Abstract: A method for generating payment credentials in a payment transaction includes storing, in a memory, at least a card master key associated with a transaction account. The method also includes generating, by a processing device, a first session key based on at least the stored card master key; generating, by the processing device, a second session key; generating, by the processing device, a first application cryptogram based on at least the first session key; generating, by the processing device, a second application cryptogram based on at least the second session key; and transmitting, by a transmitting device, at least the first application cryptogram and second application cryptogram for use in a payment transaction.

Abstract: A system and method authenticate payment transactions using risk based analysis modeling when multiple payment accounts are identified by input biometric data. An authentication request includes the biometric data associated with a user. Multiple user payment accounts associated with the biometric data are identified. A confidence score is generated for each of the multiple user payment accounts based on context data associated with the payment transaction. The payment account with the highest confidence score is selected. The selected payment account is authenticated for use in processing the payment transaction to ensure payment transactions are performed on the correct payment account.

Abstract: There is provided an authentication system for validating identity credentials of a user attempting to access a resource provided by a remote resource provision system. The authentication system includes an input configured to receive, from the resource provision system, an authentication request comprising a cryptographic representation of digital identity data of the user and an associated token identifier, where the digital identity data comprises at least one image of an identity credential of the user. The system also includes a processor configured to: determine a pre-stored cryptographic identifier corresponding to the token identifier; and compare the received cryptographic representation with the pre-stored cryptographic identifier.

Abstract: A method of performing a contactless transaction between a payment device and a terminal is described. The method comprises establishing a data connection between the payment device and the terminal and then establishing if the payment device and the terminal both support an enhanced security architecture. If they do not, they will then perform the contactless transaction according to a basic transaction flow using a first cryptographic system. If they do, they will perform the contactless transaction according to an enhanced transaction flow using a second cryptographic system. The first cryptographic system and the second cryptographic system comprise different asymmetric cryptographic systems. Suitable payment devices and terminals, and methods at the payment devices and terminals, are described.

Abstract: There is disclosed a computer implemented method (300) of managing user accounts at a biometric database, the biometric database comprising biometric data of a user. The method comprises the steps of: receiving (301), at the biometric database, a message from a user device to suspend a user's account, the message comprising a cryptographic parameter; suspending (303) the user's account, the step of suspending comprising: encrypting (305), at the biometric database, biometric data of the user associated with the user's account using the cryptographic parameter; storing (307), the encrypted biometric data; and discarding (309), at the biometric database, the cryptographic parameter; and transmitting (311), from the biometric database, a message to the user device indicating that the user's account has been suspended.

Abstract: A method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device lacking a secure element, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier; using the mobile PIN; generating a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and transmitting the generated single use key to the mobile device.

Abstract: Systems and methods are provided for extending dialogue between a mobile device and a point-of-interaction (POI). One example computer-implemented method includes receiving, by a by a host server, from a POI computing device, an identifier specific to an account of a user, a receipt for an interaction, and one or more encrypted actions. The method also includes decrypting, by the host server, the one or more encrypted actions and storing the receipt. The method then includes, based on the decrypted one or more actions, notifying, by the host server, the user, via a mobile device of the user, of the receipt and accessibility of the receipt.

Abstract: Systems and methods are provided for managing disputes in biometric-enabled network interactions. One example computer-implemented method includes receiving, at a biometric identity switch (BIS), a dispute notification for a biometric-enabled network interaction involving an account of a user, and retrieving biometric data specific to the biometric-enabled network interaction. The method also includes determining, by the BIS) whether the biometric data is representative of the user and, in response to the biometric data not being representative of the user, requesting, from a biometric service provider, a biometric identifier for an additional user, based on the biometric data.

Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic

Abstract: A system and method for generating and provisioning payment credentials to a mobile device lacking a secure element includes receiving and storing by the mobile device a card profile from a remote system. The card profile may include payment credentials corresponding to a payment account and a profile identifier. The mobile device may receive a mobile personal identification number (PIN) input by a user of the mobile device and transmit a key request to the remote system. The mobile device may receive a single use key which may include an application transaction counter and a generating key from the remote system. The mobile device may generate a payment cryptogram valid for a single financial transaction based on the received single use key and the mobile PIN and transmit the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.

Abstract: Systems and methods are provided for extending dialogue between a mobile device and a point-of-interaction (POI). One example computer-implemented method includes receiving, by a conduit server, from the POI, via a first connection between the conduit server and the POI, a request for an extended connection between the POI and the mobile device, and notifying a host server of the request. The method then includes receiving, from the mobile device, via a second connection between the conduit server and the mobile device, an identifier for the mobile device and pairing, based on the identifier, the first and second connections, to establish a wireless connection between the POI and the mobile device, via the conduit server. The method further includes submitting a wake-up call to the mobile device, whereby the mobile device publishes the identifier to establish a wireless connection directly between the POI and the mobile device.

