Abstract: Embodiments of the present invention relate to systems and methods that allow users to use their communication devices to perform transactions (e.g., payment transactions, access transactions, etc.). To complete a transaction, a resource provider electronically generates a code representing transaction data and displays it on an access device. The user scans the code with his or her communication device using a camera associated with the communication device, for example. The code is interpreted by an application on the communication device. The user may request and receive a token at the communication device corresponding to sensitive information selected to perform the transaction (e.g., a primary account number). The user may then provide the token and the transaction data via the communication device to a server computer, which may facilitate completion of the transaction between the user and the resource provider using the transaction data and the token.

Abstract: Systems, methods, and devices are disclosed for preventing relay attacks. A user device may receive (e.g., when proximate to the first access device), from an intervening device, device identification data for a first access device. A message may be received from a second access device via the intervening device. The message may include a digital signature generated based at least in part on second access device identification data. The user device may validate the message utilizing the digital signature and a public key. If the message is invalid, the user device may discard the message. If the message is valid, (e.g., unaltered), the user device may determine that the user has not confirmed an intent to interact with the second access device and may terminate an further interaction with the second access device accordingly.

Abstract: Encryption key exchange processes are disclosed. A disclosed method includes initiating communication between a portable communication device including a token and a first limited use encryption key, and an access device. After communication is initiated, the portable communication device receives a second limited use key from a remote server via the access device. The portable communication device then replaces the first limited use key with the second limited use key. The second limited use key is thereafter used to create access data such as cryptograms that can be used to conduct access transactions.

Abstract: Systems, methods, and devices are disclosed for preventing relay attacks. A user device may receive (e.g., when proximate to the first access device), from an intervening device, device identification data for a first access device. A message may be received from a second access device via the intervening device. The message may include a digital signature generated based at least in part on second access device identification data. The user device may validate the message utilizing the digital signature and a public key. If the message is invalid, the user device may discard the message. If the message is valid, (e.g., unaltered), the user device may determine that the user has not confirmed an intent to interact with the second access device and may terminate an further interaction with the second access device accordingly.

Abstract: A method includes forming a communication channel between a user device and an access device. The communication channel is then secured using a user device key pair in the user device and an access device ephemeral key pair in the access device. The access device then generates a session key using at least a private cryptographic key in the access device ephemeral key pair, and a public key in the user device key pair. The access device then uses the session key to secure an ultra-wideband communication channel between the user device and the access device.

Abstract: A biometric verification system is disclosed. The system includes a portable device which stores a biometric reference template and authentication preferences, The portable device can be used with an access device. The access device can prompt the user for a biometric sample, The access device may create a biometric sample template from the biometric sample, and the biometric sample template can be compared to the biometric reference template to determine if a user is authentic.

Abstract: A method is disclosed. The method includes receiving, by an access control server, an authentication request message comprising a credential or a token from an access device, after the access device receives the credential or the token from a portable device of a user. The method also includes responsive to receiving the authentication request message, transmitting, by the access control server, a challenge message to a user device associated with the user; generating, by the access control server, an authentication indicator. The method also includes transmitting, by the access control server, an authentication response message including the authentication indicator to the access device.

Abstract: Embodiments of the present invention provide methods and systems to enable a digital wallet identifier to be present in communications associated with transaction data for transactions that are facilitated by a digital wallet provider. In one embodiment, a communication device of a user receives a request for payment credentials required to conduct a transaction and obtains the payment credentials. The payment credentials include a digital wallet identifier and at least some of the payment credentials are obtained from a trusted execution environment associated with the communication device. The obtained payment credentials are provided to an access device associated with a merchant. The access device is configured to initiate the transaction by generating an authorization request message including the payment credentials for onward transmission to an issuer computer.

Abstract: Embodiments relate to systems, apparatuses, and methods for performing access interactions between a user device and an access device. A method comprises receiving, by an access device with a single universal kernel comprising a plurality of interaction functionalities and a plurality of sub-kernels, data comprising a kernel identifier identifying a requested kernel of a plurality of kernels to perform an interaction. The access device with the single kernel may determine a first sub-kernel of a plurality of sub-kernels corresponding to an interaction functionality based on the kernel identifier. The access device with the single universal kernel may then process the interaction according to the interaction functionality corresponding to the determined sub-kernel.

Abstract: A system, apparatus, and method for processing payment transactions that are conducted using a mobile device that includes a contactless element, such as an integrated circuit chip. The invention enables the updating, correction or synchronization of transaction data maintained by an Issuer with that stored on the device. This is accomplished by using a wireless (cellular) network as a data communication channel for data provided by an Issuer to the mobile device, and is particularly advantageous in circumstances in which the contactless element is not presently capable of communication with a device reader or point of sale terminal that uses a near field communications mechanism. Data transferred between the mobile device and Issuer may be encrypted and decrypted to provide additional security and protect the data from being accessed by other users or applications.

