Background of the Invention Stored value accounts, such as telephone calling cards, gas cards, duplication service cards, vending machine cards and other instruments have become a popular technique for recording and distributing commercial value. Many stored value accounts permit the card holder to freely use the amount stored on the instrument down to zero, and then permit the user to replenish'the value on the card by any of a variety of techniques. For instance, the user may call an (800) number and provide a credit card or other account from which the value may be transferred to the empty stored value instrument.

Similarly, a consumer who uses a. stored value account to execute purchases over the Internet may enter a credit card

number or other account number to have an online card distributor place new value on their stored value account, for instance to purchase movies, records, travel or other goods or services.

However, these types of stored value recharging techniques encroach on the flexibility and privacy of the consumer. That is, while the initial purchase of the stored value card or other instrument may be anonymous, such as by purchase at a gasoline station, convenience store or other location with cash, recharging via a credit card or other authorization may not necessarily be similarly private. The recharging action therefor involves the potential exposure of sensitive credit card information to vendors or intermediaries over the Internet or otherwise.

Likewise, the recording of the recharging action on the credit card may create a permanent record of the consumer's purchase activities which the consumer may not wish to be recorded or made public. Safer, more robust technology for replenishing stored value accounts is desirable.

Summary of the Invention The invention overcoming these and other problems in the art relates to a system and method for recharging stored value accounts via a transaction server and other infrastructure, in

which the identity of the party applying the new value to the stored value account may be anonymous to the card issuer, vendors executing purchases against that value and others in the transaction chain. According to the invention, the action of placing value on a stored value account may be separated from a vendor of goods or services, the issuer of the stored value card, and even the authentication entity providing validation of the account. In one embodiment, only the consumer and a bank or other financial institution of the consumer's choice may be aware of the consumer's identity, but under no circumstances does any party other than the consumer have sufficient information to tie together the consumer's identity, transaction identification number, the actual goods or services being purchased, bank account or other information.

Rather, separate pieces of information may be kept apart in a transaction matrix'according to which no one party may discern the card holder's identity without legal permission.

Privacy is therefore enhanced, and consumers may be encouraged to more freely recharge and make use of stored value accounts.

Detailed Description of the Drawings The invention will be described with reference to the accompanying drawings, in which like elements are referenced with like numerals.

Figure 1 illustrates the principle elements according to the. invention.

Figure 2 illustrates a the principle elements of the transactions involved in distribution, purchase and recharging actions for a stored value account according to the invention.

Figure 3 illustrates a matrix indicating the availability of transaction information to parties to the recharging action of the invention.

Figure 4 illustrates an overall architecture for transaction processing according to the invention.

Figure 5 illustrates an overall architecture for transaction processing according to the invention in another regard.

Detailed Description of Preferred Embodiments As illustrated in Figures 1 and 4, in an overall electronic commerce environment in which the invention may operate, a customer or consumer operating an Internet or other client 111 communicates via communication link 401 to one or more of a group of merchants 112 to execute transactions using

a stored value account identifier 121 as the method of payment. The stored value account identifier 121 may be or include an alphanumeric reference to a database, a telephone calling card, a vending card, a gasoline card, a frequent flier or other account, card or instrument representing commercial value and in general may be anonymously recharged, in general via a separately maintained account identifier 122.

The client 111 in the environment may be or include, for instance, a personal computer running the Microsoft Windows 95, 98, Millenium, NT, or 2000, Wìndows CE, PalmOS, Unix, Linux, Solaris OS/2'r"', BEOS MacOS'm or other operating system or platform. The client 102 may also be or include a network-enabled appliance such as a WebTVT unit, radio-enabled Palm Pilot or similar unit, a set-top box, a networkable game-playing console such as Sony PlaystationT or Sega Dreamcast", a browser-equipped cellular telephone, or other TCP/IP client, a magnetic swipe-card reader connected to a network via the Internet or a modem, a point of sale terminal, or other-device.

