WO2019222090A1

WO2019222090A1 - Mobile network operator authentication protocol

Info

Publication number: WO2019222090A1
Application number: PCT/US2019/031998
Authority: WO
Inventors: Otto Williams
Original assignee: Visa International Service Association
Priority date: 2018-05-14
Filing date: 2019-05-13
Publication date: 2019-11-21
Also published as: CN112136302A; CN116527384A; CN112136302B

Abstract

A method is disclosed and includes receiving, by a server computer, a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system. The method also includes transmitting, by the server computer, the virtual access credential request to an authorizing entity computer, receiving, by the server computer, a virtual access credential from the authorizing entity computer, and transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer.

Description

MOBILE NETWORK OPERATOR AUTHENTICATION PROTOCOL

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Application No. 62/671 ,325, filed May 14, 2018, which is herein incorporated by reference in its entirety for all purposes.

BACKGROUND

[0002] There are many instances in which users may not be in possession of appropriate credentials, but may wish to be provided with the ability to access resources. In one example, a person may wish to enter a building, but may not have an appropriate badge or keycard to access the building. In another example, a person may wish to purchase an item, but then may not have an electronic debit or credit card to purchase that item. It would be desirable to provide users with access to resources in situations where the user does not have an access credential.

[0003] Embodiments of the invention address the above problems and other problems, individually and collectively.

BRIEF SUMMARY

[0004] Embodiments of the present disclosure are directed to methods and systems that provide authentication and authorization for access. In some examples, the methods and systems will establish a first and second level of authentication, where an authorizing entity can establish a first authentication and mobile network operator computer can establish a second authentication. In other examples, the systems will allow a user to initiate purchase transactions or access restricted areas using a mobile network operator computer system associated with the user’s communication device, rather than an account at a bank.

[0005] One embodiment of the invention is directed to a method or system comprising: receiving, by a server computer, a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system; transmitting, by the server computer, the virtual access credential request to an authorizing entity computer; receiving, by the server computer, a virtual access credential from the authorizing entity computer; transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer; receiving, by the server computer, an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction; forwarding, by the server computer, the authorization request message to the authorizing entity computer; receiving, by the server computer, an authorization response message from the authorizing entity computer; and forwarding, by the server computer, the authorization response message to the resource provider computer, wherein the authorization entity computer

subsequently completes the interaction with the mobile network operator computer system .

[0006] Another embodiment of the invention is directed to: receiving, by an authorizing entity computer, a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system; generating, by the authorizing entity computer, a virtual access credential associated with an approved amount; transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer; receiving, by the authorizing entity computer, an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction; comparing a total amount with the

authorization request with the approved amount of the virtual access credential;

determining, by the authorizing entity computer, an approval or denial of the

authorization request message based on the comparison; generating, by the authorizing entity computer, an authorization response message based on the approval or denial of the authorization request message; forwarding, by the server computer, the authorization response message to the processing network computer; and subsequently forwarding a completion message to the mobile network operator computer system based on the approval or denial of the authorization request message.

[0007] Other embodiments are directed to server computers and systems, adapted to perform the above-noted method and other methods.

[0008] These and other embodiments of the invention are described in further detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0009] FIG. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the invention.

[0010] FIG. 2 shows a block diagram of a processing network server computer according to an embodiment of the invention.

[0011] FIG. 3 shows a block diagram of a resource provider computer according to an embodiment of the invention.

[0012] FIG. 4 shows a block diagram of an authorizing entity computer according to an embodiment of the invention.

[0013] FIG. 5 shows a block diagram of a mobile network operator computer system according to an embodiment of the invention.

[0014] FIG. 6 shows a block diagram of a communication device according to an embodiment of the invention.

DETAILED DESCRIPTION

[0015] Prior to discussing embodiments of the invention, a further description of some terms may be helpful in understanding embodiments of the invention. [0016] A“virtual access credential” can be a credential that has a limited lifetime or limited number of uses. The virtual access credential may have the form or attributes of a credential or payment credential, token, or payment token, as further described below. A virtual access credential can be used to gain access to a resource such as good, services, locations, and secure data. Virtual access credentials may also have any suitable form including letters or numbers (e.g., 16 digits of numbers).

[0017] A“credential” may be any suitable information that serves as reliable evidence of worth, ownership, identity, or authority. A credential may be a string of numbers, letters, or any other suitable characters, as well as any object or document that can serve as confirmation. Examples of credentials include value credentials such as payment credentials, identification cards, certified documents, access cards, passcodes and other login information, etc.

[0018] “Payment credentials” may include any suitable information associated with an account (e.g., a payment account and/or payment device associated with the account). Such information may be directly related to the account or may be derived from information related to the account. Examples of account information may include a PAN (primary account number or“account number”), user name, expiration date, and verification values such as CW, dCW, CW2, dCW2, and CVC3 values.

[0019] A“digital wallet” can include an electronic device that allows an individual to conduct electronic commerce transactions. A digital wallet may store user profile information, payment credentials, bank account information, one or more digital wallet identifiers and/or the like and can be used in a variety of transactions, such as but not limited to eCommerce, social networks, money transfer/ personal payments, mobile commerce, proximity payments, gaming, and/or the like for retail purchases, digital goods purchases, utility payments, purchasing games or gaming credits from gaming websites, transferring funds between users, and/or the like. A digital wallet may be designed to streamline the purchase and payment process. A digital wallet may allow the user to load one or more payment cards onto the digital wallet so as to make a payment without having to enter an account number or present a physical card. [0020] A“token” may be a substitute value for a credential. A token may be a string of numbers, letters, or any other suitable characters. Examples of tokens include payment tokens, access tokens, personal identification tokens, etc.

