Abstract: A computer system for verifying whether two existing sets of confidential electronic data are identical by transforming the two existing sets of confidential electronic data into two new sets of electronic data that are no longer confidential, and then comparing the two new sets of electronic data. As a result, the confidentiality of the two existing sets of electronic data is maintained.

Abstract: In one embodiment, a method includes establishing, by an identity agent installed on a device, a connection to a browser installed on the device and generating, by the identity agent, first device information, a public key, and a private key. The method also includes communicating, by the identity agent, the first device information and the public key to an authentication service and receiving, by the identity agent, a unique identifier from the authentication service. The method further includes generating, by the identity agent, a first signature of the first device information and communicating, by the identity agent, the first signature, the first device information, and the unique identifier to the browser.

Abstract: A computer system (10) comprises a plurality of computers (20a, 20b, 20c, 20d). Each of the computers (20a, 20b, 20c, 20d) comprises a store (22, 24, 26, 28). Each of the computers is configured to provide one or more labels to replace determined data in documents stored in the store (22, 24, 26, 28), and to produce encoded documents including the one or more labels to replace the determined data in the documents. The computer system (10) further comprises a machine learning computer system (30) configured to train the plurality of computers (20a, 20b, 20c, 20d) based on the encoded documents from the plurality of computers (20a, 20b, 20c, 20d).

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: An apparatus for detecting a phishing website based on website icons is disclosed. A disclosed example apparatus includes parser circuitry to parse code of a first website, detector circuitry to detect, based on the parsed code, a first website icon and a first Uniform Resource Locator (URL) corresponding to the first website, and hash generator circuitry to generate a first hash of the first website icon, and store the first hash in association with the first URL in a hash entry of an icon hash database, the hash entry to be used for determining that a second website is a phishing website when (a) the first hash matches a second hash of a second website icon corresponding to the second website, and (b) a first portion of the first URL matches a second portion of a second URL corresponding to the second website.

Abstract: A system and method for conducting a privileged communication session between a client user and an attorney subscriber includes initiating a communication session between the client user and the attorney member in response to a communication session request, via a communication application where the communication session is configured to be selectively conducted via the communication application in a non-privileged mode and in a privileged mode such that in the non-privileged mode, the communication session is conducted via a communication server in communication with a user client computing device and an attorney computing device, and such that in the privileged mode the communication session is conducted via a direct communication link initiated via the communication application such that, in the privileged mode the communication server is disconnected from the direct communication link.

Abstract: Embodiments include a provider computing system associated with a provider including at least one processing circuit configured to present, by a graphical user interface while a bill pay application is in an unlaunched state, a notification including a plurality of summaries of at least one bill, automatically launch the bill pay application in response to the customer selecting a summary of the plurality of summaries of at least one bill, and automatically navigate to a sub-screen presenting the selected summary. The least one processing circuit further configured to receive, via the bill pay application, a request to pay an amount of funds to a biller, generate a payment request, provide at least one post to a funds account circuit based on the payment request, and generate and provide a payment data object to a biller computing system.

Abstract: A certificate revocation manager performs scheduled synchronization of a certificate revocation table with certificate revocation lists (CRLs) independent of connection requests from clients. The certificate revocation table includes entries that each indicate a client certificate that has been revoked by a certificate authority (CA). On a scheduled basis, the certificate revocation manager synchronizes the entries of the certificate revocation table with current CRLs obtained from different CAs. When a service at receives a request from a client to establish a connection, the service generates a composite key based on a CA identifier and a certificate identifier of a client certificate provided by the client. The service performs a lookup on the certificate revocation table based on the composite key. Based on a result of the lookup, the certificate revocation manager determines whether the client certificate is revoked.

Abstract: An identity verification device for verification of a digital credential includes a user device communication interface for operative communication with a user device associated with a human user. The user device communication interface is operative to receive from the user device the digital credential of the human user stored locally on the user device. The device also includes a relying party communication interface operative to send a request to an intermediary credential service platform for verification of the digital credential presented by the user device, and to receive verification of the digital credential from the platform after application of an issuing authority credentialing standard to the digital credential. The device further includes a verification indicator operative to provide an indication of verification status of the digital credential to the relying party associated with the identity verification device.

