CN112136302B - Mobile network operator authentication protocol - Google Patents

Abstract

A method is disclosed and includes receiving, by a server computer, a request for virtual access credentials for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system. The method also includes: transmitting, by the server computer, the virtual access credential request to an authorizing entity computer; receiving, by the server computer, a virtual access credential from the authorizing entity computer; and sending, by the server computer, the virtual Access credentials are transmitted to the communication device or the resource provider computer.

Description

Mobile Network Operator Authentication Protocol

Related Application Cross Reference

This application claims the benefit of U.S. Provisional Application No. 62/671,325, filed May 14, 2018, which is hereby incorporated by reference in its entirety for all purposes.

Background technique

There are many situations where a user may not have the proper credentials but may wish to be able to access a resource. In one example, a person may wish to enter a building, but may not have the proper badge or key card for building access. In another example, a person may wish to purchase an item, but may not have an electronic debit or credit card to purchase the item. You want to provide users with access to resources for which they do not have access credentials.

Embodiments of the present invention address the above-referenced problems and others, individually and collectively.

Contents of the invention

Embodiments of the present disclosure relate to methods and systems for providing authentication and authorization of access. In some examples, the methods and systems will establish first and second levels of authentication, where the authorization entity can establish the first authentication and the mobile network operator computer can establish the second authentication. In other examples, the system will allow a user to initiate a purchase transaction or access a restricted area using a mobile network operator computer system associated with the user's communication device rather than a bank account.

One embodiment of the invention relates to a method or system comprising: receiving, by a server computer, virtual access to an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system requesting a credential; transmitting, by the server computer, the virtual access credential request to an authorizing entity computer; receiving, by the server computer, a virtual access credential from the authorizing entity computer; transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer; receiving, by the server computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction; forwarding the authorization request message to the authorization entity computer; receiving an authorization response message from the authorization entity computer by the server computer; and forwarding the authorization response message to the resource provider computer by the server computer, wherein The authorizing entity computer then completes the interaction with the mobile network operator computer system.

Another embodiment of the invention involves receiving, by an authorizing entity computer, a request for virtual access credentials for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system; said authorizing entity computer generates a virtual access credential associated with the approved amount; said virtual access credential is transmitted by said authorizing entity computer to a processing network computer, wherein said virtual access credential is forwarded to said communication device or said a resource provider computer; receiving, by the authorizing entity computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction; combining the total amount of the authorization request with the virtual access The approved amount of the voucher is compared; the approval or rejection of the authorization request message is determined by the authorization entity computer based on the comparison; the authorization or rejection of the authorization request message is determined by the authorization entity computer based on the approval or rejection of the authorization request message generating an authorization response message; forwarding, by the server computer, the authorization response message to the processing network computer; and subsequently forwarding a completion message to the mobile network operator computer based on the approval or denial of the authorization request message system.

Other embodiments relate to server computers and systems adapted to perform the methods described above and others.

These and other embodiments of the invention are described in further detail below.

Description of drawings

Fig. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the present invention.

Figure 2 shows a block diagram of a processing web server computer according to an embodiment of the present invention.

Fig. 3 shows a block diagram of a resource provider computer according to an embodiment of the present invention.

Fig. 4 shows a block diagram of an authorizing entity computer according to an embodiment of the invention.

Figure 5 shows a block diagram of a mobile network operator computer system according to an embodiment of the invention.

Fig. 6 shows a block diagram of a communication device according to an embodiment of the present invention.

Detailed ways

Before discussing the embodiments of the present invention, a further description of some terms may be helpful in understanding the embodiments of the present invention.

A "Virtual Access Credential" may be a credential with a limited lifetime or a limited number of uses. As described further below, a virtual access credential may have the form or attributes of a credential or payment credential, token or payment token. Virtual access credentials can be used to obtain resources such as goods, services, location and security data. Virtual access credentials may also be in any suitable form, including letters or numbers (eg, 16-digit numbers).

A "credential" may be any suitable information that serves as reliable evidence of value, title, identity, or authority. Credentials can be a string of numbers, letters, or any other suitable characters, and any object or document that can be used as a confirmation. Examples of credentials include value credentials such as payment credentials, identification cards, authentication documents, access cards, passwords and other login information, and the like.

"Payment credentials" may include any suitable information associated with an account (eg, the payment account and/or payment device associated with the account). Such information may be directly related to the account, or may be derived from information related to the account. Examples of account information may include PAN (Primary Account Number or "Account Number"), username, expiration date, and verification values such as CVV, dCVV, CVV2, dCVV2, and CVC3 values.

A "digital wallet" may include an electronic device that allows an individual to conduct electronic commerce transactions. An electronic wallet may store user profile information, payment credentials, bank account information, one or more digital wallet identifiers, etc., and may be used in a variety of transactions such as, but not limited to, e-commerce, social networking, transfer/personal payments, Mobile commerce, proximity payment, games, etc. for retail purchases, digital goods purchases, utility payments, purchase of games or game coupons from gaming sites, transfer of funds between users, etc. Digital wallets can be designed to simplify the purchasing and payment process. A digital wallet may allow a user to load one or more payment cards onto the digital wallet in order to make payments without entering an account number or presenting a physical card.

A "token" may be a replacement value for a credential. A token can be a string of numbers, letters, or any other suitable characters. Examples of tokens include payment tokens, access tokens, personal identification tokens, etc.

