(19) European Patent Office
Office européen des brevets

(11) EP 1 028 401 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 16.08.2000 Bulletin 2000/33

(21) Application number: 002004489

(22) Date of filing: 10.02.2000

(51) Int. Cl.7: G07F 19/00, G07F 7/08

(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
Designated Extension States: AL LT LV MK RO SI

(30) Priority: 12.02.1999 US 119818 P; 21.07.1999 US 144927 P

(71) Applicant: CITIBANK, N.A., New York, New York 10043 (US)

(72) Inventors:
- Schutzer, Dan, New York 10583 (US)
- Slater, Alan, East Brunswick, New Jersey 08816 (US)
- Cirillo, Thomas, Greenwich, Connecticut 06830 (US)
- Derodes, Robert, Peachtree City, Georgia 30269 (US)
- Dancanet, Lucien, Los Angeles, California 90045 (US)

(74) Representative: Hynell, Magnus, Hynell Patenttjanst AB, Patron Carls väg 2, 683 40 Hagfors/Uddeholm (SE)

(54) Method and system for performing a bankcard transaction

(57) A method and system for performing a bankcard transaction provides a transaction card system for use, for example, on the Internet that allows a transaction card user to input authentication information to a transaction card issuer, which generates an anonymous or alternate card number and maintains a link between the anonymous or alternate card number and the transaction card user's transaction card number. An alternate aspect makes use, for example, of software on a local computing device, such as the transaction card user's personal computer or a point of sale terminal, which authenticates the transaction card user and generates the anonymous or alternate card number in sequence synchronization with the transaction card issuer's server.

[FIG. 1 (labels: Issuing Bank, Issuing Bank Server, Merchant (Acquiring) Bank, Merchant (Acquiring) Bank Server, Merchant Server, Merchant, Computing Device, User)]

Description

Cross-Reference to Related Applications

[0001] This application claims priority to applicant's co-pending application having U.S. Serial No. 60/119,818 filed February 12, 1999 and applicant's co-pending application having U.S. Serial No. 60/144,927 filed July 21, 1999.

Field of the Invention

[0002] The present invention relates generally to the field of bankcard transactions and more particularly to a method and system for securely performing a bankcard transaction utilizing an anonymous or alternate card number.

Background of the Invention

[0003] Transaction card transactions that occur over the Internet today utilizing the transaction card infrastructure are most commonly performed, for example, by a cardholder transmitting his or her credit or debit card number over an encrypted link, using a standard universally available web browser and server capability such as Secure Sockets Layer (SSL), to the merchant server. The link between the cardholder and the merchant must be encrypted to prevent the card number from being intercepted and fraudulently read by an unauthorized third party. This type of fraud is sometimes referred to as the man-in-the-middle attack. The link is encrypted so that no eavesdropper can listen in and steal the card number. However, this method has a number of disadvantages.

[0004] For example, the cardholder must trust the merchant with safeguarding the card number. This leaves the cardholder vulnerable to a risk of fraud by a merchant or its employees or a merchant who is honest but who is nevertheless negligent in maintaining the merchant's web site against break-ins. This risk is great enough to discourage customers from giving their card numbers to merchant web sites over the Internet whom they do not know or with whom they have no previous experience.

[0005] The particular risk is limited with credit cards and debit cards by consumer protection laws and association rules to a maximum exposure, such as a $50 limit. Further, the cardholder has an opportunity, for example, with a credit card to dispute a charge before it is actually deducted from the cardholder's account. However, it is still a nuisance and a risk, and in the event of fraud, it may be necessary for the cardholder to be issued a new card and card number. The risk is greater with debit cards, because the limitation of liability is not as clear, and the charge is deducted from the cardholder's account before he or she is informed. Thus, with a debit card, the cardholder is placed in the position of having to dispute the deduction in order to regain his or her stolen funds.

[0006] Another disadvantage, for example, is that when a merchant accepts a card number from a customer over the Internet, the merchant has no way of authenticating that the customer making the purchase is the actual cardholder. The transaction is treated as a Mail Order/Telephone Order (MOTO) transaction, also known as a "card not present" transaction. In such a transaction, the merchant's transaction cost and exposure is much greater than when a customer is physically present at the point-of-sale. If the customer successfully disputes having made the transaction, the merchant payment is reversed by the card issuer.

[0007] These disadvantages provide incentives for a better approach to security for bankcard transactions from the standpoint of both cardholders and merchants, provided it is fast, simple and inexpensive. Many solutions have been proposed to address this need, most notably the Credit Card Association's standard specification, Secure Electronic Transaction (SET) protocol. A problem with solutions such as SET is that they impose a significant cost and performance penalty, requiring both cardholders and merchants to install special software and/or hardware that add significantly to transaction costs, in terms of both money and time.

Summary of the Invention

[0008] It is a feature and advantage of the present invention to provide a method and system for securely performing a bankcard transaction which affords all of the account number security of the SET protocol as well as the ability to authenticate the customer, while maintaining the simplicity of sending a transaction card number over an encrypted link, such as SSL.

[0009] It is another feature and advantage of the present invention to provide a method and system for securely performing a bankcard transaction which eliminates transmitting the customer's actual card number over the Internet to the merchant and likewise eliminates the need for a secure link between the customer and the merchant.

[0010] It is a further feature and advantage of the present invention to provide a method and system for securely performing a bankcard transaction, such as a credit card or debit card transaction, that is fast and easy to implement and that requires little, if any, modification to the existing Internet infrastructure.

[0011] To achieve the stated and other features, advantages and objects, an embodiment of the present invention provides a method and system for securely performing a bankcard transaction in which a transaction card user receives an alternate or anonymous card number that is not the user's actual card number but that is designed, for example, to pass any validity checks made by a merchant or the merchant's bank. The alternate or anonymous card number can be used only once within a limited time period and cannot be copied and replayed. Upon receipt of the anonymous or alternate card number by the transaction card issuer, the anonymous card number can be associated by the card issuer with the proper cardholder and the cardholder's account can be authorized.

[0012] In an embodiment of the present invention, the transaction card user authenticates himself or herself, for example, to an authenticator of the transaction card issuer's server. The transaction card user can authenticate himself or herself, for example, by entering transaction card user information at a computing device, such as a personal computer, a personal digital assistant, or a smart card, coupled to the card issuer's server over a network, such as the Internet.

[0013] In addition, in an embodiment of the present invention, an electronic wallet application of the computing device can be utilized by the transaction card user for sending the transaction card user information to the transaction card issuer's server for user authentication. The transaction card user information includes, for example, one or more of a personal identification number, a password, a biometric sample, a digital signature or the transaction card number for the transaction card user, and the transaction card user information can be encrypted.

[0014] In an alternative aspect for an embodiment of the present invention, the transaction card user authenticates himself or herself with the transaction card user information at a local computing device, such as a personal computer, a personal digital assistant, or a smart card of the transaction card user. In this aspect, the transaction card user authenticates himself or herself on an application of the transaction card user's local computing device, such as an electronic wallet application, by entering the transaction card user information on the application at the local computing device.

[0015] In an embodiment of the present invention, when the transaction card user is authenticated by the transaction card issuer, a number generator of the transaction card issuer's server generates an anonymous card number for the transaction card user. However, in the alternative aspect in which the transaction card user authenticates himself or herself on an application of the transaction card user's local computing device, the anonymous card number is likewise generated at the local computing device, for example, by a number generating application of the local computing device which is synchronized with the number generator of the transaction card issuer's server.

[0016] The anonymous card number for an embodiment of the present invention is generated according to a number generating scheme, such as a random number generating algorithm, a random sequence generator, and/or a secure-hashing algorithm. Further, the anonymous card number is generated according to pre-defined parameters limiting its use to the particular transaction and/or for a predetermined time period.

[0017] In an embodiment of the present invention, the anonymous card number generated by the transaction card issuer is associated with a transaction card number of the transaction card user, for example, by linking the anonymous card number with the transaction card number by either or both of the number generator or the authorization processor of the transaction card issuer's server.

[0018] However, in the alternative aspect in which the anonymous card number is generated at the transaction card user's local computing device, the anonymous card number is linked with the transaction card number according to a pre-defined sequence synchronization between the number generator of the local computing device and the transaction card issuer's server.

[0019] In an embodiment of the present invention, the anonymous or alternate card number is used in a transaction by the transaction card user in place of the transaction card user's transaction card number. For example, the transaction card user sends the anonymous card number to the merchant, which in turn sends it to the merchant's bank with a request for authorization. The merchant's bank sends the anonymous card number over the card association network to the transaction card issuer. The transaction card issuer's authorization processor receives the anonymous card number linked with the transaction card number and sends an authorization back to the merchant via the card association network and the merchant's bank.

[0020] In another embodiment of the present invention, the anonymous or alternate card number is used in a transaction by the transaction card issuer after authenticating the user. For example, the transaction card user authenticates himself to the issuing bank, and the issuing bank sends the anonymous card number directly to the merchant which, in turn, sends it to the merchant's bank with a request for authorization.

[0021] In another embodiment of the present invention, the transaction card user authenticates himself to the transaction card issuer, and the transaction card issuer sends the anonymous card number, along with an authorization, directly to the merchant which, in turn, sends both the anonymous card number and the authorization to the merchant's bank for verification and processing. The transaction card user uses the actual transaction card number and the alternate card number for billing and communicating to its transaction card user, and the alternate card number and authorization number for settlement with the merchant bank and card processing network.

[0022] Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become more apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention.

Brief Description of the Drawings

[0023]

Fig. 1 is a schematic diagram which illustrates an overview of examples of key components and the flow of information between the key components for an embodiment of the present invention in which an anonymous or alternate card number is sent to a cardholder by a card issuer for use in an on-line bankcard transaction;

Fig. 2 is a flow chart which illustrates an example of the process of the cardholder performing a bankcard transaction using the anonymous or alternate card number which was sent to the cardholder by the card issuer for an embodiment of the present invention;

Fig. 3 is a schematic diagram which illustrates an overview of examples of key components and the flow of information between the key components for an embodiment of the present invention in which an anonymous or alternate card number is generated at the cardholder's computing device for use in an on-line bankcard transaction;

Fig. 4 is a flow chart which illustrates an example of the process of the cardholder performing a bankcard transaction using the anonymous or alternate card number which was generated at the cardholder's computing device for an embodiment of the present invention;

Fig. 5 is a schematic diagram which illustrates an overview of examples of key components and the flow of information between the key components for an embodiment of the present invention in which an anonymous or alternate card number is generated at a point of sale for the cardholder; and

Fig. 6 is a diagram which illustrates a sample of a Linear Feedback Shift Register used to generate anonymous or alternate card numbers for an embodiment of the present invention.

Detailed Description of the Invention

[0024] Referring now in detail to an embodiment of the invention, an example of which is illustrated in the accompanying drawings, Fig. 1 is a schematic diagram which illustrates an overview of examples of key components and the flow of information between the key components for an embodiment of the present invention in which an anonymous card number is sent to a cardholder by a card issuer for use in an on-line bankcard transaction. An embodiment of the present invention involves a number of entities, such as a cardholder 2, a merchant 4, a merchant (acquiring) bank 6, and a card issuer 8. An embodiment of the present invention also makes use, for example, of computer hardware and software, such as a cardholder's computing device 10, a merchant's website server 12, and a card issuer's server 14, each coupled over a network, such as the Internet 16, as well as a merchant (acquiring) bank server 18 coupled to the merchant server 12 and also coupled to the issuing bank server 14 over a card association network 20. In addition, the card issuer's server comprises, for example, an authenticator 22, an alternate card number generator 24, and an authorization processor 26.

[0025] In an embodiment of the present invention, the cardholder 2 receives an alternate card number (referred to herein as either "anonymous card number" or "alternate card number") from the cardholder's issuing bank 8 that is not the cardholder's actual card number. The anonymous card number is issued after the cardholder 2 authenticates himself or herself directly to the cardholder's card issuer 8. The anonymous card number is utilized only once within a limited period of time. It is designed to pass any validity checks made by the merchant 4 and the merchant's bank 6 and cannot be copied and replayed. Upon receipt of the anonymous card number for authorization, the anonymous card number can be associated by the issuing bank 8 with the proper cardholder 2 and the cardholder's account and can be authorized.

[0026] Fig. 2 is a flow chart which illustrates an example of the process of the user 2 performing a bankcard transaction using the anonymous or alternate card number for an embodiment of the present invention in which the anonymous card number is sent to the cardholder 2 by the card issuer 8. At S1, the merchant's server 12 sends a request over the Internet 16 to the user 2 at the user's computing device 10 for a transaction card number in connection with an on-line transaction for the user 2. At S2, the user 2 receives the request at the user's computing device 10 and sends a request over the Internet 16 to the card issuer's server 14 for an alternate card number. At S3, the card issuer's authenticator 22 receives the request, authenticates the user 2 and obtains an alternate card number linked to the user's actual card number from the card issuer's number generator 24, and sends the alternate card number over the Internet 16 to the user 2 at the user's computing device 10. At S4, the user 2 at the user's computing device 10 sends the alternate card number over the Internet 16 to the merchant's server 12.

[0027] Referring further to Fig. 2, in an embodiment of the present invention, at S5, the merchant's server 12 receives and sends the alternate card number to the merchant (acquiring) bank's server 18 with a request for authorization. At S6, the merchant (acquiring) bank's server 18 receives the request for authorization and sends the request with the alternate card number over the card association network 20 to the card issuer's server 14. At S7, the card issuer's authorization processor 26 receives the request for authorization, links the alternate card number to the user's actual account for authorization, and sends an authorization for the alternate card number to the merchant (acquiring) bank's server 18 over the card association network 20. At S8, the merchant (acquiring) bank's server 18 receives the authorization and sends it to the merchant's server 12. At S9, the merchant's server 12 receives the authorization and completes the transaction with the user 2.

[0028] Referring again to Fig. 2, in an embodiment of the present invention, the cardholder 2 authenticates himself or herself on-line over a secure (encrypted) line with the cardholder's issuing bank 8 at S2, utilizing, for example, an electronic wallet 28 as shown in Fig. 1. When the cardholder 2 is authenticated, he or she receives the anonymous card number over the same line at S3. Alternatively, at SS, the cardholder 2 can have the anonymous card number sent by the card issuer 8 directly to the merchant 4, in which case, it is not necessary for the cardholder 2 to send the anonymous card number to the merchant 4 at S4.

[0029] Referring once more to Fig. 2, in an embodiment of the present invention, the cardholder 2 authenticates himself or herself to the cardholder's issuing bank 8 by typing in his or her card number and a secret PIN or password or hash of a PIN or password at the user's computing device 10 and sending it over an encrypted link to the issuing bank 8 at S2. The encrypted link ensures that no third party can eavesdrop and steal the card number and PIN. The cardholder 2 can feel secure that the card number, PIN or password or hashed PIN or password are safe with the issuing bank 8, as the issuing bank 8 already knows and safeguards this information. Because the cardholder 2 authenticates himself or herself with a PIN or password, the issuing bank 8 can authenticate the cardholder 2 to the merchant 12. If the transaction or the customer's history warrants, the issuing bank 8 can require more secure authentication, such as additional secrets, matching biometrics, and/or digital signatures.

[0030] In an alternative aspect of an embodiment of the present invention, the issuing bank 8 can install software on the cardholder's PC or information appliance 10, such as a smart card or personal digital assistant (PDA) type computing device, that can generate the anonymous card number after the cardholder 2 identifies himself or herself to the software and/or appliance 10. Fig. 3 is a schematic diagram which illustrates an overview of an example of key components and the flow of information between the key components for an alternate aspect of an embodiment of the present invention in which an anonymous card number is generated at the cardholder's computing device 10 in an on-line transaction. In this aspect, the card issuer 8 can install software 30 on the cardholder's computing device 10, which can be a personal computer (PC) or hardware token, such as a smartcard, that generates the anonymous card number locally upon authentication of the cardholder 2.

[0031] Fig. 4 is a flow chart which illustrates an example of the process of the user 2 performing a bankcard transaction for an embodiment of the present invention in which the anonymous card number is generated at the cardholder's computing device 10. Referring to Fig. 4, at S10, the merchant server 12 sends a request for a transaction card number over the Internet 16 to the cardholder 2 at the cardholder's computing device 10. At S11, the cardholder 2 receives the request at the cardholder's computing device 10, and the number generating software 30 at the cardholder's computing device 10 generates and sends an alternate card number to the merchant's server 12. At S12, the merchant's server 12 receives the alternate card number and sends a request for authorization with the alternate card number to the merchant (acquiring) bank's server 18.

[0032] Referring further to Fig. 4, in an embodiment of the present invention, at S13, the merchant (acquiring) bank's server 18 receives the request and sends the request over the card association network 20 to the card issuer's server 14. At S14, the card issuer's alternate card number generator 24 receives the request, generates the next number in sequence synchronized to the cardholder's software 30, links the alternate card number to the cardholder's actual card number, and sends the cardholder's actual card number to the card issuer's authorization processor 26. At S15, the card issuer's authorization processor 26 receives the cardholder's actual card number and sends an authorization over the card association network 20 to the merchant (acquiring) bank's server 18. At S16, the merchant (acquiring) bank's server 18 receives the authorization and sends it to the merchant's server 12. At S17, the merchant's server 12 receives the authorization and completes the transaction with the user 2.

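
Step S14 leaves open how the issuer finds the right cardholder from the number alone and how it stays in step when a number generated on the device never reaches it. The following is an added example, not code from the patent: it assumes an HMAC-SHA-256 counter sequence as a stand-in for the generators the text names, a hypothetical look-ahead window of three numbers, and illustrative class names and a constructed card identifier.

```python
import hashlib
import hmac
import secrets

BODY_DIGITS = 9   # the per-transaction digits of the alternate number
LOOK_AHEAD = 3    # assumption: how many unseen device numbers the issuer tolerates


def sequence_body(seed: bytes, counter: int) -> str:
    """Derive the counter-th 9-digit body from a per-card secret seed."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**BODY_DIGITS).zfill(BODY_DIGITS)


class CardholderSoftware:
    """Stands in for the number generating software 30 on the user's device."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def next_number(self) -> str:
        body = sequence_body(self._seed, self._counter)
        self._counter += 1          # a number is never produced twice
        return body


class IssuerGenerator:
    """Stands in for the issuer's alternate card number generator 24."""

    def __init__(self):
        self._cards = {}            # actual card -> [seed, next expected counter]

    def enroll(self, actual_card: str) -> bytes:
        seed = secrets.token_bytes(32)
        self._cards[actual_card] = [seed, 0]
        return seed                 # installed on the device out of band

    def resolve(self, body: str):
        """Map a received body to the actual card number, or return None."""
        # Linear scan for clarity; a real issuer would index upcoming values.
        for actual_card, state in self._cards.items():
            seed, expected = state
            for counter in range(expected, expected + LOOK_AHEAD + 1):
                if hmac.compare_digest(sequence_body(seed, counter), body):
                    # Advancing past the match kills this number and every
                    # earlier one, so replays and stale numbers are refused.
                    state[1] = counter + 1
                    return actual_card
        return None


if __name__ == "__main__":
    issuer = IssuerGenerator()
    device = CardholderSoftware(issuer.enroll("ACTUAL-CARD-0001"))  # constructed id
    number = device.next_number()
    print(issuer.resolve(number))   # first presentation resolves to the card
    print(issuer.resolve(number))   # replay of the same number resolves to None
```

A device that runs more than `LOOK_AHEAD` numbers ahead of the issuer falls outside the window and has to be resynchronized before its numbers resolve again.
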
[0033] In another aspect of an embodiment of the present invention, the card issuer 8, such as a bank, provides an electronic wallet system, including, for example, an electronic wallet server. In this aspect, the issuing bank 8 matches the anonymous card number with the actual user account. If the electronic wallet generates an anonymous card number for the cardholder 2 for which the wallet server is not the issuing bank, then the anonymous card number is sent back to the wallet server for matching the anonymous card number with the actual user card number and for sending it to the issuing bank 8 for authorization. In this situation, the electronic wallet, in effect, performs an acquiring bank function.

[0034] Another aspect of an embodiment of the present invention enables the cardholder 2 to perform a transaction, such as a purchase, at a physical point-of-sale without revealing the cardholder's true card number. Fig. 5 is a schematic diagram which illustrates an example of key components and the flow of information between the key components for an aspect of an embodiment of the present invention in which an alternate card number is generated at a point-of-sale for a bankcard transaction. This aspect makes use, for example, of a card 32 with no embossed number but with an input device 34, such as a keypad, a display 36, such as a liquid crystal display (LCD), and a magnetic stripe 38 whose recording can be altered by an internal microprocessor 40 in the card. This aspect utilizes a point-of-sale card device 42 coupled to the merchant (acquiring) bank's server 18, which is coupled over the card association network 20 to the card issuer's server 14.

[0035] Referring to Fig. 5, in the process of the user 2 performing a point-of-sale bankcard transaction for an embodiment of the present invention, the user 2 enters a password onto the input device 34, such as the keypad, or alternatively the user 2 enters a biometric, such as a fingerprint, onto the input device 34, such as a biometric input device. Upon entering the correct password or biometric onto the input device 34, the anonymous card number is displayed on the LCD 36 as the card number, and when the card 32 is dipped in the card device 42, the magnetic strip 38 outputs the anonymous card number. The remainder of the process for the point-of-sale bankcard transaction is similar to steps S11 through S17 of the process of the user performing an on-line bankcard transaction in which the anonymous number is generated at the user's computing device 10 illustrated in Fig. 4.

[0036] Alternatively, in the foregoing aspect of an embodiment of the present invention, when the card 32 is dipped in the card device 42, it can produce the actual number of the cardholder, but the display 36 shows an anonymous number. In this situation, a fraudulent merchant cannot read the cardholder's actual card number. The anonymous number that is displayed can be for a one-time use, in case the number is manually entered at the point of sale, but it cannot be copied and reused. In this case, a fraudulent merchant can conceivably obtain the cardholder's actual card number by skimming the magnetic strip 38, but properties of the magnetic strip 38 can be adjusted to make skimming and copying difficult. The same process can be used, for example, for a telephone order in which, after user activation and authentication, the cardholder's device 10 transmits an alternate card number through the telephone system to the merchant 4.

[0037] In an embodiment of the present invention, the assigned one-time use anonymous card number passes validation by the merchant 4 and the merchant's bank 6, because it has all the required digits in the proper position. The anonymous card number also has the proper routing digits to ensure that the transaction is sent to the correct issuing bank 8 for authentication and authorization approval. When the issuing bank 8 receives the number and requested charge for authorization, it sends the anonymous card number to a special front-end processor 24. The processor 24 can be implemented as a standalone hardware processor, or it can simply be, for example, a software module co-located inside the main authorization processor 26.

[0038] The front-end processor 24 for an embodiment of the present invention maintains a link between the actual card number and the generated anonymous card number and the time frame during which the link is valid. If a match occurs, and the anonymous card number has not already been used or expired, it is replaced with the actual card number and sent on to the normal card processing authorization system 26. Therefore, the requested transaction charge is authorized and linked to the cardholder's account by the cardholder's issuing bank 8 as long as the anonymous number matches the number provided by the issuing bank 8 or its hardware/software token 30 and as long as it has not already been used or passed the expiration period.

[0039] In an embodiment of the present invention, if the transaction is rejected, the cardholder 2 must go, for example, to a website of the cardholder's issuing bank 8 and request a new anonymous card number. The randomly selected anonymous card number is good only for one validation, and a new randomly selected number will not be assigned until the first randomly assigned number is either used or expires, whichever occurs first. Any receipts provided to the customer 2 must show the anonymous account number and the time of the transaction. The issuing bank 8 maintains the anonymous numbers and their links to true account numbers and the date and time of the transaction in order to investigate transactions disputed by the customer 2.

[0040] In the implementation of the method and system for an embodiment of the present invention, the anonymous or alternate card number is a number that is not the cardholder's actual card number. The issuing bank 8 associates the number with the cardholder's actual card number for one-time use over a limited time-duration, such as 15 to 30 minutes. The anonymous card number is generated by substituting new anonymous numbers for the actual numbers in selected positions of the cardholder's number.

[0041] There are a number of ways the anonymous card numbers are generated for an embodiment of the present invention. The generation of anonymous card numbers involves, for example, using a random number generation scheme with the additional requirement that the same number cannot be valid for more than one transaction during the same time period. Associated with the particular random number is the time that it was generated, along with a fixed period of time for which the number can be validly associated with the cardholder 2.

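
The link-keeping rules of paragraphs [0038] to [0041] (one use, a fixed validity period, no second number while one is outstanding, records kept for disputes) can be made concrete as follows. This is an added example, not code from the patent; the class and method names, the 15-minute constant and the constructed card identifier are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

VALIDITY_SECONDS = 15 * 60   # the text gives 15 to 30 minutes as an example


class OutstandingNumberError(Exception):
    """The cardholder already holds an unused, unexpired alternate number."""


@dataclass
class Link:
    actual_card: str
    issued_at: float
    used_at: Optional[float] = None   # retained so disputes can be investigated


class FrontEndProcessor:
    """Sketch of the front-end processor 24 that sits before authorization."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}   # alternate number -> Link; never purged in this sketch

    def _live(self, link: Link, now: float) -> bool:
        return link.used_at is None and now - link.issued_at < VALIDITY_SECONDS

    def issue(self, actual_card: str) -> str:
        now = self._clock()
        # [0039]: no new number until the previous one is used or expires.
        if any(l.actual_card == actual_card and self._live(l, now)
               for l in self._links.values()):
            raise OutstandingNumberError(actual_card)
        # [0041]: a number must not be valid for two transactions at once.
        # Refusing any number ever issued is stricter than required and
        # keeps the dispute records unambiguous.
        while True:
            alternate = "".join(secrets.choice("0123456789") for _ in range(9))
            if alternate not in self._links:
                break
        self._links[alternate] = Link(actual_card, now)
        return alternate

    def authorize(self, alternate: str) -> Tuple[Optional[str], str]:
        """Return (actual card, "ok") or (None, reason for refusal)."""
        now = self._clock()
        link = self._links.get(alternate)
        if link is None:
            return None, "unknown"
        if link.used_at is not None:
            return None, "already used"
        if now - link.issued_at >= VALIDITY_SECONDS:
            return None, "expired"
        link.used_at = now            # consume: a replay now fails
        return link.actual_card, "ok"


if __name__ == "__main__":
    fep = FrontEndProcessor()
    number = fep.issue("ACTUAL-CARD-0001")   # constructed identifier
    print(fep.authorize(number))             # first use is accepted
    print(fep.authorize(number))             # replay is refused
```
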
[0042] The assigned anonymous or alternate card number for an embodiment of the present invention can comprise, for example, 9 to 11 digits. For example, the ISO 7812 Identification Cards - Numbering System and Registration Procedure for issuer identifiers specifies that a valid card number consists of a bank identification number, plus an individual account identifier, plus a check digit. The bank identification number (BIN) is the first four or six digits of the number and is used for routing to the proper bank, such as the card issuer 8. The individual account identifier is a personal or individual number assigned by the card issuing institution 8 for purposes of identifying an individual account. The check digit is the checksum calculated from the rest of the number.

[0043] Most commonly issued credit card numbers comprise 16 digits. For example, a valid credit card number for a financial institution, such as issuing bank 8, can be AAAAAA XXXXXXXXX C, where AAAAAA represents the BIN and is fixed, XXXXXXXXX are nine arbitrarily assigned digits, and C represents the checksum and is calculated from the other digits. Thus, the card issuer 8 can arbitrarily set 9 or 11 of the 16 digits to any number for the one-time use, adjust the checksum to its new correct value, and the card number will check out as valid by the validation systems of the merchant 4 and the merchant's bank 6. A bank desiring to use this scheme must obtain a new BIN to be used exclusively for Internet transactions. This eliminates the need of preventing the issuance of a one-time use number that is duplicative of existing or hot-carded numbers.

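
The AAAAAA XXXXXXXXX C layout can be built and checked as shown here. This is an added example, not code from the patent; the ISO 7812 check digit is computed with the Luhn formula, and the BIN value `999999` is a constructed placeholder for the dedicated BIN the text requires.

```python
import secrets

BIN = "999999"        # constructed placeholder for the Internet-only BIN
ACCOUNT_DIGITS = 9    # the nine arbitrarily assigned digits (XXXXXXXXX)


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit C for the digits that precede it."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for index, char in enumerate(reversed(payload)):
        digit = int(char)
        if index % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """The format check a merchant or acquiring bank can run offline."""
    return (len(number) >= 2 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


def make_alternate_number(bin_: str = BIN) -> str:
    """Fixed BIN, nine unpredictable digits, then the adjusted check digit."""
    account = "".join(secrets.choice("0123456789") for _ in range(ACCOUNT_DIGITS))
    return bin_ + account + luhn_check_digit(bin_ + account)


def split_fields(number: str, bin_length: int = 6) -> dict:
    """Split a card number into the three ISO 7812 fields."""
    return {
        "bin": number[:bin_length],
        "account": number[bin_length:-1],
        "check": number[-1],
    }


def merchant_accepts(number: str) -> bool:
    """Merchant-side validation: length and checksum only. It cannot tell an
    alternate number from an ordinary one, which is why the number passes."""
    return len(number) == 16 and luhn_valid(number)


if __name__ == "__main__":
    number = make_alternate_number()
    print(number, split_fields(number), merchant_accepts(number))
```

The merchant-side check confirms only that the digits are well formed; whether the number is live, unused and linked to an account is decided at the issuer.
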
[0044] Alternatively, in an embodiment of the present invention, the bank, such as issui