Abstract: A data mining method, system, and non-transitory computer readable medium include obtaining a subset of public records of data in a public domain and performing data mining, via private domain data, within the subset of the public records of data to find data in the public domain corresponding to a particular individual.

Abstract: A method for consumer-initiated transactions with encrypted tokens includes: storing a first cryptographic key pair comprising an account public key and an account private key, a merchant public key, an account token associated with a transaction account, an account identifier, and an issuing institution identifier; receiving transaction data for a proposed payment transaction including a transaction amount; generating a transaction order including the transaction data; generating a cryptographic checksum for the generated transaction order; generating a digital signature over the cryptographic checksum using the account private key; generating a payment token including the issuing institution identifier, the account identifier, the transaction amount, and the account token; encrypting the payment token using the account private key; and transmitting the encrypted payment token and signed cryptographic checksum to a point of sale device.

Abstract: A device may receive, from client devices of users, user data identifying the users, client device data identifying the client devices, and transaction card data identifying transaction cards, and may receive transaction account data identifying transaction accounts. The device may process the user data, the client device data, the transaction card data, and the transaction account data, with a machine learning model, to determine trust scores for the transaction cards, and may identify trusted transaction cards based on the trust scores. The device may receive, from trusted client devices associated with the trusted transaction cards, location data identifying locations of the trusted client devices and communication data indicating communications between the trusted transaction cards and the trusted client devices. The device may generate a card mapping for the trusted transaction cards based on the location data and the communication data, and may perform actions based on the card mapping.

Abstract: According to certain embodiments, a method performed by a trust anchor comprises determining a random value (K), encrypting the random value (K) using a long-term key associated with a hardware component in order to yield an encrypted value, communicating the encrypted value to the hardware component, and receiving a response encrypted using the random value (K). The response is received from the hardware component. The method further comprise encrypting a schema using the random value (K) and sending the encrypted schema to the hardware component. The schema indicates functionality that the hardware component is authorized to enable.

Abstract: Securing digital assets in a vault that interfaces with multiple different third-party wallets to store keys/mnemonics. The vault interface accepts input from multiple different party wallets to combine multiple encryptions and secure storage techniques. Numerous cryptographic mechanisms are employed to securely pull a mnemonic phrase from a third-party wallet and into an institution's vault. A customer's mnemonic phrase is securely transported from a personal wallet into a secured institution's encrypted vault using the power of HSM to encrypt and decrypt a customer's mnemonic phrase securely.

Abstract: A device may receive a uniform resource locator (URL) and encrypted data. The device may download a first application from an application server based on the URL. The device may download and execute the first application. The first application may receive the encrypted data.

Abstract: Systems and methods are provided to enable a user to conduct a transaction using their credentials stored on a secure server computer (e.g., a computer associated with a partner such as another merchant) by merely presenting their authentication data at a physical location via an auxiliary device. An auxiliary device may be provided for interfacing with a partners backend server (e.g., the secure server computer). In some embodiments, biometric authentication may provide a mechanism for a true seamless and potentially frictionless (in the case of modalities that do not require physical contact) interaction. Payment can occur without any need for a card, phone, wearable, or any other user device as long as the auxiliary device is able to recognize the user and retrieve a credential that can be linked to that user.

Abstract: A first document including a decrypting version of a first key and a second document including a representation of a login token are received from the first compute device. An encrypted second key that has been encrypted by an encrypting version of the first key is received after receiving the login token from a second compute device. The second compute device stores the encrypting version of the first key before the receiving of the first document. The encrypted second key is decrypted using the decrypting version of the first key to obtain a plaintext second key. Encrypted sensor data that includes plaintext sensor data that has been (1) captured prior to the receiving of the first document, and (2) encrypted by the plaintext second key is received from the second compute device. The encrypted sensor data is decrypted using the plaintext second key to obtain the plaintext sensor data.

Abstract: More effective authentication protocols for provisioning electronic devices are provided. An approval signal responsive to a provisioning request may be transmitted in real-time, such as under four seconds in certain embodiments. An authentication score for the provisioning request may be calculated even after transmitting the approval signal. In certain embodiments, information gathered from the successful provisioning of a device can be used in the authentication scoring process. Authentication scores deemed to fall below a requisite threshold may be used to suspend the provisioned device, therefore, limit the ability for the device to utilize the account, however, without withdrawing the approval or granted digital token. Certain implementations may negate the need to transmit further approvals or confirmations following determining an authentication score met a threshold.

