Total found: 145. Displayed: 145.
Publication date: 11-07-2012

Methods and apparatus for delivering electronic identification components over a wireless network

Number: CN102572805A
Assignee:

The present invention relates to methods and apparatus for delivering electronic identification components over a wireless network. Methods and apparatus enabling programming of electronic identification information of a wireless apparatus are disclosed. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 21-05-2015

GENERATING TRANSACTION IDENTIFIERS

Number: US20150142665A1
Assignee:

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the determined unique transaction identifier to the computed unique transaction identifier.

1. A portable electronic device, comprising: an antenna; an interface circuit, coupled to the antenna, configured to wirelessly communicate with another electronic device; and a secure element, coupled to the interface circuit, configured to: conduct a financial transaction with the other electronic device; and determine, after the portable electronic device communicates financial-account information to the other electronic device, a unique transaction identifier for the financial transaction based on the financial-account information.

2. The portable electronic device of claim 1, wherein the secure element includes a payment applet associated with the financial-account information; and wherein, during the financial transaction, the payment applet is configured to execute in an environment of the secure element, and is configured to conduct the financial transaction and to determine the unique ...

Publication date: 31-05-2022

Payment milestones for improved financial health

Number: US0011348092B2
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that takes into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health—at least as it pertains to a credit account for which the statement was issued.

Publication date: 14-02-2023

Disabling mobile payments for lost electronic devices

Number: US0011580518B2
Assignee: Apple Inc.

If a user loses an electronic device that has the capability to conduct financial transactions, the user may report that the electronic device is lost using a lost-device software application to a management electronic device associated with a provider of the electronic device. In response to receiving this information, a disabling command is sent to a payment network associated with the financial account of the user to temporarily disable use of the electronic device to conduct the financial transactions. In particular, the electronic device may include a secure element that stores a payment applet for a financial account, and the disabling command may disable a mapping from a virtual identifier for the financial account to a financial primary account number. Subsequently, if the user finds the electronic device, the user may re-enable the capability (and, thus, the mapping) by providing authentication information to the electronic device.

Publication date: 04-02-2020

Pre-personalization of eSIMs to support large-scale eSIM delivery

Number: US0010554487B2
Assignee: Apple Inc.

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Publication date: 11-10-2012

APPARATUS AND METHODS FOR DISTRIBUTING AND STORING ELECTRONIC ACCESS CLIENTS

Number: US20120260086A1
Assignee:

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent bottlenecking congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described for, among other activities, archiving and backup.

Publication date: 03-09-2019

Methods and apparatus for user authentication and human intent verification in mobile devices

Number: US0010405181B2
Assignee: Apple Inc.

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations is performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions ...

Publication date: 26-09-2023

Payment milestones for improved financial health

Number: US0011769141B2
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that takes into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health—at least as it pertains to a credit account for which the statement was issued.

Publication date: 17-03-2015

Management systems for multiple access control entities

Number: US0008983432B2
Assignee:

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 20-09-2016

Apparatus and methods for controlling distribution of electronic access clients

Number: US0009450759B2

Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.

Publication date: 03-05-2012

ACCESS DATA PROVISIONING APPARATUS AND METHODS

Number: US20120108295A1
Assignee:

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

Publication date: 28-11-2017

Update of a trusted name list

Number: US0009831903B1
Assignee: Apple Inc.

Methods, devices, and servers for as-needed update of a trusted list are provided herein. An electronic subscriber identity module (eSIM) server receives a request for an eSIM of a particular type from a wireless device. The eSIM server evaluates the particular type and requests an eSIM of the particular type from a second eSIM server, which is not initially trusted by a secure element (SE) of the wireless device. The eSIM server sends a policy update to the wireless device. The wireless device passes the policy update to the SE, for example, a universal integrated circuit card (UICC). The UICC updates the trusted list with an identity of the second eSIM server. When the wireless device downloads a bound profile package (BPP) containing an eSIM from the second eSIM server, the UICC validates the BPP based on the updated trusted list. The eSIM is then installed on the UICC.

Publication date: 28-05-2015

PROVISIONING OF CREDENTIALS ON AN ELECTRONIC DEVICE USING PASSWORDS COMMUNICATED OVER VERIFIED CHANNELS

Number: US20150149336A1
Assignee:

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, detect a selection of a particular commerce credential, access communication mechanism data indicative of at least one communication mechanism of the device, where the at least one mechanism is configured to receive a communication on the device, transmit information to the financial subsystem, where the information includes the mechanism data and the selection of the particular commerce credential, and instruct the financial subsystem to provision the particular commerce credential in a disabled state on the device and communicate credential enablement data to the device using a particular communication mechanism of the at least one communication mechanism indicated by the communication mechanism data.

1. A secure platform system in communication with an electronic device and a financial institution subsystem, the secure platform system comprising: a processor component; a memory component; and detect a selection of a particular commerce credential; access communication mechanism data indicative of at least one communication mechanism of the electronic device, wherein the at least one communication mechanism is configured to receive a communication on the electronic device; transmit information to the financial institution subsystem, wherein the information comprises the communication mechanism data and the selection of the particular commerce credential; and provision the particular commerce credential in a disabled state on the electronic device; and communicate credential enablement data to the electronic device using a particular communication mechanism of the at least one communication mechanism indicated by the communication mechanism data ...

Publication date: 03-05-2012

METHODS AND APPARATUS FOR DELIVERING ELECTRONIC IDENTIFICATION COMPONENTS OVER A WIRELESS NETWORK

Number: US20120108207A1
Assignee:

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

1. A method of receiving an access control client over a network, the method comprising: establishing an authorized data session having a first set of access rights, the first set of access rights enabling access to one or more packages associated with an access control client; downloading the one or more packages associated with the access control client, the access control client having a second set of access rights; assembling the access control client based at least in part on the downloaded one or more packages; and establishing a subscriber session with the assembled access control client.

2. The method of claim 1, wherein the authorized data session comprises a mutual verification between the network and a recipient device.

3. The method of claim 2, wherein the mutual verification comprises a cryptographic key protocol.

4. The method of claim 3, wherein the cryptographic key protocol is based on one or more asymmetric Rivest Shamir and Adleman (RSA) public and private keys.

5. The method of claim 1, wherein the second set of access rights enables one or more customer services.

6. The method of claim 5, wherein the network comprises a wireless network, and the one or more customer services comprises placing or receiving a voice call.

7. The method of claim 5, wherein ...

Publication date: 23-07-2019

Management of credentials on an electronic device using an online resource

Number: US0010362010B2
Assignee: Apple Inc.

Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

Publication date: 27-12-2012

ELECTRONIC ACCESS CLIENT DISTRIBUTION APPARATUS AND METHODS

Number: US20120331292A1
Assignee:

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.). The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy ...

Publication date: 09-07-2015

DISABLING MOBILE PAYMENTS FOR LOST ELECTRONIC DEVICES

Number: US20150193764A1
Assignee:

If a user loses an electronic device that has the capability to conduct financial transactions, the user may report that the electronic device is lost using a lost-device software application to a management electronic device associated with a provider of the electronic device. In response to receiving this information, a disabling command is sent to a payment network associated with the financial account of the user to temporarily disable use of the electronic device to conduct the financial transactions. In particular, the electronic device may include a secure element that stores a payment applet for a financial account, and the disabling command may disable a mapping from a virtual identifier for the financial account to a financial primary account number. Subsequently, if the user finds the electronic device, the user may re-enable the capability (and, thus, the mapping) by providing authentication information to the electronic device.

1. An electronic device, comprising: an antenna; an interface circuit, coupled to the antenna, configured to communicate with a management electronic device; a processor coupled to the secure element; and memory, coupled to the processor, which stores a program module configured to be executed by the processor, the program module including: instructions for receiving, from a user of the electronic device, authentication information; instructions for determining that a capability to conduct financial transactions via the electronic device is disabled; and instructions for providing, to the management electronic device, a re-enabling command to re-enable use of the electronic device to conduct financial transactions based on the authentication information.

2. The electronic device of claim 1, wherein the authentication information includes one of: a personal identification number; a passcode for unlocking at least some functionality of the electronic device; and a biometric identifier of the user.

