US20140279554A1

Movatterモバイル変換

Info

Publication number: US20140279554A1
Application number: US13/797,287
Authority: US
Inventors: Seth Priebatsch; Charles Carter Jernigan
Original assignee: Individual
Current assignee: SCVNGR Inc
Priority date: 2013-03-12
Filing date: 2013-03-12
Publication date: 2014-09-18
Also published as: US20200151698A1; US11587057B2; US20140279556A1

Abstract

Payment tokens designed for display on a consumer's mobile device include dynamic trust data (e.g., transaction history and/or token generation date) along with financial account information, enabling merchants to make an informed decision about whether to accept payment without communication with the central processing system, and also protecting the consumer's account information from theft.

Description

BACKGROUND

It is common practice for consumers to pay a merchant electronically for goods or services received. Electronic payments are typically made with a token that identifies a source of funding. For example, a credit card containing a magnetic strip is a token. Payment tokens usually contain static information, such as an account number, identifying a source of payment. When a credit card is swiped, the card number is transmitted to a centralized payment processing system. Before authorizing payment, the centralized payment processing system may verify whether the account exists and is active, whether the account can fund the transaction, or whether the transaction may be fraudulent. A physical token such as a credit card cannot be easily modified and, in the event that it is lost or stolen, the consumer must report the lost card and wait for a replacement to be mailed. As a result, systems that allow a consumer to pay for a transaction at the point of sale (POS), using a mobile device to display a token (usually in the form of a barcode or QR code), are becoming widely accepted. Similar to credit-card tokens, mobile device tokens typically contain static information that must be transmitted to a centralized payment processing system for authentication and payment authorization.

If the centralized payment-processing system or the merchant system loses network access (e.g., a network problem, a system power outage, a system fire, a system bug, or the like), however, the token cannot be used for payment without significant risk of fraud. Some merchants may copy (e.g., take a credit-card imprint) or otherwise save the consumer's account information or token, deliver goods to the consumer, and attempt to process the payment at a later time when the network is restored. But if the token is a fraud, the merchant will not get paid. In addition, the mere act of copying account information creates a risk of theft for the owner of the token.

Accordingly, a system that protects both the consumer and the merchant from the risk of fraud regardless of network availability is needed.

SUMMARY

The present invention addresses these problems by encrypting a payment token for display on a consumer's mobile device with dynamic trust data (e.g., transaction history and/or token generation date) along with the financial account information. This approach not only enables the merchant system to make an informed decision about whether to accept payment without communication with the central processing system, but also protects the consumer's account information from theft.

Accordingly, in one aspect, the invention pertains to a method of processing a transaction among a consumer, a merchant point-of-sale system and a transaction-processing entity. In representative embodiments, the method includes generating a token encrypted with data identifying a financial account of the consumer and trust data for the consumer; receiving and storing the token by a device of the consumer; reading and decrypting, by the merchant system, the token upon presentation thereof by the consumer's device in connection with the transaction; authorizing, by the merchant system, the transaction based on (i) successful decryption of the token and (ii) the trust level without communication with the transaction-processing entity; subsequent to authorization of the transaction by the merchant system, communicating, by the merchant to the transaction-processing entity, a record of the transaction and authorization thereof; and following the communication from the merchant system to the transaction-processing entity, completing the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant. The authorized transaction may be completed upon approval by the transaction-processing entity of a basis for the authorization by the merchant system. Additionally, the approval by the merchant system may also be based on a time of generation of the token and a time of the reading.

In various embodiments, the trust data contains at least a token generation time, a transaction history of the consumer, a spending limit of the consumer or, a home region of the consumer. The trust data may be a single trust-factor value. The token may be encrypted using public key cryptography. As an alternative to encryption, the token may be signed with a digital signature. The token may be displayed as a “Quick Response” (QR) code on the consumer device, and may be a one-time-use token.

