 2016-12-20 Visa International Service Association Method and system for correlating diverse transaction data
US9530131B2 (en) 2008-07-29 2016-12-27 Visa U.S.A. Inc. Transaction processing using a global unique identifier
US9530289B2 (en) 2013-07-11 2016-12-27 Scvngr, Inc. Payment processing with automatic no-touch mode selection
US9547769B2 (en) 2012-07-03 2017-01-17 Visa International Service Association Data protection hub
US9582801B2 (en) 2009-05-15 2017-02-28 Visa International Service Association Secure communication of payment information to merchants using a verification token
US9665722B2 (en) 2012-08-10 2017-05-30 Visa International Service Association Privacy firewall
US9680942B2 (en) 2014-05-01 2017-06-13 Visa International Service Association Data verification using access device
US9704155B2 (en) 2011-07-29 2017-07-11 Visa International Service Association Passing payment tokens through an hop/sop
US9715681B2 (en) 2009-04-28 2017-07-25 Visa International Service Association Verification of portable consumer devices
US9741051B2 (en) 2013-01-02 2017-08-22 Visa International Service Association Tokenization and third-party interaction
US9775029B2 (en) 2014-08-22 2017-09-26 Visa International Service Association Embedding cloud-based functionalities in a communication device
US9780953B2 (en) 2014-07-23 2017-10-03 Visa International Service Association Systems and methods for secure detokenization
US9792611B2 (en) 2009-05-15 2017-10-17 Visa International Service Association Secure authentication system and method
US9830595B2 (en) 2012-01-26 2017-11-28 Visa International Service Association System and method of providing tokenization as a service
US9846878B2 (en) 2014-01-14 2017-12-19 Visa International Service Association Payment account identifier system
US9848052B2 (en) 2014-05-05 2017-12-19 Visa International Service Association System and method for token domain control
US9846861B2 (en) 2012-07-25 2017-12-19 Visa International Service Association Upstream and downstream data conversion
US9898740B2 (en) 2008-11-06 2018-02-20 Visa International Service Association Online challenge-response
US9911118B2 (en) 2012-11-21 2018-03-06 Visa International Service Association Device pairing via trusted intermediary
US9922322B2 (en) 2013-12-19 2018-03-20 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US9942043B2 (en) 2014-04-23 2018-04-10 Visa International Service Association Token security on a communication device
US9959531B2 (en) 2011-08-18 2018-05-01 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US9972005B2 (en) 2013-12-19 2018-05-15 Visa International Service Association Cloud-based transactions methods and systems
US9978062B2 (en) 2013-05-15 2018-05-22 Visa International Service Association Mobile tokenization hub
US9978094B2 (en) 2013-10-11 2018-05-22 Visa International Service Association Tokenization revocation list
US9996835B2 (en) 2013-07-24 2018-06-12 Visa International Service Association Systems and methods for communicating token attributes associated with a token vault
WO2018111425A1 (en) * 2016-12-12 2018-06-21 Citibank, N.A. Systems and methods for pre-staging atm transactions
US10015147B2 (en) 2014-10-22 2018-07-03 Visa International Service Association Token enrollment system and method
US10026087B2 (en) 2014-04-08 2018-07-17 Visa International Service Association Data passed in an interaction
US10043178B2 (en) 2007-06-25 2018-08-07 Visa International Service Association Secure mobile payment system
US10078832B2 (en) 2011-08-24 2018-09-18 Visa International Service Association Method for using barcodes and mobile devices to conduct payment transactions
US10096009B2 (en) 2015-01-20 2018-10-09 Visa International Service Association Secure payment processing using authorization request
US10121129B2 (en) 2011-07-05 2018-11-06 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10140615B2 (en) 2014-09-22 2018-11-27 Visa International Service Association Secure mobile device credential provisioning using risk decision non-overrides
US10147089B2 (en) 2012-01-05 2018-12-04 Visa International Service Association Data protection with translation
US10154084B2 (en) 2011-07-05 2018-12-11 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US10164996B2 (en) 2015-03-12 2018-12-25 Visa International Service Association Methods and systems for providing a low value token buffer
US10176478B2 (en) 2012-10-23 2019-01-08 Visa International Service Association Transaction initiation determination system utilizing transaction data elements
US10187363B2 (en) 2014-12-31 2019-01-22 Visa International Service Association Hybrid integration of software development kit with secure execution environment
US10192216B2 (en) 2012-09-11 2019-01-29 Visa International Service Association Cloud-based virtual wallet NFC apparatuses, methods and systems
US10223691B2 (en) 2011-02-22 2019-03-05 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US10223710B2 (en) 2013-01-04 2019-03-05 Visa International Service Association Wearable intelligent vision device apparatuses, methods and systems
US10223730B2 (en) 2011-09-23 2019-03-05 Visa International Service Association E-wallet store injection search apparatuses, methods and systems
US10242358B2 (en) 2011-08-18 2019-03-26 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US10243958B2 (en) 2016-01-07 2019-03-26 Visa International Service Association Systems and methods for device push provisoning
US10255456B2 (en) 2014-09-26 2019-04-09 Visa International Service Association Remote server encrypted data provisioning system and methods
US10255591B2 (en) 2009-12-18 2019-04-09 Visa International Service Association Payment channel returning limited use proxy dynamic value
US10257185B2 (en) 2014-12-12 2019-04-09 Visa International Service Association Automated access data provisioning
US10255601B2 (en) 2010-02-25 2019-04-09 Visa International Service Association Multifactor authentication using a directory server
US10262308B2 (en) 2007-06-25 2019-04-16 Visa U.S.A. Inc. Cardless challenge systems and methods
US10262001B2 (en) 2012-02-02 2019-04-16 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US10282724B2 (en) 2012-03-06 2019-05-07 Visa International Service Association Security system incorporating mobile device
US10289999B2 (en) 2005-09-06 2019-05-14 Visa U.S.A. Inc. System and method for secured account numbers in proximity devices
US10304047B2 (en) 2012-12-07 2019-05-28 Visa International Service Association Token generating component
WO2019103793A1 (en) * 2017-11-22 2019-05-31 Mastercard International Incorporated Bin-conserving tokenization techniques generating tokens in reverse order and employing common device pan with differing pan sequence number values across token instances
US10313321B2 (en) 2016-04-07 2019-06-04 Visa International Service Association Tokenization of co-network accounts
US10325261B2 (en) 2014-11-25 2019-06-18 Visa International Service Association Systems communications with non-sensitive identifiers
US10333921B2 (en) 2015-04-10 2019-06-25 Visa International Service Association Browser integration with Cryptogram
US10361856B2 (en) 2016-06-24 2019-07-23 Visa International Service Association Unique token authentication cryptogram
US10366387B2 (en) 2013-10-29 2019-07-30 Visa International Service Association Digital wallet system and method
US10373133B2 (en) 2010-03-03 2019-08-06 Visa International Service Association Portable account number for consumer payment account
US10433128B2 (en) 2014-01-07 2019-10-01 Visa International Service Association Methods and systems for provisioning multiple devices
US10484345B2 (en) 2014-07-31 2019-11-19 Visa International Service Association System and method for identity verification across mobile applications
US10489779B2 (en) 2013-10-21 2019-11-26 Visa International Service Association Multi-network token bin routing with defined verification parameters
US10491389B2 (en) 2017-07-14 2019-11-26 Visa International Service Association Token provisioning utilizing a secure authentication system
US10496986B2 (en) 2013-08-08 2019-12-03 Visa International Service Association Multi-network tokenization processing
US10509779B2 (en) 2016-09-14 2019-12-17 Visa International Service Association Self-cleaning token vault
US10510073B2 (en) 2013-08-08 2019-12-17 Visa International Service Association Methods and systems for provisioning mobile devices with payment credentials
US10515358B2 (en) 2013-10-18 2019-12-24 Visa International Service Association Contextual transaction token methods and systems
US10552834B2 (en) 2015-04-30 2020-02-04 Visa International Service Association Tokenization capable authentication framework
US10568016B2 (en) 2015-04-16 2020-02-18 Visa International Service Association Systems and methods for processing dormant virtual access devices
US10586227B2 (en) 2011-02-16 2020-03-10 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US10586229B2 (en) 2010-01-12 2020-03-10 Visa International Service Association Anytime validation tokens
US10664844B2 (en) 2015-12-04 2020-05-26 Visa International Service Association Unique code for token verification
US10726413B2 (en) 2010-08-12 2020-07-28 Visa International Service Association Securing external systems with account token substitution
US10733604B2 (en) 2007-09-13 2020-08-04 Visa U.S.A. Inc. Account permanence
US10740731B2 (en) 2013-01-02 2020-08-11 Visa International Service Association Third party settlement
US10769628B2 (en) 2014-10-24 2020-09-08 Visa Europe Limited Transaction messaging
US10825001B2 (en) 2011-08-18 2020-11-03 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US10846683B2 (en) 2009-05-15 2020-11-24 Visa International Service Association Integration of verification tokens with mobile communication devices
US10846694B2 (en) 2014-05-21 2020-11-24 Visa International Service Association Offline authentication
US10878422B2 (en) 2013-06-17 2020-12-29 Visa International Service Association System and method using merchant token
US10902418B2 (en) 2017-05-02 2021-01-26 Visa International Service Association System and method using interaction token
US10902421B2 (en) 2013-07-26 2021-01-26 Visa International Service Association Provisioning payment credentials to a consumer
US10915899B2 (en) 2017-03-17 2021-02-09 Visa International Service Association Replacing token on a multi-token user device
US10937031B2 (en) 2012-05-04 2021-03-02 Visa International Service Association System and method for local data conversion
US10977657B2 (en) 2015-02-09 2021-04-13 Visa International Service Association Token processing utilizing multiple authorizations
US10990967B2 (en) 2016-07-19 2021-04-27 Visa International Service Association Method of distributing tokens and managing token relationships
US11004043B2 (en) 2009-05-20 2021-05-11 Visa International Service Association Device including encrypted data for expiration date and verification value creation
US11023890B2 (en) 2014-06-05 2021-06-01 Visa International Service Association Identification and verification for provisioning mobile application
US11037138B2 (en) 2011-08-18 2021-06-15 Visa International Service Association Third-party value added wallet features and interfaces apparatuses, methods, and systems
US11055710B2 (en) 2013-05-02 2021-07-06 Visa International Service Association Systems and methods for verifying and processing transactions using virtual currency
US11068889B2 (en) 2015-10-15 2021-07-20 Visa International Service Association Instant token issuance
US11068578B2 (en) 2016-06-03 2021-07-20 Visa International Service Association Subtoken management system for connected devices
US11068899B2 (en) 2016-06-17 2021-07-20 Visa International Service Association Token aggregation for multi-party transactions
US11080696B2 (en) 2016-02-01 2021-08-03 Visa International Service Association Systems and methods for code display and use
US11176554B2 (en) 2015-02-03 2021-11-16 Visa International Service Association Validation identity tokens for transactions
US11238140B2 (en) 2016-07-11 2022-02-01 Visa International Service Association Encryption key exchange process using access device
US11250391B2 (en) 2015-01-30 2022-02-15 Visa International Service Association Token check offline
US11250424B2 (en) 2016-05-19 2022-02-15 Visa International Service Association Systems and methods for creating subtokens using primary tokens
US11257074B2 (en) 2014-09-29 2022-02-22 Visa International Service Association Transaction risk based token
US11256789B2 (en) 2018-06-18 2022-02-22 Visa International Service Association Recurring token transactions
US11288661B2 (en) 2011-02-16 2022-03-29 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US11323443B2 (en) 2016-11-28 2022-05-03 Visa International Service Association Access identifier provisioning to application
US11356257B2 (en) 2018-03-07 2022-06-07 Visa International Service Association Secure remote token release with online authentication
US11386421B2 (en) 2016-04-19 2022-07-12 Visa International Service Association Systems and methods for performing push transactions
US11481754B2 (en) 2012-07-13 2022-10-25 Scvngr, Inc. Secure payment method and system
US11494765B2 (en) 2017-05-11 2022-11-08 Visa International Service Association Secure remote transaction system using mobile devices
US11580519B2 (en) 2014-12-12 2023-02-14 Visa International Service Association Provisioning platform for machine-to-machine devices
US11620643B2 (en) 2014-11-26 2023-04-04 Visa International Service Association Tokenization request via access device
US11849042B2 (en) 2019-05-17 2023-12-19 Visa International Service Association Virtual access credential interaction system and method
US11900361B2 (en) 2016-02-09 2024-02-13 Visa International Service Association Resource provider account token provisioning and processing
US12028337B2 (en) 2018-10-08 2024-07-02 Visa International Service Association Techniques for token proximity transactions