3. The electronic device of ...

Publication date: 03-12-2015

MANAGEMENT OF CREDENTIALS ON AN ELECTRONIC DEVICE USING AN ONLINE RESOURCE

Number: US20150350177A1
Assignee:

Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

1. A method comprising: at an electronic device: receiving account data via an online resource; accessing commerce credential status data from a secure element of the electronic device; providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data; in response to the providing, receiving a selection of an initial credential management option via the online resource; and changing the status of a credential on the secure element based on the received selection.

2. The method of claim 1, further comprising, prior to the receiving the account data, authenticating a user of the electronic device with the online resource.

3. The method of claim 1, further comprising, prior to the receiving the account data, at the electronic device: receiving user authentication data; and transmitting the received user authentication data to a remote subsystem associated with the online resource, wherein the received account data is received from the remote subsystem based on the transmitted user authentication data.

4. The method of claim 3, wherein the online resource ...

Publication date: 12-02-2019

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US0010206106B2
Assignee: Apple Inc.

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 02-02-2021

Access data provisioning apparatus and methods

Number: US0010911944B2
Assignee: Apple Inc.

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

Publication date: 21-05-2015

GENERATING TRANSACTION IDENTIFIERS

Number: US20150142671A1
Assignee:

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the determined unique transaction identifier to the computed unique transaction identifier.

1. A portable electronic device, comprising: an antenna; an interface circuit, coupled to the antenna, configured to wirelessly communicate with another electronic device; and a secure element, coupled to the interface circuit, configured to: conduct a financial transaction with the other electronic device; and determine, after the portable electronic device communicates financial-account information to the other electronic device, a unique transaction identifier for the financial transaction based on the financial-account information, wherein the unique transaction identifier is capable of being independently computed by one or more other entities associated with the financial transaction based on the financial-account information communicated by the portable electronic device.

2. The portable electronic device of claim 1, wherein the unique transaction identifier corresponds to a secure hash ...

Publication date: 26-04-2016

Virtual access module distribution apparatus and methods

Number: US0009326322B2
Assignee: Apple Inc.

Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

Publication date: 16-01-2014

METHOD TO SEND PAYMENT DATA THROUGH VARIOUS AIR INTERFACES WITHOUT COMPROMISING USER DATA

Number: US20140019367A1
Assignee: Apple Inc.

A commercial transaction method is disclosed. The method first establishes a secure link over a first air interface by a purchasing device. This secure link is between the purchasing device and a point of sale device. The method further identifies a second air interface, which is different from the first air interface, and the second air interface is used to conduct a secure commercial transaction.

1. A method of performing a commercial transaction, comprising: establishing a first secure link over a first air interface by a purchasing device, the first secure link between the purchasing device and a point of sale device; identifying a second air interface different from the first air interface; establishing a second secure link over the second air interface, the second secure link between the purchasing device and a backend server; and conducting, using the second secure link, a secure commercial transaction between the purchasing device and the backend server using payment data secured by a shared secret known to a secure element in the purchasing device and to the backend server.

2. The method of claim 1, wherein the payment data comprises an alias associated with a payment account, and establishing the second secure link comprises: encrypting the payment data by the secure element at the purchasing device using the shared secret as an encryption key.

3. The method of claim 2, wherein establishing the second secure link comprises: decrypting, at the backend server, the payment data using the shared secret; and verifying, at the backend server, the payment data, wherein verifying includes comparing the payment data to independently known payment data stored at the backend server.

4. The method of claim 3, wherein comparing the payment data to independently known payment data comprises: retrieving an alias from the decrypted received payment data; identifying a credit card account associated with the alias; determining if the alias is associated with the credit card ...

Publication date: 11-10-2012

APPARATUS AND METHODS FOR CONTROLLING DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

Number: US20120260095A1
Assignee:

Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.

1. A wireless apparatus, comprising: a wireless interface; one or more processors; and a secure element comprising a secure processor and secure storage in data communication with the secure processor, the secure storage comprising computer-executable instructions that are configured to, when executed by the secure processor: receive an activation ticket, the activation ticket comprising one or more unbreak records associated with the one or more processors; verify the received activation ticket; and upon successful verification, enable at least one processor of the one or more processors based at least in part on the one or more unbreak records.

2. The wireless apparatus of claim 1, wherein the one or more processors comprise an application processor and one or more baseband processors.

3. The wireless apparatus of claim 2, wherein the verification of the received activation ticket comprises checking the one or more unbreak records for records associated with the application processor and the one or more baseband processors.

4. The wireless apparatus of claim 1, wherein the verification of the received activation ticket comprises checking for an unbreak record for the secure processor.

5. The wireless apparatus of claim 1, wherein the activation ticket comprises a digital ...

Publication date: 14-04-2015

Apparatus and methods for storing electronic access clients

Number: US0009009475B2
Assignee: Apple Inc.

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 24-09-2020

PAYMENT MILESTONES FOR IMPROVED FINANCIAL HEALTH

Number: US20200302425A1
Assignee:

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that takes into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health—at least as it pertains to a credit account for which the statement was issued.

1. A computer-readable medium comprising computer-executable instructions stored thereon, when executed the computer-executable instructions are effective to cause a computing system to: analyze a collection of transactions and a carried balance for a statement period; determine a plurality of payment milestones, wherein one of the plurality of milestones is a last payment milestone that is determined by combining all of the payments made during a previous statement period, analyzing categories associated with the collection of transactions for the statement period, identifying a smallest category from the categories associated with the collection of transactions, wherein a total of all transactions associated with the smallest category is less than a total of all transactions associated with any other of the analyzed categories, and whereby the last payment plus smallest category milestone is determined by combining the last payment milestone with the total of all of the transactions associated with the smallest category; select a subset of the plurality of payment milestones; and prepare a statement for the statement period that includes the subset of the ...

Publication date: 03-05-2016

Apparatus and methods for storing electronic access clients

Number: US0009332012B2
Assignee: Apple Inc., APPLE INC, APPLE INC.

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 06-09-2016

Apparatus and methods for distributing and storing electronic access clients

Number: US0009438600B2
Assignee: Apple Inc., APPLE INC

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Publication date: 03-05-2012

MANAGEMENT SYSTEMS FOR MULTIPLE ACCESS CONTROL ENTITIES

Number: US20120108204A1
Assignee:

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a wallet of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 27-08-2019

Techniques for provisioning bootstrap electronic subscriber identity modules (eSIMS) to mobile devices

Number: US0010397771B2
Assignee: Apple Inc., APPLE INC

Representative embodiments described herein set forth techniques for provisioning bootstrap electronic Subscriber Identity Modules (eSIMs) to mobile devices. According to some embodiments, a mobile device can be configured to issue, to an eSIM selection server, a bootstrap eSIM request that includes (i) metadata associated with the mobile device, and (ii) metadata associated with an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device. In turn, the eSIM selection server selects and binds a particular bootstrap eSIM to the mobile device, and provides information to the mobile device that enables the mobile device to obtain the particular bootstrap eSIM from one or more eSIM servers. When the mobile device obtains the particular bootstrap eSIM, the mobile device can interface with a mobile network operator (MNO) and obtain a complete eSIM that enables the mobile device to access services provided by the MNO.

Publication date: 18-06-2019

Access data provisioning apparatus and methods

Number: US0010327135B2
Assignee: APPLE INC, Apple Inc.

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

Publication date: 23-04-2019

Methods and apparatus for providing management capabilities for access control clients

Number: US0010271213B2

Methods and apparatus for managing access control clients (e.g., electronic Subscriber Identity Modules (eSIMs)). In one embodiment, secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs)) and management entities of secure elements are associated with credentials. Post-deployment managerial operations can be executed, by transmitting the requested operation with the appropriate credentials. For example, a device can receive secure software updates to electronic Subscriber Identity Modules (eSIMs), with properly credentialed network entities.

