Abstract: A computer server includes a processor that is configured to receive an incoming authorization request that includes an original numeric value and an identification number, and locate a profile that is associated with the identification number. The located profile includes at least one adjustment criterion. The processor is configured to determine a primary numeric value and a secondary numeric value from the original numeric value and the adjustment criterion, confirm that the secondary numeric value is not greater than a balance value in a loyalty points account associated with the identification number, and reduce the balance value in the loyalty points account by the secondary numeric value. The processor is configured to, after confirming the secondary numeric value, generate a revised authorization request and transmit the revised authorization request to an authorization server. The revised authorization request includes the identification number and the primary numeric value.

Abstract: In some implementations, a method of providing contactless payments at a point of sale terminal includes: causing a point-of-sale terminal processing a transaction to display a machine-readable code, the machine-readable code encoding a web address; receiving a request from a device that scanned the machine-readable code, the request received at the web address; in response to receiving the request, causing the device that scanned the machine-readable code to output an interface that includes a prompt for input required to complete the transaction; receiving a response to the prompt; and sending an indication of the response to the prompt to the point-of-sale terminal to allow for completion of the transaction based on the response at the point-of-sale terminal through use of a physical token at the point-of-sale terminal.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, authenticate device identity and authorize exchanges of data in real-time based on dynamically generated cryptographic data. For example, an apparatus may receive a first signal that includes a first cryptogram associated with a client device, and may perform operations that authenticate an identity of the client device based on a comparison of the received first cryptogram and a second cryptogram generated by a computing system associated with an application program executed by the client device. In response to the authenticated identity, the apparatus may load profile data associated with the client device from a storage unit, and perform operations consistent with the profile data in accordance with the authenticated identity.

Abstract: A payment terminal includes a card interface and a transaction processor. The terminal receives a preliminary authorization amount, and receives application data from a payment card that is interfaced with the card interface. The application data includes an account number that is uniquely associated with the payment card. The processor generates an adjusted authorization amount from the account number and the preliminary authorization amount, determines whether the adjusted authorization amount can be authorized offline, and transmits a cryptogram request to the payment card. The adjusted authorization amount is different from the preliminary authorization amount. The cryptogram request includes the adjusted authorization amount.

Abstract: A clearing network includes a server, a POS terminal, and a computer network interconnecting the server and the POS terminal. The sever is configured to receive account numbers over the computer network, determine that an occurrence of one of the account numbers in the plurality of account numbers exceeds a maximum limit, and via the computer network update the pre-authorization database with the account number. The POS terminal is configured to receive a pre-authorization request that includes an authorization amount and the account number, query the pre-authorization database with the account number, and after locating the account number in the pre-authorization database from the query (a) confirm that the authorization amount is not greater than an authorization threshold, and (b) without generating an online authorization request, save in a clearing database an authorization confirmation message that includes the account number and the authorization amount.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, authenticate device identity and authorize exchanges of data in real-time based on dynamically generated cryptographic data. For example, an apparatus may receive a first signal that includes a first cryptogram associated with a client device, and may perform operations that authenticate an identity of the client device based on a comparison of the received first cryptogram and a second cryptogram generated by a computing system associated with an application program executed by the client device. In response to the authenticated identity, the apparatus may load profile data associated with the client device from a storage unit, and perform operations consistent with the profile data in accordance with the authenticated identity.

Abstract: A data set integration system receives a first data set that includes a user identifier and a message type code. The integration system locates an object profile that is associated with the terminal identifier in a data repository. The located object profile includes a tracking identifier and a counter value. The integration system updates the counter value in the object profile in accordance with a value of the message type code. The integration system updates receives a second data set from a communications device. The second data set includes the tracking identifier. The integration system locates the counter value in the object profile that is associated with the tracking identifier, and transmits to the communications device a data payload that includes the updated counter value.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, authorize initiated exchanges of data based on tokenized data characterized by a limited temporal or geographic validity. For example, an apparatus may receive a first signal that includes first information identifying a first geographic position of a client device. The apparatus may also obtain a digital token representative of a pre-authorization of a data exchange between the client device and a terminal device during a corresponding temporal interval. The terminal device may, for example, be disposed within a geographic region that includes the first geographic position of the client device. The apparatus may generate and transmit a second signal that includes the digital token to the client device. In some examples, the apparatus may transmit the second signal being through a programmatic interface associated with an application program executed by the client device.

Abstract: A data set integration system receives a data set that includes a user identifier and a message type code. The integration system selects a terminal profile from a profile database. The selected terminal profile is associated with the user identifier and includes a tracking identifier. The integration system locates the tracking identifier in the selected terminal profile. The integration system selects an object profile from a data repository. The selected object profile is associated with the located tracking identifier and includes the located tracking identifier and an associated counter. The integration system updates the counter in the selected object profile in accordance with a value of the message type code.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, authorize initiated exchanges of data based on tokenized data characterized by a limited temporal or geographic validity. For example, an apparatus may receive a first signal that includes first information identifying a first geographic position of a client device. The apparatus may also obtain a digital token representative of a pre-authorization of a data exchange between the client device and a terminal device during a corresponding temporal interval. The terminal device may, for example, be disposed within a geographic region that includes the first geographic position of the client device. The apparatus may generate and transmit a second signal that includes the digital token to the client device. In some examples, the apparatus may transmit the second signal being through a programmatic interface associated with an application program executed by the client device.

Abstract: A method for authenticating a wearable device is disclosed. The method includes: receiving, from a tokenization service provider (TSP), a signal representing a first code derived by the TSP from decrypting a security token previously provisioned in the computing device, wherein the security token was received at a terminal from the computing device and transmitted to the TSP; obtaining, based on the received signal representing the first code, a device identifier of the computing device and an identifier of an account; querying a device database to verify that the computing device is associated with a first status; verifying that the account is enabled for an operation initiated using the computing device; and transmitting an authorization message to the terminal, the authorization message authorizing the operation.