[0021] A "payment token” may include an identifier for a payment account that is a substitute for an account identifier, such as a primary account number (PAN). For example, a payment token may include a series of alphanumeric characters that may be used as a substitute for an original account identifier. For example, a token“4900 0000 0000 0001 may be used in place of a PAN“4147 0900 0000 1234 In some

embodiments, a payment token may be“format preserving” and may have a numeric format that conforms to the account identifiers used in existing transaction processing networks (e.g., ISO 8583 financial transaction message format). In some embodiments, a payment token may be used in place of a PAN to initiate, authorize, settle or resolve a payment transaction or represent the original credential in other systems where the original credential would typically be provided. In some embodiments, a payment token may be generated such that the recovery of the original PAN or other account identifier from the token value may not be computationally derived. Further, in some

embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token.

[0022] “Tokenization” is a process by which data is replaced with substitute data. For example, a payment account identifier (e.g., PAN) may be tokenized by replacing the primary account identifier with a substitute number (e.g., a token) that may be associated with the payment account identifier. Further, tokenization may be applied to any other information that may be replaced with a substitute value (i.e. , token).

Tokenization enhances transaction efficiency and security.

[0023] A“virtual access credential request message” may be an electronic message for requesting a virtual access credential. A virtual access credential request message may include information usable for identifying a payment account or digital wallet, and/or information for generating a virtual access credential. For example, a virtual access credential request message may include payment credentials, mobile device identification information (e.g., a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a merchant identifier, a cryptogram, and/or any other suitable information. Information included in a virtual access credential request message can be encrypted (e.g., with an authorizing entity- specific key). In some examples, the virtual access credential request message may include an approved amount that is provided on behalf of an authorizing entity computer to a user (e.g., a loaned amount, etc.) and stored with a user profile at the authorizing entity computer to compare at a later time with a total amount included in an

authorization request message.

[0024] A“virtual access credential response message” may be a message that responds to a virtual access credential request. A virtual access credential response message may include an indication that a virtual access credential request was approved or denied. A virtual access credential response message may also include a virtual access credential, mobile device identification information (e.g., a phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a resource provider identifier, a cryptogram, and/or any other suitable information. Information included in a virtual access credential response message can be encrypted (e.g., with an issuer-specific key).

[0025] A“user” may include an individual. In some embodiments, a user may be associated with one or more personal accounts and/or mobile devices. The user may also be referred to as a cardholder, account holder, or consumer in some embodiments.

[0026] An“authorization request message” may be an electronic message that requests authorization for a transaction. In some embodiments, it is sent to a

transaction processing computer and/or an issuer of a payment card to request authorization for a transaction. An authorization request message according to some embodiments may comply with ISO 8583, which is a standard for systems that exchange electronic transaction information associated with a payment made by a user using a payment device or payment account. The authorization request message may include an issuer account identifier that may be associated with a payment device or payment account. An authorization request message may also comprise additional data elements corresponding to“identification information” including, by way of example only: a service code, a CVV (card verification value), a dCW (dynamic card verification value), a PAN (primary account number or“account number”), a payment token, a user name, an expiration date, etc. An authorization request message may also comprise “transaction information,” such as any information associated with a current transaction, such as the transaction total amount, merchant identifier, merchant location, acquirer bank identification number (BIN), card acceptor ID, information identifying items being purchased, etc., as well as any other information that may be utilized in determining whether to identify and/or authorize a transaction.

[0027] An“authorization response message” may be a message that responds to an authorization request. In some cases, it may be an electronic message reply to an authorization request message generated by an issuing financial institution or a transaction processing computer. The authorization response message may include, by way of example only, one or more of the following status indicators: Approval -- transaction was approved; Decline -- transaction was not approved; or Call Center -- response pending more information, merchant must call the toll-free authorization phone number. The authorization response message may also include an authorization code, which may be a code that a credit card issuing bank returns in response to an authorization request message in an electronic message (either directly or through the transaction processing computer) to the merchant's access device (e.g.,POS

equipment) that indicates approval of the transaction. The code may serve as proof of authorization.

[0028] A“server computer” may include a powerful computer or cluster of computers. For example, the server computer can be a large mainframe, a

minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a Web server. The server computer may comprise one or more computational apparatuses and may use any of a variety of computing structures, arrangements, and compilations for servicing the requests from one or more client computers.

[0029] Embodiments of the present disclosure are include methods and systems that provide authentication and authorization for access. In some examples, the systems will establish a first and second level of authentication, where an authorizing entity can establish a first authentication and mobile network operator computer can establish a second authentication. In other examples, the systems will allow a user to initiate purchase transactions or access restricted areas using a mobile network operator computer system associated with the user’s communication device, rather than an account at a bank.

[0030] FIG. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the invention. As illustrated, the system may comprise a communication device 102, resource provider computer 110, transport computer 115, processing network server computer 120, authorizing entity computer 130, and a mobile network operator computer system 140.

[0031] The system of FIG. 1 may include a processing network server computer 120. An example processing network server computer 120 of FIG. 1 is illustrated with FIG. 2. A processing network server computer 120 may include one or more server computers, as well as data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary processing network may include VisaNet™.

