Abstract: One embodiment of the invention is directed to a computer-implemented method comprising, receiving a first request that includes a token associated with a first computing device to utilize a shared resource implemented by a federated network of computing devices. The method further comprises identifying that the first computing device is an unknown entity based in part on the token and one or more signature used to sign the token. The method further comprises transmitting, to a trust management system, a second request to authenticate the first computing device using the token. The method further comprises, receiving an authentication message that verifies the first computing device within an open trust network. The authentication message may be generated in response to the trust management system communicating with a plurality of registrar computers in the open trust network about the signatures associated with the token.

Abstract: A method includes receiving, by a server computer, data of a communication device; training, by the server computer, a neural network model based on the data of the communication device and communication device metadata from one or more additional communication devices, to generate a machine learning model configured to determine, based on a metadata associated with an application, a security value related to an indication of a security threat; and transmitting the machine learning model to the communication device. The communication device can use the machine learning model to determine the security value, by inputting the metadata associated with the application, as a vectorized data into the machine learning model. The communication device can determine whether to run or install the application based upon the security value.

Abstract: An issuing authority (IA) may validate the identity of a user and issue a digital license to the user. IA may generate IA public-private key pair, and provide IA public key to the certification authority (CA). IA may sign the digital license with IA private key, and provision the signed digital license on the user device. IA may request CA to certify the digital license. CA may use IA public key to validate the digital license, and sign IA public key with CA private key, thereby generating a digital certificate associated with the issuing authority that is linked to the digital license. A relying party may use CA public key to validate the digital license. The relying party can retrieve the information from the digital license and trust that the retrieved information is legitimate.

Abstract: Described are a system, method, and computer program product for updating and processing payment device transaction tokens. The method includes receiving a first notification based on issuance of a first new payment device, generating a first new token associated with the first new payment device, and linking the first new token to a previous token. The method also includes receiving a second notification based on issuance of a second new payment device, generating a second new token associated with the second new payment device, and linking the second new token to the first new token in a chain. The method further includes determining to deactivate the first new payment device and modifying the chain to remove the first new token. The method further includes receiving a transaction request and processing the transaction request by communicating second new token to an issuer.

Abstract: Systems and methods are for confidentially and securely provisioning data to an authenticated user device. A user device may register an authentication public key with an authentication server. The authentication public key may be signed by an attestation private key maintained by the user device. Once the user device is registered, a provisioning server may send an authentication request message including a challenge to the user device. The user device may sign the challenge using an authentication private key corresponding to the registered authentication public key, and may return the signed challenge to the provisioning server. In response, the provisioning server may provide provisioning data to the user device. The registration, authentication, and provisioning process may use public key cryptography while maintaining confidentiality of the user device, the provisioning server, and then authentication server.

Abstract: Methods and systems for performing on demand access transactions are disclosed. In one example, the method includes receiving, by a directory service computer from an authorizing computer, a file including a primary access identifiers and virtual access identifiers, the virtual access identifiers not being capable of being used at resource providers to conduct transactions. The method also includes receiving a request to provide an access token that is associated with an account, the request comprising information that identifies the account. The method further includes retrieving a virtual access identifier based on the identifying information; and requesting, by the directory service computer to a token service computer, that the access token be provisioned on the user device or an application computer associated with an application on the user device.

Abstract: A cross-wallet system generate a cross-platform key or a virtual account number for a first digital wallet provider to be used by the consumer when the consumer wishes to send payment to a second digital wallet provider with which the consumer does not possess an account. Moreover, the virtual account number, in one example, may only include a partial set of card number that does not include the typical set of card number. The virtual account number created by embodiments of the invention further enable security features that prevent fraud and protect the consumer's financial assets.

Abstract: A disclosed method includes a data distribution computer receiving a data packet comprising a plurality of data values in response to an interaction between a resource provider and a user. The data distribution computer can then determine a data item for each data value of the plurality of data values and associate each data value to a processing computer using the data item for each data value. It can generate a plurality of authorization request messages comprising at least one data value. It can then transmit the plurality of authorization request messages to a plurality of processing computers adapted to process the data values in the respective authorization request messages, where the plurality of processing computers process the data values in the respective authorization request messages. The plurality of authorization request messages are subsequently forwarded to the authorization computer. The authorization computer then analyzes each authorization request message.

Abstract: Provided is a method for normalizing embeddings for cross-embedding alignment. The method may include applying mean centering to the at least one embedding set, applying spectral normalization to the at least one embedding set, and/or applying length normalization to the at least one embedding set. Spectral normalization may include decomposing the at least one embedding set, determining an average singular value of the at least one embedding set, determining a respective substitute singular value for each respective singular value of a diagonal matrix, and/or replacing the at least one embedding set with a product of the at least one embedding set, a right singular vector, and an inverse of the substitute diagonal matrix. The mean centering, spectral normalization, and/or length normalization may be iteratively repeated for a configurable number of iterations. A system and computer program product are also disclosed.