A "payment token" may include an identifier of a payment account, which is a replacement for an account identifier, such as a primary account number (PAN). For example, a payment token may include a series of alphanumeric characters that may be used as a replacement for the original account identifier. For example, token "4900 0000 0000 0001" can be used in place of PAN "4147 0900 0000 1234". In some embodiments, payment tokens may be "format reserved" and may have a numerical format consistent with account identifiers used in existing transaction processing networks (eg, ISO 8583 financial transaction message format). In some embodiments, a payment token may be used in place of a PAN to initiate, authorize, settle, or resolve a payment transaction, or to represent an original credential in other systems where the original credential would normally be provided. In some embodiments, payment tokens may be generated such that recovery of the original PAN or other account identifier may not be computationally derivable from the token value. Additionally, in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and to recognize the entity issuing the token.

"Tokenization" is the process of replacing data with replacement data. For example, a payment account identifier (eg, primary account number (PAN)) can be tokenized by replacing the primary account identifier with a replacement number (eg, token) that can be associated with the payment account identifier. Furthermore, tokenization can be applied to any other information that can be replaced with a replacement value (ie, a token). Tokenization increases transaction efficiency and security.

A "virtual access credential request message" may be an electronic message requesting a virtual access credential. The virtual access credential request message may include information that can be used to identify the payment account or digital wallet, and/or information that can be used to generate the virtual access credential. For example, a virtual access credential request message may include payment credentials, mobile device identification information (e.g., phone number or MSISDN), digital wallet identifier, information identifying a tokenization service provider, merchant identifier, password, and/or any other appropriate information. Information included in the virtual access credential request message may be encrypted (eg, using an authorization entity specific key). In some examples, the virtual access credential request message may include an approved amount (e.g., a debit amount, etc.) provided to the user on behalf of the authorized entity computer, and the approved amount is stored in the user profile at the authorized entity computer to It is compared at a later time with the total amount included in the authorization request message.

The "virtual access credential response message" may be a message in response to a virtual access credential request. The virtual access credential response message may include an indication that the virtual access credential request was approved or denied. The virtual access credential response message may also include a virtual access credential, mobile device identification information (e.g., phone number or MSISDN), a digital wallet identifier, information identifying a tokenization service provider, a resource provider identifier, a password, and/or any other suitable information. Information included in the virtual access credential response message may be encrypted (eg, using an issuer-specific key).

"User" may include individuals. In some embodiments, a user may be associated with one or more personal accounts and/or mobile devices. In some embodiments, a user may also be referred to as a cardholder, account holder, or customer.

An "authorization request message" may be an electronic message requesting authorization for a transaction. In some embodiments, an authorization request message is sent to the transaction processing computer and/or the issuer of the payment card to request authorization of the transaction. Authorization request messages according to some embodiments may comply with ISO8583, a standard for systems exchanging electronic transaction information associated with payments made by users using payment devices or payment accounts. The authorization request message may include an issuer account identifier that may be associated with the payment device or payment account. The Authorization Request message may also include additional data elements corresponding to "Identification Information", including (for example only): Service Code, CVV (Card Verification Value), dCVV (Dynamic Card Verification Value), PAN (Primary Account Number or "Account Number") ”), payment token, username, expiry date, etc. The authorization request message may also include "transaction information," such as any information associated with the current transaction, such as the total amount of the transaction, merchant identifier, merchant location, acquirer bank identification number (BIN), card acceptor ID, identifying the and any other information that may be used to determine whether to identify and/or authorize a transaction.

The "authorization response message" may be a message in response to an authorization request. In some cases, the authorization response message may be an electronic message reply to the authorization request message generated by the issuing financial institution or the transaction processing computer. By way of example only, the Authorization Response message may include one or more of the following status indicators: Approved - the transaction is approved; Rejected - the transaction is not approved; or Call Center - for more information on a response pending, the merchant must call Authorized phone number. The authorization response message may also include an authorization code, which may be an indication that the credit card issuing bank returned to the merchant's access device (e.g., a POS device) in response to the authorization request message in an electronic message (either directly or through the transaction processing computer) The code with which the transaction was approved. The code can serve as proof of authorization.

A "server computer" may include a powerful computer or computer cluster. For example, a server computer can be a mainframe, a cluster of small computers, or a group of servers that function as a unit. In one example, the server computer may be a database server coupled to a web server. A server computer may include one or more computing devices and may employ any of a variety of computing architectures, arrangements, and compilations to service requests from one or more client computers.

Embodiments of the present disclosure include methods and systems that provide authentication and authorization of access. In some examples, the system will establish first and second levels of authentication, where the authorization entity can establish the first authentication and the mobile network operator computer can establish the second authentication. In other examples, the system will allow a user to initiate a purchase transaction or access a restricted area using a mobile network operator computer system associated with the user's communication device rather than a bank account.

Fig. 1 shows a block diagram of an authentication and authorization system according to an embodiment of the present invention. As shown, the system may include a communication device 102 , a resource provider computer 110 , a transmitting computer 115 , a processing network server computer 120 , an authorizing entity computer 130 , and a mobile network operator computer system 140 .

The system of FIG. 1 may include a processing web server computer 120 . The example processing web server computer 120 of FIG. 1 is shown in FIG. 2 . Processing network server computer 120 may include one or more server computers, as well as data processing subsystems, networks, and operations for supporting and delivering authorization services, exception file services, and clearing and settlement services. An exemplary processing network may include VisaNet ^™ . Processing networks such as VisaNet( ^TM) are capable of processing credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet ^TM specifically includes the VIP system (Visa Integrated Payment System) that handles authorization requests, and the Base II system that performs clearing and settlement services. The processing network may use any suitable wired or wireless network including the Internet.