Processing networks such as VisaNet™ are able to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™, in particular, includes a VIP system (Visa Integrated Payments system) which processes authorization requests and a Base II system which performs clearing and settlement services. The processing network may use any suitable wired or wireless network, including the Internet.

[0032] The processing network server computer(s) may comprise subsystems or components as shown in FIG. 2 interconnected via system bus 210. The interconnection via the system bus 210 may allow the processor 212 to communicate with each subsystem and to control execution of instructions from system memory 214. The system memory 214 may embody a computer readable medium. The

communication interface 216 can be used to connect the server computers to a wide area network such as the Internet or other I/O devices associated with the computer system. The system bus 210 may also connect one or more modules or engines embodied in memory, including a communication module 230, a virtual access credential module 232, and/or an interaction engine 234.

[0033] The communication module 230 may be configured to receive and transmit electronic messages from other computers and devices throughout the system illustrated in FIG. 1. For example, the communication module 230 may be configured to receive a virtual access credential request from a communication device 102, transmit the virtual access credential request to an authorizing entity computer 130, receive and transmit a virtual access credential, receive and transmit an authorization request message, and receive and transmit an authorization response message.

[0034] The virtual access credential module 232 may be configured to parse a virtual access credential request to determine a user identifier associated with a communication device 102 operated by a user. The user identifier may correspond with mobile network operator computer system 140 to receive additional information associated with the user identifier. The additional information may include order history, location history, or user profile information of the communication device that is registered with the mobile network operator computer system 140. The virtual access credential module 232 may determine whether to generate the virtual access credential based on the additional information.

[0035] The interaction engine 234 may be configured to identify an authorizing entity computer 130 based on a virtual access credential and route an authorization request message to the appropriate authorizing entity computer 130. For example, the authorization request message may comprise a credential comprising a bank

identification number (BIN) that uniquely identifies an authorizing entity computer in a plurality of authorizing entity computers. The interaction engine 234 may correlate the received BIN with the appropriate routing information to the authorizing entity computer and enable the transmission of the authorization request message to the appropriate authorizing entity computer.

[0036] The system of FIG. 1 may also include a resource provider computer 110. An example resource provider computer 110 of FIG. 1 is illustrated with FIG. 3. A resource provider computer may be an entity that can provide a resource such as goods, services, information, and/or access. Examples of resource providers includes merchants, data providers, transit agencies, governmental entities, venue and dwelling operators, etc. A merchant may typically be an entity that engages in transactions and can sell goods or services, or provide access to goods or services.

[0037] The resource provider computer may comprise subsystems or

components as shown in FIG. 3 interconnected via system bus 310. The

interconnection via the system bus 310 may allow the processor 312 to communicate with each subsystem and to control execution of instructions from system memory 314. The system memory 314 may embody a computer readable medium. The

communication interface 316 can be used to connect the resource provider computer to a wide area network such as the Internet or other I/O devices associated with the resource provider computer. The system bus 310 may also connect one or more modules or engines embodied in memory, including a communication module 330, a request engine 332, and/or an interaction engine 334. One or more databases may store information received, maintained, and transmitted by the resource provider computer, including an item database 350.

[0038] The communication module 330 may be configured to receive and transmit electronic messages from other computers and devices throughout the system illustrated in FIG. 1. For example, the communication module may be configured to receive a request for an order for an item or service at an interaction site 112, receive an indication of an interaction at the interaction site 112 (e.g., selecting a“bill me” button, etc.), transmit a virtual access credential request to a processing network server computer 120, and transmit an authorization request message to a transport computer 115.

[0039] The request engine 332 may be configured to generate a virtual access credential request associated with an interaction between a communication device 102 and an interaction site 112 (not shown in FIG. 3). The virtual access credential request may comprise information associated with a communication device operated by a user. In some embodiments, the virtual access credential may correspond with an approved amount associated with a request for access to a resource requested by the

communication device 102. The amount may be approved by the authorizing entity computer 130.

[0040] The request engine 332 may also be configured to generate an

authorization request message that comprises the virtual access credential received from the authorizing entity computer 130 and a total amount associated with a resource request by the communication device 102. The request engine 332 may correlate the authorization request message with one or more resources (e.g., items or services, etc.) offered by the resource provider computer 110. The resources may correspond with an item description, value amount, and other relevant information stored in an items database 350.

[0041] The interaction engine 334 may be configured to permit access to the resource upon authentication of the virtual access credential as well as authorization associated with an authorization response message that includes an approval determination from the authorizing entity computer 130.

[0042] The resource provider computer 110 may also be associated with an access device. An access device may be operated by a resource provider and can include any suitable device that provides access to a remote system. An access device may also be used for communicating with a resource provider computer 110, a transaction processing computer, an authentication computer, or any other suitable system. An access device may generally be located in any suitable location, such as at the location of a resource provider. An access device may be in any suitable form. Some examples of access devices include POS or point of sale devices (e.g., POS terminals), cellular phones, PDAs, personal computers (PCs), tablet PCs, hand-held specialized readers, set-top boxes, electronic cash registers (ECRs), automated teller machines (ATMs), virtual cash registers (VCRs), kiosks, security systems, access systems, and the like. An access device may use any suitable contact or contactless mode of operation to send or receive data from, or associated with, a mobile

communication or payment device. In some embodiments, where an access device may comprise a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer-readable medium. A reader may include any suitable contact or contactless mode of operation. For example, exemplary card readers can include radio frequency (RF) antennas, optical scanners, bar code readers, or magnetic stripe readers to interact with a payment device and/or mobile device. In some embodiments, a cellular phone, tablet, or other dedicated wireless device used as a POS terminal may be referred to as a mobile point of sale or an“mPOS” terminal.