Abstract: Methods, apparatus and systems for operating a payment-enabled mobile device to facilitate a payment transaction with a merchant server. In an embodiment, a mobile device processor of the payment-enabled mobile device receives a payment transaction request from a user, transmits a payment transaction initiation message directly to a merchant server of the merchant, and receives a request message from the merchant server that includes one of a request to provide an Authorization Request Cryptogram (ARQC) or a request to provide user consent information. The user consent information may include cardholder verification results or a request to provide an ARQC.

Abstract: There is provided an authentication system for validating identity credentials of a user attempting to access a resource provided by a remote resource provision system. The authentication system includes an input configured to receive, from the resource provision system, an authentication request comprising a cryptographic representation of digital identity data of the user and an associated token identifier, where the digital identity data comprises at least one image of an identity credential of the user. The system also includes a processor configured to: determine a pre-stored cryptographic identifier corresponding to the token identifier; and compare the received cryptographic representation with the pre-stored cryptographic identifier.

Abstract: Systems and methods are provided for facilitating biometric-enabled network interactions. One example computer-implemented method includes receiving, at a biometric identity switch, from a terminal associated with a party, a request for an enrollment of a biometric of a user for biometric-enabled network interactions, the request including a biometric template of the user, identifying a biometric service provider associated with the biometric template, requesting from the identified service biometric provider, a biometric identifier for the user, based on the biometric template, receiving the biometric identifier from the identified biometric service provider, and then storing the biometric identifier for the user in a user profile, whereby the user is enrolled for biometric-enabled network interactions using the biometric.

Abstract: There is provided an authentication system for validating identity credentials of a user attempting to access a resource provided by a remote resource provision system. The authentication system includes an input configured to receive, from the resource provision system, an authentication request comprising a cryptographic representation of digital identity data of the user and an associated token identifier, where the digital identity data comprises at least one image of an identity credential of the user. The system also includes a processor configured to: determine a pre-stored cryptographic identifier corresponding to the token identifier; and compare the received cryptographic representation with the pre-stored cryptographic identifier.

Abstract: A method of performing a contactless transaction between a payment device and a terminal is described. The method comprises establishing a data connection between the payment device and the terminal and then establishing if the payment device and the terminal both support an enhanced security architecture. If they do not, they will then perform the contactless transaction according to a basic transaction flow using a first cryptographic system. If they do, they will perform the contactless transaction according to an enhanced transaction flow using a second cryptographic system. The first cryptographic system and the second cryptographic system comprise different asymmetric cryptographic systems. Suitable payment devices and terminals, and methods at the payment devices and terminals, are described.

Abstract: Examples provide a system and method for initiating contactless communication sessions between computing devices using a variety of modalities. A user pre-registers a selected modality for triggering session initiation. A session initiation device generates trigger data based on a detected occurrence of a predetermined event corresponding to a user selected modality, such as, but not limited to, biometric data, a unique user identifier (ID), a vehicle identifier, or any other type of modality. The trigger data is mapped to a mobile device ID. The mobile device ID can be requested from a connection server. The communication session is established between the first computing device and the mobile user device using the mobile device identifier. The computing device transmits data to the mobile user device via the established communication session when the computing device is brought into proximity to the mobile user device.

Abstract: A method for processing an encoded one-time number via payment rails includes: receiving, by a receiving device interfaced with a computing system, a one-time number, wherein the one-time number is comprised of at least an identification value and a remaining value; executing, by a querying module of the computing system, a query on a memory of the computing system to identify a routing number based on at least a portion of the one-time number; generating, by a generation module of the computing system, a data value, wherein the data value includes at least the identified routing number and the remaining value; and electronically transmitting, by a transmitting device of the computing system, the generated data value to an external system via payment rails associated with a payment network.

Abstract: A method for generating payment credentials in a payment transaction includes storing, in a memory, at least a card master key associated with a transaction account. The method also includes generating, by a processing device, a first session key based on at least the stored card master key; generating, by the processing device, a second session key; generating, by the processing device, a first application cryptogram based on at least the first session key; generating, by the processing device, a second application cryptogram based on at least the second session key; and transmitting, by a transmitting device, at least the first application cryptogram and second application cryptogram for use in a payment transaction.

Abstract: A method for verification of a bearer of a credential device at a device reader is described. The method comprises first establishing a digital communication channel with the credential device, and then determining a set of verification options for the bearer and providing the set of verification options to the credential device over the digital communication channel. The credential device then selects a verification option from the set of verification options and communicates this to the device reader. The device reader can then verify the bearer of the credential device in accordance with the selected verification option. Methods at both the credential device and the device reader are described, as are suitably programmed credential devices and device readers.