Abstract: Methods and systems are described. A method includes accessing a first identifier of a payment requester and a first identifier of an electronic communication from an electronic communication client that identifies a payment requester and an electronic communication, authenticating the payment requester as being registered to receive payments, if the payment requester is authenticated, automatically identifying a payment service that is registered as an approved payer, and authenticating the payment service as being approved to make payments to the payment requester. In response to a selection of a funds transfer triggering component in the electronic communication, causing a transfer of funds from the approved payment service to the payment requester.

Abstract: Embodiments include apparatuses, methods, and systems for performing security protection of association between a user device and a user. A computing system receives from a service provider a notification that an identifier of a user device has been activated in the user device to be associated with a user identifier to replace an existing identifier of the user device associated with the user identifier. The computing system further receives from the user device a request for information associated with the user identifier to be sent to the user device associated with the identifier of the user device. Before sending the requested information to the user device, the computing system verifies the identifier of the user device has been activated by the user by an additional authentication of the user through a communication path between the user and the computing system. Other embodiments may also be described and claimed.

Abstract: Blockchain-based, smart contract platforms have great promise to remove trust and add transparency to distributed applications. However, this benefit often comes at the cost of greatly reduced privacy. Techniques for implementing a privacy-preserving smart contract is described. The system can keep accounts private while not losing functionality and with only a limited performance overhead. This is achieved by building a confidential and anonymous token on top of a cryptocurrency. Multiple complex applications can also be built using the smart contract system.

Abstract: Embodiments of the present invention relate to systems and methods for implementing a mobile tokenization hub with a common tokenization capabilities (CTC) module that may provide tokenization for various entities in various contexts. For example, the CTC module can provide and store tokens for mobile payment transactions, transit transactions, digital wallet applications, merchant point of sale (POS) applications, personalization services, and the like.

Abstract: A method for utilizing a registration authority computer to facilitate a certificate signing request is provided. A registration authority computer may receive a certificate signing request associated with a token requestor. The registration authority computer may authenticate the identity of the token requestor and forward the certificate signing request to a certificate authority computer. A token requestor ID and a signed certificate may be provided by the certificate authority computer and forwarded to the token requestor. The token requestor ID may be utilized by the token requestor to generate digital signatures for subsequent token-based transactions.

Abstract: In some embodiments, a method includes receiving, from a user of a user device, a request for an authorization-by-proxy payment on delivery (POD); requesting, at the user device, the user identify an authorized proxy for the authorization-by-proxy POD; generating an authorization-by-proxy code based upon buyer-controlled payment control parameters; and using the buyer-controlled payment parameters to control processing of a payment for the authorization-by-proxy POD. In some embodiments, the method further includes pre-authorizing, at shipment time of merchandise associated with the authorization-by-proxy POD, a hold on a monetary amount associated with an order of the merchandise associated with the authorization-by-proxy POD.

Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.

Abstract: A method is disclosed. The method includes receiving, at a computing system, from a user, a request for an access code and one or more constraints on a use of the access code, and identifying a portable device to be associated with the access code. The method also includes obtaining, using the portable device, authorization for one or more potential interactions using the access code. Upon obtaining authorization for the one or more interactions, the method includes generating the access code, which includes an identifier that causes an access request that includes the access code be routed to the computing system. The method also includes receiving, from an access device, an access request comprising the access code in an interaction. Upon determining that the interaction complies with the one or more transaction constraints, the computing system provides an indication to the access device that the interaction is authorized.

Abstract: A method is disclosed and includes receiving, by a first communication device, a first local authentication model, the first local authentication model being derived from a master authentication model at a remote server computer, and receiving a request to perform an interaction with a second communication device, the interaction being performed in an offline manner. The method may further include applying, by the first communication device, the first local authentication model to the interaction to determine a first authentication result and determining whether or not to allow the interaction to proceed based upon the first authentication result. The method may also include updating the first local authentication model using the master authentication model when the first communication device is online.

Abstract: Disclosed is a system to optimize rule weights for classifying access requests so as to manage rates of false positives and false negative classifications. A rules suggestion engine may suggest a profile of classification rules to a merchant for access requests. The system can optimize weights for the profile of rules using a cost function based on a training set of historical access requests, for example using stepwise regression or machine learning (ML). The system can compute a profile score based on the optimized weights, for example by summing the weights. The system statistically analyzes the profile score using classification thresholds and the historical access requests. The system can perform receiver operating characteristic (ROC) analysis for various threshold values, enabling a user to select a suitable threshold. The system can further optimize by adding or removing rules from the profile of rules.