[0043] The system of FIG. 1 may also include a transport computer 115. A transport computer 115 may be operated by an acquirer or other business entity (e.g., a commercial bank) that has a business relationship with a particular merchant or other entity. Some entities can perform both issuer and acquirer functions. Some

embodiments may encompass such single entity issuer-acquirers.

[0044] The system of FIG. 1 may also include an authorizing entity computer 130. An example authorizing entity computer 130 is illustrated with FIG. 4. An authorizing entity may be an entity that authorizes a request. Examples of an authorizing entity may be an issuer, a governmental agency, a document repository, an access

administrator, a bank, etc. An authorizing entity computer 130 may typically refer to a business entity (e.g., a bank or issuer computer) that maintains an account for a user.

[0045] The authorizing entity computer may comprise subsystems or components as shown in FIG. 4 interconnected via system bus 410. The interconnection via the system bus 410 may allow the processor 412 to communicate with each subsystem and to control execution of instructions from system memory 414. The system memory 414 may embody a computer readable medium. The communication interface 416 can be used to connect the authorizing entity computer to a wide area network such as the Internet or other I/O devices associated with the authorizing entity computer. The system bus 410 may also connect one or more modules or engines embodied in memory, including a communication module 430, virtual access credential module 432, and/or authorization module 434. One or more databases may store information received, maintained, and transmitted by the authorizing entity computer, including an credential database 450.

[0046] The communication module 430 may be configured to receive and transmit electronic messages from other computers and devices throughout the system illustrated in FIG. 1. For example, the communication module 430 may be configured to receive a virtual access credential request from a processing network server computer 120, transmit a virtual access credential to the processing network server computer 120, receive an authorization request message, generate and transmit an authorization response message, and transmit electronic messages associated with clearing and settlement after an interaction has occurred between the communication device 102 and the resource provider computer 110.

[0047] The virtual access credential module 432 may be configured to generate and issue a virtual access credential to a communication device 102, such as a cellular telephone, smart card, tablet, or laptop. The virtual access credential may include a user identifier associated with a communication device operated by a user. The user identifier may correspond with a user account registered with a mobile network operator computer system 140. The virtual access credential may also correspond with an approved amount of an order for resources offered by the resource provider computer 110.

[0048] The authorization module 434 may be configured to determine if access to resources provided by the resource provider computer 110 are permitted or declined, based at least in part on comparing a first virtual access credential provided in response to a virtual access credential request with a second virtual access credential received with an authorization request message. The virtual access credential may be stored with a credential database 450 and associated with communication device 102 or user.

[0049] The authorization module 434 may also be configured to determine if access to resources provided by the resource provider computer 110 are permitted or declined based at least in part on comparing a total amount included in an authorization request message with an approved amount that is provided on behalf of the authorizing entity computer to a user. The approved amount may be stored with a user profile and virtual access credential at the authorizing entity computer 130.

[0050] The system of FIG. 1 may also include a mobile network operator computer system 140. An example mobile network operator computer system 140 is illustrated with FIG. 5. A mobile network operator computer system 140 may include an entity that provides mobile network services for mobile devices, including

communication device 102. The mobile network operator computer system 140 may perform radio spectrum allocation, wireless network infrastructure, and the like. The mobile network operator computer system 140 may identify the mobile devices by a user account associated with one or more corresponding users of the mobile device. The mobile network operator computer system 140 may also provide an invoice or billing statement to the users in exchange for providing the mobile network services.

[0051] The mobile network operator computer system may comprise subsystems or components as shown in FIG. 5 interconnected via system bus 510. The

interconnection via the system bus 410 may allow the processor 512 to communicate with each subsystem and to control execution of instructions from system memory 514. The system memory 514 may embody a computer readable medium. The

communication interface 516 can be used to connect the resource provider computer to a wide area network such as the Internet or other I/O devices associated with the resource provider computer. The system bus 510 may also connect one or more modules or engines embodied in memory, including a communication module 530, interaction engine 532, and/or network operations engine 534. One or more databases may store information received, maintained, and transmitted by the mobile network operator computer system, including a user database 550.

[0052] The communication module 530 may be configured to receive and transmit electronic messages from other computers and devices throughout the system illustrated in FIG. 1. For example, the communication module 530 may be configured to provide mobile network services to the communication device 102, receive

communications from the communication device 102 including payment of invoices for providing mobile network services, and receive and transmit communications with the authorizing entity computer 130 including messages associated with settlement and clearing processes.

[0053] The interaction engine 532 may be configured to determine order history, location history, or user profile information associated with the communication device 102 through the process of providing mobile network communication services. For example, the user may order mobile network communication services on a recurring basis from the mobile network operator computer system 140. The history of ordering the services may be received and processed by a profile engine 142 and stored with a user database 550. In some examples, the communication device 102 may transmit location messages that are received by the mobile network operator computer system 140 and stored with the user database 550 to generate a history of location information associated with the communication device 102.