The processing network server computer may include subsystems or components interconnected via system bus 210 as shown in FIG. 2 . The interconnection via system bus 210 allows processor 212 to communicate with each subsystem and to control the execution of instructions from system memory 214 . System memory 214 may embody computer readable media. Communication interface 216 may be used to connect the server computer to a wide area network such as the Internet or other I/O devices associated with the computer system. The system bus 210 may also connect to one or more modules or engines embodied in memory, including a communication module 230 , a virtual access credential module 232 and/or an interaction engine 234 .

Communications module 230 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in FIG. 1 . For example, the communication module 230 may be configured to receive a virtual access credential request from the communication device 102, transmit the virtual access credential request to the authorizing entity computer 130, receive and transmit the virtual access credential, receive and transmit an authorization request message, and receive and transmit Authorization response message.

The virtual access credential module 232 may be configured to parse the virtual access credential request to determine a user identifier associated with the communication device 102 operated by the user. The user identifier may correspond to the mobile network operator computer system 140 to receive additional information associated with the user identifier. Additional information may include order history, location history, or user profile information for the communication device registered with the mobile network operator computer system 140 . The virtual access credential module 232 may determine whether to generate a virtual access credential based on the additional information.

The interaction engine 234 may be configured to identify the authorizing entity computer 130 based on the virtual access credentials, and to route authorization request messages to the appropriate authorizing entity computer 130 . For example, the authorization request message may include a credential including a bank identification number (BIN) that uniquely identifies an authorizing entity computer of a plurality of authorizing entity computers. Interaction engine 234 may associate the received BIN with appropriate routing information to the authorization entity computer and enable transmission of the authorization request message to the appropriate authorization entity computer.

The system of FIG. 1 may also include a resource provider computer 110 . The example resource provider computer 110 of FIG. 1 is shown in FIG. 3 . A resource provider computer may be an entity that may provide resources such as goods, services, information and/or access. Examples of resource providers include merchants, data providers, shipping agents, government entities, venue and residential operators, and more. A merchant may generally be an entity that participates in a transaction and is capable of selling or providing access to goods or services.

The resource provider computer may include subsystems or components interconnected via system bus 310 as shown in FIG. 3 . The interconnection via system bus 310 allows processor 312 to communicate with each subsystem and to control the execution of instructions from system memory 314 . System memory 314 may embody computer readable media. Communication interface 316 may be used to connect the resource provider computer to a wide area network such as the Internet or other I/O devices associated with the resource provider computer. System bus 310 may also connect to one or more modules or engines embodied in memory, including communication module 330 , request engine 332 and/or interaction engine 334 . One or more databases may store information received, maintained and transmitted by resource provider computers, including item database 350 .

Communications module 330 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in FIG. 1 . For example, the communication module may be configured to receive a request to order an item or service at the interaction site 112, receive an indication of an interaction at the interaction site 112 (e.g., select a "bill me" button, etc.), The virtual access credential request is transmitted to the processing web server computer 120 and the authorization request message is transmitted to the transmitting computer 115 .

Request engine 332 may be configured to generate virtual access credential requests associated with interactions between communication device 102 and interaction site 112 (not shown in FIG. 3 ). The virtual access credential request may include information associated with the communication device operated by the user. In some embodiments, a virtual access credential may correspond to an approved amount associated with a request to access a resource requested by communication device 102 . The amount may be approved by the authorized entity computer 130 .

Request engine 332 may also be configured to generate an authorization request message that includes the virtual access credentials received from authorizing entity computer 130 and the total amount associated with the resource requested by communication device 102 . Request engine 332 may associate the authorization request message with one or more resources (eg, items or services, etc.) offered by resource provider computer 110 . The resources may correspond to item descriptions, value amounts, and other relevant information stored in the item database 350 .

Interaction engine 334 may be configured to allow access to resources upon authentication of virtual access credentials and authorization associated with an authorization response message including an approval determination from authorization entity computer 130 .

Resource provider computer 110 may also be associated with an access device. The access means may be operated by a resource provider and may include any suitable means for providing access to remote systems. The access device may also be used to communicate with a resource provider computer 110, a transaction processing computer, an authentication computer, or any other suitable system. The access device may generally be located at any suitable location, for example at the resource provider's location. The access device may take any suitable form. Some examples of access devices include POS or point-of-sale devices (e.g., POS terminals), cellular phones, PDAs, personal computers (PCs), tablet PCs, handheld application-specific readers, set-top boxes, electronic cash registers (ECRs), automatic Teller Machine (ATM), Virtual Cash Register (VCR), Inquiry Machine, Security System, Access System, etc. The access device may use any suitable contact or contactless mode of operation to send or receive data from or associated with the mobile communication device or payment device. In some embodiments where the access device may include a POS terminal, any suitable POS terminal may be used and may include a reader, a processor, and a computer readable medium. The reader may include any suitable contact or contactless mode of operation. For example, exemplary card readers may include radio frequency (RF) antennas, optical scanners, barcode readers, or magnetic stripe readers to interface with the payment device and/or mobile device. In some embodiments, a cell phone, tablet, or other dedicated wireless device used as a POS terminal may be referred to as a mobile point-of-sale or "mPOS" terminal.

The system of FIG. 1 may also include a transfer computer 115 . Transmitting computer 115 may be operated by an acquirer or a business entity (eg, a merchant bank) that has a business relationship with a particular merchant or other entity. Some entities may perform both issuer and acquirer functions. Some embodiments may cover such a single entity issuer-acquirer.

The system of FIG. 1 may also include an authorization entity computer 130 . An example authorized entity computer 130 is shown in FIG. 4 . An authorizing entity may be an entity that authorizes the request. Examples of authorized entities may be issuers, government agencies, file repositories, access administrators, banks, etc. Authorizing entity computer 130 may generally refer to a business entity (eg, a bank or issuer computer) that maintains user accounts.