The communications link 401 to which client 111 is connected may be, include or interface to any one or more of, for instance, the Internet, an intranet, a PAN (Personal Area Network), a LAN (Local Area Network), a WAN (Wide Area Network) or a MAN (Metropolitan Area Network), a frame relay

connection, an Advanced Intelligent Network (AIN) connection, a synchronous optical network (SONET) connection, a digital T1, T3 or E1 line, Digital Data Service (DDS) connection, DSL (Digital Subscriber Line) connection, an Ethernet connection, an ISDN (Integrated Services Digital Network) line, a dial-up port such as a V. 90, V. 34 or V. 34bis analog modem connection, a cable modem, an ATM (Asynchronous Transfer Mode) connection, or FDDI (Fiber Distributed Data Interface) or CDDI (Copper Distributed Data Interface) connections. The communications link 401 may furthermore be, include or interface to any one or more of a WAP (Wireless Application Protocol) link, a GPRS (General Packet Radio Service) link, a GSM (Global System for Mobile Communication) link, a CDMA (Code Division Multiple Access) or TDMA (Time Division Multiple Access) link such as a cellular phone channel, a GPS (Global Positioning System) link, CDPD (cellular digital packet data), a RIM (Research in Motion, Limited) duplex paging type device, a Bluetooth radio link, or an IEEE 802.11-based radio frequency link. The communications link 401 may yet further be, include or interface to any one or more of an RS-232 serial connection, an IEEE-1394 (Firewire) connection, an IrDA (infrared) port, a SCSI (Small Computer Serial Interface) connection, s. USB (Universal Serial Bus) connection or other wired or wireless,

digital or analog interface or connection. Other illustrated communications links may include the same types of resources.

The communications like 401 and other communications link described herein may employ security measures as desired, such as by public key encryption techniques, e. g. Secure Socket Layer (SSL) via the Internet, DES or other measures.

In the illustrated embodiment, including as illustrated in Figure 4, other communications resources may include communications link 410, which may connect a consumer or user to a bank or other financial institution, such as by any of the above Internet protocols or via an ATM, deposit slip, personal check, wire transfer or any other acceptable funds transfer mechanism.

The communications link 402 may connect the merchant or vendor to the network, and the communications link 403 may connect the consumer to the via a point of sale terminal such as those used for debit card transactions. The communications links 411,412 may connect participating banks to banks, a bank to a business and may be or employ virtual private networks, wire transfer or other techniques.

The communications links 433, 434, 435 may be physical ; or may be software database, logical or memory linkages in the case that all functions are integrated in certain implementations. The communications link 435 may be or

interface to the common channel signaling number 7 (CCS#7) protocol. The communications links 441, 442 may involve non- electronic transfer of physical goods (e. g. plastic or paper cards), or may involve electronic transfer of information.

The vendor or vendors 112 communicate with the network account manager 110 sub-element transaction server 421 via communication link 402, to prepare transaction information for recording and collection. The transaction server 421 may be or include, for instance, a workstation running the Microsoft WindowsT NTTM, WindowsrM 2000, Unix, Linux, Xenix, IBM AIX, Hewlett-Packard UX, Novell NetwaretM, Sun Microsystems Solaris>, OS/2, E3eOS'rm, Mach, Apache, OpenStepT or other operating system or platform. The transaction server 421 is in turn connected and acts as a front end resource to the stored value account database 120 via communications link 431.

The stored value account 120 in turn may consist of a network of database functions, shown separately as three discrete elements, namely the recharge database network 422 (indexed by Recharge ID 122), the stored value account database network 423 which provides an association between recharge ID 122 and transaction ID 121, and the transaction authentication database network 424, (indexed by transaction ID 121).

The stored value account database network 424 may be or include a Nortel Networks DMS'M 100,200,300 or other series hardware dedicated to switching and processing telecommunications resources, and may furthermore be or include, for instance, a workstation running the Microsoft Windows NTtM, WindowstM 2000, Unix, Linux, Xenix, IBM AIX, Hewlett-Packard UX, Novell Netware Sun Microsystems SolarisTM, OS/2T'", BeOST", Mach, Apache, OpenStep or other operating. system or platform. The network interface 422 itself communicates via communications link 432 with network database 120 for purposes of transaction validation.

The transaction authentication database network 424 may be, include or interface to a line information data base (LIDB)-type resource operating under the SS7 signaling standard and accessible in the public telecommunications network, as understood by persons skilled in the art, for purposes of authentication, authorization or other transaction functions against a stored value calling card, vending card or other value account identifier 121. Transaction authentication database network 424 may likewise be, include or interface to resources such as the ATT Corp. Billing Validation Application (BVA) or the U. S. West Business Validation Service (BVS), or others. The authentication database 110 may further be, include or interface'to, for

example, the Oracle relational database sold commercially by Oracle Corp. Other databases, such as Informix>, DB2 (Database 2) or other data storage or query formats or platforms such as OLAP (On Line Analytical Processing), SQL (Standard Query Language), Microsoft Access or others may also be used, incorporated or accessed in the invention.