[0054] The network operations engine 534 may be configured to perform radio spectrum allocation, wireless network infrastructure, and the like. The network operations engine 534 may identify the communication device 102 by a user account associated with one or more corresponding users of the device.

[0055] The system of FIG. 1 may include a communication device 120. An example communication device 102 of FIG. 1 is illustrated with FIG. 6. A

communication device may comprise any suitable electronic device that may be operated by a user, which may also provide remote communication capabilities to a network. A mobile communication device may be an example of a communication device that can be easily transported. Examples of remote communication capabilities include using a mobile phone (wireless) network, wireless data network (e.g., 3G, 4G or similar networks), Wi-Fi, Wi-Max, or any other communication medium that may provide access to a network such as the Internet or a private network. Examples of mobile communication devices include mobile phones (e.g., cellular phones), PDAs, tablet computers, net books, laptop computers, personal music players, hand-held specialized readers, etc. Further examples of mobile communication devices include wearable devices, such as smart watches, fitness bands, ankle bracelets, rings, earrings, etc., as well as automobiles with remote communication capabilities. In some embodiments, a mobile communication device can function as a payment device (e.g., a mobile communication device can store and be able to transmit payment credentials for a transaction).

[0056] A payment device may be incorporated with the communication device 102 and include any suitable device that may be used to conduct a financial transaction, such as to provide payment credentials to a merchant. The payment device may be a software object (e.g., a payment application associated with a credit, debit, or pre-paid account), a hardware object, or a physical object. A payment device may be associated with a value such as a monetary value, a discount, or store credit, and a payment device may be associated with an entity such as a bank, a merchant, a payment processing network, or a person.

[0057] The communication device 600 of FIG. 6 may comprise a processor 602 and body 614. It may also comprise a computer readable medium 604. The computer readable medium 604 may be in the form of (or may be included in) a memory that stores transaction data and may be in any suitable form including a magnetic stripe, a memory chip, etc. The memory may store information such as financial information, including bank account information, account balance information, an expiration date, or consumer information such as an account holder’s name, date of birth, etc. Any of this information may be transmitted by the communication device 600 via antenna 618. [0058] The communication device 600 may further include a contactless element 612, which may be implemented in the form of a semiconductor chip or other data storage element with an associated wireless transfer (e.g., data transmission) element, such as antenna 618. The contactless element 612 may be associated with or embedded within the communication device 600. Data or control instructions may be transmitted via a cellular network and may be applied to the contactless element 612 by means of a contactless element interface (not shown). The contactless element interface may function to permit the exchange of data and/or control instructions between the device circuitry (and hence the cellular network) and the optional contactless element.

[0059] The contactless element 612 may be capable of transferring and receiving data using near field communications (NFC) in accordance with standardized protocol or data transfer mechanism (e.g., ISO 14443/NFC). Near field communications capability may include short range communications capabilities, including RFID, Bluetooth, infrared, or other data transfer capability that can be used to exchange data between the communication device and an interrogation device. Thus, the

communication device may be capable of communicating and transferring data and/or control instructions via a cellular network via the near field communications.

[0060] The communication device may also include a processor 602 for processing the functions of the communication device. The communication device may also include a display 606 to allow a user to see information and messages via a user interface. The communication device may further include input elements 608 to allow a user to provide information to the communication device, a speaker 610 to allow a user to secure voice communications, music, and the like. The communication device may also include a microphone 616 to allow the user to transmit their voice or other audible files through the communication device. The communication device may also include an antenna 618 for wireless data transfer and transmissions.

[0061] Returning to step 1 of FIG. 1 , a communication device 102 operated by a user may interact with a resource provider computer 110. The resource provider computer 110 can provide an interaction site 112 to receive one or more interactions from the communication device 102. In some examples, the resource provider computer 110 may provide an application that can be stored with and executed by the communication device 102. The communication device 102 may present the

application at the display of the communication device 102 to receive interactions from the user at the communication device 102.

[0062] The interaction site 112 (or application) may provide one or more items or services for ordering. The communication device 102 may interact with one or more items or services to add the items an electronic cart provided with the interaction site 112 of the resource provider computer 110. The interaction site 112 (or application) may also provide a“bill me” button. When selected, the“bill me” button may initiate a transaction with a processing network server computer 120 for the items included with the electronic cart.

[0063] The resource provider computer 110 may receive an interaction from the communication device 102 with the“bill me” button provided at the interaction site 112. For example, after the user has selected items to add to the electronic cart on the resource provider computer 110, the user may select the button to initiate ordering the items. The interaction may be associated with a total value of items added to the electronic cart.

[0064] In some examples, the user may not have a pre-existing credit or debit account, or may not use a pre-existing credit or debit account for this particular purchase. In these examples, the user associated with the communication device 102 may not have a user account with an authorizing entity computer. As such, at the time that the“bill me” button is provided by the interaction site 112 and selected, the user may not correspond with a credit or debit account to complete the purchase of the items or services.

[0065] At step 2, once the“bill me” button has been selected via the

communication device 102, a virtual access credential request is sent from the resource provider computer 110 (via the interaction site 112 or the application stored at the communication device 102) to the processing network server computer 120. In some examples, the virtual access credential request may identify a user corresponding with the communication device 102 to support a request for authorization for the interaction (e.g., completing the transaction for the items or services in the electronic cart at the time the“bill me” button is activated, etc.). In some examples, the total value of items added to the electronic cart may be included with the virtual access credential request.

