Abstract: A transaction device for establishing a shared secret with a point of interaction (POI) over a communications network to enable encrypted communications between the transaction device and the point of interaction, the device comprising: an input arranged to receive communications from the point of interaction; a processor arranged to generate a first communication according to a Diffie-Hellman protocol; an output arranged to send the first communication to the point of interaction; wherein the processor is arranged to apply a randomly generated blinding factor, r, when generating the first communication and wherein, in response to receiving a second communication from the point of interaction at the input, the second communication having been generated according to the Diffie-Hellman protocol, the processor is arranged to apply the randomly generated blinding factor and generate a shared secret according to the Diffie-Hellman protocol in dependence on data contained within the second communication.

Abstract: A mobile computing device having at least one processor and at least one memory, together providing a first execution environment and a second execution environment logically isolated from the first execution environment, the mobile computing device comprising: a first application executable within the first execution environment; a second trusted application executable within the second execution environment; and a secure communications channel between the first application and the second trusted application, wherein the second trusted application is configured to generate one or more data items and to provide the one or more data items to the first application via the secure communications channel.

Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic

Abstract: A system and method of authenticating a communication network comprising a first computing device, a second computing device and an intermediary computing device, wherein there is a first path between the first computing device and the intermediary computing device and a second path between the second computing device and the intermediary computing device. The method is executed at the intermediary computing device, and comprises receiving, from the first computing device, a first session key generated by the first computing device using a function, wherein an input to the function comprises an incremented variable; receiving, from the second computing device, data associated with a second session key generated by the second computing device using the function; determining that the first session key and the second session key are the same; and defining the communication network as authentic when the first session key and the second session key are the same.

Abstract: A contactless card reader system comprises the a contactless card reader for short range wireless communication with a payment device using a contactless card protocol. The reader also comprises a terminal for exchanging data with the payment device and with a remote server to perform a contactless card transaction. The terminal is comprised in a personal computing device. The remote server may provide functionality to the terminal in performance of the transaction. A method of performing a transaction is also described.

Abstract: A mobile computing device has at least one processor and at least one memory together providing a first execution environment and a second execution environment logically isolated from the first execution environment. The following approach is taken to manage data items for an application executing the first execution environment. A trust relationship is established between a trust client in the second execution environment and a remote trusted party and the trust client receives one or more data items from the remote trusted party. On executing the application in the first execution environment, the trust client provides the data items or further data items derived therefrom to the application 213. Provision of these data items may be conditional upon a user authentication process. A suitable mobile computing device is also described.

Abstract: A method of matching transaction data with a transaction receipt using one of a plurality of transaction-specific elements is described. Transaction-specific elements are determined (210) from a transaction between a payment token of a user and a terminal. Transaction identifiers are then formed (220), each from a separate transaction-specific element. At least one of the transaction identifiers is then received or generated (230) in a transaction processing system. The transaction processing system provides transaction data associated with this transaction identifier. Each of the transaction identifiers used by the transaction processing system is combined (240) to form a composite transaction identifier comprising a plurality of transaction identifier elements. Each transaction identifier is matched (250) against each transaction identifier element to identify the transaction and to associate the transaction data with a transaction receipt.

Abstract: Instead of requiring key exchange between a trusted biometric application in a TEE and an external application outside of the TEE that provides access to a secured function, the trusted application is preconfigured with security data such as (in a first implementation) authentication credentials (e.g. a PIN) or (in a second implementation) a cryptographic key. This security data is then used to authenticate a biometric validation obtained by the trusted application to the external application.

Abstract: A method and associated system for performing a transaction using biometric input from a cardholder 20 to establish both the presence of the cardholder at a point of sale 10, cardholder identification, and the cardholder's informed consent to a particular transaction, cardholder consent. In some embodiments, a single, unusual biometric input, such as placing the little fingers of both hands on a fingerprint scanner 24a, is detected at the point of sale 10 to establish both cardholder identity and cardholder consent in a single, convenient action.

Abstract: A method for generating payment credentials in a payment transaction includes: storing, in a memory, at least a single use key associated with a transaction account; receiving, by a receiving device, a personal identification number; identifying, by a processing device, a first session key; generating, by the processing device, a second session key based on at least the stored single use key and the received personal identification number; generating, by the processing device, a first application cryptogram based on at least the first session key; generating, by the processing device, a second application cryptogram based on at least the second session key; and transmitting, by a transmitting device, at least the first application cryptogram and second application cryptogram for use in a payment transaction.