Publication date: 03-05-2012

METHODS AND APPARATUS FOR ACCESS CONTROL CLIENT ASSISTED ROAMING

Number: US20120108206A1
Assignee:

Methods and apparatus that allow a device to migrate wireless service across multiple wireless networks. In one exemplary embodiment, the present invention enables storing and switching between multiple Electronic Subscriber Identity Modules (eSIM), where each eSIM is specific to a different carrier network. By loading the appropriate eSIM, the user device can authenticate itself with the selected carrier, rather than roaming. During roaming operation, the user equipment can load one or more of the previously stored eSIMs. Selection of the eSIM can be done manually by the user or can be driven by the user equipment based on desired context; for example, based on carrier signal strength, cost-effectiveness, etc. Support for multiple radio technologies also allows universal connectivity for wireless devices, even spanning previously incompatible technologies such as GSM (Global Standard for Mobile Communications), CDMA (Code Division Multiple Access), etc.

1. A wireless apparatus, comprising: one or more wireless interfaces, the one or more wireless interfaces adapted to connect to one or more wireless networks; a secure element, wherein the secure element is adapted to store a plurality of user access data elements, each user access data element being associated with a corresponding network; a processor; and a storage device in data communication with the processor, the storage device comprising computer-executable instructions that are configured to, when executed by the processor: select an available network; retrieve from the secure element a first user access data element associated with the selected network; load the retrieved user access data; and authenticate to the selected network with the loaded user access data.
2. The wireless apparatus of claim 1, wherein the plurality of user access data elements comprises an electronic Subscriber Identity Module (eSIM).
3. The wireless apparatus of claim 2, wherein the one or more wireless networks comprises a ...

Publication date: 21-05-2015

ELECTRONIC RECEIPTS FOR NFC-BASED FINANCIAL TRANSACTIONS

Number: US20150142644A1
Assignee: Apple Inc

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, a secure element in the electronic device receives, from a third party, a notification associated with a financial transaction. This third party may be independent of a counterparty in the financial transaction, such as: a provider of the electronic device or a payment network that processes payment for the financial transaction. In response to the notification, the secure element requests, from the third party, receipt information associated with the financial transaction, and then receives the receipt information from the third party. This receipt information may include a first-level information, such as payment status. Alternatively or additionally, the receipt information may include a second-level information, such as an itemized list of purchased items, links to information and/or discounts.

Publication date: 26-01-2016

Methods and apparatus for large scale distribution of electronic access clients

Number: US0009247424B2
Assignee: Apple Inc., APPLE INC, APPLE INC.

Methods and apparatus for large scale distribution of electronic access control clients. In one aspect, a tiered security software protocol is disclosed. In one exemplary embodiment, a server electronic Universal Integrated Circuit Card (eUICC) and client eUICC software comprise a so-called stack of software layers. Each software layer is responsible for a set of hierarchical functions which are negotiated with its corresponding peer software layer. The tiered security software protocol is configured for large scale distribution of electronic Subscriber Identity Modules (eSIMs).

Publication date: 07-12-2023

PAYMENT MILESTONES FOR IMPROVED FINANCIAL HEALTH

Number: US20230394464A1
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that takes into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health—at least as it pertains to a credit account for which the statement was issued.

Publication date: 20-07-2021

Apparatus and methods for secure element transactions and management of assets

Number: US0011068883B2
Assignee: Apple Inc., APPLE INC

Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

Publication date: 20-04-2021

Managing embedded universal integrated circuit card (eUICC) provisioning with multiple certificate issuers (CIs)

Number: US0010985926B2
Assignee: Apple Inc., APPLE INC

Embodiments provided herein identify a certificate issuer (CI) to be relied on as a trusted third party by an electronic subscriber identity module (eSIM) server in remote SIM provisioning (RSP) transactions with an embedded universal integrated circuit card (eUICC). In an RSP ecosystem, multiple CIs may exist. Parties rely on public key infrastructure (PKI) techniques for establishment of trust. Trust may be established based on a trusted third party such as a CI. Parties need to agree on the CI in order for some PKI techniques to be useful. Embodiments provided herein describe approaches for an eUICC and an eSIM server to arrive at an agreed-on CI. Candidate or negotiated CIs may be indicated on a public key identifier (PKID) list. A PKID list is distributed, in some embodiments, by means of a discovery server, via an activation code (AC) and/or during the establishment of a profile provisioning session.

Publication date: 11-11-2014

Electronic access client distribution apparatus and methods

Number: US0008887257B2

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.) The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy ...

Publication date: 11-04-2017

Apparatus and methods for secure element transactions and management of assets

Number: US0009619799B2
Assignee: Apple Inc., APPLE INC

Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

Publication date: 11-10-2012

APPARATUS AND METHODS FOR STORING ELECTRONIC ACCESS CLIENTS

Number: US20120260090A1
Assignee:

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

1. Apparatus for storing one or more access data elements, comprising: a secure element adapted to store a plurality of user access data elements, each user access data element encrypted for the secure element; a processor; and a storage device in data communication with the processor, the storage device comprising computer-executable instructions that are configured to, when executed by the processor: process a request for one or more access data elements from a peer device in order to verify the peer device; decrypt the one or more requested access data elements; re-encrypt the decrypted one or more access data elements for the peer device; and transfer the re-encrypted one or more data elements to the verified peer device, the transfer causing removal of the one or more access data elements from the secure element.
2. The apparatus of claim 1, wherein each of the plurality of user access data elements is associated with a corresponding different network.
3. The apparatus of claim 1, wherein each of the plurality of user access data elements is associated with a corresponding different user.
4. The apparatus of claim 1, wherein each of the plurality of user access data elements is associated with a corresponding different use case for a same user.
5. The apparatus of claim 1, wherein the user access data element comprises an electronic Subscriber Identity Module (eSIM).
6. The apparatus of claim ...

Publication date: 08-12-2020

Provisioning of credentials on an electronic device using passwords communicated over verified channels

Number: US0010861090B2
Assignee: Apple Inc., APPLE INC

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, detect a selection of a particular commerce credential, access communication mechanism data indicative of at least one communication mechanism of the device, where the at least one mechanism is configured to receive a communication on the device, transmit information to the financial subsystem, where the information includes the mechanism data and the selection of the particular commerce credential, and instruct the financial subsystem to provision the particular commerce credential in a disabled state on the device and communicate credential enablement data to the device using a particular communication mechanism of the at least one communication mechanism indicated by the communication ...

Publication date: 15-06-2021

Electronic receipts for NFC-based financial transactions

Number: US0011037131B2
Assignee: Apple Inc., APPLE INC

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, a secure element in the electronic device receives, from a third party, a notification associated with a financial transaction. This third party may be independent of a counterparty in the financial transaction, such as: a provider of the electronic device or a payment network that processes payment for the financial transaction. In response to the notification, the secure element requests, from the third party, receipt information associated with the financial transaction, and then receives the receipt information from the third party. This receipt information may include a first-level information, such as payment status. Alternatively or additionally, the receipt information may include a second-level information, such as an itemized list of purchased items, links to information and/or discounts.

Publication date: 22-04-2014

Apparatus and methods for distributing and storing electronic access clients

Number: US0008707022B2

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent bottle necking congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Publication date: 27-11-2018

Update of a trusted name list

Number: US0010141966B2
Assignee: Apple Inc., APPLE INC

Methods, devices, and servers for as-needed update of a trusted list are provided herein. An electronic subscriber identity module (eSIM) server receives a request for an eSIM of a particular type from a wireless device. The eSIM server evaluates the particular type and requests an eSIM of the particular type from a second eSIM server, which is not initially trusted by a secure element (SE) of the wireless device. The eSIM server sends a policy update to the wireless device. The wireless device passes the policy update to the SE, for example, a universal integrated circuit card (UICC). The UICC updates the trusted list with an identity of the second eSIM server. When the wireless device downloads a bound profile package (BPP) containing an eSIM from the second eSIM server, the UICC validates the BPP based on the updated trusted list. The eSIM is then installed on the UICC.