Abstract: A system and method is disclosed for providing vendors an alternative to a password-based security system. The system and method also allows vendors to manage secure transactions by leveraging various message authentication techniques while allowing the vendor full control over related processes such as payment processing and fulfillment. The system and method also monitors message requests from customers for the vendor to guarantee that the communication has not been compromised. Consolidating the authentication of users to their messaging minimizes the need for each individual vendor to maintain their own password for access to a customer account. This eliminates the requirement that customers generate a password thus increasing convenience and decreasing security risks associated with the use of passwords. This decreases risk not only for customer and vendor but also decreases the risk exposure across the internet-as the system scales.

Abstract: The subject matter of this specification generally relates to cloud-hosted certificate lifecycle management (CLM) to on-premises certificate authority (CA) communication. In some implementations, a method includes receiving a task request specifying a requested task and an identifier specifying a location for task execution, determining the requested task and that the location for task execution for the requested task is at an on-premises CA device, in response to determining the requested task and that the location of the task is at the on-premises CA device, storing a request task data entry that links the task request to the location for task execution, providing a notification to an on-premises CA gateway, and in response to the notification, providing the requested task for task execution. In some implementations, the remote CA gateway plug-in module maintains a constant communication connection with the on-premises CA gateway via a persistent client-initiated communication protocol.

Abstract: A system includes masking servers, transport servers, and signal servers. Each transport server stores masking server Internet Protocol (IP) addresses. Each signal server is configured to store transport server IP addresses, receive an update request from a client, and send the transport server IP addresses to the client in response to the update request. Each transport server is configured to receive a request data payload for a destination target server from the client, select a masking server, and send the request data payload to the selected masking server. The selected masking server is configured to send the request data payload to the target server, receive a response data payload from the target server, and send the response data payload to the transport server from which the request data payload was received. The transport server that receives the response data payload sends the response data payload to the client.

Abstract: A computer-based method for providing a loyalty identifier to a merchant using a payment network is described. The method includes storing data including at least one loyalty identifier associated with a cardholder enrolled in a loyalty program and a corresponding payment card identifier, receiving a first authorization request message for a payment transaction initiated by a first cardholder using a first payment card at an originating merchant, the first authorization request message including a first merchant identifier and a first payment card identifier, determining a first loyalty program associated with the originating merchant based in part on the first merchant identifier and the data stored in the memory, determining a first loyalty identifier associated with the first cardholder for the first loyalty program based in part on the first payment card identifier and the data stored in the memory, and providing the first loyalty identifier to the originating merchant.

Abstract: A system for managing a financial account in a low cash mode. The system may include a memory storing instructions, and a processor configured to execute the instructions to perform operations. The operations may include providing an interface; providing a notification to a user when a balance in the first account is deemed to be in low cash mode; presenting, when the first account balance is deemed to be in low cash mode, an option for a transfer request; receiving, a selection of the option for the transfer request to connect the first account with a second account; transferring funds from the second account to the first account; notifying the user that funds have been transferred from the second account to the first account; and further notifying the user that the balance in the first account is greater than the threshold value.

Abstract: The present disclosure provides a system for generation and verification of signatures via user specific tokens. This system allows a user to create a token to include with or use instead of a signature, with the token generally called a “Signature Token.” The Signature Token may be a numeric token, alphanumeric token, or other appropriate character set. The system may additionally determine or assign a signature level to a signature token based on the user device information, signature information, or some combination thereof. A Signature Token can be verified by a third party, thereby authenticating the user's signature. The system provides easy access for the creation of signature tokens and verifying the tokens.

Abstract: A request may be received to transfer from a first entity to a second entity a right related to a digital asset stored in an on-demand database system. The on-demand database system may provide computing services to a plurality of entities via the internet. A token associated with the digital asset may be identified. The token may being included in a smart contract recorded within a distributed trust ledger and may be owned by a first distributed trust ledger account. The smart contract may be executed within the distributed trust ledger to record a transfer of the token from the first distributed trust ledger account to a second distributed trust ledger account. The on-demand database system may be updated to include one or more database entries reflecting the recorded transfer.