[0066] Upon receiving the request, the processing network server computer 120 may initiate the generation of a virtual access credential. The virtual access credential may not be tied to a pre-existing account of the user prior to the transaction. In some cases, the user may be considered“unbanked” and may not have any type of bank account with any bank, but may have an account with a mobile network operator computer system 140.

[0067] At step 3, the processing network server computer 120 may communicate with the authorizing entity computer 130, which may then generate a virtual access credential. The virtual access credential may be associated with the mobile network operator computer system 140 associated with the user operating the communication device 102 and not with the user itself. For example, the authorizing entity computer 130 may extend corporate credit to the mobile network operator computer system 140 and not user. The mobile network operator computer system 140 may be a party to the transaction in place of user.

[0068] Before generating the virtual access credential, the authorizing entity computer 130 may execute a set of rules associated with the user to determine if a virtual access credential can be issued to the mobile network operator computer system 140. For example, the authorizing entity computer 130 may determine if the mobile network operator computer system 140 provided an“opt in” communication to provide credit for their users. In some examples, an“opt out” communication may identify that mobile network operator computer system 140 will not support issuance of a virtual access credential for its users. [0069] The mobile network operator computer system 140 may also execute a set of rules associated with the user to determine if the virtual access credential can be issued to the user operating the communication device associated with the mobile network operator computer system 140. The mobile network operator computer system 140 may identify suitable information such as device information of the communication device 102, any data that the mobile network operator computer system 140 or resource provider computer 110 may have about the user, historical order or payment information, etc.

[0070] In some examples, the mobile network operator computer system 140 may execute a set of rules associated with the user to determine if the virtual access credential can be issued. The authorizing entity computer 130 may correspond with the mobile network operator computer system 140 to receive a determination by the mobile network operator computer system 140 of whether to issue the virtual access credential to the user based on the execution of the set of rules associated with the user. Based on the determination by the mobile network operator computer system 140, the authorizing entity computer 130 may generate the virtual access credential.

[0071] The virtual access credential may comprise a reusable or one-time use account identifier. When the virtual access credential is reusable, the credential may be stored and associated with a user’s profile at the mobile network operator computer system 140 and used in more than one transaction. When the virtual access credential is a one-time use account identifier, the virtual access credential request may be transmitted between the resource provider computer 110 and processing network server computer 120 for each potential transaction. In either example, the virtual access credential may be stored with a credential database 450 of the authorizing entity computer 130 to be retrieved and used during the authorization process. In some examples, the virtual access credential may be stored with a user account at the authorizing entity computer 130. The user account may include the total value requested with the virtual access credential. [0072] At step 4, the authorizing entity computer 130 may provide the virtual access credential to the processing network server computer 120. The processing network server computer 120 may obtain the virtual access credential from the authorizing entity computer 130.

[0073] At step 5, the processing network server computer 120 may transmit the virtual access credential from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. The resource provider computer 110, via its mobile application or interaction site 112, may then process the transaction using the virtual access credential. For example, the resource provider computer 110 can generate an authorization request message comprising the virtual access credential. The resource provider computer 110 may include the virtual access credential with the authorization request message to initiate a transaction for the items and services associated with the“bill me” button and located in the electronic cart.

[0074] In some examples, the“bill me” button is located at an application stored with the communication device 102. The virtual access credential may be provided to the application of the communication device 102 and the application may generate the authorization request message comprising the virtual access credential originating from the application with the communication device 102. The authorization request message may be transmitted to the resource provider computer 110 from the communication device 102.

[0075] At step 6, the resource provider computer 110 may transmit the

authorization request message that includes the virtual access credential to a transport computer 115. The transport computer 115 may transmit the authorization request message to the processing network server computer 120. The processing network server computer 120 may receive the authorization request message comprising the virtual access credential, where the authorization request message requests

authorization for the interaction.

[0076] In some examples, the processing network server computer 120 may identify the authorizing entity computer 130 based on parsing the virtual access credential. For example, the virtual access credential may include a substring that uniquely identifies authorizing entities for the processing network server computer 120. The substring may be similar to a bank identification number (BIN) stored with the processing network server computer 120. When the substring of the virtual access credential matches the stored information, the processing network server computer 120 may identify the location of the appropriate authorizing entity to transmit the

authorization request message.

[0077] At step 7, the processing network server computer 120 may forward the authorization request message to the authorizing entity computer 130. The authorizing entity computer 130 may determine if the transaction is approved or denied. For example, during the approval or denial process, the authorizing entity computer 130 may compare the transaction value included with the authorization request message with the total value included with the virtual access credential and stored with the user account. When the transaction value is within a threshold value of the total value, the transaction may be approved. Otherwise, the transaction may be declined since the transaction value included with the authorization request message of the transaction does not match the total value included with the virtual access credential request.

[0078] At step 8, the authorizing entity computer 130 may generate an

authorization response message that includes an approval or denial of the transaction to the processing network server computer 120. The processing network server computer 120 may receive the authorization response message from the authorizing entity computer 130.

[0079] At step 9, the processing network server computer 120 may forward the authorization response message to the transport computer 115, and then to the resource provider computer 110. The processing network server computer 120 may also transmit a message to the mobile network operator computer system 140 informing the mobile network operator computer system 140 that the transaction was just conducted. [0080] In some examples, the authorizing entity computer 130 may subsequently complete the interaction with the mobile network operator computer system 140. This may include transferring funds between the mobile network operator computer system 140 and the authorizing entity computer 130 upon clearing and settlement procedures.