Families Citing this family (171)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140019352A1 (en) 2011-02-22 2014-01-16 Visa International Service Association Multi-purpose virtual card transaction apparatuses, methods and systems
US20100114768A1 (en) 2008-10-31 2010-05-06 Wachovia Corporation Payment vehicle with on and off function
US10867298B1 (en) 2008-10-31 2020-12-15 Wells Fargo Bank, N.A. Payment vehicle with on and off function
US9558494B2 (en) * 2010-04-19 2017-01-31 Tokenex, L.L.C. Devices, systems, and methods for tokenizing sensitive information
GB201105765D0 (en) 2011-04-05 2011-05-18 Visa Europe Ltd Payment system
US8943574B2 (en) 2011-05-27 2015-01-27 Vantiv, Llc Tokenizing sensitive data
US10482457B2 (en) 2011-10-17 2019-11-19 Capital One Services, Llc System and method for token-based payments
US20130212024A1 (en) 2012-02-10 2013-08-15 Protegrity Corporation Tokenization in distributed payment environments
US20160352594A9 (en) * 2012-03-01 2016-12-01 Access Layers Ltd. System and method for network access monitoring
US9081978B1 (en) * 2013-05-30 2015-07-14 Amazon Technologies, Inc. Storing tokenized information in untrusted environments
US9736131B2 (en) * 2013-09-24 2017-08-15 Cellco Partnership Secure login for subscriber devices
US9313195B2 (en) 2013-09-30 2016-04-12 Protegrity Corporation Collision avoidance in a distributed tokenization environment
US9229987B2 (en) * 2013-09-30 2016-01-05 Protegrity Corporation Mapping between tokenization domains
AU2014240197B2 (en) * 2013-09-30 2016-05-05 Protegrity Us Holding, Llc Collision avoidance in a distributed tokenization environment
US9111116B2 (en) 2013-09-30 2015-08-18 Protegrity Corporation Collision avoidance in a distributed tokenization environment
US20150096039A1 (en) * 2013-09-30 2015-04-02 Protegrity Corporation Dynamic tokenization with multiple token tables
CA2934342C (en) * 2013-12-18 2023-02-28 Capital One Financial Corporation Systems and methods for generating offers from tokenized contactless payments
US9922318B2 (en) * 2014-01-27 2018-03-20 Capital One Services, Llc Systems and methods for providing transaction tokens for mobile devices
US9286450B2 (en) 2014-02-07 2016-03-15 Bank Of America Corporation Self-selected user access based on specific authentication types
US9223951B2 (en) 2014-02-07 2015-12-29 Bank Of America Corporation User authentication based on other applications
US9390242B2 (en) 2014-02-07 2016-07-12 Bank Of America Corporation Determining user authentication requirements based on the current location of the user being within a predetermined area requiring altered authentication requirements
US9208301B2 (en) 2014-02-07 2015-12-08 Bank Of America Corporation Determining user authentication requirements based on the current location of the user in comparison to the users's normal boundary of location
US9965606B2 (en) 2014-02-07 2018-05-08 Bank Of America Corporation Determining user authentication based on user/device interaction
US9317674B2 (en) 2014-02-07 2016-04-19 Bank Of America Corporation User authentication based on fob/indicia scan
US9305149B2 (en) 2014-02-07 2016-04-05 Bank Of America Corporation Sorting mobile banking functions into authentication buckets
US9213974B2 (en) 2014-02-07 2015-12-15 Bank Of America Corporation Remote revocation of application access based on non-co-location of a transaction vehicle and a mobile device
US9647999B2 (en) 2014-02-07 2017-05-09 Bank Of America Corporation Authentication level of function bucket based on circumstances
US20150254658A1 (en) * 2014-03-04 2015-09-10 Bank Of America Corporation Limiting token collaboration network usage by token
US9600844B2 (en) 2014-03-04 2017-03-21 Bank Of America Corporation Foreign cross-issued token
US9600817B2 (en) 2014-03-04 2017-03-21 Bank Of America Corporation Foreign exchange token
US9424572B2 (en) 2014-03-04 2016-08-23 Bank Of America Corporation Online banking digital wallet management
US9406065B2 (en) 2014-03-04 2016-08-02 Bank Of America Corporation Customer token preferences interface
US9721248B2 (en) 2014-03-04 2017-08-01 Bank Of America Corporation ATM token cash withdrawal
US9830597B2 (en) 2014-03-04 2017-11-28 Bank Of America Corporation Formation and funding of a shared token
US10002352B2 (en) 2014-03-04 2018-06-19 Bank Of America Corporation Digital wallet exposure reduction
US20150254641A1 (en) * 2014-03-04 2015-09-10 Bank Of America Corporation Mobile device credential exposure reduction
US9721268B2 (en) 2014-03-04 2017-08-01 Bank Of America Corporation Providing offers associated with payment credentials authenticated in a specific digital wallet
US10664833B2 (en) * 2014-03-05 2020-05-26 Mastercard International Incorporated Transactions utilizing multiple digital wallets
US20150254577A1 (en) * 2014-03-07 2015-09-10 NetSuite Inc. System and methods for location based management of cloud platform data
WO2015143017A1 (en) * 2014-03-18 2015-09-24 Visa International Service Association Systems and methods for locally derived tokens
US11256798B2 (en) 2014-03-19 2022-02-22 Bluefin Payment Systems Llc Systems and methods for decryption as a service
US9785994B2 (en) 2014-04-10 2017-10-10 Bank Of America Corporation Providing comparison shopping experiences through an optical head-mounted displays in a wearable computer
US9262759B2 (en) 2014-04-10 2016-02-16 Bank Of America Corporation Wearable device as a payment vehicle
US9213819B2 (en) 2014-04-10 2015-12-15 Bank Of America Corporation Rhythm-based user authentication
US9424575B2 (en) 2014-04-11 2016-08-23 Bank Of America Corporation User authentication by operating system-level token
US9514463B2 (en) 2014-04-11 2016-12-06 Bank Of America Corporation Determination of customer presence based on communication of a mobile communication device digital signature
US10121142B2 (en) 2014-04-11 2018-11-06 Bank Of America Corporation User authentication by token and comparison to visitation pattern
US9588342B2 (en) 2014-04-11 2017-03-07 Bank Of America Corporation Customer recognition through use of an optical head-mounted display in a wearable computing device
WO2016003018A1 (en) * 2014-07-02 2016-01-07 엘지전자(주) Mobile terminal and control method therefor
KR102214118B1 (en) * 2014-07-09 2021-02-09 엘지전자 주식회사 Mobile terminal and method for controlling the same
US20170220819A1 (en) * 2014-08-12 2017-08-03 Hewlett Packard Enterprise Development Lp Information exchange gateway
US10445710B2 (en) * 2014-08-26 2019-10-15 Ncr Corporation Security device key management
EP2993607B1 (en) * 2014-09-02 2016-12-28 Eckehard Kraska Privacy compliant event analysis
US9202212B1 (en) 2014-09-23 2015-12-01 Sony Corporation Using mobile device to monitor for electronic bank card communication
US9953323B2 (en) 2014-09-23 2018-04-24 Sony Corporation Limiting e-card transactions based on lack of proximity to associated CE device
US9292875B1 (en) 2014-09-23 2016-03-22 Sony Corporation Using CE device record of E-card transactions to reconcile bank record
US9378502B2 (en) 2014-09-23 2016-06-28 Sony Corporation Using biometrics to recover password in customer mobile device
US10262316B2 (en) 2014-09-23 2019-04-16 Sony Corporation Automatic notification of transaction by bank card to customer device
US9355424B2 (en) 2014-09-23 2016-05-31 Sony Corporation Analyzing hack attempts of E-cards
US9367845B2 (en) 2014-09-23 2016-06-14 Sony Corporation Messaging customer mobile device when electronic bank card used
US9646307B2 (en) * 2014-09-23 2017-05-09 Sony Corporation Receiving fingerprints through touch screen of CE device
US9317847B2 (en) 2014-09-23 2016-04-19 Sony Corporation E-card transaction authorization based on geographic location
US9558488B2 (en) 2014-09-23 2017-01-31 Sony Corporation Customer's CE device interrogating customer's e-card for transaction information
US20160217461A1 (en) * 2015-01-23 2016-07-28 Ajit Gaddam Transaction utilizing anonymized user data
US10147087B2 (en) * 2015-03-06 2018-12-04 Mastercard International Incorporated Primary account number (PAN) length issuer identifier in payment account number data field of a transaction authorization request message
US11429975B1 (en) 2015-03-27 2022-08-30 Wells Fargo Bank, N.A. Token management system
EP3281165A1 (en) 2015-04-07 2018-02-14 OmnyWay, Inc. Methods and systems for using a mobile device to effect a secure electronic transaction
WO2016172432A1 (en) * 2015-04-24 2016-10-27 Capital One Services, Llc One use wearable
WO2016179012A1 (en) 2015-05-01 2016-11-10 Pay2Day Solutions, Inc. Methods and systems for message-based bill payment
US10878411B2 (en) * 2015-05-13 2020-12-29 Sony Corporation Method and apparatus for issued token management
US20160342991A1 (en) * 2015-05-22 2016-11-24 OmnyPay Inc. Methods and systems for performing an ecommerce transaction at a physical store using a mobile device
US9942217B2 (en) 2015-06-03 2018-04-10 At&T Intellectual Property I, L.P. System and method for generating a service provider based secure token
EP3326127A1 (en) * 2015-07-17 2018-05-30 Cardinal Commerce Corporation System and method for tokenization
US9736693B2 (en) * 2015-07-21 2017-08-15 Motorola Solutions, Inc. Systems and methods for monitoring an operating system of a mobile wireless communication device for unauthorized modifications
US11170364B1 (en) 2015-07-31 2021-11-09 Wells Fargo Bank, N.A. Connected payment card systems and methods
US11308485B2 (en) 2016-07-15 2022-04-19 Paypal, Inc. Processing a transaction using electronic tokens
US11308483B2 (en) 2015-08-25 2022-04-19 Paypal, Inc. Token service provider for electronic/mobile commerce transactions
AU2016310500A1 (en) * 2015-08-25 2018-04-19 Paypal, Inc. Token service provider for electronic/mobile commerce transactions
US10922693B2 (en) * 2015-09-02 2021-02-16 Jpmorgan Chase Bank, N.A. System and method for mobile device limits
US10467615B1 (en) * 2015-09-30 2019-11-05 Square, Inc. Friction-less purchasing technology
US10021565B2 (en) 2015-10-30 2018-07-10 Bank Of America Corporation Integrated full and partial shutdown application programming interface
US9729536B2 (en) 2015-10-30 2017-08-08 Bank Of America Corporation Tiered identification federated authentication network system
US9820148B2 (en) 2015-10-30 2017-11-14 Bank Of America Corporation Permanently affixed un-decryptable identifier associated with mobile device
US9641539B1 (en) 2015-10-30 2017-05-02 Bank Of America Corporation Passive based security escalation to shut off of application based on rules event triggering
CN106855812A (en) * 2015-12-08 2017-06-16 北京三星通信技术研究有限公司 The method and apparatus for configuring user terminal
US11468433B1 (en) * 2015-12-28 2022-10-11 Jpmorgan Chase Bank, N.A. Systems and methods for biometric payments and authentication
US12118532B2 (en) * 2016-03-14 2024-10-15 Vray Inc. Online mobile payment system and method using a server between the personal comuter and the mobile payment device
FR3050348A1 (en) * 2016-04-18 2017-10-20 Orange METHOD FOR OBTAINING A SECURITY TOKEN BY A MOBILE TERMINAL
US10460367B2 (en) 2016-04-29 2019-10-29 Bank Of America Corporation System for user authentication based on linking a randomly generated number to the user and a physical item
US20170337550A1 (en) * 2016-05-18 2017-11-23 Amadeus S.A.S. Secure exchange of a sensitive data over a network based on barcodes and tokens
KR101806390B1 (en) * 2016-05-31 2017-12-07 주식회사지니 Card payment system and method for using body information
US10268635B2 (en) 2016-06-17 2019-04-23 Bank Of America Corporation System for data rotation through tokenization
US11886611B1 (en) 2016-07-01 2024-01-30 Wells Fargo Bank, N.A. Control tower for virtual rewards currency
US11386223B1 (en) 2016-07-01 2022-07-12 Wells Fargo Bank, N.A. Access control tower
US11615402B1 (en) 2016-07-01 2023-03-28 Wells Fargo Bank, N.A. Access control tower
US10992679B1 (en) 2016-07-01 2021-04-27 Wells Fargo Bank, N.A. Access control tower
US11935020B1 (en) 2016-07-01 2024-03-19 Wells Fargo Bank, N.A. Control tower for prospective transactions
AU2017311606A1 (en) * 2016-08-12 2019-01-17 Visa International Service Association Mirrored token vault
US10389688B2 (en) * 2016-08-23 2019-08-20 NXT-Security, LLC Vaultless tokenization engine
WO2018057592A1 (en) * 2016-09-21 2018-03-29 Wal-Mart Stores, Inc. System and methods for point to point encryption and tokenization
US11361312B2 (en) 2016-09-21 2022-06-14 Walmart Apollo, Llc System and methods for point to point encryption and tokenization using a mobile device
US10659433B2 (en) * 2016-11-30 2020-05-19 Salesforce.Com, Inc. Encrypting and securing data with reverse proxies across frames in an on-demand services environment
US10404703B1 (en) * 2016-12-02 2019-09-03 Worldpay, Llc Systems and methods for third-party interoperability in secure network transactions using tokenized data
US10402808B1 (en) 2016-12-02 2019-09-03 Worldpay, Llc Systems and methods for linking high-value tokens using a low-value token
US11341489B1 (en) 2016-12-19 2022-05-24 Amazon Technologies, Inc. Multi-path back-end system for payment processing
US11354659B1 (en) * 2016-12-19 2022-06-07 Amazon Technologies, Inc. Securing transaction messages based on a dynamic key selection
US11829994B1 (en) 2017-02-14 2023-11-28 Wells Fargo Bank, N.A. Instant wallet credit card
US11556936B1 (en) 2017-04-25 2023-01-17 Wells Fargo Bank, N.A. System and method for card control
US10706410B2 (en) * 2017-05-09 2020-07-07 Microsoft Technology Licensing, Llc Service-hosted payment request
US11070534B2 (en) * 2019-05-13 2021-07-20 Bluefin Payment Systems Llc Systems and processes for vaultless tokenization and encryption
US10311421B2 (en) 2017-06-02 2019-06-04 Bluefin Payment Systems Llc Systems and methods for managing a payment terminal via a web browser
US11711350B2 (en) 2017-06-02 2023-07-25 Bluefin Payment Systems Llc Systems and processes for vaultless tokenization and encryption
US10524165B2 (en) 2017-06-22 2019-12-31 Bank Of America Corporation Dynamic utilization of alternative resources based on token association
US10511692B2 (en) 2017-06-22 2019-12-17 Bank Of America Corporation Data transmission to a networked resource based on contextual information
US10313480B2 (en) 2017-06-22 2019-06-04 Bank Of America Corporation Data transmission between networked resources
US11062388B1 (en) 2017-07-06 2021-07-13 Wells Fargo Bank, N.A Data control tower
US10911233B2 (en) * 2017-09-11 2021-02-02 Zscaler, Inc. Identification of related tokens in a byte stream using structured signature data
US11151547B2 (en) * 2017-09-20 2021-10-19 Paypal, Inc. Using a consumer digital wallet as a payment method in a merchant digital wallet
US11935040B1 (en) * 2017-10-20 2024-03-19 Stripe, Inc. Offline mode for distribution of encryption keys
US10819519B2 (en) 2017-11-21 2020-10-27 Protegrity Corporation Multi-tenant data protection in a centralized network environment
GB2583250B (en) 2017-11-24 2022-05-11 Wolverton Jerry Devices, systems, and methods for securely storing and managing sensitive information
US11301857B1 (en) * 2017-11-27 2022-04-12 United Services Automobile Association (Usaa) Dynamic code payment card verification
US11429966B1 (en) 2017-11-27 2022-08-30 United Services Automobile Association (Usaa) Dynamic code payment card verification methods and systems
US11126988B2 (en) * 2017-12-04 2021-09-21 The Toronto-Dominion Bank Real-time delegated approval of initiated data exchanges by network-connected devices
US11240236B2 (en) * 2017-12-22 2022-02-01 Mastercard International Incorporated Methods for authorizing use of an application on a device
US11329963B2 (en) 2018-02-22 2022-05-10 Eclypses, Inc. System and method for securely transferring data
US11875418B2 (en) * 2018-06-07 2024-01-16 American Express Travel Related Services Company, Inc. Automated remote payments between a vehicle and a refueling station
US11210652B2 (en) 2018-06-21 2021-12-28 Celligence International Llc Systems and methods for processing purchase transactions using a mobile device
US20200065819A1 (en) * 2018-08-21 2020-02-27 Mastercard International Incorporated System and method for linking payment card to payment account
EP3841498B1 (en) 2018-08-22 2024-05-01 Visa International Service Association Method and system for token provisioning and processing
US11470084B2 (en) * 2018-09-18 2022-10-11 Cyral Inc. Query analysis using a protective layer at the data source
CN116074089A (en) 2018-11-14 2023-05-05 维萨国际服务协会 Cloud token provisioning for multiple tokens
US11070548B2 (en) * 2018-12-21 2021-07-20 Paypal, Inc. Tokenized online application sessions
US20200234302A1 (en) * 2019-01-23 2020-07-23 International Business Machines Corporation Password verification
US20200242597A1 (en) * 2019-01-29 2020-07-30 Alessandro Baretta Auditing system using a trusted and cryptographically secure database
US11159551B2 (en) * 2019-04-19 2021-10-26 Microsoft Technology Licensing, Llc Sensitive data detection in communication data
US10998937B2 (en) 2019-04-30 2021-05-04 Bank Of America Corporation Embedded tag for resource distribution
US11234235B2 (en) 2019-04-30 2022-01-25 Bank Of America Corporation Resource distribution hub generation on a mobile device
US11196737B2 (en) 2019-04-30 2021-12-07 Bank Of America Corporation System for secondary authentication via contactless distribution of dynamic resources
US20200364720A1 (en) * 2019-05-14 2020-11-19 Radtab, Inc. Method and apparatus for facilitating commerce
US11769132B1 (en) 2019-05-22 2023-09-26 Wells Fargo Bank, N.A. P2P payments via integrated 3rd party APIs
SG11202108413WA (en) * 2019-06-18 2021-08-30 Visa Int Service Ass Cross-border quick response (qr) payment flow for encrypted primary account number (pan) payment flow
US11250414B2 (en) 2019-08-02 2022-02-15 Omnyway, Inc. Cloud based system for engaging shoppers at or near physical stores
US11468432B2 (en) 2019-08-09 2022-10-11 Omnyway, Inc. Virtual-to-physical secure remote payment to a physical location
US20210042742A1 (en) * 2019-08-09 2021-02-11 Capital One Services, Llc System and method for generating time-series token data
US20220343311A1 (en) * 2019-09-05 2022-10-27 Joint Stock Company ‘BISMART’ Method for Payment Transaction Execution Using Customer's Mobile Device
FR3102272B1 (en) * 2019-10-17 2022-07-15 Amadeus PERIODIC RANDOM FUNCTION GENERATION IN CLOUD COMPUTER
US12093944B2 (en) * 2019-10-18 2024-09-17 Mastercard International Incorporated Methods and systems for provisioning consumer payment credentials to token requestors
US20220374899A1 (en) * 2019-11-13 2022-11-24 Visa International Service Association System and Computer Implemented Method for Generating and Transmitting Tokenized Card Information
US11405203B2 (en) 2020-02-17 2022-08-02 Eclypses, Inc. System and method for securely transferring data using generated encryption keys
US11201737B1 (en) * 2020-05-19 2021-12-14 Acronis International Gmbh Systems and methods for generating tokens using secure multiparty computation engines
US10992606B1 (en) 2020-09-04 2021-04-27 Wells Fargo Bank, N.A. Synchronous interfacing with unaffiliated networked systems to alter functionality of sets of electronic assets
US20220148031A1 (en) * 2020-11-11 2022-05-12 Mastercard International Incorporated Tri-party process flow for control trials analytics
US20220198440A1 (en) * 2020-12-18 2022-06-23 Visa International Service Association Method, System, and Computer Program Product for Generating a Token for a User Based on Another Token of Another User
US11546338B1 (en) 2021-01-05 2023-01-03 Wells Fargo Bank, N.A. Digital account controls portal and protocols for federated and non-federated systems and devices
US11809493B2 (en) * 2021-01-19 2023-11-07 Micro Focus Llc System and method for tokenization of data
US11720693B2 (en) * 2021-03-05 2023-08-08 Eclypses, Inc. System and method for securely transferring data
US11775677B2 (en) * 2021-04-23 2023-10-03 Goldman Sachs & Co. LLC Tokenization and encryption for secure data transfer
US20220391889A1 (en) * 2021-06-04 2022-12-08 Qualcomm Incorporated Systems and methods for management of non-fungible tokens and corresponding digital assets
US12058243B2 (en) * 2021-06-09 2024-08-06 Whitestar Communications, Inc. Identity management system establishing two-way trusted relationships in a secure peer-to-peer data network
US20240348695A1 (en) * 2021-08-13 2024-10-17 Visa International Sevice Association Device recognition using recognition identifier
WO2023034655A1 (en) * 2021-09-03 2023-03-09 Verifone, Inc. Systems and methods for open banking based-subscription via a universal gateway
WO2023119144A1 (en) * 2021-12-22 2023-06-29 Mandar Agashe A system for secure transaction processing and a method thereof
US11822944B2 (en) 2022-02-15 2023-11-21 Concept Source, Inc. Tokenization of software applications and techniques for providing application functionality via webpage non-fungible tokens
US12021853B2 (en) 2022-02-15 2024-06-25 Concept Source, Inc. Techniques for providing authenticity graphical user interface display areas via unique asset token webpages
US12051069B2 (en) 2022-02-15 2024-07-30 Concept Source, Inc. Web-based order processing system and techniques for processing orders via webpage non-fungible tokens
US11875015B2 (en) * 2022-04-13 2024-01-16 Truist Bank Access card with configurable transaction rules
US11550450B1 (en) 2022-04-13 2023-01-10 Truist Bank Graphical user interface for configuring card controls for a card
US11716290B1 (en) 2022-05-12 2023-08-01 Bank Of America Corporation Electronic system for dynamic linking of resource data structures across distributed networks
EP4362392A1 (en) 2022-10-26 2024-05-01 Amadeus S.A.S. Tokenization system with common bus architecture
EP4435624A1 (en) * 2023-03-24 2024-09-25 Amadeus S.A.S. Mobile device to retrieve results to pre-programmed search queries