In various embodiments, the method may additionally include generating and storing, on the consumer device, a plurality of tokens. Following a triggering event, such as expiration of a pre-set time period or presentation of the token, a first token may be marked for deletion and a second token may be marked for display on a subsequent presentation. The presentation of the first token may comprise receiving confirmation from the merchant system that the token was received. Additionally, the method may include generating a token to replace the token marked for deletion. In various embodiments, the token may not be marked for deletion until a deletion communication is received from the transaction-processing entity. Alternatively, following presentation of a first token, the first token may be marked for deletion and a second token is marked for display after a predetermined time period. The tokens may be used by removing them from the stack and used tokens are replaced with new tokens. In various embodiments, the tokens may be stored in a stack for sequential access on a first in, first out basis. Alternatively, the tokens are stored in a stack for sequential access on a first in, last out basis.

In various embodiments, the consumer may be identified prior to generating the token.

In another aspect, the invention relates to a system for processing a transaction among a consumer, a merchant and a transaction-processing entity. In various embodiments the system includes a token server for (i) generating a token encrypted with data identifying a financial account of the consumer and trust data for the consumer, and (ii) communicating the token to a device of the consumer; a point-of-sale system for reading and decrypting the token upon presentation thereof by the consumer in connection with the transaction, the point-of-sale system being configured to authorize the transaction based on (i) successful decryption of the token and (ii) the trust level without communication with the transaction-processing entity; and a transaction-processing server configured to (i) receive, from the point-of-sale system subsequent to transaction authorization, a record of the transaction and authorization thereof, and (ii) cause completion of the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant. The point-of-sale system may be configured to authorize the transaction based at least in part on a time of generation of the token and a time of the reading. The token server may be configured to encrypt the token using private key cryptography.

In various embodiments, the token server may be configured to embed an expiration time in the generated token. Additionally, the token server may be configured to embed a creation time in the generated token. The token server may be configured to generate and communicate a series of tokens to the device. In various embodiments, the token server may be configured to verify the consumer's identity prior to token generation.

In another aspect, the invention pertains to a method of processing a transaction among a consumer, a merchant point-of-sale system and a transaction-processing entity. In representative embodiments, the method includes generating a token with a digital signature, encrypted using a private key, with data identifying a financial account of the consumer and trust data for the consumer; receiving and storing the token and the signature by a device of the consumer; reading the token and decrypting the signature, by the merchant system, upon presentation of the token by the consumer's device in connection with the transaction; authorizing, by the merchant system, the transaction based on (i) successful verification of the signature and (ii) the trust level without communication with the transaction-processing entity; subsequent to authorization of the transaction by the merchant system, communicating, by the merchant to the transaction-processing entity, a record of the transaction and authorization thereof; and following the communication from the merchant system to the transaction-processing entity, completing the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant.

In another aspect, the invention relates to a system for processing a transaction among a consumer, a merchant and a transaction-processing entity. In various embodiments the system includes a token server for (i) generating a token with a digital signature, encrypted using a private key, with data identifying a financial account of the consumer and trust data for the consumer, and (ii) communicating the token to a device of the consumer; a point-of-sale system for reading and decrypting the signature upon presentation of the token by the consumer in connection with the transaction, the point-of-sale system being configured to authorize the transaction based on (i) successful verification of the signature and (ii) the trust level without communication with the transaction-processing entity; and a transaction-processing server configured to (i) receive, from the point-of-sale system subsequent to transaction authorization, a record of the transaction and authorization thereof, and (ii) cause completion of the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant.

