Search

US-12619977-B2 - Systems and methods for using a cryptogram lockbox

US12619977B2US 12619977 B2US12619977 B2US 12619977B2US-12619977-B2

Abstract

Systems and methods for using a cryptogram lockbox are disclosed. In one embodiment, in a merchant-specific cryptogram lockbox comprising at least one computer processor, a method for generating a cryptogram locally using a cryptogram lockbox may include: (1) receiving, from merchant backend, a request for a cryptogram comprising an account identifier received from a customer in a transaction; (2) generating a cryptogram for the account identifier using a limited use key for the account identifier; and (3) returning the cryptogram to the merchant backend. The merchant may conduct the transaction using the cryptogram.

Inventors

  • Howard Spector
  • Mervin Majella FELIX
  • Ajith CHANDRAN KARUVATHIL
  • Arun NEELAN
  • Rajeeva Chandra NAGARAKANTI
  • Venkata KUNAM
  • Eric L. Connolly
  • David Christopher Carey
  • Gayathri SUNDAR
  • Raghuram Vudathu
  • Ankur KULSHRESHTHA
  • Ishank PAHARIA
  • Pavan MUMMAREDDI
  • Benjamin Brandt

Assignees

  • JPMORGAN CHASE BANK, N.A.

Dates

Publication Date
20260505
Application Date
20240422

Claims (14)

  1. 1 . A method for activating a merchant-specific cryptogram lockbox, comprising: receiving, by a merchant backend for a merchant in a physical merchant datacenter and from a financial institution backend and using a merchant general gateway, a startup code comprising a unique value that authorizes use of a merchant-specific cryptogram lockbox by the merchant, the merchant backend in communication with a plurality of merchant point of sale devices and wherein the merchant-specific cryptogram lockbox generates cryptograms for the plurality of merchant point of sale devices; communicating, by the merchant backend, the startup code to the merchant-specific cryptogram lockbox; calling, by the merchant-specific cryptogram lockbox in the physical merchant datacenter and using a merchant outbound gateway, the financial institution backend with the startup code and cryptogram lockbox metadata for the merchant-specific cryptogram lockbox; establishing, by the merchant-specific cryptogram lockbox, a secure communication channel with the financial institution backend, wherein the secure communication channel uses IP whitelisting; receiving, by the merchant-specific cryptogram lockbox, limited use keys from the financial institution backend over the secure communication channel; receiving, by the merchant-specific cryptogram lockbox and from one of the plurality of merchant point of sale devices, a call comprising a request for a cryptogram and a payment token for an account in a transaction; generating, by the merchant-specific cryptogram lockbox, the cryptogram for the payment token using the limited use keys; returning, by the merchant-specific cryptogram lockbox, the cryptogram to the merchant backend; and conducting, by the merchant backend, the transaction with the cryptogram and the payment token.
  2. 2 . The method of claim 1 , wherein the startup code is provided out-of-band.
  3. 3 . The method of claim 1 , wherein the merchant-specific cryptogram lockbox is implemented in hardware and comprises a secure cryptogram processing engine.
  4. 4 . The method of claim 1 , wherein the merchant-specific cryptogram lockbox is implemented in software.
  5. 5 . The method of claim 1 , wherein the cryptogram lockbox metadata comprises at least one of a merchant-specific cryptogram lockbox identifier, a merchant-specific cryptogram lockbox location, and a merchant identifier.
  6. 6 . A system, comprising: a plurality of merchant point of sale devices; a merchant datacenter comprising: a merchant-specific cryptogram lockbox executing a lockbox computer program, wherein the merchant-specific cryptogram lockbox generates cryptograms for a plurality of merchant point of sale devices; a merchant backend in communication with a plurality of merchant point of sale devices; a merchant general gateway; and a merchant outbound gateway; and a financial institution backend; wherein: the financial institution backend provides a startup code comprising a unique value that authorizes use of the merchant-specific cryptogram lockbox by a merchant to the merchant backend using the merchant general gateway; the merchant backend communicates the startup code to the merchant-specific cryptogram lockbox; the lockbox computer program calls the financial institution backend with the startup code and cryptogram lockbox metadata for the merchant-specific cryptogram lockbox using the merchant outbound gateway; the lockbox computer program establishes a secure communication channel with the financial institution backend, wherein the secure communication channel uses IP whitelisting; the merchant-specific cryptogram lockbox receives limited use keys from the financial institution backend over the secure communication channel; the merchant-specific cryptogram lockbox receives a call comprising a request for a cryptogram and a payment token for an account in a transaction from one of the plurality of merchant point of sale devices; the merchant-specific cryptogram lockbox generates the cryptogram for the payment token using the limited use keys; the merchant-specific cryptogram lockbox returns the cryptogram to a merchant backend; and the merchant backend conducts the transaction with the cryptogram and the payment token.
  7. 7 . The system of claim 6 , wherein the startup code is provided out-of-band.
  8. 8 . The system of claim 6 , wherein the merchant-specific cryptogram lockbox is implemented in hardware and comprises a secure cryptogram processing engine.
  9. 9 . The system of claim 6 , wherein the merchant-specific cryptogram lockbox is implemented in software.
  10. 10 . The system of claim 6 , wherein the cryptogram lockbox metadata comprises at least one of a merchant-specific cryptogram lockbox identifier, a merchant-specific cryptogram lockbox location, and a merchant identifier.
  11. 11 . A non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform steps comprising: receiving a startup code comprising a unique value that authorizes use of a merchant-specific cryptogram lockbox by a merchant from a financial institution backend via a merchant general gateway, wherein the merchant-specific cryptogram lockbox generates cryptograms for a plurality of merchant point of sale devices; calling the financial institution backend with the startup code and cryptogram lockbox metadata for the merchant-specific cryptogram lockbox using a merchant outbound gateway; establishing a secure communication channel with the financial institution backend, wherein the secure communication channel uses IP whitelisting; receiving, by the merchant-specific cryptogram lockbox, limited use keys from the financial institution backend over the secure communication channel; receiving, from one of a plurality of merchant point of sale devices, a call comprising a request for a cryptogram and a payment token for an account in a transaction; generating the cryptogram for the payment token using the limited use keys; and conducting the transaction with the cryptogram and the payment token.
  12. 12 . The non-transitory computer readable storage medium of claim 11 , wherein the startup code is provided out-of-band.
  13. 13 . The non-transitory computer readable storage medium of claim 11 , wherein the merchant-specific cryptogram lockbox is implemented in hardware and comprises a secure cryptogram processing engine.
  14. 14 . The non-transitory computer readable storage medium of claim 11 , wherein the cryptogram lockbox metadata comprises at least one of a merchant-specific cryptogram lockbox identifier, a merchant-specific cryptogram lockbox location, and a merchant identifier.

