Abstract: A method is disclosed. The method includes receiving, by a processing network computer from a relying party computer associated with a relying party, a request for data associated with a user operating a user device. The processing network computer may retrieve first encrypted data of the user having a user-layer of encryption. The processing computer can then generate a second symmetric key to add a relying party-layer of encryption to the first encrypted data using a stream cipher. The doubly encrypted data may be transmitted to a user device that removes the user-layer of encryption on the first doubly encrypted data, and then adds a second relying party-layer of encryption to form second doubly encrypted data. The second doubly encrypted data may be transmitted to the relying party computer, which can remove both relying party-layers of encryption to gain access to the data associated with the user.

Abstract: Systems and methods are disclosed for securely communicating sensitive such as an identifier. A user device may receive a first message comprising a terminal type indicator. For certain values of the terminal type indicator, the user device may be configured to transmit a request message comprising a first identifier and an encrypted identifier. For other values of the terminal type indicator, the user device may be configured to generating an obfuscated identifier based at least in part on a first portion of a second identifier and a second portion of the encrypted identifier. The user device may then transmit a request message that includes the obfuscated identifier and the encrypted identifier.

Abstract: Systems and methods for threshold authenticated encryption are provided. A collection of cryptographic devices may encrypt or decrypt a message, provided that a threshold number of those devices participate in the encryption process. One cryptographic device may generate a commitment message and transmit it to the other selected devices. Those devices may each perform a partial computation using the commitment message, and transmit the partial computations back to the encrypting or decrypting device. The encrypting or decrypting device may use those partial computations to produce a cryptographic key, which may then be used to encrypt or decrypt the message.

Abstract: Systems and methods provide dynamic application selection based on contextual data of a transaction. A portable device may include multiple applications with which a transaction may be processed. These applications may be associated with a variety of priorities. The portable device may provide a list of these applications to an access device from which one application may be selected.

Abstract: Methods and systems for privacy-preserving identity attribute verification are presented. During an interaction between a relying entity and a user, a relying entity computer can transmit a policy token to a user device. The policy token may indicate the information needed by the relying entity in order to perform the interaction. The user device can verify the policy token, then use the policy token in conjunction with an identity token to generate a zero-knowledge proof. The user device may transmit the zero-knowledge proof to an identity service provider computer. The identity service provider computer may verify the zero-knowledge proof, then generate a verification message. The identity service provider computer may sign the verification message and transmit the signed verification message to the relying entity computer. The relying entity computer may verify the verification message and complete the interaction with the user.

Abstract: Systems and methods are provided to enable a user to conduct a transaction using their credentials stored on a secure server computer (e.g., a computer associated with a partner such as another merchant) by merely presenting their authentication data at a physical location via an auxiliary device. An auxiliary device may be provided for interfacing with a partners backend server (e.g., the secure server computer). In some embodiments, biometric authentication may provide a mechanism for a true seamless and potentially frictionless (in the case of modalities that do not require physical contact) interaction. Payment can occur without any need for a card, phone, wearable, or any other user device as long as the auxiliary device is able to recognize the user and retrieve a credential that can be linked to that user.

Abstract: Described herein are a system and techniques for detecting whether biometric data provided in an access request is genuine or a replay. In some embodiments, the system uses an machine learning model trained using genuine and replay sample data which is optimized in order to produce a result set in which results for the genuine samples are pulled closer to a genuine center and results for the replay samples are pushed away from the genuine center. Subjecting input biometric data (e.g., an audio sample) to the trained model results in a classification of the input biometric data as genuine or replay, which can then be used to determine whether or not to verify the input biometric data.

Abstract: A method is disclosed. The method comprises transmitting, by an access device to a communication device, a resource provider certificate and an access device certificate. Then, establishing a secure channel between the access device and the communication device using data from the resource provider certificate and the access device certificate. Then, transmitting to or receiving data from the communication device using the secure channel.

Abstract: A computer-implemented method performed by a user device is provided. The computer-implemented method includes receiving a message including an encrypted credential from a server computer; determining a response shared secret using a private key and a server public key; decrypting the encrypted credential using the response shared secret to determine a credential; obtaining a key derivation parameter from the credential; determining a first cryptogram key using the key derivation parameter; generating a first cryptogram using the first cryptogram key; and sending the first cryptogram to a second computer.

Abstract: A technique for embedding and utilizing credentials in a network address may include requesting a network address for a client device by providing an account identifier to a server computer associated with a service provider. A network address that is mapped to the account identifier can be assigned to the client device. The network address may include a routing prefix field and a network interface identifier field. The routing prefix field may include an issuer identifier of an issuer of the account, and the network interface identifier field may include an interface identifier that maps to the account identifier. By embedding credentials such as an account identifier in the network address, the actual account identifier need not be transmitted to perform actions on the account.