As used herein, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless specified otherwise, or clear from context, “X employs A or B” is intended to mean any of the natural inclusive permutations. That is, if X employs A; X employs B; or X employs both A and B, then “X employs A or B” is satisfied under any of the foregoing instances. Moreover, articles “a” and “an” as used in the subject specification and annexed drawings should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form. In addition, the terms like “consumer equipment,” “mobile station,” “mobile,” “communication device,” “access terminal,” “terminal,” “handset,” and similar terminology, refer to a wireless device (e.g., cellular phone, smart phone, computer, PDA, set-top box, Internet Protocol Television (IPTV), electronic gaming device, printer, and so forth) utilized by a consumer of a wireless communication service to receive or convey data, control, voice, video, sound, gaming, or substantially any data-stream or signaling-stream. The foregoing terms are utilized interchangeably in the subject specification and related drawings. The terms “component,” “system,” “platform,” “module,” and the like refer broadly to a computer-related entity or an entity related to an operational machine with one or more specific functionalities. Such entities can be hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Also, these components can execute from various computer readable media having various data structures stored thereon. The components may communicate via local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems via the signal).

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the drawings are not necessarily to scale, with an emphasis instead generally being placed upon illustrating the principles of the invention. In the following description, various embodiments of the present invention are described with reference to the following drawings, in which:

FIG. 1 is a block diagram of an exemplary network in accordance with an embodiment of the invention;

FIGS. 2A,2B, and2C are block diagrams of an exemplary consumer device, token-generation server, and merchant system, respectively, in accordance with an embodiment of the invention;

FIG. 3 depicts an exemplary system for performing secure payment transactions in accordance with an embodiment of the invention; and

FIGS. 4A,4B, and4C are flowcharts illustrating performance of secure payment transactions in accordance with an embodiment of the invention.

DETAILED DESCRIPTION

Refer first toFIG. 1, which depicts an exemplary mobile-payment transaction network100 including a consumer device (e.g., a mobile device)102 linked to a network104 (e.g., a cellular telephone network, the Internet, or any wide-area network or combination of networks capable of supporting point-to-point data transfer and communication) that supports wired, wireless, or any two-way communication. Thenetwork104 connects various devices, including a token-generation server106, one or more merchant systems (e.g., POS terminals)108, and apayment processor110 utilizing, again, wired, wireless, or any two-way communications. The token-generation server106 is responsible for generating encrypted, unique payment tokens associated with the consumer. Eachmerchant system108 may be associated with a merchant who offers goods or services for sale to the consumer possessing themobile device102. In one embodiment, themerchant system108 is a POS system (e.g., an electronic cash register) that connects to a code reader or scanner (hereafter “reader”)112. Thereader112 may be capable of reading and/or decoding a payment token, in the form of, for example, a barcode, a radio frequency identification (RFID) code, or a QR code, and/or receiving signals, such as NFC signals, acoustic signals, or infrared signals. In addition, thereader112 may be mobile or physically associated with themerchant system108. Themerchant system108 may be responsible for decrypting the decoded payment token information and authenticating the payment transaction based on information provided therein. Thepayment processor110 may be responsible for actually performing the payment transaction and, in some cases, for decrypting the payment token. For example, a so-called “direct” payment processor represents the financial-processing backend provider to credit-card issuers and payment services such as PAYPAL. An “indirect” payment processor is an independent entity processing transactions for multiple payment services and maintains its own records and data. Thepayment processor110 may also be configured to decrypt and authenticate the token as a second verification layer.

Themobile device102 acts as a gateway for transmitting the consumer's data to thenetwork104. Themobile device102 can support multiple communication channels for exchanging multimedia and other data with theserver106 and other devices using a Wi-Fi LAN (e.g., IEEE 802.11 standard) for Internet access, a short-range Bluetooth wireless connection for point-to-point access, and/or an NFC channel for close-proximity access. Referring toFIG. 2A, in various embodiments, themobile device102 includes aconventional display screen202, auser interface204, aprocessor206, atransceiver208, and amemory210. Thetransceiver208 may be a conventional component (e.g., a network interface or transceiver) designed to provide communications with a network, such as the Internet and/or any other land-based or wireless telecommunications network or system, and, through the network, with the token-generation server106. Thememory210 includes an operating system (OS)212, such as GOOGLE ANDROID, NOKIA SYMBIAN, BLACKBERRY RIM or MICROSOFT WINDOWS MOBILE, and acode process214 that implements the device-side functions as further described below. Additional transactional information may be embedded in thecode process212 for transmission through thenetwork104 for later processing on a back-end server (e.g., the token-generation server106). As used herein, the term “mobile device” used for transacting a mobile payment refers to a “smart phone” or tablet with advanced computing ability that, generally, facilitates bi-directional communication and data transfer using a mobile telecommunication network, and is capable of executing locally stored applications and/or payment transactions. Mobile devices include, for example, IPHONES (available from Apple Inc., Cupertino, Calif.), BLACKBERRY devices (available from Research in Motion, Waterloo, Ontario, Canada), or any smart phones equipped with the ANDROID platform (available from Google Inc., Mountain View, Calif.), tablets, such as the IPAD and KINDLE FIRE, and personal digital assistants (PDAs). Thememory210 may include computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) and random access memory (RAM). A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements, such as during start-up, is typically stored in ROM. RAM typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit.