The authorized entity computer may include subsystems or components interconnected via system bus 410 as shown in FIG. 4 . The interconnection via system bus 410 allows processor 412 to communicate with each subsystem and to control the execution of instructions from system memory 414 . System memory 414 may embody computer readable media. Communication interface 416 may be used to connect the authorizing entity computer to a wide area network such as the Internet or other I/O devices associated with the authorizing entity computer. The system bus 410 may also connect to one or more modules or engines embodied in memory, including a communication module 430 , a virtual access credential module 432 and/or an authorization module 434 . One or more databases may store information received, maintained and transmitted by authorized entity computers, including credential database 450 .

Communications module 430 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in FIG. 1 . For example, communication module 430 may be configured to receive a virtual access credential request from processing web server computer 120, transmit the virtual access credential to processing web server computer 120, receive an authorization request message, generate and transmit an authorization response message, and Electronic messages associated with clearing and settlement are transmitted after the interaction with the resource provider computer 110 has occurred.

The virtual access credentials module 432 may be configured to generate virtual access credentials and issue the virtual access credentials to a communication device 102, such as a cell phone, smart card, tablet computer, or laptop computer. The virtual access credentials may include a user identifier associated with a communication device operated by the user. The user identifier may correspond to a user account registered with the mobile network operator computer system 140 . The virtual access voucher may also correspond to an approved amount for ordering resources provided by the resource provider computer 110 .

The authorization module 434 may be configured to determine whether to allow or deny access to the resource provider based at least in part on comparing a first virtual access credential provided in response to the virtual access credential request with a second virtual access credential received with the authorization request message. Computer 110 provides access to resources. Virtual access credentials may be stored in a credentials database 450 and associated with a communication device 102 or a user.

Authorization module 434 may also be configured to determine whether to allow or deny an offer to resource provider computer 110 based at least in part on comparing the total amount included in the authorization request message with an approved amount provided to the user on behalf of the authorizing entity computer. resource access. The approved amount may be stored in the user profile and virtual access credentials at the authorized entity computer 130 .

The system of FIG. 1 may also include a mobile network operator computer system 140 . An example mobile network operator computer system 140 is shown in FIG. 5 . Mobile network operator computer system 140 may include an entity that provides mobile network services to mobile devices, including communication device 102 . Mobile network operator computer system 140 may perform radio spectrum allocation, wireless network infrastructure, and the like. The mobile network operator computer system 140 may identify the mobile device through a user account associated with one or more corresponding users of the mobile device. The mobile network operator computer system 140 may also provide an invoice or bill to the user in exchange for providing mobile network services.

The mobile network operator computer system may include subsystems or components interconnected via a system bus 510 as shown in FIG. 5 . The interconnection via system bus 410 allows processor 512 to communicate with each subsystem and to control the execution of instructions from system memory 514 . System memory 514 may embody computer readable media. Communication interface 516 may be used to connect the resource provider computer to a wide area network such as the Internet or other I/O devices associated with the resource provider computer. System bus 510 may also connect to one or more modules or engines embodied in memory, including communication module 530 , interaction engine 532 and/or network operations engine 534 . One or more databases may store information received, maintained and transmitted by mobile network operator computer systems (including subscriber database 550).

Communications module 530 may be configured to receive and transmit electronic messages from other computers and devices throughout the system shown in FIG. 1 . For example, communication module 530 may be configured to provide mobile network services to communication device 102, receive communications from communication device 102 including payment of an invoice for provision of mobile network services, and receive and transmit communications with authorized entity computer 130, including communications with billing and Messages associated with the liquidation process.

Interaction engine 532 may be configured to determine order history, location history, or user profile information associated with communication device 102 through the course of providing mobile network communication services. For example, a user may periodically subscribe to mobile network communication services from the mobile network operator computer system 140 . A history of ordering services may be received and processed by the profile engine 142 and stored in the user database 550 . In some examples, communication device 102 may transmit location information that is received by mobile network operator computer system 140 and stored in subscriber database 550 to generate a history of location information associated with communication device 102 .

Network operations engine 534 may be configured to perform radio spectrum allocation, wireless network infrastructure, and the like. The network operations engine 534 may identify the communication device 102 through a user account associated with one or more corresponding users of the device.

The system of FIG. 1 may include a communication device 120 . The example communication device 102 of FIG. 1 is shown in FIG. 6 . The communication device may comprise any suitable electronic device operable by a user that also provides remote communication functionality with a network. A mobile communication device may be an example of an easily transportable communication device. Examples of remote communication capabilities include the use of mobile phone (wireless) networks, wireless data networks (e.g., 3G, 4G or similar networks), Wi-Fi, Wi-Max, or those that can provide access to networks such as the Internet or private networks any other communication medium. Examples of mobile communication devices include mobile phones (eg, cellular phones), PDAs, tablet computers, netbooks, notebook computers, personal music players, handheld application-specific readers, and the like. Other examples of mobile communication devices include wearable devices such as smart watches, fitness bracelets, anklets, rings, earrings, etc., and cars with telematics capabilities. In some embodiments, a mobile communication device may act as a payment device (eg, the mobile communication device may store and be able to transmit payment credentials for a transaction).

A payment device may incorporate communication device 102 and include any suitable device that may be used to conduct a financial transaction to provide payment credentials to a merchant. A payment device may be a software object (eg, a payment application associated with a credit, debit, or prepaid account), a hardware object, or a physical object. A payment device may be associated with a value such as a monetary value, discount, or store credit, and a payment device may be associated with an entity such as a bank, merchant, payment processing network, or individual.