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040019571A1 (en) 2002-07-26 2004-01-29 Intel Corporation Mobile communication device with electronic token repository and method
US20040073688A1 (en) 2002-09-30 2004-04-15 Sampson Scott E. Electronic payment validation using Transaction Authorization Tokens
US20090172402A1 (en) 2007-12-31 2009-07-02 Nguyen Tho Tran Multi-factor authentication and certification system for electronic transactions
US20110113245A1 (en) 2009-11-12 2011-05-12 Arcot Systems, Inc. One time pin generation
US20110154466A1 (en) 2009-12-18 2011-06-23 Sabre Inc., Tokenized data security
US20110213807A1 (en) * 2010-03-01 2011-09-01 Ulf Mattsson System and method for distributed tokenization using several substitution steps
US20110211689A1 (en) * 2006-10-17 2011-09-01 Von Mueller Clay Werner System and method for variable length encryption
US20120016731A1 (en) * 2010-07-19 2012-01-19 Randy Smith Mobile system and method for payments and non-financial transactions
US20120030047A1 (en) * 2010-06-04 2012-02-02 Jacob Fuentes Payment tokenization apparatuses, methods and systems
US20120316992A1 (en) * 2011-06-07 2012-12-13 Oborne Timothy W Payment privacy tokenization apparatuses, methods and systems