The token-generation server106 is a trusted system that generates encrypted payment tokens. In response to requests made by a registered user via theconsumer device102, theserver106 generates tokens and transmits them to theconsumer device102 for presentation to complete a transaction. Referring toFIG. 2B, in various embodiments, the token-generation server106 includes aprocessor222 and a memory224, which may include volatile and non-volatile portions. The memory224 contains instructions, conceptually illustrated as a group of modules, that control the operation of theprocessor222 and its interaction with hardware components. Anoperating system226 directs the execution of low-level, basic system functions such as memory allocation, file management and operation of mass storage devices. At a higher level, a look-upmodule228, aPKI module230, aweb server block234, and acommunication module236 perform the basis system functions described in greater detail below. Thecommunication module234 may be a conventional component (e.g., a network interface or transceiver) designed to provide communications with a network, such as the Internet and/or any other land-based or wireless telecommunications network or system, and, through the network, with themobile device102, themerchant system108, and thepayment processor110. The web-server block236 enables web-based communication with themobile device102, and can be a conventional web-server application executed by theprocessor222.

Aconsumer database240 may reside in astorage device238 and/or an external mass-storage device242 accessible to the token-generation server106; theconsumer database240 stores, for example, a record associated with each registered consumer, or device, with associated trust data (e.g., transactional data). Thedatabase240 is responsive to queries fromlookup module228.

In operation, the user operates an executable, interactive application (an “app”) on themobile device102 identifies himself to theserver106, e.g., using a password or other strong form of authentication. The look-upmodule228 obtains the user's account records from thedatabase240 and, using thePKI module230, generates an encrypted token for that user using a private key. The encrypted token contains information to uniquely identify the token or the user of the token, as well as trust data from the user's database record. Trust data may also reflect the time the token was generated, since more recently created tokens are considered more trustworthy (since the likelihood of fraudulent access or use increases over time). In general, trust data reflects a probability that thepayment processor110 will ultimately authorize the desired payment on the user's behalf. For example, the trust data may specify how many transactions the consumer has processed in the past (in some embodiments, more recent transactions may receive a greater trust weight), the spending limit of the consumer, the home region of the consumer, the transaction history of the consumer (in some embodiments, transactions at merchants where the consumer has transacted previously may receive a greater trust weight), the age of the consumer's account (which may be correlated with the user's transaction history, but is a distinct piece of information which is much smaller to store), and other demographic information. Additional trust factors can include trust levels of other individuals with whom the user is somehow associated (e.g., social network “friends”), as well as trust levels associated with those individuals' friends and the number of funding sources the user has. For example, a user with only a single funding source may be a higher risk than a user with multiple funding sources (e.g., one credit card or bank account on file, versus many different accounts on file). This may also be based on the institutions in which the accounts are held, as it is less likely for a user to close accounts across different institutions simultaneously. In some embodiments, an aggregated “trust-factor” value is calculated that collapses all of these various metrics into a single value to be included in the token. The trust-factor value may be numeric or may simply be a coarse level, e.g., low, medium, or high.