The communication device 600 in FIG. 6 may include a processor 602 and a main body 614 . It may also include computer readable media 604 . The computer readable medium 604 may be in the form of (or may include within) memory that stores transaction data, and may be in any suitable form including magnetic strips, memory chips, and the like. The memory may store information such as financial information, including bank account information, account balance information, expiration dates, or consumer information, such as account holder's name, date of birth, and the like. Any of this information may be transmitted by communication device 600 via antenna 618 .

The communication device 600 may further include a non-contact element 612 which may be implemented in the form of a semiconductor chip or other data storage element with an associated wireless transfer (eg, data transmission) element such as an antenna 618 . The contactless element 612 may be associated with or embedded within the communication device 600 . Data or control instructions may be transmitted via the cellular network and applied to the contactless element 612 by means of a contactless element interface (not shown). A contactless element interface may be used to allow data and/or control instructions to be exchanged between the device circuitry (and thus the cellular network) and the optional contactless element.

The contactless element 612 may be capable of communicating and receiving data using near field communication (NFC) according to a standardized protocol or data transfer mechanism (eg, ISO14443/NFC). Near field communication functionality may include short-range communication functionality, including RFID, Bluetooth, infrared, or other data transfer functionality that may be used to exchange data between the communication device and the interrogation device. Accordingly, the communication device may be capable of communicating and communicating data and/or control instructions via the cellular network through near field communication.

The communication device may also include a processor 602 for processing functions of the communication device. The communication device may also include a display 606 that allows a user to see information and messages via a user interface. The communication device may further include an input element 608 that allows the user to provide information to the communication device, a speaker 610 that allows the user to engage in secure voice communications, music, and the like. The communication device may also include a microphone 616 that allows the user to transmit his or her voice or other sound files through the communication device. The communication device may also include an antenna 618 for wireless data transfer and transmission.

Returning to step 1 of FIG. 1 , the communication device 102 operated by the user may interact with the resource provider computer 110 . The resource provider computer 110 may provide an interaction site 112 to receive one or more interactions from the communication device 102 . In some examples, resource provider computer 110 may provide an application program that may be stored in and executed by communication device 102 . The communication device 102 may present the application at a display of the communication device 102 to receive interaction from a user at the communication device 102 .

Interaction site 112 (or application) may offer one or more items or services for ordering. The communication device 102 can interact with one or more items or services, adding the items to an electronic shopping cart attached to the interaction site 112 of the resource provider computer 110 . The interactive site 112 (or application) may also provide a "Bill Me" button. The "Bill Me" button, when selected, may initiate a transaction with the processing web server computer 120 for the items included in the electronic shopping cart.

Resource provider computer 110 may receive interactions from communication device 102 through a "Bill Me" button provided at interaction site 112 . For example, after a user selects items to add to an electronic shopping cart on resource provider computer 110, the user may select the button to initiate an order for the items. Interactions can be associated with the total value of items added to the electronic shopping cart.

In some examples, the user may not have a pre-existing credit or debit account, or may not be able to use a pre-existing credit or debit account to make this particular purchase. In these examples, the user associated with the communication device 102 may not have a user account with an authorized entity computer. Thus, when the interaction site 112 provides a "Bill Me" button and this button is selected, the user may not correspond to a credit or debit account to complete the purchase of the item or service.

In step 2, once the "Bill me" button is selected via the communication device 102, a virtual access credential request will be sent (via the interaction site 112 or an application stored at the communication device 102) from the resource provider computer 110 to the processing network server computer 120 . In some examples, the virtual access credential request may identify a user corresponding to the communication device 102 to support a request for interaction authorization (e.g., completion of an item or service in an electronic shopping cart when a "Bill Me" button is activated) transactions, etc.). In some examples, the total value of items added to the electronic shopping cart may be included in the virtual access credential request.

Upon receiving the request, the processing web server computer 120 may initiate the generation of virtual access credentials. The virtual access credentials may not be tied to the user's pre-existing account prior to the transaction. In some cases, a user may be considered "unbanked" and may not have any type of bank account with any bank, but may have an account with the mobile network operator computer system 140 .

At step 3, the processing web server computer 120 may communicate with the authorizing entity computer 130, which may then generate virtual access credentials. The virtual access credentials may be associated with the mobile network operator computer system 140 associated with the user operating the communication device 102 rather than the user itself. For example, authorizing entity computer 130 may extend enterprise credit to mobile network operator computer system 140 instead of the user. The mobile network operator computer system 140 may be a party to the transaction on behalf of the user.

Prior to generating virtual access credentials, authorizing entity computer 130 may execute a set of rules associated with the user to determine whether virtual access credentials may be issued to mobile network operator computer system 140 . For example, authorization entity computer 130 may determine whether mobile network operator computer system 140 offers "opt-in" communications to provide credit to its subscribers. In some examples, an "opt-out" communication may identify that the mobile network operator computer system 140 will not support the issuance of virtual access credentials for its users.

Mobile network operator computer system 140 may also execute a rule set associated with a user to determine whether a virtual access ticket may be issued to a user operating a communication device associated with mobile network operator computer system 140 . Mobile network operator computer system 140 may identify suitable information, such as device information for communication device 102, any data mobile network operator computer system 140 or resource provider computer 110 may have about the user, historical order or payment information, and the like.

In some examples, mobile network operator computer system 140 may execute a rule set associated with a user to determine whether a virtual access credential may be issued. Authorizing entity computer 130 may correspond to mobile network operator computer system 140 to receive a determination by mobile network operator computer system 140 of whether to issue a virtual access credential to the user based on execution of a set of rules associated with the user. Based on the determination of the mobile network operator computer system 140, the authorizing entity computer 130 may generate virtual access credentials.