Abstract: The subject matter of this specification generally relates to cloud-hosted certificate lifecycle management (CLM) to on-premises certificate authority (CA) communication. In some implementations, a method includes receiving a task request specifying a requested task and an identifier specifying a location for task execution, determining the requested task and that the location for task execution for the requested task is at an on-premises CA device, in response to determining the requested task and that the location of the task is at the on-premises CA device, storing a request task data entry that links the task request to the location for task execution, providing a notification to an on-premises CA gateway, and in response to the notification, providing the requested task for task execution. In some implementations, the remote CA gateway plug-in module maintains a constant communication connection with the on-premises CA gateway via a persistent client-initiated communication protocol.

Abstract: Methods, systems, and media are provided for enabling encryption key distribution when a processor is in offline mode. When offline, key distribution servers can distribute private/public key pairs in place of the processor. The servers can distribute a private key to a first server for encryption of data and a public key to the processor, when it is online, to decrypt the data.

Abstract: Digital fingerprints include data indicative of interior features or structures of an object. The physical object may be rigid or malleable. The digital fingerprints may also include data indicative of features on an exterior surface of the object. Digital fingerprints may uniquely identify an object with respect to other objects, even with respect to other objects of a same type or class of objects. The technology may be relatively invariant to changes in scale, rotation, affine, homography, perspective, and illumination as between a reference digital fingerprint and a later acquired or generated digital fingerprint. Digital fingerprints may be used to authenticate an object as being a second instance or appearance of a previously digitally fingerprinted object.

Abstract: The system generates a validation tool in response to receiving an indication to initiate validation. The system identifies at least one media content item based on a user profile, and generates at least one question based on the at least one media content item. The at least one media content item may include an image, a video, text, or a combination thereof. The system determines at least one answer corresponding to the at least one question. The question and answer may be determined based on a question template. For example, the template may be selected based on attribute types or values of the at least one media content item. The system generates the at least one question for output on an output device. Upon receiving input indicative to an answer, the system compares the inputted answer to the determined answer to determine whether to validate the user.

Abstract: In some implementations, a masking device may receive rules and a document object model (DOM) structure. Each rule may indicate a corresponding element, a corresponding pattern, and a type of remediation. The DOM structure may include elements, where each element is associated with text. The masking device may traverse the DOM structure to identify elements that map to corresponding elements indicated by the rules. The masking device may determine whether text, associated with the identified elements, is sensitive information by determining whether the text maps to corresponding patterns indicated by the rules. The masking device may perform validation on the sensitive information. The masking device may modify the DOM structure based on the sensitive information, the validation, and a type of remediation indicated by the rules. Accordingly, the masking device may output the modified DOM structure.

Abstract: A payment managing system and method for enhancing the security of electronic user payment data can include employing a two factor authentication and keeping e-commerce host system outside the PCI scope. The two-factor authentication can include using a session ID and a one-time token (OTT). The session ID can identify a payment session that is initiated upon initiation of an e-commerce transaction. The payment managing system can provide a computing device initiating the transaction an iFrame to handle input user input data on an information resource. The OTT can be used to tokenize the user input data. The OTT can be included in payment authorization requests sent to the payment managing system. The payment managing system can obtain payment authorization without the user payment data being shared with e-commerce host systems.

Abstract: A media system replaces content in a first sequence of media content. The media system presents the first sequence of media content to an end-user and generates a fingerprint of the sequence of media content. The fingerprint is for comparison with a plurality of reference fingerprints so as to identify the first sequence of media content and determine a reference position within the first sequence of media content. The media system sends a request for a replacement sequence of content to a content replacement system, and receives replacement media content selected based on the identified first sequence of media content. The media system presents the replacement media content to the end-user instead of the first sequence of media content. Presenting the replacement media content begins at a position in the first sequence of media content that is determined based on the reference position.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: Disclosed are various embodiments for providing access to a recovery key of a managed device and rotating the recovery key after it has been accessed. In one example, among others, a system includes a computing device and program instructions. The program instructions can cause the computing device to authenticate a user on the computing device in order to unlock an operating system based on a first recovery key. A key rotation command can be received from the management service. The key rotation command can include an instruction to rotate the first recovery key. The computing device can generate a second recovery key and transmit the second recovery key to the management service.