Trust data may be updated when the registered user initiates or completes a new transaction, e.g., when theserver106 receives a record of a new transaction from thepayment processor110 via thecommunication module234. In another embodiment, the trust data is updated periodically in a predetermined time period. For example, the trust data may be updated at a set time each day based on transactions that the user has completed within the previous 24 hours. The trust data may also be updated continuously based on patterns from all transactions processed, including transactions not involving the particular user. Similarly, the trust data may be updated continuously based on the trust factor of that person's social network “friends.”

Theserver106 transmits the generated token back to themobile device102 via thecommunication module234. As is well understood in the art, the token, encrypted using the private key, may be decrypted using a public key; the latter is made available tomerchant systems108 to use in the course of transactions in accordance herewith. In one embodiment, the private key and associated public key (the private/public key pair) are reset periodically (e.g., in a predetermined period of time) for security purposes; the public key is communicated, viacommunication module234, to themerchant system108 upon every reset. In another embodiment, the private/public key pair is unchangeable. The token may be an authentication that is read directly by themerchant system108 using, for example, NFC; may encode an optically readable “mature code” (e.g., a QR code or a bar code) that is displayed on the screen of themobile device102; or may be a “seed code” from which the mobile device106 (via the app) can generate a mature code later.

Referring toFIG. 2C, in various embodiments, themerchant system108 includes aprocessor252, amemory254, anoperating system256, adecision module258, adecryption module260, aweb server block264, acommunication module266, and astorage device268. As described above, the various functional modules are typically implemented as stored instructions that operate as running processes via theprocessor252. Themerchant system108 may be connected to or include thereader112, which is capable of reading payment tokens according to any suitable modality (optical, NFC, etc.) from a consumer'smobile device102. Thedecryption module260 stores the public key and decrypts the token obtained by thereader112. If decryption is successful, thedecision module258 may, in some embodiments, further authenticate the token or the consumer if decryption is successful (e.g., by requesting a password or biometric indicium, such as a fingerprint, from the consumer). In instances where themerchant system108 does not or presently cannot communicate with thepayment processor110, thedecision module258 decides, based on the decrypted trust data, whether to authorize the transaction as further described below. Accordingly, themerchant system108 does not require continuous network access in order to authorize transactions. The transaction may be authorized based on the trust data and transactional information saved instorage device268 for later transmission through thenetwork104 for processing on a back-end server (e.g., the payment processor110).

As illustrated inFIG. 3, payment transactions in accordance herewith may involve different stages that need not take place in tandem or at specific times, but instead may occur whenever a network connection can be established: a token-generation stage302, a payment-initiation stage304, a payment-authorization stage306, a funds-transfer stage308, and a database-update stage310. For example, thepayment initiation stage304 does not require a network connection when the encrypted token is read from themobile device102 by aPOS merchant system108. The various stages are described in further detail below.

Arepresentative method400 for safely transacting a payment without continuous network access in accordance with embodiments of the current invention is shown inFIGS. 4A,4B, and4C (with additional reference to FIGS.1 and2A-2C). Assuming the consumer is registered with the token-generation server106, the consumer, or an application acting on behalf of the consumer, can log in to theserver106 to retrieve a payment token. For example, the consumer may download an app onto her mobile device102 (step402); the app, when executed on themobile device102, communicates with the token-generation server106 and allows the user to log in by supplying a proof of identify, such as a username/password pair (step404)—either to the app, which then transmits the log-in information to theserver106, or to theserver106 directly via, for example, a web session—and request a token. This request is transmitted to the token-generation server106 (step406). The identifying information is verified (step408), once again either by the app or by the token-generation server106, and the look-upmodule228 of the token-generation server106 looks up the consumer's account data stored in database240 (step410) and generates a token for the consumer. The token contains data that identifies the consumer and/or the token as well as trust data for the consumer. The token may contain actual financial account information of the consumer or may instead contain information (such as an email address, telephone number, or random unique data) that can be mapped to the consumer's account by thepayment processor110. Before being sent, the token is encrypted using the private key (step414). The encrypted token is then transmitted to the mobile device102 (step416). Although the discussion herein focuses on a private/public key pair method of encryption for purposes of illustration, the present invention may be implemented using any asymmetric encryption method in which a secret key is known only to the token-generation server106. In other embodiments, the private key may be used to digitally sign the token and successful verification of the signature proves the token's authenticity. Digital signatures utilize the public key infrastructure to ensure authenticity (i.e., that no one has tampered with the token in transit and that the token was indeed generated by the token-generation server106.)