The recharge database network 422 may be or include similar resources as the transaction authentication database network 424, configured to manage the bank or other financial accounts, or a database of such accounts, maintained by or on behalf of the network account manager 110 for replenishment of the stored value accounts.

In general, according to the invention the stored value account 123 to be offered in payment for transactions with the merchants 112 using transaction identifier 121 may be rechargeable by transferring value from another account or resource using recharge identifier 122. Transaction identifier 121 may be or include multi-part keys, consisting of a public identifier such as an account number and a secret private identifier such as a PIN, or otherwise according to a variety of available schemes for authenticating the usage of an ID over an insecure public infrastructure.

The recharge identifier 122 may bear no relationship to the transaction identifier 121, or it may consist in whole or

in part of the transaction identifier or a subset or permutation thereof. Furthermore, recharge identifier 122 may identify a bank account number, a checking account number, a credit card number, customer account number, a direct deposit number, an automatic bill pay number or other identifier which can be readily processed as a deposit identifier by the financial industry.

In terms of the action of obtaining the instrument, as illustrated in Figure 2, in action 211 the network account manager 110 creates an individual account 123a consisting of a unique transaction identifier 121a associated with a unique recharge identifier 122a. The network account manager 110 may optionally associate a non-zero account balance with the initially created account, as is often done with prepaid telephone cards for example.

The network account manager 110 may distribute accounts to consumers 111 directly, or may optionally engage the services of a distributor 114. Assuming the general aspect where a distributor is engaged, the network account manager 110 provides the account information to the distributor 114 in transaction 202 according to any number of mechanisms such as are currently used for the distribution of prepaid telephone cards. A customer llla may obtain the account from the distributor 114 in transaction 203, without providing an

opportunity to have their identity associated with the transaction ID 121a or the recharge identifier 122a. There are a variety of methods for achieving this security. For example, the consumer might obtain a card containing the information from a vending machine, or they might purchase a card from a retail store, which card has secret information concealed from the vendor. Or, the consumer might obtain the information via an Internet, telephone dial-up or other communication connection, or via mass market distribution such as in cereal boxes, with CD's or as magazine inserts.

Optionally, as shown in transaction 204, the consumer llla may be required or given the capability to activate the instrument, or charge up the instrument for the first time, and/or change any or all of the ID information.

It may be noted that the activities provide a mechanism where a consumer llla may obtain a stored value account 123a identified to them as consisting of a transaction ID 121a and a recharge identifier 122a such that they do not reveal their identity to the network account manager 110. Further, these activities also provide that the distributor is unable to associate the consumer's identity Illa with the transaction ID 121a or the recharge identifier 122a, even if the distributor knows the identity of the consumer (solved by concealing the Ids from the distributor), or if the distributor knows the Ids

(solved by the consumer acquiring the account without revealing their identity), or both (solved by allowing the consumer to change the IDs).

In terms of the purchasing action, as shown in Figure 2, an individual consumer llla may engage with an individual merchant 112a to initiate a purchase request in communication 211. At least two embodiments of this communication are possible. In a first embodiment, the consumer discloses transaction ID 121a to the merchant in communication 211, such as is the case with credit card purchases today. The merchant subsequently initiates communication 212a with the network account manager 110, which queries the authentication elements of network database 120 and authenticates the transaction ID 121a, provides validation that account 123a can make good on the purchase price, confirms authentication to the merchant in communication 212c, posts a debit to the account maintained in network database 120 in action 213 and remits payment to the merchant in communication 215, which payment may occur immediately or substantially later.

Having received confirmation in communication 212c, the merchant 112a provides the goods to consumer llla in communication 214. This embodiment may pose a potential security issue in that the merchant may fraudulently use or distribute the transaction ID 123a. In a preferred

embodiment, the consumer llla does not disclose the transaction ID to the merchant in communication 211. Instead, the in communication 212a the merchant 112a redirects an authorization request including the amount of purchase to the network account manager 110, who then engages communication 212b with the consumer llla directly. Consumer llla provides transaction information 121a only to the network account manager, who subsequently informs the merchant 112a of successful authorization via communication 212c. The remaining actions and communications 213 through 215 remain the same as in the first embodiment. Hybrid embodiments similar to today's debit cards are also possible, where the merchant or vendor is presented with a portion of the transaction ID 121a (the debit card number), and the consumer provides the rest of the transaction ID 121a (the PIN) to the network account manager 110 in order to complete the authorization.