Publication date: 25-02-2020

Electronic subscriber identity module (eSIM) eligibility checking

Number: US0010574465B2
Assignee: Apple Inc., APPLE INC

Embodiments provided herein determine if an electronic subscriber identity module (eSIM) associated with a requested service can be installed in a secure element (SE) housed in a wireless device. Before requesting deployment of an eSIM suitable for the requested service from an eSIM delivery server, a carrier server asks that an original equipment manufacturer (OEM) server validate that an eSIM corresponding to a customer request should be deployed. The OEM server obtains information about the wireless device and information about the SE. When the carrier server requests validation, the OEM server evaluates the wireless device information and/or the SE information. If the OEM server indicates that deployment of the eSIM should proceed, the OEM server also indicates the eSIM type that is compatible with the wireless device and with the SE housed in the device.

Publication date: 10-10-2017

Apparatus and methods for controlling distribution of electronic access clients

Number: US0009788209B2
Assignee: Apple Inc., APPLE INC

Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.

Publication date: 27-10-2022

PAYMENT MILESTONES FOR IMPROVED FINANCIAL HEALTH

Number: US20220343318A1
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that takes into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health—at least as it pertains to a credit account for which the statement was issued.

Publication date: 19-07-2022

Generating transaction identifiers

Number: US0011392937B2
Assignee: Apple Inc.

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the ...

Publication date: 30-01-2020

MANAGEMENT OF CREDENTIALS ON AN ELECTRONIC DEVICE USING AN ONLINE RESOURCE

Number: US20200036695A1
Assignee: Apple Inc

Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

Publication date: 23-01-2018

Methods and apparatus for user authentication and human intent verification in mobile devices

Number: US0009877193B2
Assignee: Apple Inc., APPLE INC

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

Publication date: 22-06-2021

Generating transaction identifiers

Number: US0011042846B2
Assignee: Apple Inc., APPLE INC

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the ...

Publication date: 27-05-2014

Virtual access module distribution apparatus and methods

Number: US0008738729B2

Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

Publication date: 20-06-2017

Apparatus and methods for storing electronic access clients

Number: US0009686076B2
Assignee: Apple Inc., APPLE INC

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 17-05-2016

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US0009344832B2
Assignee: Apple Inc.

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 15-01-2019

Techniques for provisioning bootstrap electronic subscriber identity modules (eSIMs) to mobile devices

Number: US0010182338B2
Assignee: Apple Inc.

Representative embodiments described herein set forth techniques for provisioning bootstrap electronic Subscriber Identity Modules (eSIMs) to mobile devices. According to some embodiments, a mobile device can be configured to issue, to an eSIM selection server, a bootstrap eSIM request that includes (i) metadata associated with the mobile device, and (ii) metadata associated with an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device. In turn, the eSIM selection server selects and binds a particular bootstrap eSIM to the mobile device, and provides information to the mobile device that enables the mobile device to obtain the particular bootstrap eSIM from one or more eSIM servers. When the mobile device obtains the particular bootstrap eSIM, the mobile device can interface with a mobile network operator (MNO) and obtain a complete eSIM that enables the mobile device to access services provided by the MNO.

Publication date: 28-06-2022

Pre-personalization of eSIMs to support large-scale eSIM delivery

Number: US0011374926B2
Assignee: Apple Inc.

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Publication date: 23-09-2021

TECHNIQUE FOR PROVIDING OPTIMIZED DIGITAL INFORMATION

Number: US20210295280A1
Assignee: Apple Inc.

Techniques for providing optimized digital information including receiving a request for authorization to access a subset of order information that corresponds to a transaction. An account server can generate a first authorization token based at least in part on the request for authorization. The account server can transmit at least the first authorization token to the application of the user device. The account server can receive a verification request comprising a second authorization token. The account server can verify whether the first authorization token matches the second authorization token. In accordance with a determination that the first authorization token matches the second authorization token, the account server can transmit, to the service provider, a verification response that instructs the service provider to provide the subset of the order information that corresponds to the transaction to the application of the user device.

Publication date: 12-12-2017

Methods and apparatus for large scale distribution of electronic access clients

Number: US0009843585B2
Assignee: Apple Inc.

Methods and apparatus for large scale distribution of electronic access control clients. In one aspect, a tiered security software protocol is disclosed. In one exemplary embodiment, a server electronic Universal Integrated Circuit Card (eUICC) and client eUICC software comprise a so-called “stack” of software layers. Each software layer is responsible for a set of hierarchical functions which are negotiated with its corresponding peer software layer. The tiered security software protocol is configured for large scale distribution of electronic Subscriber Identity Modules (eSIMs).

Publication date: 08-10-2013

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US0008555067B2

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 23-02-2012

VIRTUAL ACCESS MODULE DISTRIBUTION APPARATUS AND METHODS

Number: US20120047227A1

Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

1. A method, comprising: at an online service implemented using computing equipment, receiving a request for a virtual subscriber identity module (VSIM) that includes an International Mobile Equipment Identity (IMEI); and in response to receiving the request, downloading the VSIM to an electronic device over a communications network from the online service.
2. A method for distributing access clients, comprising: requesting an access client, the requesting causing: determining an allowed carrier; provisioning an access client associated with the allowed carrier; and providing one or more identifiers associated with the provisioned access client; receiving the provided one or more identifiers; requesting service activation with a selected one of the provided one or more identifiers; and responsive to successful service activation, downloading the access client associated with the selected one identifier.
3. The method of claim 2, wherein the access client comprises a virtual subscriber identity module (VSIM).
4. The method of claim 3, wherein the selected one identifier comprises an International Mobile Equipment Identity (IMEI).
5. The method of claim 2, additionally comprising storing the received one or more identifiers.
6. The method of claim 2, additionally comprising releasing at least a portion of the received one or more identifiers.
7. The method of claim 6, wherein the released at least portion does ...

Publication date: 01-12-2020

Methods and apparatus for user authentication and human intent verification in mobile devices

Number: US0010856148B2
Assignee: Apple Inc.

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions ...

Publication date: 23-01-2018

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US0009877194B2
Assignee: Apple Inc.

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 26-02-2015

SECURE PROVISIONING OF CREDENTIALS ON AN ELECTRONIC DEVICE

Number: US20150058191A1
Assignee: Apple Inc.

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, receive user account information from the electronic device, authenticate a user account with a commercial entity using the received user account information, detect a commerce credential associated with the authenticated user account, run a commercial entity fraud check on the detected commerce credential, commission the financial institution subsystem to run a financial entity fraud check on the detected commerce credential based on the results of the commercial entity fraud check, and facilitate provisioning of the detected commerce credential on the electronic device based on the results of the financial entity fraud check. Additional embodiments are also provided.

1. A secure platform system in communication with an electronic device and a financial institution subsystem, the secure platform system comprising: a processor component; a memory component; and a communications component, the secure platform system configured to: receive user account information from the electronic device; authenticate a user account with a commercial entity using the received user account information; detect a commerce credential associated with the authenticated user account; run a commercial entity fraud check on the detected commerce credential; commission the financial institution subsystem to run a financial entity fraud check on the detected commerce credential based on the results of the commercial entity fraud check; and facilitate provisioning of the detected commerce credential on the electronic device based on the results of the financial entity fraud check.
2. The secure platform system of claim 1, further configured to: transmit to the electronic ...

Publication date: 27-11-2018

Electronic subscriber identity module (eSIM) assignment for carrier channel devices

Number: US0010142917B2
Assignee: Apple Inc.

A pool of devices is initially associated under a single product type identifier, for example, a single stock keeping unit (SKU) identifier. Each device is associated with a secure element (SE), for example, an embedded universal integrated circuit card (eUICC). A wireless telecommunications carrier purchases a subset of the devices from the owner of the pool of devices. A policy management server receives a shipment record and associates the subset of devices with a product identifier and with a carrier-specific activation policy. The policy management server sends an electronic subscriber identity module (eSIM) reservation request to a policy evaluation server, which contacts an eSIM delivery server associated with the purchasing carrier. The eSIM delivery server reserves eSIMs for the purchased devices. When an end user buys one of the devices from the subset, the purchased device is provisioned by the eSIM delivery server with the eSIM reserved for that device.

Publication date: 16-08-2016

Electronic access client distribution apparatus and methods

Number: US0009419970B2
Assignee: Apple Inc.

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.). The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy, thus ensuring maximal uptime for the overall network (or the portion thereof).