Abstract: Systems, apparatuses, and methods for performing transactions through mobile communication devices using either telecommunications networks or proximity near-field communications systems are disclosed. A mobile communication device may display an application authentication element. The application authentication element may include a pre-selected authentication element and transaction data associated with a transaction conducted by a mobile communication device. The mobile communication device may obtain the pre-selected authentication element by either transmitting a request to a server computer or retrieving the pre-selected authentication element from a secure memory in the mobile communication device. A user authentication token may be received by the mobile communication device from the user. The mobile communication device may generate a secret token that is derived from the user authentication token. If the secret token is correlated to a secret reference token, then a transaction may be conducted.

Abstract: Methods and systems for dynamically generating a verification value for a transaction and for utilizing such value to verify the authenticity of the payment service application. The dynamically created verification value may be generated on a payment device, such as an integrated circuit credit card or smart card, embedded into the payment data, and transmitted to a point of sale terminal. Alternatively, payment data is sent by a payment device to a point of sale terminal, which generates a verification value and embeds it into the payment data. The embedded verification value is used by a service provider to verify the authenticity of the transaction. The methods and systems may be used in a contactless (wireless) environment or a non-wireless environment.

Abstract: A method is disclosed. The method includes receiving, by a user device from an access device, an available applications request message. The available applications request message includes an access device type identifier. The method also includes determining whether an association exists between the access device type identifier and one or more application identifiers of a plurality of application identifiers stored on the user device. The plurality of application identifiers respectively correspond to different applications on the user device. The method also includes transmitting, by the user device, to the access device, based in part on whether the association exists, an available applications response. The available applications response includes the one or more application identifiers of the plurality of application identifiers associated with the access device type identifier.

Abstract: A reader device may include a midrange wireless transceiver, a controller coupled to the midrange wireless transceiver, and a memory coupled to the controller. The memory may store executable code, which when executed by the controller, causes the reader device to implement various operations including maintaining a transaction service attributes database in the memory. The operations may also include broadcasting a beacon including a transaction service indicator at a periodic interval using the midrange wireless transceiver, receiving a connection request from a communication device, and establishing a wireless connection with the communication device. The operations may further include performing an application selection process with the communication device, performing application data processing with the communication device, and performing authorization request processing for the communication device.

Abstract: Embodiments of the invention provision multiple payment tokens on a communication device. The communication device may be provisioned with multiple limited use keys (LUK), each LUK being associated with a specific type of transaction. When the communication device is used for a transaction, the communication device automatically determines a type of the transaction and selects an appropriate LUK based on the determined transaction type. The selected LUK may be used to create a cryptogram, which can be used to verify the transaction.

Abstract: A system, apparatus, and method for processing payment transactions that are conducted using a mobile device that includes a contactless element, such as an integrated circuit chip. The invention enables the updating, correction or synchronization of transaction data maintained by an Issuer with that stored on the device. This is accomplished by using a wireless (cellular) network as a data communication channel for data provided by an Issuer to the mobile device, and is particularly advantageous in circumstances in which the contactless element is not presently capable of communication with a device reader or point of sale terminal that uses a near field communications mechanism. Data transferred between the mobile device and Issuer may be encrypted and decrypted to provide additional security and protect the data from being accessed by other users or applications.

Abstract: A reader device may include a midrange wireless transceiver, a controller coupled to the midrange wireless transceiver, and a memory coupled to the controller. The memory may store executable code, which when executed by the controller, causes the reader device to implement various operations including maintaining a transaction service attributes database in the memory. The operations may also include broadcasting a beacon including a transaction service indicator at a periodic interval using the midrange wireless transceiver, receiving a connection request from a communication device, and establishing a wireless connection with the communication device. The operations may further include performing an application selection process with the communication device, performing application data processing with the communication device, and performing authorization request processing for the communication device.

Abstract: A system, apparatus, and method for processing payment transactions that are conducted using a mobile payment device that includes a contactless element, such as an integrated circuit chip. The invention enables one or more of the operations of activation of a payment application, transfer of transaction data, updating of account records, setting or re-setting of a payment application counter or register, or transfer or processing of a script, command, or instruction, with these functions being performed with minimal impact on a consumer. This is accomplished by introducing a pre-tap and/or two-tap operation prior to, or as part of, the transaction flow.

Abstract: Encryption key exchange processes are disclosed. A disclosed method includes initiating communication between a portable communication device including a token and a first limited use encryption key, and an access device. After communication is initiated, the portable communication device receives a second limited use key from a remote server via the access device. The portable communication device then replaces the first limited use key with the second limited use key. The second limited use key is thereafter used to create access data such as cryptograms that can be used to conduct access transactions.

Abstract: Embodiments of the invention provision multiple payment tokens on a communication device. The communication device may be provisioned with multiple limited use keys (LUK), each LUK being associated with a specific type of transaction. When the communication device is used for a transaction, the communication device automatically determines a type of the transaction and selects an appropriate LUK based on the determined transaction type. The selected LUK may be used to create a cryptogram, which can be used to verify the transaction.