Family Cites Families (91)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5016277A (en) * 1988-12-09 1991-05-14 The Exchange System Limited Partnership Encryption key entry method in a microcomputer-based encryption system
US7222079B1 (en) 1994-06-23 2007-05-22 Ingenix, Inc. Method and system for generating statistically-based medical provider utilization profiles
US5943424A (en) * 1996-06-17 1999-08-24 Hewlett-Packard Company System, method and article of manufacture for processing a plurality of transactions from a single initiation point on a multichannel, extensible, flexible architecture
US5899981A (en) * 1996-12-27 1999-05-04 Northern Telecom Limited Method and system for processing expense vouchers
US20030064807A1 (en) * 2001-09-25 2003-04-03 Walker Jay S. Method and apparatus for linked play gaming
US7127741B2 (en) * 1998-11-03 2006-10-24 Tumbleweed Communications Corp. Method and system for e-mail message transmission
US6636833B1 (en) 1998-03-25 2003-10-21 Obis Patents Ltd. Credit card system and method
US6230201B1 (en) 1998-05-29 2001-05-08 Ip Net Solutions, Inc. Configurable transaction routing system and method
US6360254B1 (en) * 1998-09-15 2002-03-19 Amazon.Com Holdings, Inc. System and method for providing secure URL-based access to private resources
EP1410658A2 (en) * 1999-12-03 2004-04-21 First Hop Oy A method and a system for obtaining services using a cellular telecommunication system
EP1305750A1 (en) 2000-05-25 2003-05-02 Wilson How Kiap Gueh Transaction system and method
US6938019B1 (en) * 2000-08-29 2005-08-30 Uzo Chijioke Chukwuemeka Method and apparatus for making secure electronic payments
WO2003010951A1 (en) * 2001-07-24 2003-02-06 Citibank, N.A. Method and system for data management in electronic payments transactions
DE60130902T2 (en) 2001-11-23 2008-07-17 Protegrity Research & Development Method for detecting intrusion into a database system
US20030130921A1 (en) * 2002-01-08 2003-07-10 Bottomline Technologies (De) Inc. Electronic transaction processing server with trend based automated transaction evaluation
US7031969B2 (en) * 2002-02-20 2006-04-18 Lawrence Technologies, Llc System and method for identifying relationships between database records
US7274792B2 (en) * 2002-08-09 2007-09-25 Broadcom Corporation Methods and apparatus for initialization vector processing
US20060190380A1 (en) * 2002-08-30 2006-08-24 Bottomline Technologies (De) Inc. Electronic transaction processing server with automated transaction evaluation
JP4278614B2 (en) 2002-09-30 2009-06-17 ノキア シーメンス ネットワークス ゲゼルシャフト ミット ベシュレンクテル ハフツング ウント コンパニー コマンディトゲゼルシャフト Method for preventing DoS attack against access token and handover procedure supporting optimized quality of service using encryption token valid only within a predetermined range
US7010565B2 (en) * 2002-09-30 2006-03-07 Sampson Scott E Communication management using a token action log
US7599856B2 (en) * 2002-11-19 2009-10-06 Amazon Technologies, Inc. Detection of fraudulent attempts to initiate transactions using modified display objects
US7827101B2 (en) * 2003-01-10 2010-11-02 First Data Corporation Payment system clearing for transactions
US7185015B2 (en) * 2003-03-14 2007-02-27 Websense, Inc. System and method of monitoring and controlling application files
US7412541B1 (en) * 2003-07-18 2008-08-12 Core Mobility, Inc. Tokenized compression of session initiation protocol data
US9208495B2 (en) * 2003-10-06 2015-12-08 Yellowpages.Com Llc Methods and apparatuses for advertisement presentation
GB0407369D0 (en) * 2004-03-31 2004-05-05 British Telecomm Trust tokens
US7275685B2 (en) * 2004-04-12 2007-10-02 Rearden Capital Corporation Method for electronic payment
US7463792B2 (en) 2004-08-17 2008-12-09 Peterschmidt Eric T System and method of archiving family history
US7496761B2 (en) * 2004-09-29 2009-02-24 Microsoft Corporation Method and system for batch task creation and execution
US9390132B1 (en) * 2009-10-16 2016-07-12 Iqor Holdings, Inc. Apparatuses, methods and systems for a universal data librarian
US7788183B2 (en) * 2005-04-13 2010-08-31 The Galt Alliance, Inc Apparatus, system, and method for facilitating electronic communication based on a personal contact
US7596745B2 (en) * 2005-11-14 2009-09-29 Sun Microsystems, Inc. Programmable hardware finite state machine for facilitating tokenization of an XML document
US7716577B2 (en) * 2005-11-14 2010-05-11 Oracle America, Inc. Method and apparatus for hardware XML acceleration
US20070125840A1 (en) * 2005-12-06 2007-06-07 Boncle, Inc. Extended electronic wallet management
US10152712B2 (en) * 2006-05-10 2018-12-11 Paypal, Inc. Inspecting event indicators
AU2006222701A1 (en) * 2006-09-21 2008-04-10 Claudia Von Heesen Payment method and system
US8661263B2 (en) 2006-09-29 2014-02-25 Protegrity Corporation Meta-complete data storage
US8769279B2 (en) * 2006-10-17 2014-07-01 Verifone, Inc. System and method for variable length encryption
CN101584211A (en) 2007-01-19 2009-11-18 皇家飞利浦电子股份有限公司 Network configuration via a wireless device
US20080263645A1 (en) * 2007-04-23 2008-10-23 Telus Communications Company Privacy identifier remediation
JP5095281B2 (en) * 2007-07-11 2012-12-12 株式会社日立製作所 Character string anonymization device, character string anonymization method, and character string anonymization program
US20090063312A1 (en) * 2007-08-28 2009-03-05 Hurst Douglas J Method and System for Processing Secure Wireless Payment Transactions and for Providing a Virtual Terminal for Merchant Processing of Such Transactions
US7716429B2 (en) * 2007-09-14 2010-05-11 International Business Machines Corporation Apparatus, system, and method for dynamic address tracking
US20090198619A1 (en) * 2008-02-06 2009-08-06 Motorola, Inc. Aggregated hash-chain micropayment system
US9852426B2 (en) * 2008-02-20 2017-12-26 Collective Dynamics LLC Method and system for secure transactions
WO2009111490A1 (en) 2008-03-04 2009-09-11 Partnet, Inc. Systems and methods for enterprise purchasing and payment
US8578176B2 (en) 2008-03-26 2013-11-05 Protegrity Corporation Method and apparatus for tokenization of sensitive sets of characters
US20130091162A1 (en) 2008-07-25 2013-04-11 Jerzy Jozef Lewak Data Access Using Multilevel Selectors and Contextual Assistance
US9185109B2 (en) 2008-10-13 2015-11-10 Microsoft Technology Licensing, Llc Simple protocol for tangible security
US8162208B2 (en) * 2009-01-23 2012-04-24 HSBC Card Services Inc. Systems and methods for user identification string generation for selection of a function
US9049234B2 (en) * 2009-02-03 2015-06-02 Gary Stephen Shuster HTTP trigger for out-of-protocol action
US8590022B2 (en) * 2009-02-26 2013-11-19 Blackberry Limited Authentication using a wireless mobile communication device
US8584251B2 (en) * 2009-04-07 2013-11-12 Princeton Payment Solutions Token-based payment processing system
US8763142B2 (en) * 2009-04-07 2014-06-24 Princeton Payment Solutions Tokenized payment processing schemes
US8534564B2 (en) * 2009-05-15 2013-09-17 Ayman Hammad Integration of verification tokens with mobile communication devices
US20110060719A1 (en) 2009-09-05 2011-03-10 Vivek Kapoor Method for Transforming Setup Data in Business Applications
US8812482B1 (en) * 2009-10-16 2014-08-19 Vikas Kapoor Apparatuses, methods and systems for a data translator
US10438194B2 (en) * 2009-10-27 2019-10-08 Ncr Corporation Methods and apparatus for stored value token creation
US8380177B2 (en) * 2010-04-09 2013-02-19 Paydiant, Inc. Mobile phone payment processing methods and systems
US8489894B2 (en) * 2010-05-26 2013-07-16 Paymetric, Inc. Reference token service
US8397989B2 (en) 2010-06-01 2013-03-19 Alcatel Lucent Method and apparatus for using boarding passes to apply business rules
US8452965B1 (en) * 2010-06-29 2013-05-28 Emc Corporation Self-identification of tokens
US8655787B1 (en) * 2010-06-29 2014-02-18 Emc Corporation Automated detection of defined input values and transformation to tokens
US20120036042A1 (en) * 2010-08-05 2012-02-09 Roam Data Inc System and method for checkout and customer data capture in commerce applications
US8806615B2 (en) * 2010-11-04 2014-08-12 Mcafee, Inc. System and method for protecting specified data combinations
US8577336B2 (en) * 2010-11-18 2013-11-05 Mobilesphere Holdings LLC System and method for transaction authentication using a mobile communication device
US8751381B2 (en) * 2011-02-23 2014-06-10 Mastercard International Incorporated Demand deposit account payment system
US20120290415A1 (en) * 2011-05-11 2012-11-15 Riavera Corp. Mobile image payment system
US20120323717A1 (en) * 2011-06-16 2012-12-20 OneID, Inc. Method and system for determining authentication levels in transactions
US9275387B1 (en) * 2011-08-16 2016-03-01 Jpmogan Chase Bank, N.A. Systems and methods for processing transactions using a wallet
US20130103685A1 (en) 2011-09-01 2013-04-25 Protegrity Corporation Multiple Table Tokenization
US9183490B2 (en) * 2011-10-17 2015-11-10 Capital One Financial Corporation System and method for providing contactless payment with a near field communications attachment
US9830596B2 (en) * 2011-11-01 2017-11-28 Stripe, Inc. Method for conducting a transaction between a merchant site and a customer's electronic device without exposing payment information to a server-side application of the merchant site
US9785920B2 (en) * 2012-01-18 2017-10-10 Square, Inc. Acquisition of card information to enhance user experience
US20130212024A1 (en) 2012-02-10 2013-08-15 Protegrity Corporation Tokenization in distributed payment environments
WO2013142209A1 (en) * 2012-03-23 2013-09-26 Mackinnon Wendy Keith System and method for facilitating secure self payment transactions of retail goods
US10275764B2 (en) * 2012-05-04 2019-04-30 Mastercard International Incorporated Transaction data tokenization
WO2014008403A1 (en) * 2012-07-03 2014-01-09 Visa International Service Association Data protection hub
US9092777B1 (en) * 2012-11-21 2015-07-28 YapStone, Inc. Credit card tokenization techniques
CN105659558B (en) * 2013-09-20 2018-08-31 甲骨文国际公司 Computer implemented method, authorization server and computer-readable memory
US20150302404A1 (en) * 2014-04-17 2015-10-22 James F. Ruffer Secure electronic payment system
US20170140346A1 (en) * 2014-06-27 2017-05-18 Psi Systems, Inc. Systems and methods providing payment transactions
US9436839B2 (en) * 2014-07-21 2016-09-06 Intel Corporation Tokenization using multiple reversible transformations
SG10201500276VA (en) * 2015-01-14 2016-08-30 Mastercard Asia Pacific Pte Ltd Method and system for making a secure payment transaction
US10096011B2 (en) * 2015-01-22 2018-10-09 Ebay Inc. Smart table devices and accessories for determining ordering aspects and bills
US10762496B2 (en) * 2015-02-06 2020-09-01 Google Llc Providing payment account information associated with a digital wallet account to a user at a merchant point of sale device
EP3268913A4 (en) * 2015-03-12 2018-09-19 Mastercard International Incorporated Payment card storing tokenized information
EP3136329A1 (en) * 2015-08-28 2017-03-01 Mastercard International Incorporated Securing mo/to processing
KR20170035294A (en) * 2015-09-22 2017-03-30 삼성전자주식회사 Electronic device and payment method of providing security thereof
SG10201508517SA (en) * 2015-10-14 2017-05-30 Mastercard International Inc A Method And System For Selecting Consumers For Targeted Messages
GB2544998A (en) * 2015-12-02 2017-06-07 Eckoh Uk Ltd Tokenisation in cardholder - not - present transactions

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040019571A1 (en) 2002-07-26 2004-01-29 Intel Corporation Mobile communication device with electronic token repository and method
US20040073688A1 (en) 2002-09-30 2004-04-15 Sampson Scott E. Electronic payment validation using Transaction Authorization Tokens
US20110211689A1 (en) * 2006-10-17 2011-09-01 Von Mueller Clay Werner System and method for variable length encryption
US20090172402A1 (en) 2007-12-31 2009-07-02 Nguyen Tho Tran Multi-factor authentication and certification system for electronic transactions
US20110113245A1 (en) 2009-11-12 2011-05-12 Arcot Systems, Inc. One time pin generation
US20110154466A1 (en) 2009-12-18 2011-06-23 Sabre Inc., Tokenized data security
US20110213807A1 (en) * 2010-03-01 2011-09-01 Ulf Mattsson System and method for distributed tokenization using several substitution steps
US20120030047A1 (en) * 2010-06-04 2012-02-02 Jacob Fuentes Payment tokenization apparatuses, methods and systems
US20120016731A1 (en) * 2010-07-19 2012-01-19 Randy Smith Mobile system and method for payments and non-financial transactions
US20120316992A1 (en) * 2011-06-07 2012-12-13 Oborne Timothy W Payment privacy tokenization apparatuses, methods and systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2812821A4