Publication date: 01-11-2022

Management of credentials on an electronic device using an online resource

Number: US0011488136B2
Assignee: Apple Inc.

Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

Publication date: 11-02-2021

SUBSTANTIALLY REAL TIME CASH BACK SETTLEMENT

Number: US20210042780A1

The present technology provides a technological infrastructure that overcomes common problems associated with cash back rewards cards. The present invention integrates a credit card account with a cash account through an electronic wallet application such that cash can be transferred directly into a user's cash account after each transaction in which cash back is earned. In some embodiments, the user's cash account and a cash account associated with a business associated with a credit card can be provided by the same financial institution. The above infrastructure further allows for more efficient payment of a credit card balance, wherein when cash is transferred from the user's cash account to the business' cash account in association with a credit card balance, an immediate release of open to buy funds is effected.

Publication date: 29-06-2021

Management systems for multiple access control entities

Number: US0011051159B2
Assignee: Apple Inc.

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 04-08-2015

Management systems for multiple access control entities

Number: US0009100810B2

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a wallet of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 19-01-2023

PAYMENT MILESTONES FOR IMPROVED FINANCIAL HEALTH

Number: US20230018011A1
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that take into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health, at least as it pertains to a credit account for which the statement was issued.

Publication date: 07-11-2023

Payment milestones for improved financial health

Number: US0011810100B2
Assignee: Apple Inc.

The disclosed technology provides enhanced financial statements such as credit statements that provide customized payment options to a customer that take into account the total amount owed by the customer, and past payments made by the customer. The customized payment options are determined with the goal of providing more payment options that encourage financial health, while not overwhelming the customer with too many options or irrelevant options. The customized payment options can be displayed in an interactive user interface for paying a credit statement that can visually inform a user of the benefit of the respective payment options with respect to the impact of the respective payment option on the customer's financial health, at least as it pertains to a credit account for which the statement was issued.

Publication date: 24-02-2015

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US0008966262B2
Assignee: APPLE INC.

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 05-02-2019

Management systems for multiple access control entities

Number: US0010200853B2
Assignee: Apple Inc.

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 16-05-2013

METHODS AND APPARATUS FOR PROVIDING MANAGEMENT CAPABILITIES FOR ACCESS CONTROL CLIENTS

Number: US20130122864A1

Methods and apparatus for managing access control clients (e.g., electronic Subscriber Identity Modules (eSIMs)). In one embodiment, secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs)) and management entities of secure elements are associated with credentials. Post-deployment managerial operations can be executed, by transmitting the requested operation with the appropriate credentials. For example, a device can receive secure software updates to electronic Subscriber Identity Modules (eSIMs), with properly credentialed network entities.

1. A wireless apparatus, comprising: one or more wireless links configured to communicate with at least one network; a secure element configured to store an access control client; an interface to the secure element, the interface having one or more credentials associated therewith; a processor; and a storage device in data communication with the processor, the storage device comprising computer-executable instructions, the computer-executable instructions configured to, when executed by the processor: receive an access attempt to at least one of: (i) the access control client, and (ii) the secure element, the access attempt further comprising a submitted credential; attempt to verify the submitted credential with the one or more associated credentials; and enable the access attempt when the submitted credential is successfully verified.
2. The device of claim 1, wherein the computer-executable instructions further comprise instructions configured to, when executed: determine a level of access allowed based at least in part on the submitted credential; and grant only the access allowed based at least in part on the determined level of access.
3. The device of claim 1, wherein the access attempt is accompanied by a software package configured to perform an operation.
4. The device of claim 3, wherein the operation has a respective level of access and is only performed if the level of access is ...

Publication date: 10-04-2014

Methods and apparatus for delivering electronic identification components over a wireless network

Number: US20140099925A1
Assignee: Apple Inc

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Publication date: 05-01-2017

APPARATUS AND METHODS FOR CONTROLLING DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

Number: US20170006473A1

Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base. 1. A mobile device configured to selectively enable and disable different components included in the mobile device , the mobile device comprising:a wireless interface; and an interface to different components included in the mobile device;', 'a secure processor;', 'a first secure storage configured to store at least one access control client that enables the mobile device to access services provided by a cellular network associated with the at least one access control client; and', [ 'corresponds to a component of the different components, includes a shared secret associated with the component, and indicates whether to enable or disable the component; and', 'verifying activation information that specifies at least one limitation for operating the mobile device to be enforced by the secure element, wherein the activation information includes at least one record, and each record, downloading a user access control client,', 'storing the user access control client in the first secure storage, and, 'upon verifying the activation information, 'causing an enablement or a disablement of the component in accordance with the record and in response to a verification of the shared secret by the component.', 'for each record included in the activation information], 'a second secure storage 
...

Publication date: 11-01-2018

ACCESS DATA PROVISIONING APPARATUS AND METHODS

Number: US20180014184A1

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

1. A method for provisioning electronic Subscriber Identity Modules (eSIMs) to wireless devices, the method comprising, at an eSIM provisioning server: assigning a unique identifier to: (1) a wireless device, and (2) an eSIM included in a plurality of eSIMs that are not assigned to wireless devices; receiving a request to activate the wireless device, wherein the request includes the unique identifier; and causing the wireless device to utilize the eSIM.
2. The method of claim 1, wherein the request further includes information about a user associated with the wireless device, and the method further comprises, prior to causing the wireless device to utilize the eSIM: updating the eSIM to reflect at least a portion of the information.
3. The method of claim 1, wherein causing the wireless device to utilize the eSIM comprises: providing the eSIM to the wireless device for installation; and causing the wireless device to activate the eSIM.
4. The method of claim 1, further ...

Publication date: 25-01-2018

ELECTRONIC SUBSCRIBER IDENTITY MODULE (eSIM) ASSIGNMENT FOR CARRIER CHANNEL DEVICES

Number: US20180027480A1

A pool of devices is initially associated under a single product type identifier, for example, a single stock keeping unit (SKU) identifier. Each device is associated with a secure element (SE), for example, an embedded universal integrated circuit card (eUICC). A wireless telecommunications carrier purchases a subset of the devices from the owner of the pool of devices. A policy management server receives a shipment record and associates the subset of devices with a product identifier and with a carrier-specific activation policy. The policy management server sends an electronic subscriber identity module (eSIM) reservation request to a policy evaluation server, which contacts an eSIM delivery server associated with the purchasing carrier. The eSIM delivery server reserves eSIMs for the purchased devices. When an end user buys one of the devices from the subset, the purchased device is provisioned by the eSIM delivery server with the eSIM reserved for that device. 1. A policy evaluation server comprising:a memory; and determining a first eSIM delivery server based on a first product identifier of a first device, wherein: i) the first device is identified by a first device identification number, and ii) the first device is associated with a first secure element (SE),', 'sending a first request message, wherein the first request message: i) requests reservation of a first eSIM, ii) includes the first device identification number, and iii) includes a first SE identifier of the first SE,', 'determining a second eSIM delivery server based on a second product identifier of a second device, wherein: i) the second device is identified by a second device identification number, and ii) the second device is associated with a second SE, and', 'sending a second request message, wherein the second request message: i) requests reservation of a second eSIM, ii) includes the second device identification number, and iii) includes a second SE identifier of the second SE., 'one or ...

Publication date: 29-01-2015

ELECTRONIC ACCESS CLIENT DISTRIBUTION APPARATUS AND METHODS

Number: US20150031413A1

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.). The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy, thus ensuring maximal uptime for the overall network (or the portion thereof).

1. A method to distribute electronic Subscriber Identity Modules (eSIMs), the method comprising: receiving a request to allocate a batch of eSIMs for a plurality of destination devices, wherein the request comprises identifying information associated with each destination device of the plurality of destination devices; in response to the request, identifying an available eSIM to allocate to each destination device of the plurality of destination devices; allocating the available eSIM to each destination device of the plurality of destination devices, wherein allocating the available eSIM comprises pairing the available eSIM to a corresponding destination device based on the identifying information associated with the corresponding destination device; encrypting the available eSIM for the corresponding destination device; and distributing the encrypted eSIM to the corresponding ...