Abstract: An on-boarding server is configured to receive a data set and a manufacturer identifier from a communications device, validate an identity from the data set, and locate a first terminal cryptographic key associated with the manufacturer identifier in a terminal database. The on-boarding server is configured to confirm, using the located first terminal cryptographic key, that the manufacturer identifier received from the communications device was signed with a second terminal cryptographic key. The located first terminal cryptographic key and the second terminal cryptographic key are an asymmetric cryptographic key pair. The on-boarding server is configured to determine an acquirer server from the data set, provide the acquirer server with a merchant identifier, and download to the communications device a payload that includes the merchant identifier.

Abstract: A terminal configuration server is configured to associate a terminal identifier with a cryptographic key set, and to provide a communications device with the terminal identifier and the cryptographic key set. The terminal configuration server is configured to receive the terminal identifier from the communications device via a communications network, and establish an encrypted tunnel with a terminal via the communications device and the cryptographic key set. The encrypted tunnel is encrypted end-to-end between the terminal configuration server and the terminal. The terminal configuration server is configured to receive a payload request from the terminal via the encrypted tunnel, locate a payload that is associated with the terminal identifier in the payload database, and download the located payload to the terminal via the encrypted tunnel.

Abstract: A terminal configuration server is configured to save a manufacturer identifier in a terminal database, in association with a merchant identifier. The manufacturer identifier identifies a terminal. The terminal configuration server is configured to transmit the merchant identifier to a communications device via a communications network, and to receive from the communications device via the communications network, a terminal identifier request that includes the manufacturer identifier and the merchant identifier. The terminal configuration server is configured to verify that the manufacturer identifier, included in the terminal identifier request, is associated with the merchant identifier in the terminal database, and to download a payload to the terminal via the communications device after verifying the manufacturer identifier.

Abstract: A method for authenticating a wearable device is disclosed. The method includes: receiving, a signal representing an indication that the wearable device is in active use; in response to receiving the signal, updating a device database to associate a first status with the wearable device; receiving, from a tokenization service provider (TSP), a signal representing a first code derived by the TSP from decrypting a security token previously provisioned in the wearable device, wherein the security token was received at a terminal from the wearable device and transmitted to the TSP; obtaining, based on the received first code, a device identifier of the wearable device and an identifier of an account; querying the device database to verify that the wearable device is associated with the first status; verifying that the account is enabled for an operation initiated using the wearable device; and transmitting an authorization message to the terminal, the authorization message authorizing the operation.

Abstract: A terminal configuration apparatus is configured to receive a merchant identifier and a manufacturer identifier from a communications device, and to locate a first terminal cryptographic key that is associated with the manufacturer identifier in a terminal database. The terminal configuration apparatus is configured to confirm, using the located first terminal cryptographic key, that the merchant identifier was signed with a second terminal cryptographic key, and to download a payload to a terminal via the communications device. The located first terminal cryptographic key and the second terminal cryptographic key are an asymmetric cryptographic key pair.

Abstract: A computer server includes a processor that is configured to receive an incoming authorization request that includes an original numeric value and an identification number, and locate a profile that is associated with the identification number. The located profile includes at least one adjustment criterion. The processor is configured to determine a primary numeric value and a secondary numeric value from the original numeric value and the adjustment criterion, confirm that the secondary numeric value is not greater than a balance value in a loyalty points account associated with the identification number, and reduce the balance value in the loyalty points account by the secondary numeric value. The processor is configured to, after confirming the secondary numeric value, generate a revised authorization request and transmit the revised authorization request to an authorization server. The revised authorization request includes the identification number and the primary numeric value.

Abstract: A clearing network includes a server, a POS terminal, and a computer network interconnecting the server and the POS terminal. The sever is configured to receive account numbers over the computer network, determine that an occurrence of one of the account numbers in the plurality of account numbers exceeds a maximum limit, and via the computer network update the pre-authorization database with the account number. The POS terminal is configured to receive a pre-authorization request that includes an authorization amount and the account number, query the pre-authorization database with the account number, and after locating the account number in the pre-authorization database from the query (a) confirm that the authorization amount is not greater than an authorization threshold, and (b) without generating an online authorization request, save in a clearing database an authorization confirmation message that includes the account number and the authorization amount.

Abstract: A method of remotely configuring a pin-pad terminal involves a computer server receiving a merchant identifier over a network from a communications device associated with the pin-pad terminal. The computer server confirms from the merchant identifier that an entity associated with the communications device is authorized to use the pin-pad terminal, and authenticates the pin-pad terminal from a cryptographically-signed datum received from the communications device. The computer server then transmits to the pin-pad terminal via the communications device a configuration payload for installation in the pin-pad terminal. The configuration payload includes at least a payment symmetric cryptographic key set uniquely associated with the pin-pad terminal. The payment symmetric key set configures the pin-pad terminal to effect secure electronic payment via the communications device.

Abstract: A computer server includes a transaction processor that is configured to receive from a POS terminal an incoming authorization request that includes an original numeric value, a token cryptogram and an identification number identifying an identity token; confirm that the token cryptogram was generated from the original numeric value and a cryptographic key associated with the token; determine primary and secondary numeric values from the original numeric value and a user profile associated with the identification number; confirm that the secondary numeric value is not greater than the balance in a loyalty points account associated with the identification number; transmit to an authorization server a revised authorization request that includes the identification number and the primary numeric value; and receive from the authorization server a confirmation message confirming that the primary numeric value is not greater than the balance in a payment account associated with the identification number.