[0081] At step 10, a clearing and settlement process can occur. At the end of the day or at any other suitable period of time, settlement can occur between the transport computer 115 and the authorizing entity computer 130, or possibly directly with the mobile network operator computer system 140. If the authorizing entity computer 130 settles with the transport computer 115, then the authorizing entity computer 130 may request reimbursement from the mobile network operator computer system 140

(adjusted for any fees). The mobile network operator computer system 140 can then invoice the user along with the user’s monthly phone bill provided by the mobile network operator computer system 140.

[0082] The mobile network operator computer system 140 may generate an invoice for the user of the communication device 102. The invoice may comprise any transactions conducted between the communication device 102 and the mobile network operator computer system 140, as well as any transactions conducted between the communication device 102 in any resource provider computers. The transactions listed in the invoice may be aggregated for the resource provider computer 110 or provided separately per transaction and time that the transaction occurred. The user may provide reimbursement for the charges to the mobile network operator computer system 140.

[0083] Interchange fees may be exchanged as well. For example, the

authorizing entity computer 130 may pay the interchange fee to the processing network server computer 120. The resource provider computer 110 may pay the interchange fee to the authorizing entity computer 130, based at least in part on the extension of credit and establishment of the user account corresponding with the approved amount tied to the virtual access credential. The authorizing entity computer 130 can request reimbursement from the mobile network operator computer system 140. The mobile network operator computer system 140 can invoice charges with the phone bill to the user of the communication device 102.

[0084] Other embodiments may be described with FIG. 1 as well. For example, at step 1 of an additional embodiment of FIG. 1 , the communication device 102 may interact with the resource provider computer 110 to access a resource managed by the resource provider computer. The communication device 102 may interact with the resource provider computer 110 via interaction site 112 or an application at a display screen of the communication device 102.

[0085] At step 2, the resource provider computer 110 may generate a virtual access credential request and transmit it to the processing network server computer 120. The virtual access credential request may identify that a user corresponding with the communication device 102. This information may support a request for

authorization for the interaction (e.g., acquiring access to a restricted area or resource, etc.).

[0086] At step 3, the processing network server computer 120 may communicate with the authorizing entity computer 130 to request the access. The authorizing entity computer 130 may generate a virtual access credential.

[0087] In some examples, the authorizing entity computer 130 may act as an initial gateway to determine whether access should be authorized (e.g., access to restricted information of the resource provider computer 110). The authorizing entity computer 130 may correspond with the communication device 102 directly (or via the processing network server computer 120) to request an initial authentication response from the communication device 102, including a password or other unique identifier of the user. The communication device 102 may respond to the authorizing entity computer 130 with the password or other unique identifier, upon which the authorizing entity computer 130 may generate the virtual access credential.

[0088] In some examples, the authorizing entity computer 130 may correspond with the mobile network operator computer system 140 to access additional information about the communication device 102, including order history, location history, or user profile information associated with the communication device 102. For example, the mobile network operator computer system 140 may provide mobile network services to the communication device 102 and store a history of location information using a global positioning system (GPS) associated with location tracking of the communication device 102. In some instances, the mobile network operator computer system 140 may provide this information to the authorizing entity computer 130 to initiate a first authentication process with the communication device 102.

[0089] At step 4, the authorizing entity computer 130 may provide the virtual access credential to the processing network server computer 120 (e.g., upon receiving a password or other unique identifier from the user, etc.).

[0090] At step 5, the processing network server computer 120 may transmit the virtual access credential from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. The resource provider computer 110 may initiate a process to permit access to the resource based at least in part on receiving the virtual access credential. For example, the resource provider computer 110 can generate an authorization request message comprising the virtual access credential.

[0091] At step 6, the resource provider computer 110 may transmit the

authorization for the interaction.

[0092] At step 7, the processing network server computer 120 may forward the authorization request message to the authorizing entity computer 130. The authorizing entity computer 130 may determine if the access is permitted or declined, based at least in part on comparing the virtual access credential from the initial authentication process with the user information included with the authorization request message. This comparison and matching may correspond with a second level of authentication.

[0093] At step 8, the authorizing entity computer 130 may generate an

authorization response message that includes an approval or denial of the access to the processing network server computer 120. The processing network server computer 120 may receive the authorization response message from the authorizing entity computer 130.

[0094] At step 9, the processing network server computer 120 may forward the authorization response message to the transport computer 115, and then to the resource provider computer 110.

[0095] At step 10, additional interactions can occur between the authorizing entity computer 130, the transport computer 115, and the mobile network operator computer system 140, including allowing access to the resources provided by the resource provider 110.

[0096] It is noted that although the above examples relate to payments, it is understood that embodiments are not limited thereto. Other embodiments can be directed to systems and methods that can generate a virtual access credential to access a secure location or secure data from a remote server computer.

[0097] Technical improvements are described throughout the application.

Conventional systems may provide a single iteration of authentication or authorization for an interaction. Embodiments of the present disclosure may include a dual authentication or authorization protocol, including a first process conducted by an authorizing entity computer and a second process conducted by a mobile network operator computer system. This dual layer may provide an improved technical confirmation prior to an interaction between a user and a resource, providing greater security.