Publication date: 30-01-2020

METHODS AND APPARATUS FOR ACCESS CONTROL CLIENT ASSISTED ROAMING

Number: US20200037161A1
Assignee:

Methods and apparatus that allow a device to migrate wireless service across multiple wireless networks. In one exemplary embodiment, the present invention enables storing and switching between multiple Electronic Subscriber Identity Modules (eSIM), where each eSIM is specific to a different carrier network. By loading the appropriate eSIM, the user device can authenticate itself with the selected carrier, rather than roaming. During roaming operation, the user equipment can load one or more of the previously stored eSIMs. Selection of the eSIM can be done manually by the user or can be driven by the user equipment based on desired context; for example, based on carrier signal strength, cost-effectiveness, etc. Support for multiple radio technologies also allows universal connectivity for wireless devices, even spanning previously incompatible technologies such as GSM (Global Standard for Mobile Communications), CDMA (Code Division Multiple Access), etc.

1. A method for enabling a wireless apparatus to preemptively transition between utilizing different eSIMs, the method comprising, at the wireless apparatus: managing a plurality of electronic Subscriber Identity Modules (eSIMs) that includes at least (i) a first eSIM that is associated with a first wireless network, and (ii) a second eSIM that is associated with a second wireless network; automatically detecting, based on historical connectivity information accessible to the wireless apparatus, a condition in which the wireless apparatus should preemptively transition from being connected to the first wireless network over a first connection to being connected to the second wireless network over a second connection; and accessing the second eSIM included in the plurality of eSIMs, attempting to establish the second connection to the second wireless network using the second eSIM, and when the second connection to the second wireless network is established: terminating the first connection to the first ...

Publication date: 11-02-2016

MANAGEMENT SYSTEMS FOR MULTIPLE ACCESS CONTROL ENTITIES

Number: US20160044495A1
Assignee:

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

1. A method for transferring electronic Subscriber Identity Modules (eSIMs) between mobile devices, the method comprising, at a server device configured to manage a plurality of eSIMs: identifying a condition to provide an eSIM included in the plurality of eSIMs to a first mobile device; referencing a usage status associated with the eSIM to identify whether the eSIM is being utilized by a second mobile device; determining, in accordance with the usage status, that the eSIM is being utilized by the second mobile device; prompting the second mobile device to return the eSIM to the server device; when the second mobile device returns the eSIM to the server device: providing the eSIM to the first mobile device, and updating the usage status to reflect providing the eSIM to the first mobile device; and when the second mobile device does not return the eSIM to the server device: denying the request.
2. The method of claim 1, wherein the condition comprises: receiving, from the first mobile device, a request to download the eSIM.
3. The method of claim 1, wherein the usage status associated with the eSIM is stored in a database that is ...

Publication date: 01-03-2018

Techniques for provisioning bootstrap electronic subscriber identity modules (esims) to mobile devices

Number: US20180063697A1
Assignee: Apple Inc

Representative embodiments described herein set forth techniques for provisioning bootstrap electronic Subscriber Identity Modules (eSIMs) to mobile devices. According to some embodiments, a mobile device can be configured to issue, to an eSIM selection server, a bootstrap eSIM request that includes (i) metadata associated with the mobile device, and (ii) metadata associated with an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device. In turn, the eSIM selection server selects and binds a particular bootstrap eSIM to the mobile device, and provides information to the mobile device that enables the mobile device to obtain the particular bootstrap eSIM from one or more eSIM servers. When the mobile device obtains the particular bootstrap eSIM, the mobile device can interface with a mobile network operator (MNO) and obtain a complete eSIM that enables the mobile device to access services provided by the MNO.

Publication date: 08-03-2018

UPDATE OF A TRUSTED NAME LIST

Number: US20180069581A1
Assignee:

Methods, devices, and servers for as-needed update of a trusted list are provided herein. An electronic subscriber identity module (eSIM) server receives a request for an eSIM of a particular type from a wireless device. The eSIM server evaluates the particular type and requests an eSIM of the particular type from a second eSIM server, which is not initially trusted by a secure element (SE) of the wireless device. The eSIM server sends a policy update to the wireless device. The wireless device passes the policy update to the SE, for example, a universal integrated circuit card (UICC). The UICC updates the trusted list with an identity of the second eSIM server. When the wireless device downloads a bound profile package (BPP) containing an eSIM from the second eSIM server, the UICC validates the BPP based on the updated trusted list. The eSIM is then installed on the UICC.

1. A method comprising, by a first electronic subscriber identity module (eSIM) server: receiving, from a carrier server, a first request for an eSIM of a first type; when the first eSIM server hosts eSIMs of the first type: initiating an eSIM installation process with a device; and when the first eSIM server does not host eSIMs of the first type: sending, to a second eSIM server, a second request to reserve the eSIM on behalf of the device, receiving, from the second eSIM server, a first identifier of the eSIM, and sending, to the carrier server, the first identifier.
2. The method of claim 1, wherein the first eSIM server is a certificate authority (CA).
3. The method of claim 1, further comprising, when the first eSIM server does not host eSIMs of the first type: receiving, from the carrier server, a bind command message, wherein the bind command confirms a pairing of the eSIM with a universal integrated circuit card (UICC), and wherein the UICC is present in the device; and forwarding, to the second eSIM server, the bind command message.
4. The method of claim 3, wherein the ...

Publication date: 07-03-2019

MANAGING EMBEDDED UNIVERSAL INTEGRATED CIRCUIT CARD (eUICC) PROVISIONING WITH MULTIPLE CERTIFICATE ISSUERS (CIs)

Number: US20190074983A1
Assignee:

Embodiments provided herein identify a certificate issuer (CI) to be relied on as a trusted third party by an electronic subscriber identity module (eSIM) server in remote SIM provisioning (RSP) transactions with an embedded universal integrated circuit card (eUICC). In an RSP ecosystem, multiple CIs may exist. Parties rely on public key infrastructure (PKI) techniques for establishment of trust. Trust may be established based on a trusted third party such as a CI. Parties need to agree on the CI in order for some PKI techniques to be useful. Embodiments provided herein describe approaches for an eUICC and an eSIM server to arrive at an agreed-on CI. Candidate or negotiated CIs may be indicated on a public key identifier (PKID) list. A PKID list is distributed, in some embodiments, by means of a discovery server, via an activation code (AC) and/or during the establishment of a profile provisioning session.

1. A method comprising, by an electronic subscriber identity module (eSIM) server: receiving, from an embedded universal integrated circuit card (eUICC), a public key identifier (PKID) list and an eUICC challenge; selecting a certificate issuer (CI) to be used by the eSIM server as a trusted third party, wherein the selecting is based on the PKID list and produces a selected CI; signing the eUICC challenge using a private key during a profile installation flow to create a signature, wherein a public key corresponding to the private key is included in a certificate of the eSIM server signed by the selected CI; and sending, to the eUICC, the certificate signed by the selected CI, the signature, and an indication of a CI to be used by the eUICC for signing operations.
2. The method of claim 1, wherein the CI to be used by the eUICC for signing operations is the selected CI.
3. The method of claim 1, wherein the CI to be used by the eUICC for signing operation is different from the selected CI.
4. The method of claim 1, wherein: the certificate is a ...

Publication date: 07-08-2014

APPARATUS AND METHODS FOR SECURE ELEMENT TRANSACTIONS AND MANAGEMENT OF ASSETS

Number: US20140222688A1
Assignee: Apple Inc.

Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

1. A method for an asset broker, comprising one or more account servers, to distribute an asset to a client device that includes a secure element, the method comprising the asset broker at least: receiving from the client device (i) a request to provision the asset to an account and (ii) a device identifier that uniquely identifies the client device; authenticating the request to provision the asset to the account; receiving an asset identifier from an asset locker, wherein the asset identifier uniquely identifies the asset that is assigned to the client device; sending the asset identifier to the client device; receiving a request for the assigned asset from the client device; receiving the asset identifier from the client device; and sending the assigned asset to the client device.
2. The method as recited in claim 1, further comprising the asset broker, prior to receiving the asset identifier from the asset locker: receiving from the client device a digital signature associated with the device identifier; and sending the digital signature to an asset agent, wherein the sent digital signature is verified by the asset agent.
3. The method as recited in claim 2, further comprising the asset broker: receiving a challenge from the client device, wherein the challenge was generated by the secure element; and sending the challenge to the asset agent, wherein the sent challenge is verified by the asset agent, subsequent to ...