In the course of providing the goods or services provided, merchant 112a may interact or communicate with other merchants, suppliers or distributors, and may subsequently remit to them a portion of the payment received from the consumer via the network account manager, which communications are not shown for clarity.

In this purchase activity, it may be noted that consumer's identity llla is not required to be revealed to either the merchant 112a nor the network account manager 110, and that at most the merchant may learn of the consumer's transaction ID 121a, or a portion thereof. Furthermore, the network account manager 110 is not necessarily made aware of the goods or services provided by the merchant 112a to the consumer llla.

In terms of the recharging action, as illustrated in Figure 2, the financial institution 113a may by prearrangement maintain checking, credit, deposit or other accounts on behalf of the consumer 113a, from which the consumer may recharge their stored value account 123. In communication 221, the consumer llla authenticates themselves to the satisfaction of the financial institution.

In communication 222 the consumer llla may transmit a signal to or otherwise request financial institution 113a to debit their bank or other account in order to apply new value to the stored value account 122 maintained by or for the network account manager 110. If financial institution 113a determines that the amount presented for debit is valid, financial institution 113a may issue a communication 224 to the network account manager or its representative with an instruction to credit the consumer's authentication account

122 by that same amount. The network account manager thus receives communication 224 to increase the consumer's authentication account 130, without any necessary indication of the identity of the consumer.

Indeed, it is not necessary that the consumer recharging the account 120 through the recharge identifier 122 be the user of transaction account 121. It may be noted that for the recharge operation neither the optional distributor 114, nor the merchant 112 receives any information concerning recharge identifier 122. Furthermore, the financial institution does not receive any information concerning the transaction identifier 121.

While the network account manager must receive both identifiers 121 and 122,'and jointly associates them with account 123, nothing in the recharge operation provides the network account manager with the identity of consumer llla.

As illustrated in Figure 3, the interposition of a transaction server 421 for transaction purposes with the network interface entity 422 and network database cooperating as the network account manager 110, along with financial institutions 113 and other elements results in increased security and privacy to the consumer performing the recharging action on their stored value account 123. As shown in the

transaction matrix of Figure 3, only the consumer llla is in possession of all categories of information involved in the use and recharging of the stored value account 120, including the consumer's identity, any transaction ID (such as sales receipt number, purchase order number or other), the identity of the goods or services purchased, the bank deposit identification, and the bank account identification or other information surrounding the replenishment of stored value or the purchase of goods or services using that value.

Thus, the distributor 114, as shown in that matrix, may not be aware of any of those categories of information (except perhaps the identity of their consumers, but not what they purchase or details of their financial situation). Similarly, the network account manager 110 is only necessarily aware of the transaction ID and the recharge ID.

The merchants are only aware of the goods and services they have provided, and possibly some or all of the transaction ID (except in a preferred embodiment where they do not possess this information). Financial institutions 113 such as a bank or credit card issuer may only be aware of the consumer's identity along with the internal banking information such as bank deposit ID and bank account ID.

The network account manager 110 learns the transaction ID associated with the purchase or other transaction, along with

the bank deposit ID, in order to properly credit the stored value account 123 by way of debit from the financial institution to show account. However network database 120 is not made aware goods or services purchased since this information is masked by the transaction server 421 and is not necessary in the communication between transaction server 421 and network interface 422.

At the same time, according to the invention the combination of two or more sources of information among the stored value account issuer 204, financial institution 206, vendor 208 and authentication entity 210 may provide sufficient linkage to derive the identity of the consumer, the identity of the goods or services purchased or other information when legally necessary and appropriate, such as by means of a valid subpoena or other inquiry for investigative purposes.

However, during ordinary circumstances there is no mechanism for any party other than the consumers 111 to be aware of-the entire recharging and transaction activities, so that their overall privacy and security is enhanced.

Moreover, the commercial convenience of vendors 112 is increased, since the validation of the transaction against an authenticated stored value account 123 creates a more cash- like basis for online or other commerce.