Virtual access credentials may include reusable or one-time use account identifiers. When the virtual access credential is reusable, the credential may be stored in and associated with a user profile at the mobile network operator computer system 140 and used for more than one transaction. When the virtual access credential is a one-time use account identifier, a virtual access credential request may be transmitted between resource provider computer 110 and processing web server computer 120 for each potential transaction. In either example, the virtual access credentials may be stored in the credentials database 450 of the authorizing entity computer 130 for retrieval and use during the authorization process. In some examples, virtual access credentials may be stored at authorizing entity computer 130 with the user account. The user account may include the total value requested by the virtual access credential.

At step 4, the authorizing entity computer 130 may provide the processing web server computer 120 with virtual access credentials. Processing web server computer 120 may obtain virtual access credentials from authorizing entity computer 130 .

At step 5, the processing web server computer 120 may transmit the virtual access credentials from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. Via its mobile application or interaction site 112, the resource provider computer 110 can process transactions using virtual access credentials. For example, resource provider computer 110 may generate an authorization request message that includes virtual access credentials. Resource provider computer 110 may include virtual access credentials in the authorization request message to initiate transactions for items and services associated with the "Bill Me" button and located in the electronic shopping cart.

In some examples, a "Bill Me" button is located at an application program stored at the communication device 102 . The virtual access credentials may be provided to an application of the communication device 102 and the application may generate an authorization request message including the virtual access credentials originating from the application at the communication device 102 . An authorization request message may be transmitted from the communication device 102 to the resource provider computer 110 .

At step 6 , the resource provider computer 110 may transmit an authorization request message including the virtual access credentials to the transmitting computer 115 . Transmitting computer 115 may transmit the authorization request message to processing web server computer 120 . Processing web server computer 120 may receive an authorization request message including virtual access credentials, wherein the authorization request message requests authorization for the interaction.

In some examples, processing web server computer 120 may identify authorizing entity computer 130 based on resolving the virtual access credentials. For example, the virtual access credentials may include a substring that uniquely identifies the authorized entity handling the web server computer 120 . The substring may be similar to a bank identification number (BIN) stored in the processing web server computer 120 . When the substring of the virtual access credential matches the stored information, the processing web server computer 120 can identify the location of the appropriate authorization entity to transmit the authorization request message.

At step 7 , the processing web server computer 120 may forward the authorization request message to the authorization entity computer 130 . Authorizing entity computer 130 may determine whether to approve or deny the transaction. For example, during the approval or rejection process, the authorization entity computer 130 may compare the transaction value included in the authorization request message with the total value included in the virtual access credential and stored in the user's account. When the transaction value is within a threshold range of the total value, the transaction may be approved. Otherwise, the transaction may be rejected due to a mismatch between the transaction value included in the transaction's authorization request message and the total value included in the virtual access credential request.

At step 8, the authorization entity computer 130 may generate an authorization response message to the processing web server computer 120 including approval or denial of the transaction. Processing web server computer 120 may receive an authorization response message from authorization entity computer 130 .

At step 9 , the processing web server computer 120 may forward the authorization response message to the transmitting computer 115 and then to the resource provider computer 110 . The processing network server computer 120 may also transmit a message to the mobile network operator computer system 140 informing the mobile network operator computer system 140 that a transaction has just been conducted.

In some examples, authorization entity computer 130 may then complete the interaction with mobile network operator computer system 140 . This may include transferring funds between the mobile network operator computer system 140 and the authorized entity computer 130 during clearing and settlement procedures.

At step 10, a clearing and settlement process may take place. Settlement may be made between the transmitting computer 115 and the authorizing entity computer 130 at the end of the day or at any other suitable time period, or may be settled directly with the mobile network operator computer system 140 . If the authorizing entity computer 130 settles with the transmitting computer 115, the authorizing entity computer 130 may request reimbursement (for any fee adjustments) from the mobile network operator computer system 140 . The mobile network operator computer system 140 may then invoice the user along with the user's monthly telephone bill invoice provided by the mobile network operator computer system 140 .

The mobile network operator computer system 140 may generate an invoice for the user of the communication device 102 . The invoice may include any transaction made between the communication device 102 and the mobile network operator computer system 140, as well as any transaction made between the communication device 102 in any resource provider computer. The transactions listed in the invoice may be aggregated for the resource provider computer 110, or provided separately based on the transaction and the time the transaction was performed. The user may provide the mobile network operator computer system 140 with reimbursement of expenses.

Fees can also be exchanged. For example, the authorizing entity computer 130 may pay the processing web server computer 120 a commission. Resource provider computer 110 may pay authorization entity computer 130 a commission based at least in part on the crediting and establishment of a user account corresponding to the approved amount bound to the virtual access credential. Authorizing entity computer 130 may request reimbursement from mobile network operator computer system 140 . The mobile network operator computer system 140 may bill the user of the communication device 102 using the telephone bill.

Other embodiments may also be described using FIG. 1 . For example, at step 1 of the additional embodiment of FIG. 1 , communication device 102 may interact with resource provider computer 110 to access resources managed by the resource provider computer. Communication device 102 may interact with resource provider computer 110 via interaction site 112 or an application on a display screen of communication device 102 .

At step 2 , the resource provider computer 110 may generate and transmit a virtual access credential request to the processing web server computer 120 . The virtual access credential request may identify the user as corresponding to the communication device 102 . This information can support requests for interaction authorization (eg, gaining access to restricted areas or resources, etc.).