Publication date: 10-06-2021

CREDENTIAL PROVISIONING FOR AN ELECTRONIC DEVICE

Number: US20210174358A1
Assignee:

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, detect a selection of a particular commerce credential, access communication mechanism data indicative of at least one communication mechanism of the device, where the at least one mechanism is configured to receive a communication on the device, transmit information to the financial subsystem, where the information includes the mechanism data and the selection of the particular commerce credential, and instruct the financial subsystem to provision the particular commerce credential in a disabled state on the device and communicate credential enablement data to the device using a particular communication mechanism of the at least one communication mechanism indicated by the communication mechanism data.

1. A system comprising: a memory; and detect a selection of a particular commerce credential to be enabled on an electronic device, the particular commerce credential corresponding to a financial institution subsystem; access communication mechanism data indicative of at least one communication mechanism of the electronic device, wherein the at least one communication mechanism is configured to receive a communication on the electronic device; transmit information to the financial institution subsystem, wherein the information comprises the communication mechanism data and the selection of the particular commerce credential; instruct the financial institution subsystem to provision the particular commerce credential in a disabled state on the electronic device; and communicate credential enablement data to the electronic device using a particular communication mechanism of the at least one communication mechanism indicated by the communication ...

Publication date: 30-05-2019

TECHNIQUES FOR PROVISIONING BOOTSTRAP ELECTRONIC SUBSCRIBER IDENTITY MODULES (ESIMS) TO MOBILE DEVICES

Number: US20190166483A1
Assignee:

Representative embodiments described herein set forth techniques for provisioning bootstrap electronic Subscriber Identity Modules (eSIMs) to mobile devices. According to some embodiments, a mobile device can be configured to issue, to an eSIM selection server, a bootstrap eSIM request that includes (i) metadata associated with the mobile device, and (ii) metadata associated with an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device. In turn, the eSIM selection server selects and binds a particular bootstrap eSIM to the mobile device, and provides information to the mobile device that enables the mobile device to obtain the particular bootstrap eSIM from one or more eSIM servers. When the mobile device obtains the particular bootstrap eSIM, the mobile device can interface with a mobile network operator (MNO) and obtain a complete eSIM that enables the mobile device to access services provided by the MNO.

1. A mobile device configured to obtain and install a bootstrap electronic Subscriber Identity Module (eSIM), the mobile device comprising: an electronic Universal Integrated Circuit Card (eUICC); and generate a command to obtain the bootstrap eSIM, wherein the command includes first metadata that identifies one or more operational aspects associated with the mobile device; issue the command to the eUICC; receive, from the eUICC and in response to the command, a bootstrap eSIM request, wherein the bootstrap eSIM request is based on (i) the first metadata, and (ii) second metadata that identifies one or more operational aspects associated with the eUICC; provide the bootstrap eSIM request to a bootstrap eSIM selection server; receive, from the bootstrap eSIM selection server, a bootstrap eSIM package that includes information for obtaining the bootstrap eSIM; and obtain the bootstrap eSIM in accordance with the bootstrap eSIM package, wherein the bootstrap eSIM is formed in accordance with the first and second metadata. ...

Publication date: 04-06-2020

PRE-PERSONALIZATION OF eSIMs TO SUPPORT LARGE-SCALE eSIM DELIVERY

Number: US20200177450A1
Assignee: Apple Inc

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Publication date: 02-10-2014

APPARATUS AND METHODS FOR DISTRIBUTING AND STORING ELECTRONIC ACCESS CLIENTS

Number: US20140298018A1
Assignee: Apple Inc.

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Publication date: 04-08-2016

METHODS AND APPARATUS FOR LARGE SCALE DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

Number: US20160226877A1
Assignee:

Methods and apparatus for large scale distribution of electronic access control clients. In one aspect, a tiered security software protocol is disclosed. In one exemplary embodiment, a server electronic Universal Integrated Circuit Card (eUICC) and client eUICC software comprise a so-called “stack” of software layers. Each software layer is responsible for a set of hierarchical functions which are negotiated with its corresponding peer software layer. The tiered security software protocol is configured for large scale distribution of electronic Subscriber Identity Modules (eSIMs).

1. A method for replacing compromised digital certificates associated with electronic Universal Integrated Circuit Cards (eUICCs) included in mobile devices, the method comprising, at an eUICC management server: receiving an indication that a signing authority associated with a plurality of digital certificates has been compromised; and for each digital certificate of the plurality of digital certificates: identifying (i) an eUICC associated with the digital certificate, and (ii) a mobile device in which the eUICC is included, and causing the eUICC to replace the digital certificate with an updated digital certificate when the updated digital certificate is newer than the digital certificate.
2. The method of claim 1, wherein the updated digital certificate is newer than the digital certificate when a second epoch property included in the updated digital certificate exceeds a first epoch property included in the digital certificate.
3. The method of claim 1, further comprising: identifying a public key (PK_eUICC) that (i) corresponds to the eUICC, and (ii) is associated with the digital certificate; and obtaining the updated digital certificate, wherein the updated digital certificate is based on the PK_eUICC and an updated private key (SK_Updated_SA) that corresponds to the signing authority.
4. The method of claim 3, wherein, for each ...

Publication date: 04-08-2016

METHODS AND APPARATUS FOR DELIVERING ELECTRONIC IDENTIFICATION COMPONENTS OVER A WIRELESS NETWORK

Number: US20160227409A1
Assignee:

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

1. A method for enabling a mobile device to access wireless services, the method comprising, at the mobile device: accessing first identification data associated with a secure element included in the mobile device, wherein the secure element stores a pre-loaded at least one partial access control client having at least one missing component; authenticating with an access control client server using the first identification data; receiving, from the access control client server, a package that includes the at least one missing component; and combining the at least one missing component with the at least one partial access control client to establish a complete access control client.
2. The method of claim 1, wherein the steps further include: receiving second identification data from the access control client server; and verifying the second identification data prior to receiving the package.
3. The method of claim 2, wherein the first identification data and the second identification data are based on a cryptographic key protocol.
4. The method of claim 1, wherein the at least one partial access control client includes components that are common across other access control clients, and the at least one missing component includes credentials that are associated ...

Publication date: 30-08-2018

METHODS AND APPARATUS FOR DELIVERING ELECTRONIC IDENTIFICATION COMPONENTS OVER A WIRELESS NETWORK

Number: US20180249332A1
Assignee:

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

1. A method for enabling a mobile device to access wireless services, the method comprising, at the mobile device: accessing first identification data associated with a secure element included in the mobile device, wherein a core operating system (OS) is pre-loaded onto the secure element and is configured to execute at least one electronic Subscriber Identity Module (eSIM), and the core OS is missing at least one component; authenticating with a server using the first identification data to allow the mobile device to access a package that includes the missing at least one component; receiving the package from the server; and combining the missing at least one component with the core OS to enable the mobile device to execute the at least one eSIM.
2. The method of claim 1, further comprising: receiving second identification data from the server; and verifying the second identification data prior to receiving the package.
3. The method of claim 2, wherein the first identification data and the second identification data are based on a cryptographic key protocol.
4. The method of claim 1, wherein the eSIM includes credentials that are associated with a subscriber of a Mobile Network Operator (MNO).
5. An apparatus configurable to operate in a mobile device, the apparatus ...

Publication date: 30-08-2018

METHODS AND APPARATUS FOR USER AUTHENTICATION AND HUMAN INTENT VERIFICATION IN MOBILE DEVICES

Number: US20180249333A1
Assignee:

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICCs firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

1. An apparatus configurable for operation in a mobile device, the apparatus comprising: a processor; and detecting by a processor of the mobile device initiation of an administrative operation for an electronic Subscriber Identity Module (eSIM) of the mobile device; when the administrative operation for the eSIM requires human intent verification: verifying, via a secure processing environment of the mobile device, human intent to perform the administrative operation for the eSIM based on user input received by a secure input of the mobile device and transferred via a secure connection to the secure processing environment; and in response to successful determination of human intent to perform the administrative operation, performing, by an embedded Universal Integrated Circuit Card (eUICC) of the mobile device, the administrative operation for the eSIM; and when the administrative operation for the eSIM does not require human intent verification or user ...