Abstract: Systems and methods for fraud monitoring are disclosed, including: receiving a transaction request associated with a first instrument of a user; extracting, characteristics of the transaction request; identifying, by the first processor, user data based on the transaction request; determining a fraud severity value and notification value based on inputting the characteristics and user data into a fraud machine learning model; performing a first fraud action based on the fraud severity value; wherein the first fraud action is at least one selected from the group of locking the first instrument for a period of time, deactivating the first instrument, and electronically transmitting a first query message to a user device associated with the first instrument; and transmitting a fraud notification based on the notification value, wherein the fraud notification includes severity information associated with the fraud severity value.

Abstract: A method for creating a secure channel for updating a digital currency hardware wallet application: upon receiving a security operation execution instruction, obtaining a public key and a certificate number of a host computer from within the security operation execution instruction, obtaining a corresponding certificate of the host computer according to the certificate number, and verifying the certificate of the host computer using the public key of the host computer; when receiving a verification instruction, obtaining the public key of the host computer according to a key version number and a key ID in the verification instruction, generating a receipt according to a temporary public key of the host computer, the public key of the host computer and a generated session key which are in the verification instruction, and sending the receipt to the upper computer; upon receiving the application update instruction, using the session key to decrypt application data ciphertext in the application update instructio

Abstract: An automated voting platform can allow a user to register to vote, view information about candidates, and submit votes in an election using his or her own personal computing device. To minimize the likelihood of voter fraud, the automated voting platform can implement an authentication process that requires the user to submit biometric or other identification information prior to being enabled to access the user's account with the automated voting platform. This authentication process can also require the user to repeatedly submit biometric information thereby ensuring that the same user continues to use the computing device while accessing the user's account.

Abstract: A media system replaces content in a first sequence of media content. The media system presents the first sequence of media content to an end-user and generates a fingerprint of the sequence of media content. The fingerprint is for comparison with a plurality of reference fingerprints so as to identify the first sequence of media content and determine a reference position within the first sequence of media content. The media system sends a request for a replacement sequence of content to a content replacement system, and receives replacement media content selected based on the identified first sequence of media content. The media system presents the replacement media content to the end-user instead of the first sequence of media content. Presenting the replacement media content begins at a position in the first sequence of media content that is determined based on the reference position.

Abstract: An information processing apparatus in the present invention includes: an acquisition unit that acquires first history information indicating that a procedure related to boarding of a passenger in an airport was performed with biometric authentication and second history information indicating that the procedure was performed with reading of a medium; and an output unit that outputs usage status of the biometric authentication in the procedure based on the first history information and the second history information.

Abstract: Aspects of the disclosure relate to a smart contactless card to detect real-time suspicious card readers or other fraudulent devices. Prior to a transaction, the smart contactless card detects suspicious card readers or fraudulent devices. An alert may be generated upon detection of any suspicious or fraudulent card reader. In some arrangements, the smart contactless card may utilize machine learning models or machine learning capabilities to detect suspicious card readers. The smart contactless card may pair with other smart contactless cards to detect and alert users to suspicious card readers or other fraudulent devices. The paired smart contactless cards may share information regarding suspicious card readers or fraudulent devices over a semi-autonomous data-sharing network. A vulnerability score may be generated and used to determine if a card reader or other payment device is suspicious.

Abstract: A computing platform having at least one processor, a memory, and a communication interface may receive, via the communication interface, a transaction request from a participant. The computing platform may identify a user and one or more linked digital wallets associated with the transaction request. The computing platform then may execute an algorithm for comparing the transaction request to predetermined criteria associated with the one or more linked digital wallets. The computing platform may establish, via the communication interface, a first connection with a user computing device and, while the first connection is established, transmit to the user computing device transaction information which, when executed by the user computing device, causes a notification to be displayed on the user computing device.

Abstract: Ordering and purchasing processes are integrated into a messaging session between a user device and a merchant server. Within the messaging session, a dialogue is established between the user device and the merchant server. The merchant server obtains user information in order to communicate with a service provider to establish a transaction with an account associated with the user device. The merchant server obtains order information from the user device by interpretation of the dialogue, and creates an order. The user requests payment, and receives a payment link from the merchant server in order to make a transaction. The user provides payment information including identification of the account associated with the user device for the transaction to the merchant server. Once these actions have taken place, the merchant server uses the order information and the payment information to enable the transaction to be performed using the account.

Abstract: Optimizing file access includes a process for identifying a file access event for a first accessed file, and incrementing a first access counter in an access list in a memory, which also includes access counters for other accessed files. The process further includes exporting the first access counter to a performance monitoring dashboard, or exporting to a storage allocator and, based on the value, moving the first accessed file between a first storage and a second storage. The process also includes determining whether the value of the first access counter meets a first threshold, or a sum of values of the access counters for the other accessed files meets a second threshold. Based on meeting the first threshold or meeting the second threshold, the process includes persisting the access counters on a storage media. The access counters also provide security monitoring (e.g., identifying excessive file access).

Abstract: A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the server, the electronic device credentials. The method further includes a step of registering, by the server, the electronic device. The method further includes a step of transmitting, from the server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

Abstract: There is provided systems and methods for generating a multi-layered watermark. The watermark incorporating one or more symbols for placement on a document. The method including: positioning a base layer of the watermark at one or more locations on the document; positioning the one or more symbols overtop of at least a portion of the base layer; and positioning a braid layer of the watermark overtop of the ID, the braid layer and the base layer are substantially aligned, the braid layer including a copy of the base layer incorporating a pattern. The pattern can include one or more of discolorations, holes, and sections of increased opacity.

Abstract: Measures, including methods, apparatus and computer software are provided for processing electronic tokens. An authorization request is received in relation to processing of an electronic token. An identifier for a user terminal associated with the electronic token, and an account, are determined on the basis of the authorization request. In some arrangements, a location query for the user terminal is performed on the basis of the determined identifier, whereby to determine a location of the user terminal on the basis of a proximity of the user terminal to one or more base stations in a cellular telecommunications network. In some arrangements, a challenge message is sent to the user terminal, to establish a confidence that the transacting user terminal is the designated user terminal. Processing of the electronic token in relation to the account is selectively authorized on the basis of the result of the location query or challenge response.

Abstract: A producer system may insert an encrypted value in a field in a message, where the message is associated with a schema that specifies a public key used to encrypt the encrypted value of the field and further specifies a type of an unencrypted form of the encrypted value, insert one or more unencrypted values in one or more fields in the message, and send the message to an external computing system. A consumer system may receive the message, determine, based at least in part on the public key specified by the schema, a private key associated with the public key, and decrypt, using the private key, the encrypted value of the field into the unencrypted form of the encrypted value.

Abstract: A certificate revocation manager performs scheduled synchronization of a certificate revocation table with certificate revocation lists (CRLs) independent of connection requests from clients. The certificate revocation table includes entries that each indicate a client certificate that has been revoked by a certificate authority (CA). On a scheduled basis, the certificate revocation manager synchronizes the entries of the certificate revocation table with current CRLs obtained from different CAs. When a service at receives a request from a client to establish a connection, the service generates a composite key based on a CA identifier and a certificate identifier of a client certificate provided by the client. The service performs a lookup on the certificate revocation table based on the composite key. Based on a result of the lookup, the certificate revocation manager determines whether the client certificate is revoked.

Abstract: A method including receiving a funds transfer request initiated by a sender to facilitate a transfer of funds to a recipient. The funds can be transferred from a sender account of the sender at a sender financial institution to a recipient account of the recipient at a recipient financial institution. The funds transfer request can include a public token for the recipient but not including an account number of the recipient account at the recipient financial institution. The public token for the recipient can be confirmed as useable to contact the recipient based on one or more responses by the recipient to one or more authentication request messages provided to the recipient using the public token. The method also can include determining a private token for the recipient account using an information directory based on the public token. The private token can be embedded with information that identifies the recipient financial institution.

Abstract: Systems and methods for creating accounts at a plurality of payment processors include a method that receives a first request to create a new account, and identifies a payment processor of the plurality of payment processors to handle the first request. The method determines whether a proxy for the new account exists in a local storage and sends a second request to the identified payment processor to create the new account, where the second request includes the proxy when the proxy for the new account exists.