The client app running on themobile device102 receives and stores the encrypted token (step418). The token-generation process may take place at any time after a consumer registers an account. The token may be delivered to themobile device102 at any time a network connection can be established. Generation of the token and delivery of the token may occur as two separate steps and may not happen at the same time. Thedevice102 need not be continuously connected to network104 and sporadic connectivity is sufficient to gain the benefits of the present invention. In addition, to reduce the risk of tokens being stolen, the token can be rotated. For example, the client app may be configured to check for network connectivity after a period of time, corresponding to the desired lifetime of a token, has elapsed since the token was received. If network connectivity is unavailable, the client app periodically checks until it detects a network connection. The client app may poll for connectivity, or the app may asynchronously monitor for connectivity changes. For example, the operating system of themobile device102 may have facilities to notify apps asynchronously when network connectivity returns. The app may also be programmed wait for a triggering event before communicating with the server. For example, this triggering event may be in the form of the user opening the app, the user clicking a button to refresh his token, or other triggers as determined by the app's programming. If two-way communication between the app and themerchant system108 is possible, the app may rotate the token after communicating the previous token to themerchant system108. At this point, without the involvement of the consumer, the app causes themobile device102 to communicate with the token-generation server106 to obtain a replacement token. In some embodiments, the app passively monitors for other network traffic on the device prior to communicating with the token-generation server106 in order to optimize power consumption. When the new token is received, the app causes the old one to be invalidated (so that the consumer uses only the newest token in a transaction). Alternatively, the rotation of tokens may be initiated by thepayment processor110. Thepayment processor110 may send a “push notification” message to the application, either periodically or after a triggering event. For example, the app may display a token but not know when that token has been successfully used to complete a transaction. When a transaction has been completed, thepayment processor110 may therefore send a push notification to the device to rotate the token. In accordance with this approach, the token may be contained in the push notification or, instead, the push notification may simply be a “tickle” to cause themobile device102 to initiate a request to obtain a new token. If themobile device102 is offline when the push notification is sent, delivery of the push notification may be queued for delivery once themobile device102 comes online again. The process of networked code rotation is far more secure than simple static tokens.

Alternatively, in response to a token request, the token-generation server106 may generate and deliver an encrypted, ordered stack—or “quiver”—of tokens for secure storage in themobile device102. Whenever the consumer displays a token on the mobile device102 (even if a payment transaction is not initiated), it is locally marked as displayed and the next token in the stack is marked for display. This process repeats each time a token is displayed. In some embodiments, each time a token is displayed, the app causes themobile device102 to attempt to establish a network connection and, when the connection is established, commands the token-generation server106 to mark the current token (i.e., the one on display) code for invalidation after a short period of time (e.g., in 60 minutes) and to invalidate all tokens preceding it in the stack (in case some had been displayed without a network connection). In this way, the current token—which is assumed to have been displayed because a transaction is imminent—is invalidated within a reasonable time to prevent fraud, since a token is at particular risk for fraudulent acquisition and use when displayed. The token-generation server106 may generate and transmit to themobile device102 enough new tokens to “refill” the quiver; the new tokens may be stored at the back end of the quiver so that older tokens are used on a first in, first out (FIFO) basis. FIFO operation ensures that the consumer always has newer tokens on hand. Alternatively, the new tokens may be stored at the front end of the quiver for last in, first out (LIFO) operation. While FIFO is preferred for extended periods of offline access, LIFO is generally better for security: newer tokens may have newer fraud information embedded in them, which benefits the payment network if they are used first. Since most devices tend to establish a network connection on each transaction, a reasonable quiver size is 30 tokens, which minimizes the likelihood of running out of tokens from the quiver. However, if all tokens in the quiver have been displayed without a network connection having been established, the last token is not marked as invalid and themobile device102 continues to display it. In some embodiments, each token in a quiver is given a sequence number (e.g., the first token is sequence1, the last token is sequence30). This sequence number may be embedded in the token itself, acting as a form of trust data. If themobile device102 goes a long period of time without connecting to the token-generation server106, the last token in the quiver may be used for a long period of time. In various embodiments, themerchant system108 is configured to reject the last token in a quiver when the mobile devices are operating in distributed mode and are not able to communicate with the payment processing system (e.g., the network is down). In various embodiments, each token in the quiver has a different validity period embedded in its trust data, and not all of the tokens in the quiver are valid simultaneously. This reduces the likelihood that any given token in the quiver can be stolen and used fraudulently.