A further aspect of the invention is that the stored value account 123 is preferably instantiated as a network database 120, which may consist of two or more distinct databases (or networks of databases). This network database performs at least three functions: firstly, authentication of a transaction ID 121; secondly, maintaining the balance of funds on account, identified by recharge ID 122, and thirdly reconciling between these two functions. For example, the first function may be performed using an authentication database maintained in one part of the network database (such as a telephone calling card account) indexed by the transaction ID 121, which could be a calling card number and PIN.

The second function could represent a set of bank accounts or credit card numbers, maintained in another part of the network database, possibly by a financial institution, indexed by the recharge ID. The third function might be a relational database associating the transaction ID bi- directionally with a customer number not necessarily related to the identity of the customer, and the recharge ID with the corresponding customer number, also bi-directionally. These parts of the network database may be owned and operated by different cooperating parties-for example, by financial institutions providing deposit facilities and by telephone

companies providing authentication and billing facilities, and by service bureaus providing the linkage. Such an implementation provides that an efficient network of both credit and debit facilities may be constructed using existing networks of authentication and billing systems (such as the telephone billing system) without modification.

In another regard, a network account manager may wish to permit the value of the stored value of the account to a given consumer to decrease below zero value (or possibly to a limit) in affect creating a temporary credit account, depending on terms of the account and the nature of consumer 202.

While execution of a transaction according to the invention thus requires the intervention of more parties then with conventional card recharging, privacy is significantly increased while still permitting reconstruction of given transactions for valid purposes.

An overall architecture according to the invention in another regard is illustrated in Figure 5, in which the interconnection of a transaction server 206, a telephony engine 208 such as the Nortel Networks DMSr platform for interface to the telecommunications network for authentication and billing and other services, the vendor transaction site or sites such as Web pages or other portals, the client and other aspects are shown.

In general, according to the overall architecture in which the invention in one embodiment may operate, consumers may initiate and execute transactions over a dial-up, broadband or other Internet or other network connections, which transactions may be monitored and mediated via transaction server 206, a telephony engine 208 or other network interface along with attendant database, communications and other resources. The messaging traffic between the consumer and the vendor, and between the vendor and the authentication resources, again may be of a partial, anonymous and/or secure nature.

This is at least in part because the invention does not demand the transmission of complete identity or account information, whether in the clear, encrypted or otherwise, at any one stage of the transaction process. Rather, a subset of selected attributes, fields or keywords may be queried between the consumer and the commercial vendor for the separate transmission to the party, company or other organization operating-the transaction server 206, telephony engine 208 or other network interface, or authentication database 210, and only the party providing the authentication function necessarily records more complete information in order to carry out that task. As shown in that figure and described above, billing against the consumer's account, telephone bill

or otherwise may be triggered by a validated authentication sequence whose details may never be communicated to the vendor. The vendor may consequently receive payment directly or indirectly from banks or other financial intermediaries separately after that process, with whom the consumer separately reconciles. Transaction privacy and flexibility for consumers are therefore enhanced.

The foregoing description of the system and method of the invention is illustrative, and variations in configuration and implementation will occur to persons skilled in the art.

For instance, while the recharging cycle has generally been described as taking place between entities including a financial institution 113, a Web or other vendor 112 and an network account manager 110, different of these functions may be divided amongst other entities and resources, or likewise combined in certain implementations. For example, the functions of the network account manager could be performed by a service bureau, a telephone company (authentication & transaction billing), and a bank (payment & recharge).

Likewise, while the stored value account has been described in terms of discrete parts (transaction ID, recharge ID) in terms of separate accounts, the stored value account 123, transaction ID 121 and recharge ID 123 could either be a

subset, a superset or co-extensive set with each other, or represent multiple accounts.

Similarly, while the invention has generally been described with respect to the stored value card initially coded with some amount of value, the invention may also be applied to stored value accounts whose initial balance is zero, or which is allowed to remain below zero for a period of time and periodically recharged, not necessarily to a positive balance. While the invention has generally been described as recharge of the stored value account being initiated by actions of the consumer, it is possible that the consumer may be prompted to recharge the account by presentment of a bill for any negative value. Although the invention has been described as though the value is a financial currency, it generally applies for other value systems such as loyalty points and so on, and the term"financial institution"is intended to generally represent providers or holders of value whether currency or otherwise. Translation. between different types of'value may also be possible. The scope of the invention is accordingly intended to be limited only by the following claims.