At step 3, the processing web server computer 120 may communicate with the authorized entity computer 130 to request access. Authorizing entity computer 130 may generate virtual access credentials.

In some examples, authorization entity computer 130 may act as an initial gateway to determine whether access rights (eg, access rights to restricted information of resource provider computer 110 ) should be granted. Authorization entity computer 130 may correspond directly to communication device 102 (or via processing web server computer 120) to request an initial authentication response from communication device 102, including the user's password or other unique identifier. Communications device 102 may respond to authorizing entity computer 130 with a password or other unique identifier, at which point authorizing entity computer 130 may generate virtual access credentials.

In some examples, authorized entity computer 130 may correspond to mobile network operator computer system 140 to access additional information about communication device 102 , including order history, location history, or a user profile associated with communication device 102 information. For example, mobile network operator computer system 140 may provide mobile network services to communication device 102 and store a history of location information using the Global Positioning System (GPS) associated with location tracking of communication device 102 . In some cases, mobile network operator computer system 140 may provide this information to authorization entity computer 130 to initiate a first authentication process with communication device 102 .

At step 4, the authorizing entity computer 130 may provide the virtual access credentials to the processing web server computer 120 (eg, upon receiving a password or other unique identifier, etc. from the user).

At step 5, the processing web server computer 120 may transmit the virtual access credentials from the authorizing entity computer 130 to the resource provider computer 110 or the communication device 102 for processing. Resource provider computer 110 may initiate a process to allow access to a resource based at least in part on receiving the virtual access credential. For example, resource provider computer 110 may generate an authorization request message that includes virtual access credentials.

At step 6 , the resource provider computer 110 may transmit an authorization request message including the virtual access credentials to the transmitting computer 115 . Transmitting computer 115 may transmit the authorization request message to processing web server computer 120 . Processing web server computer 120 may receive an authorization request message including virtual access credentials, wherein the authorization request message requests authorization for the interaction.

At step 7 , the processing web server computer 120 may forward the authorization request message to the authorization entity computer 130 . Authorizing entity computer 130 may determine whether to allow or deny access based at least in part on comparing the virtual access credentials from the initial authentication process with user information included in the authorization request message. This comparison and matching may correspond to a second level of authentication.

At step 8 , the authorization entity computer 130 may generate an authorization response message including approval or denial of access to the processing web server computer 120 . Processing web server computer 120 may receive an authorization response message from authorization entity computer 130 .

At step 9 , the processing web server computer 120 may forward the authorization response message to the transmitting computer 115 and then to the resource provider computer 110 .

At step 10 , additional interactions may take place between the authorizing entity computer 130 , the transmitting computer 115 and the mobile network operator computer system 140 , including allowing access to resources provided by the resource provider 110 .

It should be noted that while the above examples relate to payments, it should be understood that embodiments are not so limited. Other embodiments may relate to systems and methods that can generate virtual access credentials to access secure locations or secure data from remote server computers.

Technical improvements are described throughout the application. Conventional systems can provide a single authentication or authorization for an interaction. Embodiments of the present disclosure may include a dual authentication or authorization protocol comprising a first process performed by an authorization entity computer and a second process performed by a mobile network operator computer system. This two-tier authentication or authorization protocol can provide improved technical validation prior to interaction between a user and a resource, thereby providing greater security.

Additionally, embodiments allow users without credentials to obtain temporary credentials so they can access desired resources, such as data, locations, goods or services. Embodiments can do this without significant changes to the access infrastructure.

The computer systems described herein may be embodied in hardware and include one or more of the elements in the figures as may be adapted to carry out such functionality. Examples of such systems or components that may be integrated with a computing system may be interconnected via a system bus. Additional subsystems may be provided, such as printers, keyboards, fixed disks or other storage including computer readable media, monitors or other components. A monitor can be coupled with a display adapter. Peripherals and other input/output (I/O) devices can be coupled to the I/O controller and connected to the computer system by any number of means known in the art (eg, serial ports). For example, a serial port or other external interface can be used to connect the computer system to a wide area network such as the Internet, a mouse input device, or a scanner. The interconnection via the system bus allows the central processor to communicate with each system and control the execution of instructions from system memory or fixed disk and the exchange of information between subsystems. This is a memory and/or fixed disk that may embody a computer readable medium.

Furthermore, while the disclosure has been described using certain combinations of hardware and software in the form of control logic and programming code and instructions, it should be recognized that other combinations of hardware and software are within the scope of the present application. The present application can be realized only in hardware, only in software or a combination thereof.

Any software component or function described in this application may be implemented as software code executed by a processor using, for example, conventional or object-oriented techniques and using any suitable computer language (eg, Java, C++ or Perl). The software code may be stored as a series of instructions or commands on a computer readable medium such as random access memory (RAM), read only memory (ROM), magnetic media such as a hard drive or floppy disk, or optical media such as CD-ROM. Any such computer-readable media may reside on or within a single computing device, and may reside on or within different computing devices within a system or network.

The above description is illustrative rather than limiting. Many variations of the invention may become apparent to those skilled in the art upon review of the present disclosure. The scope of the invention, therefore, should be determined not with reference to the above description, but should be determined with reference to the appended claims along with their full scope or equivalents.

One or more features of any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.

The recitations "a" or "the" are intended to mean "one or more" unless clearly indicated to the contrary.

All patents, patent applications, publications, and descriptions mentioned above are hereby incorporated by reference in their entirety for all purposes. It is not an admission that they are prior art.