Abstract: A method for verifying that event can take place before the event is executed is disclosed. A verification system is incorporated into an event processing network, such that the verification system can identify newly proposed events and determine whether they can be completed. The verification system can inform the network about verification results through distributed blockchain records. Other changes in event status can also be communicated through and stored in blockchain records.

Abstract: Provided are systems for authenticating an individual using image feature templates that include at least one processor to train a first machine learning model based on a training dataset of a plurality of images of a user, generate a plurality of image feature templates using the first machine learning model, wherein each image feature template of the plurality of image feature templates is associated with a positive authentication of the identity of the user during a time interval, generate a second machine learning model based on the plurality of image feature templates, generate a predicted image feature template using the second machine learning model, determine whether to authenticate the identity of the user based on an input image of the user, and perform an action based on determining whether to authenticate the identity of the user. Methods and computer program products are also provided.

Abstract: Embodiments of the invention relate to efficient methods for authenticated communication. In one embodiment, a first computing device can generate a key pair comprising a public key and a private key. The first computing device can generate a first shared secret using the private key and a static second device public key. The first computing device can encrypt request data using the first shared secret to obtain encrypted request data. The first computing device can send a request message including the encrypted request data and the public key to a server computer. Upon receiving a response message from the server computer, the first computing device can determine a second shared secret using the private key and the blinded static second device public key. The first computing device can then decrypt the encrypted response data from the response message to obtain response data.

Abstract: A computer implemented method for masking a primary account number between a party and a service provider. A plurality of transaction records from a database is retrieved. A masking value is generated in response to having a first hash function executed on a primary account number. The receiving, at the service provider, the masking value from the client execution environment without the primary account number; wherein the server execution environment lacks identification of the affiliation between the primary account number and the party. Upon confirming that the first hash function is identical to the second hash function, matching the masking value to the second masking value. In response to a match, querying the database for transaction history associated with the masking value. An analysis report is generated.

Abstract: Embodiments of the invention are directed to systems and methods for utilizing a multi-tiered caching architecture in a multi-tenant caching system. A portion of the in-memory cache may be allocated as dedicated shares (e.g., dedicated allocations) that are each dedicated to a particular tenant, while another portion of the in-memory cache (e.g., a shared allocation) can be shared by all tenants in the system. When a threshold period of time has elapsed since data stored in a dedicated allocation has last been accessed, the data may be migrated to the shared allocation. If data is accessed from the shared allocation, it may be migrated back to the dedicated allocation Utilizing the techniques for providing a multi-tiered approach to a multi-tenant caching system can increase performance and decrease latency with respect to conventional caching systems.

Abstract: A method for providing identification using an endpoint device is disclosed. The endpoint device may include an electronic identity that is unique and can be securely stored. The electronic identity may be passed to an access device along with signed interaction data and a cryptogram. The access device may generate an authorization request with the cryptogram and may send it to a remote server computer for further processing.

Abstract: Methods and systems disclosed herein related to analyzing the risk of an identity-based transaction and offering the identity-based transaction to a risk exchange. An identity-based transaction may be a transaction that is initiated with a digital identity, and an assertions model manager may provide assertions about the digital identity for completing the identity-based transaction. The assertions model manager may use the assertions and information about the identity-based transaction to analyze transaction risk. A risk score for the identity-based transaction can be calculated, and then the identity-based transaction may be offered on a risk exchange.

Abstract: A network topology is provided that includes multiple data centers for building blockchain blocks. The data centers can process different subgroups of blocks, and then send updates to one another with information about new blocks. Additionally, some data centers may protect sensitive block body information, and instead may only share block headers.

Abstract: A method for conducting a transaction is disclosed. A processor in a thin client may receive transaction data from a portable device of a first portable device type. The processor may determine that the portable device is the first portable device type. The processor may apply an encryption protocol associated with a second portable device type to the transaction data to create encrypted data. The processor may transmit the encrypted data to a remote computer, wherein the remote computer utilizes the encryption protocol to decrypt the transaction data, and thereafter process the transaction data to conduct the transaction.

Abstract: A method is disclosed. The method comprises receiving, by an identity network computer, a query set including a plurality of test identity attributes. After receiving the query set, the identity network computer may retrieve derivatives of identity attributes associated with a user, and an encrypted trapdoor, then compute an obscured query set using the query set, and optionally the derivatives of identity attributes. The identity network computer may transmit the obscured query set (i) and the encrypted trapdoor to a user device associated with the user, which generates and transmits a first modified trapdoor and the obscured query set to a relying party computer, or (ii) and a second modified trapdoor to the relying party computer. The relying party computer may thereafter use the obscured query set, and the first modified trapdoor or the second modified trapdoor, to determine if the identity attributes is a member of the query set.