Abstract: Reference equipment including a reference card and a reference reader is provided for testing electronic payment devices such as cards and card readers. The reference equipment includes reference cards and reference readers that respectively can be used to verify compliance of product cards and product readers with product specifications The product specifications may, for example, be the ISO 14443 Standard specifications which are commonly accepted in the electronic payment industry The reference equipment is designed to enhance interoperability of product payment devices whose functional behaviors may vary because of vendor customization of device specifications or due to manufacturing tolerances In some embodiments, the reference equipment includes a reference card for testing card readers The exemplary reference card can comprise a current mirror to permit an electronically adjustable variable load using an external controller The reference card electronic circuit can exhibit variable load conditions.

Abstract: Secure establishment of a key associated with a first facility identifier is facilitated. The key is shared between a device and an operator of a first facility, via a public key management infrastructure of a payment system operating according to the payment standard, during a first transaction, substantially in accordance with the payment standard, between the device and the first facility. Controlling access to a first facility is facilitated, via the device, using the key associated with the first facility identifier, substantially without reference to an issuer of the device and substantially without use of asymmetric keys of the device, during a plurality of subsequent transactions, substantially in accordance with the payment standard, between the device and the first facility.

Abstract: A system and method for operating a payment terminal, the method including receiving a list of eligible applications from a payment device; generating a candidate list including applications from the list of eligible applications received that are supported by the payment terminal; determining a reduced candidate list, the reduced candidate list including applications from the candidate list that match merchant-specified network preference criteria; determining a final selection of an application based on the reduced candidate list; and providing an indication of the final selection application.

Abstract: A transaction device for establishing a shared secret with a point of interaction (POI) over a communications network to enable encrypted communications between the transaction device and the point of interaction, the device comprising: an input arranged to receive communications from the point of interaction; a processor arranged to generate a first communication according to a Diffie-Hellman protocol; an output arranged to send the first communication to the point of interaction; wherein the processor is arranged to apply a randomly generated blinding factor, r, when generating the first communication and wherein, in response to receiving a second communication from the point of interaction at the input, the second communication having been generated according to the Diffie-Hellman protocol, the processor is arranged to apply the randomly generated blinding factor and generate a shared secret according to the Diffie-Hellman protocol in dependence on data contained within the second communication.

Abstract: A method of performing a transaction using first and second computing devices is described. A local data connection is established between the first computing device and the second computing device. An amount to transfer is identified at either the first computing device or the second computing device. A first account is identified at the first computing device and a second account at the second computing device. Credentials are provided at the first computing device to authorize the transaction, and encrypted and authenticated transaction data is sent to a payer account provider for value transfer between the first account provider and a second account provider. Confirmation of the completed transaction is then provided to the first computing device and the second computing device. Suitable computer program products and computing devices are provided. This method is particularly effective for providing local person to person value transfers in real time.

Abstract: Disclosed herein is a method for performing an integrated contactless point-of-sale transaction. More particularly, there is disclose a method comprising: receiving, by a mobile device 1, a seed number from a communications network; generating, by the mobile device 1, one or more session keys, in dependence on the received seed number, for use in encrypted communication with the mobile device 1; and/or generating, by the mobile device 1, a pre-image, in dependence on the received seed number, for use in generating an unpredictable number for use in secure communication with the mobile device. Advantageously, the generation of session keys and/or a pre-image in dependence on a seed number provided to the mobile device improves the security of the system since the source of the seed number can detect incorrect session keys and/or unpredictable number derived from an incorrect pre-image.

Abstract: A contactless card reader system comprises the a contactless card reader for short range wireless communication with a payment device using a contactless card protocol. The reader also comprises a terminal for exchanging data with the payment device and with a remote server to perform a contactless card transaction. The terminal is comprised in a personal computing device. The remote server may provide functionality to the terminal in performance of the transaction. A method of performing a transaction is also described.

Abstract: A payment-enabled mobile device receives, during a first tap of the mobile device on a proximity reader component of a point of sale (POS) terminal, first transaction context data for a current transaction, and receives during a second tap of the mobile device on the proximity reader component, second transaction context data for the current transaction. When the mobile device determines that the second tap is for the same transaction as the first tap, and that one of a customer verification method (CVM) status or a user acknowledgment status flag has been set, then it transmits a payment card account number to the POS terminal to consummate the transaction.

Abstract: A system and method for operating a payment terminal, the method including receiving a list of eligible applications from a payment device; generating a candidate list including applications from the list of eligible applications received that are supported by the payment terminal; determining a reduced candidate list, the reduced candidate list including applications from the candidate list that match merchant-specified network preference criteria; determining a final selection of an application based on the reduced candidate list; and providing an indication of the final selection application.

Abstract: A payment-enabled mobile device such as a “smart phone” incorporates risk management features that are applicable to its use in contactless payment transactions. Some features may govern when verification of the cardholder's identity is required for consummation of the current transaction. The features may be configurable by the payment card account issuer and/or the user of the mobile device.