A payment transaction is initiated when the consumer presents a token (e.g., in the form of a QR code) stored in themobile device102 to the merchant system108 (step420). Themerchant system108 may scan the code using the reader112 (step422), and thereupon decrypts the token using the public key (step424). Any token that unsuccessfully decrypts is either fraudulent or corrupted, and the transaction is denied (step426). Any token that successfully decrypts is guaranteed to have been created with private key, and is assumed to have come from the token-generation server106. Themerchant system108 may then attempt to transmit the token along with information about the transaction (the amount to be paid, in particular) and the merchant's own identity to thepayment processor110, and await approval or denial. If a network connection cannot be established, however, themerchant system108 can itself approve the transaction based on the trust data in the token using the decision module258 (step428). Although this does not guarantee that thepayment processor110 will ultimately authorize the transaction, if the token decrypts successfully and was generated within a certain amount of time, and the trust data is satisfactory, the risk may be acceptable to the merchant.

The criteria applied in evaluating the trust data may be universal across thesystem100 or may be specific toparticular merchant systems108. For example, a merchant may choose only to accept tokens from consumers whose home region is within a set distance of the POS; tokens from consumers who have transacted with the merchant previously; tokens that have been generated within a set time period; and/or trust data reflecting a transaction history success rate above a threshold percentage or number. In the latter case, the transaction history may be weighted in favor of more recent transactions in determining whether the threshold acceptability level is reached. The threshold acceptability level may vary with the amount of the transaction, and different criteria may receive different weights that themselves vary with the transaction amount. The trust criteria may be selected and combined in accordance with the priorities and preferences of the merchant and programmed into thedecision module258, which scores each transaction accordingly. It should be emphasized that trust criteria can include any factors relevant to a risk score, e.g., the location of the merchant scored against local aggregated crime statistics from public databases.

If the criteria are satisfied, themerchant system108 authorizes the transaction (step430) and communicates the authorization along with the encrypted token and information about the transaction and the merchant's own identity to thepayment processor110 when a network connection is available (step432); assuming the consumer's financial account is in good standing, thepayment processor110 will transfer funds to the merchant. Until a network connection can be established, the token and transaction information are saved to thelocal storage268 in themerchant system108 for transmission when network connectivity is available (step434).

Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, specially designed ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.

The various modules and apps described herein can include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms “machine-readable medium” “computer-readable medium” refers to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor.

The terms and expressions employed herein are used as terms and expressions of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described or portions thereof. In addition, having described certain embodiments of the invention, it will be apparent to those of ordinary skill in the art that other embodiments incorporating the concepts disclosed herein may be used without departing from the spirit and scope of the invention. Accordingly, the described embodiments are to be considered in all respects as only illustrative and not restrictive.

