Abstract: A mobile computing device has at least one processor and at least one memory together providing a first execution environment and a second execution environment logically isolated from the first execution environment. The following approach is taken to manage data items for an application executing the first execution environment. A trust relationship is established between a trust client in the second execution environment and a remote trusted party and the trust client receives one or more data items from the remote trusted party. On executing the application in the first execution environment, the trust client provides the data items or further data items derived therefrom to the application. Provision of these data items may be conditional upon a user authentication process. A suitable mobile computing device is also described.

Abstract: Currently, many aspects of electronic transactions have become digital, and may therefore be performed online using mobile devices. However, many of these possibilities have been adopted by no longer supporting legacy systems—in the newer and emerging economies, this does not create a major problem as they have few consumers using legacy systems and methods. But this lack of interoperability limits the adoption of legacy-compatible systems and method. It also restricts their adoption in other countries. In addition, the increased use of payment through such electronic transactions is increasing the frequency and amount of fraudulent transactions.

Abstract: A cryptographic method of performing a tokenised transaction between a payment offering party and a payment accepting party is described. The tokenised transaction is mediated by a transaction scheme. The payment accepting party is provided with a merchant identity and a merchant certificate associated with that identity by the transaction scheme provider. The payment accepting party provides the merchant identity and transaction seed data to the payment offering party. The payment offering party validates the merchant identity and uses the merchant identity and the transaction seed data to generate a cryptogram for the tokenised transaction. The payment offering party provides the cryptogram to the payment accepting party for transmission to the transaction scheme provider for authorisation of the tokenised transaction. A suitable user computing device and merchant computing device for acting as payment offering party and payment accepting party respectively are also described.

Abstract: According to some embodiments, systems, methods and computer program code are provided to generate a retail message authentication code (MAC) which includes loading a first key, loading a second key, issuing a first call to a cloud hardware security module (HSM) to invoke a DES3 encryption operation, the call including the first key and a first input set of data, receiving an output of the first call, issuing a second call to a cloud HSM to invoke a DES3 encryption operation, the call including the second key and a second input set of data, the second input set of data including data associated with the output of the first call, receiving the generated retail MAC.

Abstract: According to some embodiments, systems, methods and computer program code are provided to generate a cipher-based message authentication code (“CMAC”) which may be used with cloud hardware security modules (“HSM”). Pursuant to some embodiments, a process for generating a CMAC includes preparing a first input set of data, issuing a first call to the HSM, the call including a key and the first input set of data, receiving an output of the first call, preparing a second input set of data, the second set including data from the output of the first call, issuing a second call to the HSM, the call including the key and the second input set of data, and receiving a cipher-based message authentication code.

Abstract: A method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device lacking a secure element, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier; using the mobile PIN; generating a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and transmitting the generated single use key to the mobile device.

Abstract: A transaction processing system for sending user information data to a personal device, and an associated method are provided. The system comprises: a personal device, such as a balance display card; an interface device, such as a card reader for transmitting data to and from the card; a communications network connecting to the interface device; an issuer processor connected to the communications network; and a trusted network processor (TNP) processor connected to the communications network, interposed between the interface device and the issuer processor. The TNP processor is arranged to receive a transaction request message from a card user and to transmit a response message back to the personal device, the response message typically being a transaction authorization together with information for display on the card.

Abstract: A method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device lacking a secure element, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier; using the mobile PIN; generating a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and transmitting the generated single use key to the mobile device.

Abstract: A method is described for providing user authentication and user consent for a transaction made with a payment device. A user authentication step is taken to verify that a user is entitled to use the payment device, and a user consent step is taken to verify that the user consents to the transaction. The user authentication step is discrete from the user consent step. A payment device adapted to perform this method is also described.

Abstract: A transaction processing system for sending user information data to a personal device, and an associated method are provided. The system comprises: a personal device, such as a balance display card; an interface device, such as a card reader for transmitting data to and from the card; a communications network connecting to the interface device; an issuer processor connected to the communications network; and a trusted network processor (TNP) processor connected to the communications network, interposed between the interface device and the issuer processor. The TNP processor is arranged to receive a transaction request message from a card user and to transmit a response message back to the personal device, the response message typically being a transaction authorization together with information for display on the card.

Abstract: A method for enhanced validation of cryptograms for varying account number lengths includes: storing one or more primary account numbers and a plurality of formatting templates, each template being associated with an account number length; receiving a selection indicating a specific primary account number; identifying a specific formatting template where the associated account number length corresponds to a length of the specific primary account number; receiving an unpredictable number from a point of sale device; generating a cryptogram based on at least the unpredictable number and one or more algorithms; generating a data string, wherein the data string includes at least the generated cryptogram, the specific primary account number, and the unpredictable number, and wherein the data string is formatted based on the identified specific formatting template; and electronically transmitting the generated data string to the point of sale device.

Abstract: Instead of requiring key exchange between a trusted biometric application in a TEE and an external application outside of the TEE that provides access to a secured function, the trusted application is preconfigured with security data such as (in a first implementation) authentication credentials (e.g. a PIN) or (in a second implementation) a cryptographic key. This security data is then used to authenticate a biometric validation obtained by the trusted application to the external application.

Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic

Abstract: A transaction request is received. The transaction request is for a transaction to charge a payment account managed by a payment entity. It is detected that the transaction request exceeds a transaction limit that is applicable to the payment account. A message is transmitted to the payment entity to indicate that the transaction request exceeds the transaction limit.

Abstract: Back-up credentials data is stored for a user. A communication channel is established with a mobile device. A cryptogram is received from the mobile device, such that the cryptogram is relayed by the mobile device from an authentication device that interacted with the mobile device. The authentication device is associated with the user. The cryptogram is verified. In response to the verification of the cryptogram, the stored back-up credentials data is made accessible to the mobile device.

Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic

Abstract: A method for enhanced validation of cryptograms for varying account number lengths includes: storing one or more primary account numbers and a plurality of formatting templates, each template being associated with an account number length; receiving a selection indicating a specific primary account number; identifying a specific formatting template where the associated account number length corresponds to a length of the specific primary account number; receiving an unpredictable number from a point of sale device; generating a cryptogram based on at least the unpredictable number and one or more algorithms; generating a data string, wherein the data string includes at least the generated cryptogram, the specific primary account number, and the unpredictable number, and wherein the data string is formatted based on the identified specific formatting template; and electronically transmitting the generated data string to the point of sale device.

Abstract: Back-up credentials data is stored for a user. A communication channel is established with a mobile device. A cryptogram is received from the mobile device, such that the cryptogram is relayed by the mobile device from an authentication device that interacted with the mobile device. The authentication device is associated with the user. The cryptogram is verified. In response to the verification of the cryptogram, the stored back-up credentials data is made accessible to the mobile device.

Abstract: A method for enhanced validation of cryptograms for varying account number lengths includes: storing one or more primary account numbers and a plurality of formatting templates, each template being associated with an account number length; receiving a selection indicating a specific primary account number; identifying a specific formatting template where the associated account number length corresponds to a length of the specific primary account number; receiving an unpredictable number from a point of sale device; generating a cryptogram based on at least the unpredictable number and one or more algorithms; generating a data string, wherein the data string includes at least the generated cryptogram, the specific primary account number, and the unpredictable number, and wherein the data string is formatted based on the identified specific formatting template; and electronically transmitting the generated data string to the point of sale device.

Abstract: Back-up credentials data is stored for a user. A communication channel is established with a mobile device. A cryptogram is received from the mobile device, such that the cryptogram is relayed by the mobile device from an authentication device that interacted with the mobile device. The authentication device is associated with the user. The cryptogram is verified. In response to the verification of the cryptogram, the stored back-up credentials data is made accessible to the mobile device.