[0098] In addition, embodiments also allow for users that do not have credentials to obtain temporary credentials so that they may access desired resources such as data, locations, goods, or services. Embodiments can do this, without making significant changes to an access infrastructure.

[0099] The computer systems described herein may be embodied in hardware and include one or more elements in the figures that may be suitable to implement such functions. Examples of such systems or components that may be incorporated with the computing systems may be interconnected via a system bus. Additional subsystems such as a printer, a keyboard, fixed disk or other memory comprising computer readable media, monitor, or other components may be provided. The monitor may be coupled with a display adapter. Peripherals and other input/output (I/O) devices may be coupled with a I/O controller and can be connected to the computer system by any number of means known in the art, such as serial port. For example, serial ports or other external interfaces can be used to connect the computer systems to a wide area network such as the Internet, a mouse input device, or a scanner. The interconnection via system bus may allow a central processor to communicate with each system and to control execution of instructions from the system memory or the fixed disk, as well as the exchange of information between subsystems. This is the memory and/or the fixed disk may embody a computer readable medium.

[0100] Further, while the present disclosure has been described using a particular combination of hardware and software in the form of control logic and programming codes and instructions, it should be recognized that other combinations of hardware and software are also available within the scope of the present application. The present application may be implemented only in hardware, only in software, or using combinations thereof.

[0101] Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.

[0102] The above description is illustrative and is not restrictive. Many variations of the invention may become apparent to those skilled in the art upon review of the disclosure. The scope of the invention can, therefore, be determined not with reference to the above description, but instead can be determined with reference to the pending claims along with their full scope or equivalents.

[0103] One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.

[0104] A recitation of "a", "an" or "the" is intended to mean "one or more" unless specifically indicated to the contrary.

[0105] All patents, patent applications, publications, and descriptions mentioned above are herein incorporated by reference in their entirety for all purposes. None is admitted to be prior art.

Claims

WHAT IS CLAIMED IS:

1. A method comprising:

receiving, by a server computer, a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system ;

transmitting, by the server computer, the virtual access credential request to an authorizing entity computer;

receiving, by the server computer, a virtual access credential from the authorizing entity computer;

transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer;

receiving, by the server computer, an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction;

forwarding, by the server computer, the authorization request message to the authorizing entity computer;

receiving, by the server computer, an authorization response message from the authorizing entity computer; and

forwarding, by the server computer, the authorization response message to the resource provider computer, wherein the authorization entity computer subsequently completes the interaction with the mobile network operator computer system .

2. The method of claim 1 , wherein the virtual access credential includes data that can be used to access a location or secure data.

3. The method of claim 1 , wherein the communication device is a mobile phone.

4. The method of claim 1 , wherein the mobile network operator computer system executes a set of rules associated with the user prior to the virtual access credential being determined by the authorizing entity computer.

5. The method of claim 1 , further comprising:

generating a user profile associated with the virtual access credential; and storing a determination by the authorizing entity computer with the user profile.

6. A computer system comprising:

a processor; and

a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, for implementing a method , comprising:

receiving a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;

transmitting the virtual access credential request to an authorizing entity computer;

receiving a virtual access credential from the authorizing entity computer;

transmitting the virtual access credential to the communication device or the resource provider computer;

receiving an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction;

forwarding the authorization request message to the authorizing entity computer; receiving an authorization response message from the authorizing entity computer; and

forwarding the authorization response message to the resource provider computer, wherein the authorization entity computer subsequently completes the interaction with the mobile network operator computer system.

7. The computer system of claim 6, wherein the virtual access credential is 16 digits long.

8. The computer system of claim 6, wherein the mobile network operator computer system routes messages to and from a plurality of wireless mobule devices.

9. The computer system of claim 6, wherein the mobile network operator computer system executes a set of rules associated with the user prior to the virtual access credential being determined.

10. The computer system of claim 6, further comprising:

11. A method comprising:

receiving, by an authorizing entity computer, a virtual access credential request for an interaction conducted between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system;

generating, by the authorizing entity computer, a virtual access credential associated with an approved amount;

transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer; receiving, by the authorizing entity computer, an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction;

comparing a total amount with the authorization request with the approved amount of the virtual access credential;

determining, by the authorizing entity computer, an approval or denial of the authorization request message based on the comparison;

generating, by the authorizing entity computer, an authorization response message based on the approval or denial of the authorization request message;

forwarding, by the server computer, the authorization response message to the processing network computer; and

subsequently forwarding a completion message to the mobile network operator computer system based on the approval or denial of the authorization request message.

12. The method of claim 11 , wherein the virtual access credential allows access to secure data.

13. The method of claim 11 , wherein the communication device is a mobile phone.

14. The method of claim 11 , wherein the mobile network operator computer system executes a set of rules associated with the user prior to the virtual access credential being determined.

15. The method of claim 11 , further comprising:

generating a user profile associated with the virtual access credential; and storing the approval or denial of the authorization request message with the user profile.

16. A computer system comprising:

transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer;

receiving, by the authorizing entity computer, an authorization request message comprising the virtual access credential, wherein the authorization request message requests authorization for the interaction;

17. The computer system of claim 16, wherein the virtual access credential allows access to a location.

18. The computer system of claim 16, wherein the communication device is a laptop computer.

19. The computer system of claim 16, wherein the mobile network operator computer system executes a set of rules associated with the user prior to the virtual access credential being determined.

20. The computer system of claim 16, further comprising: