EP-4210274-B1 - EFFICIENT TOKEN PROVISIONING SYSTEM AND METHOD
Inventors
- TOMAR, DEEPAK
Dates
- Publication Date: 20260513
- Application Date: 20230105
Claims (13)
- A method comprising: receiving, by a server computer, a cryptogram request message comprising a token associated with a first credential during an interaction between a user of a user device and a resource provider of a resource provider application on the user device; generating, by the server computer, a detokenization request message comprising the token; providing, by the server computer, the detokenization request message to a token service computer; receiving, by the server computer, a detokenization response message comprising a second credential from the token service computer, the token service computer having i) detokenized the token to obtain the first credential, ii) determined a user identifier that is stored in association with the first credential, iii) determined that the second credential is stored in association with the user identifier, iv) generated the detokenization response message comprising the second credential, and v) provided the second credential to the server computer; obtaining, by the server computer, a cryptogram for the interaction; generating, by the server computer, a cryptogram response message comprising the second credential and the cryptogram; and providing, by the server computer, the cryptogram response message in response to the cryptogram request message.
- The method of claim 1, wherein the server computer is a network processing computer.
- The method of claim 1 or 2, wherein the user identifier is a hashed value.
- The method of any of claims 1 to 3, wherein the token is a first token, and wherein the server computer provides the cryptogram response message comprising the second credential to a service provider application on the user device.
- The method of claim 4, wherein the method further comprises: receiving, by the server computer, a token request message generated by the service provider application, the token request message comprising the second credential; obtaining, by the server computer, a second token for the second credential; and storing, by the server computer, the second token.
- The method of claim 4 or 5 further comprising: generating, by the server computer, a token response message comprising the second token; and providing, by the server computer, the token response message comprising the second token to the service provider application.
- A server computer comprising: a processor; and a computer-readable medium coupled to the processor, the computer-readable medium comprising instructions executable by the processor to cause the processor to perform the method according to any of claims 1 to 6.
- The server computer of claim 7, wherein the server computer is a network processing computer.
- The server computer of claim 7 or 8, wherein the first credential and the second credential are associated with the user.
- The server computer of any of claims 7 to 9, wherein the instructions further cause the processor to: receive an authorization request message for the interaction from the resource provider application, the authorization request message comprising at least the token; obtain the first credential associated with the token; and provide the authorization request message comprising at least the first credential to an authorizing entity computer, wherein the authorizing entity computer determines whether or not to authorize the interaction.
- The server computer of any of claims 7 to 10, wherein the interaction is an access interaction or a data transfer interaction.
- A method comprising: receiving, by a token service computer, a detokenization request message comprising a first token from a network processing computer; determining, by the token service computer, a first credential that is stored in association with the first token in a database; determining, by the token service computer, a user identifier that is stored in association with the first credential in the database; determining, by the token service computer, that a second credential is stored in association with the user identifier; generating, by the token service computer, a detokenization response message comprising the second credential; and providing, by the token service computer, the detokenization response message to the network processing computer.
- A computer readable medium comprising instructions that, when executed by a server computer, cause the server computer to perform the method of any of claims 1 to 6.
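The lookup chain recited in the first claim and in the token service method claim (token, then first credential, then user identifier, then second credential) can be modelled as follows. This is an added example, not code from the patent: the class and function names, the dictionary message shapes, the use of SHA-256 for the hashed user identifier, and the HMAC stand-in for "obtaining a cryptogram" are all assumptions.

```python
import hashlib, hmac, secrets

def hashed_user_id(identifying_info: str) -> str:
    """User identifier as a hashed value (SHA-256 is an assumption)."""
    return hashlib.sha256(identifying_info.encode()).hexdigest()

def make_cryptogram(key: bytes, interaction_id: str) -> str:
    """Assumed stand-in: the claims do not say how the cryptogram is computed."""
    return hmac.new(key, interaction_id.encode(), hashlib.sha256).hexdigest()

class TokenService:
    """Token service computer: the three stored associations from the claims."""
    def __init__(self):
        self.token_to_cred, self.cred_to_user, self.user_to_creds = {}, {}, {}

    def enroll(self, user_id: str, credential: str) -> None:
        self.cred_to_user[credential] = user_id
        self.user_to_creds.setdefault(user_id, []).append(credential)

    def tokenize(self, credential: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self.token_to_cred[token] = credential
        return token

    def detokenize(self, request: dict) -> dict:
        first = self.token_to_cred.get(request["token"])       # token -> first credential
        if first is None:
            return {"status": "unknown_token"}
        user_id = self.cred_to_user[first]                      # first credential -> user id
        others = [c for c in self.user_to_creds[user_id] if c != first]
        if not others:                                          # nothing else on file
            return {"status": "no_second_credential"}
        return {"status": "ok", "second_credential": others[0]}

def handle_cryptogram_request(service: TokenService, key: bytes, request: dict) -> dict:
    """Server computer: detokenize, obtain a cryptogram, build the response."""
    detok = service.detokenize({"token": request["token"]})
    if detok["status"] != "ok":
        return {"status": detok["status"]}  # no credential or cryptogram on failure
    return {"status": "ok", "second_credential": detok["second_credential"],
            "cryptogram": make_cryptogram(key, request["interaction_id"])}

# Constructed sample data: two users with placeholder credential strings.
SERVICE, KEY = TokenService(), secrets.token_bytes(32)
ALICE, BOB = hashed_user_id("alice@example.test"), hashed_user_id("bob@example.test")
SERVICE.enroll(ALICE, "CRED-ALICE-1")
SERVICE.enroll(ALICE, "CRED-ALICE-2")
SERVICE.enroll(BOB, "CRED-BOB-1")
ALICE_TOKEN, BOB_TOKEN = SERVICE.tokenize("CRED-ALICE-1"), SERVICE.tokenize("CRED-BOB-1")
```

The second credential is reachable only through the user identifier stored with the first credential, so a token belonging to one user never resolves to another user's credential.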
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
BACKGROUND
Currently, when a user device performs an interaction, the user device can interact utilizing a token that acts as the user's credentials. The user device can provide the token to a resource provider to proceed with an interaction. However, the user device must first generate request messages requesting the token. The user device needs to obtain the token prior to the interaction in a manual request. For example, the user of the user device may need to input their credentials directly into the user device. The user device then generates a token request using the credentials and sends the token request to a computer capable of providing tokens. The user device then needs to wait until tokens are provisioned before initiating any interactions. These steps can be time consuming for end users and can also require additional communications and the use of excess computing resources. Embodiments of the disclosure address this problem and other problems individually and collectively.
The document WO 2016/134016, 25th August 2016 (2016-08-25), describes a cloud-based token processing system for secure transactions.
SUMMARY
The invention is defined by the independent claims. Further embodiments are described by the dependent claims. Further details regarding embodiments of the disclosure can be found in the Detailed Description and the Figures.
BRIEF DESCRIPTION OF THE DRAWINGS
- FIG. 1 shows a block diagram of an interaction processing system according to embodiments.
- FIG. 2 shows a block diagram of components of a network processing computer according to embodiments.
- FIG. 3 shows a block diagram of components of a token service computer according to embodiments.
- FIG. 4 shows a flowchart of an enrollment method according to embodiments.
- FIGs. 5A-5C show a flowchart of an inner-interaction token provisioning method according to embodiments.
- FIG. 6 shows a block diagram of components of a user device according to embodiments.
DETAILED DESCRIPTION
Prior to discussing embodiments of the disclosure, some terms can be described in further detail.
A "user" may include an individual. In some embodiments, a user may be associated with one or more personal accounts and/or mobile devices. The user may also be referred to as a cardholder, account holder, or consumer in some embodiments.
A "user device" may be a device that is operated by a user. Examples of user devices may include a mobile phone, a smart phone, a card, a personal digital assistant (PDA), a laptop computer, a desktop computer, a server computer, a vehicle such as an automobile, a thin-client device, a tablet PC, etc. Additionally, user devices may be any type of wearable technology device, such as a watch, earpiece, glasses, etc. The user device may include one or more processors capable of processing user input. The user device may also include one or more input sensors for receiving user input. As is known in the art, there are a variety of input sensors capable of detecting user input, such as accelerometers, cameras, microphones, etc. The user input obtained by the input sensors may be from a variety of data input types, including, but not limited to, audio data, visual data, or biometric data. The user device may comprise any electronic device that may be operated by a user, which may also provide remote communication capabilities to a network. Examples of remote communication capabilities include using a mobile phone (wireless) network, wireless data network (e.g., 3G, 4G or similar networks), Wi-Fi, Wi-Max, or any other communication medium that may provide access to a network such as the Internet or a private network.
A "user identifier" can include any piece of data that can identify a user. A user identifier can comprise any suitable alphanumeric string of characters. In some embodiments, the user identifier may be derived from user identifying information. In some embodiments, a user identifier can include an account identifier associated with the user. For example, a user can be associated with an account, which has an account identifier, maintained by an authorizing entity computer.
An "interaction" may include a reciprocal action or influence. An interaction can include a communication, contact, or exchange between parties, devices, and/or entities. Example interactions include a transaction between two parties and a data exchange between two devices. In some embodiments, an interaction can include a user requesting access to secure data, a secure webpage, a secure location, and the like. In other embodiments, an interaction can include a payment transaction in which two devices can interact to facilitate a payment. An interaction can include a transaction interaction, a data transfer interaction, an access interaction, etc.
"Interaction data" can include data related to and/or recorded during an interaction. Interaction data can include an amount, a date, a time, a resource identifier, a resource provid