Claims

What is claimed is:

1. A method of processing a transaction among a consumer, a merchant point-of-sale system and a transaction-processing entity, the method comprising:

generating a token encrypted with data identifying the consumer and trust data for the consumer and at least one individual with whom the consumer is associated;

receiving and storing the token by a device of the consumer;

reading and decrypting, by the merchant system, the token upon presentation thereof by the consumer's device in connection with the transaction;

authorizing, by the merchant system, the transaction based on (i) successful decryption of the token and (ii) the trust level of the consumer and the at least one associated individual without communication with the transaction-processing entity;

subsequent to authorization of the transaction by the merchant system, communicating, by the merchant to the transaction-processing entity, a record of the transaction and authorization thereof; and

following the communication from the merchant system to the transaction-processing entity, completing the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant.

2. The method ofclaim 1, wherein the authorized transaction is completed upon approval by the transaction-processing entity of a basis for the authorization by the merchant system.

3. The method ofclaim 1, wherein approval by the merchant system is also based on a time of generation of the token and a time of the reading.

4. The method ofclaim 1, wherein the trust data contains at least one of (i) a token generation time, (ii) a transaction history of the consumer, (iii) a spending limit of the consumer or (iv) a home region of the consumer.

5. The method ofclaim 1, wherein the trust data is a single trust-factor value.

6. The method ofclaim 1, wherein the token is encrypted using public key cryptography.

7. The method ofclaim 1, wherein the token is displayed as a QR code on the consumer device.

8. The method ofclaim 1, wherein the token is a one-time-use token.

9. The method ofclaim 1, further comprising generating and storing, on the consumer device, a plurality of tokens.

10. The method ofclaim 9, wherein following presentation of a first token, the first token is marked for deletion and a second token is marked for display on a subsequent presentation.

11. The method ofclaim 10, wherein presentation of the first token comprises receiving confirmation from the merchant system that the token was received.

12. The method ofclaim 10, wherein the token is not marked for deletion until a deletion communication is received from the transaction-processing entity.

13. The method ofclaim 9, wherein following presentation of a first token, the first token is marked for deletion and a second token is marked for display after a predetermined time period.

14. The method ofclaim 1, further comprising marking a token for deletion and generating a token to replace the token marked for deletion.

15. The method ofclaim 1, further comprising identifying the consumer prior to generating the token.

16. A system for processing a transaction among a consumer, a merchant and a transaction-processing entity, the system comprising:

a token server for (i) generating a token encrypted with data identifying the consumer and trust data for the consumer and at least one individual with whom the consumer is associated, and (ii) communicating the token to a device of the consumer;

a point-of-sale system for reading and decrypting the token upon presentation thereof by the consumer in connection with the transaction, the point-of-sale system being configured to authorize the transaction based on (i) successful decryption of the token and (ii) the trust level of the consumer and the at least one associated individual without communication with the transaction-processing entity; and

a transaction-processing server configured to (i) receive, from the point-of-sale system subsequent to transaction authorization, a record of the transaction and authorization thereof, and (ii) cause completion of the authorized transaction by causing funds to be transferred from the consumer's financial account to the merchant.

17. The system ofclaim 16, wherein the point-of-sale system is configured to authorize the transaction based at least in part on a time of generation of the token and a time of the reading.

18. The system ofclaim 16, wherein the token server is configured to encrypt the token using private key cryptography.

19. The system ofclaim 16, wherein the token server is configured to embed an expiration time in the generated token.

20. The system ofclaim 16, wherein the token server is configured to embed a creation time in the generated token.

21. The system ofclaim 16, wherein the token server is configured to generate and communicate a series of tokens to the device.

22. The system ofclaim 16, wherein the token server is configured to verify the consumer's identity prior to token generation.

23-24. (canceled)

25. The method ofclaim 1, wherein the tokens are stored in a stack for sequential access on a first in, first out basis.

26. The method ofclaim 1, wherein the tokens are stored in a stack for sequential access on a first in, last out basis.

27. The method ofclaim 1, wherein the at least one individual is associated with the consumer via social media.

28. The system ofclaim 16, wherein the at least one individual is associated with the consumer via social media.