Description

RELATED APPLICATIONS This application is a Continuation of U.S. patent application Ser. No. 16/432,623, now U.S. Pat. No. 12,008,548, filed Jun. 5, 2019, which claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 62/680,674, filed Jun. 5, 2018, the disclosure of each which is hereby incorporated by reference in its entirety. BACKGROUND OF THE INVENTION 1. Field of the Invention The present disclosure generally relates to systems and methods for using a cryptogram lockbox. 2. Description of the Related Art Cryptograms are used in the authorization of credit card-based transactions. A cryptogram is a one-time code that is unique to a transaction. It is required to submit an authorization request to an issuer. Cryptograms are associated with a financial instrument, and are generated from a key. In general, to authorize a transaction, a merchant backend requests a cryptogram from a cryptogram issuer via the issuer backend, and, after receiving the cryptogram, sends the transaction authorization request with the cryptogram to the merchant's acquirer. The issuer then receives the cryptogram to authenticate the card and authorize the transaction. SUMMARY OF THE INVENTION Systems and methods for using a cryptogram lockbox are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor, a method for activating a cryptogram lockbox may include: (1) providing a merchant-specific cryptogram lockbox to merchant, wherein the cryptogram lockbox generates a cryptogram for a transaction locally; (2) providing the merchant with a startup code; (3) receiving an activation call from the cryptogram lockbox, herein the activation call comprises the startup code; (4) receiving lockbox metadata from the cryptogram lockbox; (5) providing the cryptogram lockbox with an API secret for API calls; and (6) establishing a secure communication channel with the cryptogram lockbox. In one embodiment, the startup code may be provided out-of-band. In one embodiment, communication keys may encrypt communications between the cryptogram lockbox information processing apparatus. In one embodiment, the communications keys may be rotated. In one embodiment, the cryptogram lockbox may implemented in hardware and/or software. In one embodiment, the lockbox metadata may include a lockbox identifier, a lockbox location, and a merchant identifier. According to another embodiment, in an information processing apparatus comprising at least one computer processor, a method for provisioning a cryptogram lockbox may include: (1) receiving a token reference identifier for an account from a merchant backend; (2) requesting a token associated with the account and at least one limited use key from an issuing financial institution; (3) receiving, from the issuing financial institution, the token, a token expiration date, and at least one limited use key; and (4) storing the token number, the expiration date, and the at least one limited use key. In one embodiment, the method may further include refreshing the at least one limited use key. In one embodiment, the limited use key may be refreshed based on at least one of a number of transactions, a dollar amount of transactions, and a time in use for the limited use key. In one embodiment, the issuing financial institution may specify when the at least one limited use key is updated. In one embodiment, the method may further include informing the issuing financial institution that the at least one limited use key was refreshed. According to another embodiment, in a merchant-specific cryptogram lockbox comprising at least one computer processor, a method for generating a cryptogram locally using a cryptogram lockbox may include: (1) receiving, from merchant backend, a request for a cryptogram comprising an account identifier received from a customer in a transaction; (2) generating a cryptogram for the account identifier using a limited use key for the account identifier; and (3) returning the cryptogram to the merchant backend. The merchant may conduct the transaction using the cryptogram. In one embodiment, the cryptogram lockbox may be implemented in hardware and/or software. In one embodiment, the limited use key that is used to generate the cryptogram may be selected from a plurality of limited use keys stored by the cryptogram lockbox. In one embodiment, the account identifier may include a token reference identifier. In one embodiment, the method may further include sending a ping to the issuing financial institution; and initiating a self-destruction routine in response to an unsuccessful ping. In one embodiment, the method may further include sending a ping to the issuing financial institution; and receiving a limited key refresh from the issuing financial institution. BRIEF DESCRIPTION OF THE DRAWINGS For a more complete understanding of the present invention, the objects and advantages thereof, reference is now made to the fo