Cited By (236)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12045812B2 (en) 2005-09-06 2024-07-23 Visa U.S.A. Inc. System and method for secured account numbers in wireless devices
US11605074B2 (en) 2005-09-06 2023-03-14 Visa U.S.A. Inc. System and method for secured account numbers in proximily devices
US10289999B2 (en) 2005-09-06 2019-05-14 Visa U.S.A. Inc. System and method for secured account numbers in proximity devices
US10043178B2 (en) 2007-06-25 2018-08-07 Visa International Service Association Secure mobile payment system
US10726416B2 (en) 2007-06-25 2020-07-28 Visa International Service Association Secure mobile payment system
US11481742B2 (en) 2007-06-25 2022-10-25 Visa U.S.A. Inc. Cardless challenge systems and methods
US10262308B2 (en) 2007-06-25 2019-04-16 Visa U.S.A. Inc. Cardless challenge systems and methods
US10733604B2 (en) 2007-09-13 2020-08-04 Visa U.S.A. Inc. Account permanence
US9530131B2 (en) 2008-07-29 2016-12-27 Visa U.S.A. Inc. Transaction processing using a global unique identifier
US9898740B2 (en) 2008-11-06 2018-02-20 Visa International Service Association Online challenge-response
US10572864B2 (en) 2009-04-28 2020-02-25 Visa International Service Association Verification of portable consumer devices
US9715681B2 (en) 2009-04-28 2017-07-25 Visa International Service Association Verification of portable consumer devices
US10997573B2 (en) 2009-04-28 2021-05-04 Visa International Service Association Verification of portable consumer devices
US10846683B2 (en) 2009-05-15 2020-11-24 Visa International Service Association Integration of verification tokens with mobile communication devices
US10049360B2 (en) 2009-05-15 2018-08-14 Visa International Service Association Secure communication of payment information to merchants using a verification token
US10043186B2 (en) 2009-05-15 2018-08-07 Visa International Service Association Secure authentication system and method
US9038886B2 (en) 2009-05-15 2015-05-26 Visa International Service Association Verification of portable consumer devices
US10009177B2 (en) 2009-05-15 2018-06-26 Visa International Service Association Integration of verification tokens with mobile communication devices
US9582801B2 (en) 2009-05-15 2017-02-28 Visa International Service Association Secure communication of payment information to merchants using a verification token
US8827154B2 (en) 2009-05-15 2014-09-09 Visa International Service Association Verification of portable consumer devices
US12086787B2 (en) 2009-05-15 2024-09-10 Visa International Service Association Integration of verification tokens with mobile communication devices
US11574312B2 (en) 2009-05-15 2023-02-07 Visa International Service Association Secure authentication system and method
US9372971B2 (en) 2009-05-15 2016-06-21 Visa International Service Association Integration of verification tokens with portable computing devices
US9792611B2 (en) 2009-05-15 2017-10-17 Visa International Service Association Secure authentication system and method
US9904919B2 (en) 2009-05-15 2018-02-27 Visa International Service Association Verification of portable consumer devices
US10387871B2 (en) 2009-05-15 2019-08-20 Visa International Service Association Integration of verification tokens with mobile communication devices
US9317848B2 (en) 2009-05-15 2016-04-19 Visa International Service Association Integration of verification tokens with mobile communication devices
US11004043B2 (en) 2009-05-20 2021-05-11 Visa International Service Association Device including encrypted data for expiration date and verification value creation
US11941591B2 (en) 2009-05-20 2024-03-26 Visa International Service Association Device including encrypted data for expiration date and verification value creation
US10255591B2 (en) 2009-12-18 2019-04-09 Visa International Service Association Payment channel returning limited use proxy dynamic value
US10586229B2 (en) 2010-01-12 2020-03-10 Visa International Service Association Anytime validation tokens
US9424413B2 (en) 2010-02-24 2016-08-23 Visa International Service Association Integration of payment capability into secure elements of computers
US9589268B2 (en) 2010-02-24 2017-03-07 Visa International Service Association Integration of payment capability into secure elements of computers
US10657528B2 (en) 2010-02-24 2020-05-19 Visa International Service Association Integration of payment capability into secure elements of computers
US10255601B2 (en) 2010-02-25 2019-04-09 Visa International Service Association Multifactor authentication using a directory server
US11900343B2 (en) 2010-03-03 2024-02-13 Visa International Service Association Portable account number for consumer payment account
US10373133B2 (en) 2010-03-03 2019-08-06 Visa International Service Association Portable account number for consumer payment account
US10726413B2 (en) 2010-08-12 2020-07-28 Visa International Service Association Securing external systems with account token substitution
US11847645B2 (en) 2010-08-12 2023-12-19 Visa International Service Association Securing external systems with account token substitution
US11803846B2 (en) 2010-08-12 2023-10-31 Visa International Service Association Securing external systems with account token substitution
US10586227B2 (en) 2011-02-16 2020-03-10 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US11288661B2 (en) 2011-02-16 2022-03-29 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US10223691B2 (en) 2011-02-22 2019-03-05 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US11023886B2 (en) 2011-02-22 2021-06-01 Visa International Service Association Universal electronic payment apparatuses, methods and systems
US10552828B2 (en) 2011-04-11 2020-02-04 Visa International Service Association Multiple tokenization for authentication
US9280765B2 (en) 2011-04-11 2016-03-08 Visa International Service Association Multiple tokenization for authentication
US11010753B2 (en) 2011-07-05 2021-05-18 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10154084B2 (en) 2011-07-05 2018-12-11 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US11900359B2 (en) 2011-07-05 2024-02-13 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10121129B2 (en) 2011-07-05 2018-11-06 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
US10419529B2 (en) 2011-07-05 2019-09-17 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US10839374B2 (en) 2011-07-29 2020-11-17 Visa International Service Association Passing payment tokens through an HOP / SOP
US9704155B2 (en) 2011-07-29 2017-07-11 Visa International Service Association Passing payment tokens through an hop/sop
US11010756B2 (en) 2011-08-18 2021-05-18 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US11037138B2 (en) 2011-08-18 2021-06-15 Visa International Service Association Third-party value added wallet features and interfaces apparatuses, methods, and systems
US9959531B2 (en) 2011-08-18 2018-05-01 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US11397931B2 (en) 2011-08-18 2022-07-26 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US11763294B2 (en) 2011-08-18 2023-09-19 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US10354240B2 (en) 2011-08-18 2019-07-16 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US10242358B2 (en) 2011-08-18 2019-03-26 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US10825001B2 (en) 2011-08-18 2020-11-03 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US11803825B2 (en) 2011-08-18 2023-10-31 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US10402815B2 (en) 2011-08-24 2019-09-03 Visa International Service Association Method for using barcodes and mobile devices to conduct payment transactions
US10078832B2 (en) 2011-08-24 2018-09-18 Visa International Service Association Method for using barcodes and mobile devices to conduct payment transactions
US11354723B2 (en) 2011-09-23 2022-06-07 Visa International Service Association Smart shopping cart with E-wallet store injection search
US10223730B2 (en) 2011-09-23 2019-03-05 Visa International Service Association E-wallet store injection search apparatuses, methods and systems
US11276058B2 (en) 2012-01-05 2022-03-15 Visa International Service Association Data protection with translation
US10685379B2 (en) 2012-01-05 2020-06-16 Visa International Service Association Wearable intelligent vision device apparatuses, methods and systems
US10147089B2 (en) 2012-01-05 2018-12-04 Visa International Service Association Data protection with translation
US9830595B2 (en) 2012-01-26 2017-11-28 Visa International Service Association System and method of providing tokenization as a service
US10607217B2 (en) 2012-01-26 2020-03-31 Visa International Service Association System and method of providing tokenization as a service
US10430381B2 (en) 2012-02-02 2019-10-01 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia centralized personal information database platform apparatuses, methods and systems
US10262001B2 (en) 2012-02-02 2019-04-16 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US11074218B2 (en) 2012-02-02 2021-07-27 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia merchant analytics database platform apparatuses, methods and systems
US11036681B2 (en) 2012-02-02 2021-06-15 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia analytical model sharing database platform apparatuses, methods and systems
US10983960B2 (en) 2012-02-02 2021-04-20 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia centralized personal information database platform apparatuses, methods and systems
US11995633B2 (en) 2012-03-06 2024-05-28 Visa International Service Association Security system incorporating mobile device
US10282724B2 (en) 2012-03-06 2019-05-07 Visa International Service Association Security system incorporating mobile device
US10937031B2 (en) 2012-05-04 2021-03-02 Visa International Service Association System and method for local data conversion
US9524501B2 (en) 2012-06-06 2016-12-20 Visa International Service Association Method and system for correlating diverse transaction data
US10296904B2 (en) 2012-06-06 2019-05-21 Visa International Service Association Method and system for correlating diverse transaction data
US11037140B2 (en) 2012-06-06 2021-06-15 Visa International Service Association Method and system for correlating diverse transaction data
US9547769B2 (en) 2012-07-03 2017-01-17 Visa International Service Association Data protection hub
US11481754B2 (en) 2012-07-13 2022-10-25 Scvngr, Inc. Secure payment method and system
US9846861B2 (en) 2012-07-25 2017-12-19 Visa International Service Association Upstream and downstream data conversion
US9256871B2 (en) 2012-07-26 2016-02-09 Visa U.S.A. Inc. Configurable payment tokens
US9727858B2 (en) 2012-07-26 2017-08-08 Visa U.S.A. Inc. Configurable payment tokens
US9665722B2 (en) 2012-08-10 2017-05-30 Visa International Service Association Privacy firewall
US10204227B2 (en) 2012-08-10 2019-02-12 Visa International Service Association Privacy firewall
US10586054B2 (en) 2012-08-10 2020-03-10 Visa International Service Association Privacy firewall
US11715097B2 (en) 2012-09-11 2023-08-01 Visa International Service Association Cloud-based virtual wallet NFC apparatuses, methods and systems
US10192216B2 (en) 2012-09-11 2019-01-29 Visa International Service Association Cloud-based virtual wallet NFC apparatuses, methods and systems
US10853797B2 (en) 2012-09-11 2020-12-01 Visa International Service Association Cloud-based virtual wallet NFC apparatuses, methods and systems
US10614460B2 (en) 2012-10-23 2020-04-07 Visa International Service Association Transaction initiation determination system utilizing transaction data elements
US10176478B2 (en) 2012-10-23 2019-01-08 Visa International Service Association Transaction initiation determination system utilizing transaction data elements
US10692076B2 (en) 2012-11-21 2020-06-23 Visa International Service Association Device pairing via trusted intermediary
US9911118B2 (en) 2012-11-21 2018-03-06 Visa International Service Association Device pairing via trusted intermediary
US10304047B2 (en) 2012-12-07 2019-05-28 Visa International Service Association Token generating component
US10740731B2 (en) 2013-01-02 2020-08-11 Visa International Service Association Third party settlement
US9741051B2 (en) 2013-01-02 2017-08-22 Visa International Service Association Tokenization and third-party interaction
US10223710B2 (en) 2013-01-04 2019-03-05 Visa International Service Association Wearable intelligent vision device apparatuses, methods and systems
US11055710B2 (en) 2013-05-02 2021-07-06 Visa International Service Association Systems and methods for verifying and processing transactions using virtual currency
US11341491B2 (en) 2013-05-15 2022-05-24 Visa International Service Association Mobile tokenization hub using dynamic identity information
US9978062B2 (en) 2013-05-15 2018-05-22 Visa International Service Association Mobile tokenization hub
US11861607B2 (en) 2013-05-15 2024-01-02 Visa International Service Association Mobile tokenization hub using dynamic identity information
US10878422B2 (en) 2013-06-17 2020-12-29 Visa International Service Association System and method using merchant token
US11017402B2 (en) 2013-06-17 2021-05-25 Visa International Service Association System and method using authorization and direct credit messaging
US9530289B2 (en) 2013-07-11 2016-12-27 Scvngr, Inc. Payment processing with automatic no-touch mode selection
US9996835B2 (en) 2013-07-24 2018-06-12 Visa International Service Association Systems and methods for communicating token attributes associated with a token vault
US11915235B2 (en) 2013-07-24 2024-02-27 Visa International Service Association Systems and methods for communicating token attributes associated with a token vault
US11093936B2 (en) 2013-07-24 2021-08-17 Visa International Service Association Systems and methods for communicating token attributes associated with a token vault
US10902421B2 (en) 2013-07-26 2021-01-26 Visa International Service Association Provisioning payment credentials to a consumer
US10496986B2 (en) 2013-08-08 2019-12-03 Visa International Service Association Multi-network tokenization processing
US11392939B2 (en) 2013-08-08 2022-07-19 Visa International Service Association Methods and systems for provisioning mobile devices with payment credentials
US10510073B2 (en) 2013-08-08 2019-12-17 Visa International Service Association Methods and systems for provisioning mobile devices with payment credentials
US11676138B2 (en) 2013-08-08 2023-06-13 Visa International Service Association Multi-network tokenization processing
US9978094B2 (en) 2013-10-11 2018-05-22 Visa International Service Association Tokenization revocation list
US11710119B2 (en) 2013-10-11 2023-07-25 Visa International Service Association Network token system
US10891610B2 (en) 2013-10-11 2021-01-12 Visa International Service Association Network token system
