US 12,033,151 B2
Authenticating transactions using risk scores derived from detailed device information
Karl Newland, Pacifica, CA (US); Douglas Fisher, Mountain View, CA (US); and Craig O'Connell, San Mateo, CA (US)
Assigned to Visa International Service Association, San Francisco, CA (US)
Filed by VISA INTERNATIONAL SERVICE ASSOCIATION, San Francisco, CA (US)
Filed on Jun. 22, 2021, as Appl. No. 17/354,965.
Application 17/354,965 is a continuation of application No. 15/572,770, granted, now 11,074,585, previously published as PCT/US2016/031029, filed on May 5, 2016.
Claims priority of provisional application 62/159,142, filed on May 8, 2015.
Prior Publication US 2021/0319450 A1, Oct. 14, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. G06Q 20/40 (2012.01); G06Q 20/32 (2012.01); G06Q 20/38 (2012.01); H04L 9/40 (2022.01); H04L 29/06 (2006.01)
CPC G06Q 20/4016 (2013.01) [G06Q 20/326 (2020.05); G06Q 20/385 (2013.01); H04L 63/0853 (2013.01); H04L 63/0876 (2013.01); H04L 63/123 (2013.01)] 15 Claims
OG exemplary drawing
 
1. A method for secure authentication, the method comprising:
receiving, by a server computer from a portable device utilizing a processing network computer SDK and a resource provider application associated with a resource provider computer, an authentication request message for a transaction with the resource provider computer that is being initiated by the portable device utilizing the resource provider application, the resource provider application initiating the secure authentication for the transaction and invoking the processing network computer SDK prior to initiating the secure authentication, the processing network computer SDK being of the portable device and the resource provider application being of the portable device;
receiving, by the server computer, a transaction message including an identifier, user data, portable device data of the portable device, and transaction data for the transaction;
determining, by the server computer, that detailed device information of the portable device is required to authenticate the transaction;
retrieving, by the server computer from a rules database, privacy requirements for the transaction, the privacy requirements limiting the detailed device information retrievable by the server computer;
transmitting, by the server computer to the portable device, a message indicating that a remote server computer is to be accessed by the processing network computer SDK to retrieve the detailed device information, the message including the privacy requirements;
enabling, by the portable device via the processing network computer SDK, the remote server computer to access at least a portion of the detailed device information on the portable device using the identifier and based on the privacy requirements, the at least the portion of the detailed device information including operating system data for the portable device and mobile application data for the portable device;
retrieving, by the server computer from the remote server computer, the at least the portion of the detailed device information using the identifier, based on the privacy requirements;
modifying, by the server computer, the authentication request message to include the at least the portion of the detailed device information retrieved from the remote server computer;
transmitting, by the server computer, the modified authentication request message to an access control server computer, wherein upon receipt, by the access control server computer, of the modified authentication request message, the access control server computer calculates a risk score with respect to the transaction using at least the operating system data for the portable device and the mobile application data for the portable device; and
receiving, by the server computer, an authentication response message from the access control server computer prior to an authorization request message for the transaction being transmitted to an authorizing computer, the authentication response message comprising an indication relating to the risk score, wherein the indication indicates whether the transaction has been authenticated or not, wherein the method further comprises:
if the transaction has been authenticated, receiving, by the server computer, the authentication response message including a verification value for the transaction, as the indication that the transaction has been authenticated, and then transmitting, by the resource provider application, the authorization request message including the verification value to the authorizing computer to authorize the transaction,
otherwise:
if the transaction has not been authenticated, receiving, by the server computer, the authentication response message that does not include the verification value for the transaction, as the indication that the transaction has not been authenticated, generating, by the server computer, an advice message indicating reasons for rejection for the transaction and including the risk score, and transmitting, by the server computer to the resource provider application of the portable device, the advice message, wherein the resource provider computer thereafter terminates the transaction.