Claims (20)

1. A method for authentication and authorization comprising: receiving, by a server computer, a request for virtual access credentials for an interaction between a resource provider computer and a communication device operated by a user associated with a mobile network operator computer system, wherein the virtual access credential request includes a request for the interaction the requested amount; transmitting, by the server computer, the virtual access credential request to an authorized entity computer; receiving, by the server computer, virtual access credentials from the authorizing entity computer, wherein the virtual access credentials are generated by the authorizing entity computer to be associated with an approved amount corresponding to the virtual access the amount requested in the credential request for the interaction; transmitting, by the server computer, the virtual access credential to the communication device or the resource provider computer; receiving, by the server computer, an authorization request message including the virtual access credential and a total interaction amount, wherein the authorization request message requests authorization for the interaction; forwarding, by the server computer, the authorization request message to the authorization entity computer; receiving, by the server computer, an authorization response message from the authorizing entity computer, wherein the authorization entity computer generates the authorization response message based at least in part on a comparison of the total interaction amount and the approved amount; and The authorization response message is forwarded by the server computer to the resource provider computer, wherein the authorization entity computer then completes the interaction with the mobile network operator computer system. 2. The method of claim 1, wherein the virtual access credentials include data usable to access location or security data. 3. The method of claim 1, wherein the communication device is a mobile phone. 4. The method of claim 1, wherein the mobile network operator computer system executes a set of rules associated with the user prior to determining the virtual access credentials by the authorizing entity computer. 5. The method of claim 1, further comprising: generating a user profile associated with said virtual access credentials; and Determinations made by the authorized entity computer are stored with the user profile. 6. A computer system for authentication and authorization, comprising: processor; and A computer-readable medium coupled to the processor, the computer-readable medium comprising code executable by the processor for implementing a method comprising: receiving a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user associated with a mobile network operator computer system, wherein the virtual access credential request includes an amount requested for the interaction ; transmitting said virtual access credential request to an authorized entity computer; A virtual access credential is received from the authorizing entity computer, wherein the virtual access credential is generated by the authorizing entity computer to be associated with an approved amount corresponding to the value in the virtual access credential request. said amount of said interaction request; transmitting the virtual access credential to the communication device or the resource provider computer; receiving an authorization request message including the virtual access credential and a total interaction amount, wherein the authorization request message requests authorization for the interaction; forwarding the authorization request message to the authorization entity computer; receiving an authorization response message from the authorization entity computer, wherein the authorization entity computer generates the authorization response message based at least in part on a comparison of the total interaction amount and the approved amount; and The authorization response message is forwarded to the resource provider computer, wherein the authorization entity computer then completes the interaction with the mobile network operator computer system. 7. The computer system of claim 6, wherein the virtual access credential is 16 digits in length. 8. The computer system of claim 6, wherein the mobile network operator computer system routes messages to a plurality of wireless module devices and from a plurality of wireless mobile devices. 9. The computer system of claim 6, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined. 10. The computer system of claim 6, wherein the method further comprises: generating a user profile associated with said virtual access credentials; and Determinations made by the authorized entity computer are stored with the user profile. 11. A method for authentication and authorization comprising: receiving, by an authorizing entity computer, a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user associated with a mobile network operator computer system, wherein the virtual access credential request includes the the amount requested for the interaction; generating, by the authorizing entity computer, a virtual access credential associated with an approved amount corresponding to the amount requested for the interaction; transmitting, by the authorizing entity computer, the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer; receiving, by the authorization entity computer, an authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction and includes a total interaction amount; comparing, by the authorization entity computer, the total interaction amount contained in the authorization request message with the approved amount; determining, by the authorizing entity computer, approval or denial of the authorization request message based on the comparison; generating an authorization response message by said authorization entity computer based on said approval or said refusal of said authorization request message; forwarding, by the authorizing entity computer, the authorization response message to the processing network computer; and A completion message is then forwarded to the mobile network operator computer system based on the approval or the rejection of the authorization request message. 12. The method of claim 11, wherein the virtual access credentials allow access to secure data. 13. The method of claim 11, wherein the communication device is a mobile phone. 14. The method of claim 11, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined. 15. The method of claim 11, further comprising: generating a user profile associated with said virtual access credentials; and The approval or the rejection of the authorization request message is stored with the user profile. 16. A computer system for authentication and authorization comprising: processor; and A computer-readable medium coupled to the processor and comprising code executable by the processor for implementing a method comprising the steps of: receiving a virtual access credential request for an interaction between a resource provider computer and a communication device operated by a user and associated with a mobile network operator computer system, wherein the virtual access credential request includes an amount requested for the interaction ; generating a virtual access voucher associated with an approved amount corresponding to the amount requested for the interaction; transmitting the virtual access credential to a processing network computer, wherein the virtual access credential is forwarded to the communication device or the resource provider computer; receiving an authorization request message including the virtual access credential, wherein the authorization request message requests authorization for the interaction and includes a total interaction amount; comparing said total interaction amount contained in said authorization request message with said approved amount; determining approval or denial of the authorization request message based on the comparison; generating an authorization response message based on said approval or said rejection of said authorization request message; forwarding the authorization response message to the processing network computer; and A completion message is then forwarded to the mobile network operator computer system based on the approval or the rejection of the authorization request message. 17. The computer system of claim 16, wherein the virtual access credentials allow access to a location. 18. The computer system of claim 16, wherein the communication device is a laptop computer. 19. The computer system of claim 16, wherein the mobile network operator computer system executes a set of rules associated with the user before the virtual access credentials are determined. 20. The computer system of claim 16, wherein the method further comprises: generating a user profile associated with said virtual access credentials; and The approval or the rejection of the authorization request message is stored with the user profile.

Images