WO2015054697A1 (en) 2013-10-11 2015-04-16 Visa International Service Association Network token system
US10515358B2 (en) 2013-10-18 2019-12-24 Visa International Service Association Contextual transaction token methods and systems
US10489779B2 (en) 2013-10-21 2019-11-26 Visa International Service Association Multi-network token bin routing with defined verification parameters
US10366387B2 (en) 2013-10-29 2019-07-30 Visa International Service Association Digital wallet system and method
US9516487B2 (en) 2013-11-19 2016-12-06 Visa International Service Association Automated account provisioning
US10248952B2 (en) 2013-11-19 2019-04-02 Visa International Service Association Automated account provisioning
US9922322B2 (en) 2013-12-19 2018-03-20 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US9972005B2 (en) 2013-12-19 2018-05-15 Visa International Service Association Cloud-based transactions methods and systems
US11017386B2 (en) 2013-12-19 2021-05-25 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US11875344B2 (en) 2013-12-19 2024-01-16 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US11164176B2 (en) 2013-12-19 2021-11-02 Visa International Service Association Limited-use keys and cryptograms
US10402814B2 (en) 2013-12-19 2019-09-03 Visa International Service Association Cloud-based transactions methods and systems
US10433128B2 (en) 2014-01-07 2019-10-01 Visa International Service Association Methods and systems for provisioning multiple devices
US10062079B2 (en) 2014-01-14 2018-08-28 Visa International Service Association Payment account identifier system
US9846878B2 (en) 2014-01-14 2017-12-19 Visa International Service Association Payment account identifier system
US10269018B2 (en) 2014-01-14 2019-04-23 Visa International Service Association Payment account identifier system
US10026087B2 (en) 2014-04-08 2018-07-17 Visa International Service Association Data passed in an interaction
US11100507B2 (en) 2014-04-08 2021-08-24 Visa International Service Association Data passed in an interaction
US10904002B2 (en) 2014-04-23 2021-01-26 Visa International Service Association Token security on a communication device
US9942043B2 (en) 2014-04-23 2018-04-10 Visa International Service Association Token security on a communication device
US10404461B2 (en) 2014-04-23 2019-09-03 Visa International Service Association Token security on a communication device
US11470164B2 (en) 2014-05-01 2022-10-11 Visa International Service Association Data verification using access device
US9680942B2 (en) 2014-05-01 2017-06-13 Visa International Service Association Data verification using access device
US11122133B2 (en) 2014-05-05 2021-09-14 Visa International Service Association System and method for token domain control
US9848052B2 (en) 2014-05-05 2017-12-19 Visa International Service Association System and method for token domain control
US10846694B2 (en) 2014-05-21 2020-11-24 Visa International Service Association Offline authentication
US11842350B2 (en) 2014-05-21 2023-12-12 Visa International Service Association Offline authentication
US11023890B2 (en) 2014-06-05 2021-06-01 Visa International Service Association Identification and verification for provisioning mobile application
US9780953B2 (en) 2014-07-23 2017-10-03 Visa International Service Association Systems and methods for secure detokenization
US10652028B2 (en) 2014-07-23 2020-05-12 Visa International Service Association Systems and methods for secure detokenization
US10038563B2 (en) 2014-07-23 2018-07-31 Visa International Service Association Systems and methods for secure detokenization
US11252136B2 (en) 2014-07-31 2022-02-15 Visa International Service Association System and method for identity verification across mobile applications
US11770369B2 (en) 2014-07-31 2023-09-26 Visa International Service Association System and method for identity verification across mobile applications
US10484345B2 (en) 2014-07-31 2019-11-19 Visa International Service Association System and method for identity verification across mobile applications
US10477393B2 (en) 2014-08-22 2019-11-12 Visa International Service Association Embedding cloud-based functionalities in a communication device
US10049353B2 (en) 2014-08-22 2018-08-14 Visa International Service Association Embedding cloud-based functionalities in a communication device
US11036873B2 (en) 2014-08-22 2021-06-15 Visa International Service Association Embedding cloud-based functionalities in a communication device
US11783061B2 (en) 2014-08-22 2023-10-10 Visa International Service Association Embedding cloud-based functionalities in a communication device
US9775029B2 (en) 2014-08-22 2017-09-26 Visa International Service Association Embedding cloud-based functionalities in a communication device
US11087328B2 (en) 2014-09-22 2021-08-10 Visa International Service Association Secure mobile device credential provisioning using risk decision non-overrides
US10140615B2 (en) 2014-09-22 2018-11-27 Visa International Service Association Secure mobile device credential provisioning using risk decision non-overrides
US11574311B2 (en) 2014-09-22 2023-02-07 Visa International Service Association Secure mobile device credential provisioning using risk decision non-overrides
US10643001B2 (en) 2014-09-26 2020-05-05 Visa International Service Association Remote server encrypted data provisioning system and methods
US10255456B2 (en) 2014-09-26 2019-04-09 Visa International Service Association Remote server encrypted data provisioning system and methods
US11257074B2 (en) 2014-09-29 2022-02-22 Visa International Service Association Transaction risk based token
US11734679B2 (en) 2014-09-29 2023-08-22 Visa International Service Association Transaction risk based token
US10412060B2 (en) 2014-10-22 2019-09-10 Visa International Service Association Token enrollment system and method
US10015147B2 (en) 2014-10-22 2018-07-03 Visa International Service Association Token enrollment system and method
US12051064B2 (en) 2014-10-24 2024-07-30 Visa Europe Limited Transaction messaging
US10769628B2 (en) 2014-10-24 2020-09-08 Visa Europe Limited Transaction messaging
US12002049B2 (en) 2014-11-25 2024-06-04 Visa International Service Association System communications with non-sensitive identifiers
US10325261B2 (en) 2014-11-25 2019-06-18 Visa International Service Association Systems communications with non-sensitive identifiers
US10990977B2 (en) 2014-11-25 2021-04-27 Visa International Service Association System communications with non-sensitive identifiers
US12112316B2 (en) 2014-11-26 2024-10-08 Visa International Service Association Tokenization request via access device
US11620643B2 (en) 2014-11-26 2023-04-04 Visa International Service Association Tokenization request via access device
US10785212B2 (en) 2014-12-12 2020-09-22 Visa International Service Association Automated access data provisioning
US10257185B2 (en) 2014-12-12 2019-04-09 Visa International Service Association Automated access data provisioning
US11580519B2 (en) 2014-12-12 2023-02-14 Visa International Service Association Provisioning platform for machine-to-machine devices
US11240219B2 (en) 2014-12-31 2022-02-01 Visa International Service Association Hybrid integration of software development kit with secure execution environment
US10187363B2 (en) 2014-12-31 2019-01-22 Visa International Service Association Hybrid integration of software development kit with secure execution environment
US10511583B2 (en) 2014-12-31 2019-12-17 Visa International Service Association Hybrid integration of software development kit with secure execution environment
US10096009B2 (en) 2015-01-20 2018-10-09 Visa International Service Association Secure payment processing using authorization request
US11010734B2 (en) 2015-01-20 2021-05-18 Visa International Service Association Secure payment processing using authorization request
US10496965B2 (en) 2015-01-20 2019-12-03 Visa International Service Association Secure payment processing using authorization request
US11250391B2 (en) 2015-01-30 2022-02-15 Visa International Service Association Token check offline
US11176554B2 (en) 2015-02-03 2021-11-16 Visa International Service Association Validation identity tokens for transactions
US11915243B2 (en) 2015-02-03 2024-02-27 Visa International Service Association Validation identity tokens for transactions
US10977657B2 (en) 2015-02-09 2021-04-13 Visa International Service Association Token processing utilizing multiple authorizations
US10164996B2 (en) 2015-03-12 2018-12-25 Visa International Service Association Methods and systems for providing a low value token buffer
US10333921B2 (en) 2015-04-10 2019-06-25 Visa International Service Association Browser integration with Cryptogram
US11271921B2 (en) 2015-04-10 2022-03-08 Visa International Service Association Browser integration with cryptogram
US10568016B2 (en) 2015-04-16 2020-02-18 Visa International Service Association Systems and methods for processing dormant virtual access devices
US10552834B2 (en) 2015-04-30 2020-02-04 Visa International Service Association Tokenization capable authentication framework
US11068889B2 (en) 2015-10-15 2021-07-20 Visa International Service Association Instant token issuance
US10664843B2 (en) 2015-12-04 2020-05-26 Visa International Service Association Unique code for token verification
US11127016B2 (en) 2015-12-04 2021-09-21 Visa International Service Association Unique code for token verification
US10664844B2 (en) 2015-12-04 2020-05-26 Visa International Service Association Unique code for token verification
US10243958B2 (en) 2016-01-07 2019-03-26 Visa International Service Association Systems and methods for device push provisoning
US10911456B2 (en) 2016-01-07 2021-02-02 Visa International Service Association Systems and methods for device push provisioning
US11720893B2 (en) 2016-02-01 2023-08-08 Visa International Service Association Systems and methods for code display and use
US11080696B2 (en) 2016-02-01 2021-08-03 Visa International Service Association Systems and methods for code display and use
US11900361B2 (en) 2016-02-09 2024-02-13 Visa International Service Association Resource provider account token provisioning and processing
US10313321B2 (en) 2016-04-07 2019-06-04 Visa International Service Association Tokenization of co-network accounts
US11386421B2 (en) 2016-04-19 2022-07-12 Visa International Service Association Systems and methods for performing push transactions
US11995649B2 (en) 2016-05-19 2024-05-28 Visa International Service Association Systems and methods for creating subtokens using primary tokens
US11250424B2 (en) 2016-05-19 2022-02-15 Visa International Service Association Systems and methods for creating subtokens using primary tokens
US11068578B2 (en) 2016-06-03 2021-07-20 Visa International Service Association Subtoken management system for connected devices
US11068899B2 (en) 2016-06-17 2021-07-20 Visa International Service Association Token aggregation for multi-party transactions
US11783343B2 (en) 2016-06-17 2023-10-10 Visa International Service Association Token aggregation for multi-party transactions
US11329822B2 (en) 2016-06-24 2022-05-10 Visa International Service Association Unique token authentication verification value
US10361856B2 (en) 2016-06-24 2019-07-23 Visa International Service Association Unique token authentication cryptogram
US11714885B2 (en) 2016-07-11 2023-08-01 Visa International Service Association Encryption key exchange process using access device
US11238140B2 (en) 2016-07-11 2022-02-01 Visa International Service Association Encryption key exchange process using access device
US10990967B2 (en) 2016-07-19 2021-04-27 Visa International Service Association Method of distributing tokens and managing token relationships
US12067558B2 (en) 2016-07-19 2024-08-20 Visa International Service Association Method of distributing tokens and managing token relationships
US10942918B2 (en) 2016-09-14 2021-03-09 Visa International Service Association Self-cleaning token vault
US10509779B2 (en) 2016-09-14 2019-12-17 Visa International Service Association Self-cleaning token vault
US11799862B2 (en) 2016-11-28 2023-10-24 Visa International Service Association Access identifier provisioning to application
US11323443B2 (en) 2016-11-28 2022-05-03 Visa International Service Association Access identifier provisioning to application
WO2018111425A1 (en) * 2016-12-12 2018-06-21 Citibank, N.A. Systems and methods for pre-staging atm transactions
US11348077B2 (en) 2016-12-12 2022-05-31 Citibank, N.A. Systems and methods for pre-staging ATM transactions
US11900371B2 (en) 2017-03-17 2024-02-13 Visa International Service Association Replacing token on a multi-token user device
US10915899B2 (en) 2017-03-17 2021-02-09 Visa International Service Association Replacing token on a multi-token user device
US11449862B2 (en) 2017-05-02 2022-09-20 Visa International Service Association System and method using interaction token
US10902418B2 (en) 2017-05-02 2021-01-26 Visa International Service Association System and method using interaction token
US12067562B2 (en) 2017-05-11 2024-08-20 Visa International Service Association Secure remote transaction system using mobile devices
US11494765B2 (en) 2017-05-11 2022-11-08 Visa International Service Association Secure remote transaction system using mobile devices
US10491389B2 (en) 2017-07-14 2019-11-26 Visa International Service Association Token provisioning utilizing a secure authentication system
US11398910B2 (en) 2017-07-14 2022-07-26 Visa International Service Association Token provisioning utilizing a secure authentication system
WO2019103793A1 (en) * 2017-11-22 2019-05-31 Mastercard International Incorporated Bin-conserving tokenization techniques generating tokens in reverse order and employing common device pan with differing pan sequence number values across token instances
US10963871B2 (en) 2017-11-22 2021-03-30 Mastercard International Incorporated Bin-conserving tokenization techniques generating tokens in reverse order and employing common device pan with differing pan sequence number values across token instances
US11356257B2 (en) 2018-03-07 2022-06-07 Visa International Service Association Secure remote token release with online authentication
US11743042B2 (en) 2018-03-07 2023-08-29 Visa International Service Association Secure remote token release with online authentication
US12008088B2 (en) 2018-06-18 2024-06-11 Visa International Service Association Recurring token transactions
US11256789B2 (en) 2018-06-18 2022-02-22 Visa International Service Association Recurring token transactions
US12028337B2 (en) 2018-10-08 2024-07-02 Visa International Service Association Techniques for token proximity transactions
US11849042B2 (en) 2019-05-17 2023-12-19 Visa International Service Association Virtual access credential interaction system and method

Also Published As

Publication number Publication date
US9430767B2 (en) 2016-08-30
US20170053270A1 (en) 2017-02-23
AU2013216868A1 (en) 2014-09-18
US9785941B2 (en) 2017-10-10
US20130212666A1 (en) 2013-08-15
US9697518B2 (en) 2017-07-04
AU2013216868B2 (en) 2015-11-19
US9721249B2 (en) 2017-08-01
US9514457B2 (en) 2016-12-06
US9904923B2 (en) 2018-02-27
US20150039519A1 (en) 2015-02-05
US8893250B2 (en) 2014-11-18
US20130212019A1 (en) 2013-08-15
US20170262843A1 (en) 2017-09-14
EP2812821A1 (en) 2014-12-17
US20130212024A1 (en) 2013-08-15
US20170293915A1 (en) 2017-10-12
US20180144343A1 (en) 2018-05-24
EP2812821A4 (en) 2015-07-29
US20130212007A1 (en) 2013-08-15
US20170053271A1 (en) 2017-02-23
US20160055482A1 (en) 2016-02-25

Similar Documents

Publication Publication Date Title
US9785941B2 (en) Tokenization in mobile environments
US11574311B2 (en) Secure mobile device credential provisioning using risk decision non-overrides
US11170379B2 (en) Peer forward authorization of digital requests
RU2663476C2 (en) Remote payment transactions protected processing, including authentication of consumers
US10135614B2 (en) Integrated contactless MPOS implementation
US20170308896A1 (en) Methods and apparatus for brokering a transaction
US20180285875A1 (en) Static token systems and methods for representing dynamic real credentials
US20120239928A1 (en) Online Security Systems and Methods
US20170213220A1 (en) Securing transactions on an insecure network
KR20200072559A (en) Secure remote payment transaction processing
US20220245262A1 (en) Secure information storage, transfer and computing
GB2536012A (en) Remote transaction system, method and point of sale terminal
Sung et al. Mobile Payment Based on Transaction Certificate Using Cloud Self‐Proxy Server
US20140143147A1 (en) Transaction fee negotiation for currency remittance

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13747085

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2013747085

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2013216868

Country of ref document: AU

Date of ref document: 20130208

Kind code of ref document: A