Publication date: 08-08-2019

MANAGEMENT SYSTEMS FOR MULTIPLE ACCESS CONTROL ENTITIES

Number: US20190246265A1
Assignee:

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

1. A method for managing electronic Subscriber Identity Modules (eSIMs) for mobile devices, the method comprising, at a server device: receiving a request to provide an eSIM to a mobile device; and in response to validating the request: retrieving the eSIM, personalizing the eSIM to the mobile device based on one or more of a Mobile Network Operation (MNO), the mobile device, or a user associated with the mobile device, generating a new record for the eSIM in a database, wherein the new record associates the mobile device with the eSIM, and the new record indicates the eSIM is in-use by the mobile device, and providing the eSIM to the mobile device.
2. The method of claim 1, wherein the request is received from: the mobile device; a computing device associated with the mobile device; or an account management entity associated with the mobile device.
3. The method of claim 1, further comprising, prior to providing the eSIM to the mobile device: encrypting the eSIM based on asymmetric cryptography, and/or generating a hash of the eSIM.
4. The method of claim 3, wherein encrypting the eSIM based on asymmetric cryptography comprises: encrypting ...

Publication date: 27-11-2014

VIRTUAL ACCESS MODULE DISTRIBUTION APPARATUS AND METHODS

Number: US20140349705A1
Assignee: Apple Inc.

Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

1. (canceled)
2. A method, comprising, at a mobile device: establishing communications with a network entity providing an intermediary service that is affiliated with a plurality of service providers; utilizing an interface of the intermediary service to initiate a request for service that comprises a current location of the mobile device; in response to initiating the request for service, receiving a list of reserved service identifiers associated with one or more of the plurality of service providers from the network entity via the interface of the intermediary service; and selecting a service identifier within the list of reserved service identifiers via the interface of the intermediary service, wherein the list of reserved service identifiers is determined by the intermediary service based at least in part on the current location of the mobile device.
3. The method of claim 2, further comprising: acquiring the selected service identifier from the network entity; and establishing telecommunication service for the mobile device with a corresponding service provider of the plurality of service providers using the selected service identifier.
4. The method of claim 3, wherein the selected service identifier is acquired from the network entity after the selected service identifier is acquired by the network entity from the corresponding service provider.
5. The method of claim 2, wherein the list of ...

Publication date: 22-09-2016

METHODS AND APPARATUS FOR USER AUTHENTICATION AND HUMAN INTENT VERIFICATION IN MOBILE DEVICES

Number: US20160277930A1
Assignee:

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICCs firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

1. A method for user authentication of administrative operations for an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device, the method comprising: detecting initiation of an administrative operation for an electronic Subscriber Identity Module (eSIM) of the mobile device; obtaining user credentials; sending a message based on the user credentials to a server to verify user authorization to perform the administrative operation for the eSIM; and in response to receipt of an indication of user authorization from the server, performing the administrative operation for the eSIM.
2. The method of claim 1, wherein the administrative operation comprises installation, importing, modification, deletion, or exporting of the eSIM.
3. The method of claim 1, wherein: the user credentials are associated with a user account for a user of the mobile device, and the user credentials are verified by a third party server ...

Publication date: 28-09-2017

APPARATUS AND METHODS FOR SECURE ELEMENT TRANSACTIONS AND MANAGEMENT OF ASSETS

Number: US20170278097A1
Assignee:

Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

1. (canceled)
2. A method comprising: at a client device including a secure element: transmitting, to a remote server, a provisioning request for provisioning a virtualized medium of exchange (VME) to the client device; receiving, from the remote server, an asset identifier associated with the VME; requesting delivery of the VME, from the remote server, via a delivery request comprising the asset identifier associated with the VME; receiving, from the remote server, the VME; and sending the VME to the secure element.
3. The method of claim 2, further comprising: executing a transaction with a merchant device to charge a user account associated with the VME.
4. The method of claim 2, wherein the VME comprises a virtual credit card.
5. The method of claim 2, wherein the provisioning request comprises identifying information verifying that the secure element is associated with an account corresponding to the VME.
6. The method of claim 2, wherein the VME is encrypted using a key unique to the secure element.
7. The method of claim 2, further comprising: prior to the receiving the VME: obtaining, from the secure element, a device identifier corresponding to the client device; and transmitting, to the remote server, the device identifier.
8. The method of claim 7, further comprising: obtaining, from the secure element, a challenge value, wherein the challenge value comprises a one-time-use value preloaded on the ...

Publication date: 29-10-2015

METHODS AND APPARATUS FOR DELIVERING ELECTRONIC IDENTIFICATION COMPONENTS OVER A WIRELESS NETWORK

Number: US20150312698A1
Assignee:

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

1. (canceled)
2. A mobile device, comprising: a processor configured to cause the mobile device to carry out steps that include: accessing first identification data associated with a secure element included in the mobile device; transmitting, to an update portal, the first identification data to establish a set of access rights that enables the mobile device to access an operating system update for an operating system installed within the mobile device; receiving, from the update portal, second identification data associated with a wireless carrier; and in response to authenticating the second identification data: downloading, into the secure element of the mobile device, an operating system update, and updating the operating system in accordance with the operating system update.
3. The mobile device of claim 2, wherein downloading the operating system update comprises: downloading one or more packages of which the operating system update is comprised, and assembling the operating system update using the one or more packages.
4. The mobile device of claim 2, wherein the operating system update is selected by a user of the mobile device.
5. The mobile device of claim 2, wherein the first identification data and the second identification data are based on a cryptographic ...

Publication date: 12-11-2015

APPARATUS AND METHODS FOR STORING ELECTRONIC ACCESS CLIENTS

Number: US20150326568A1
Assignee:

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

1. An apparatus configured to provide access data elements to mobile devices, the apparatus comprising: a first secure element adapted to store a plurality of access data elements; and a processor, wherein the processor is configured to cause the apparatus to: receive, from a mobile device, a request for at least one access data element of the plurality of access data elements, wherein the request includes a public key that is unique to a second secure element included in the mobile device; obtain, from the first secure element, the at least one access data element; encrypt the at least one access data element using the public key to produce an encrypted at least one access data element; and transfer the encrypted at least one access data element to the mobile device.
2. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is associated with a mobile network operator (MNO).
3. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is associated with a user.
4. The apparatus of claim 1, wherein the request further includes a unique identifier that is generated by the mobile device in conjunction with the request, and the processor is further configured to cause the apparatus to: combine the at least one access data element with the unique identifier prior to encrypting the at least one access data ...

Publication date: 24-11-2016

PRE-PERSONALIZATION OF eSIMs TO SUPPORT LARGE-SCALE eSIM DELIVERY

Number: US20160345162A1
Assignee: Apple Inc

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Publication date: 23-11-2017

ELECTRONIC SUBSCRIBER IDENTITY MODULE (eSIM) ELIGIBILITY CHECKING

Number: US20170338962A1
Assignee:

Embodiments provided herein determine if an electronic subscriber identity module (eSIM) associated with a requested service can be installed in a secure element (SE) housed in a wireless device. Before requesting deployment of an eSIM suitable for the requested service from an eSIM delivery server, a carrier server asks that an original equipment manufacturer (OEM) server validate that an eSIM corresponding to a customer request should be deployed. The OEM server obtains information about the wireless device and information about the SE. When the carrier server requests validation, the OEM server evaluates the wireless device information and/or the SE information. If the OEM server indicates that deployment of the eSIM should proceed, the OEM server also indicates the eSIM type that is compatible with the wireless device and with the SE housed in the device.

1. A wireless device comprising: a wireless transceiver; a memory; and one or more processors, wherein the memory includes instructions that when executed by a processor of the one or more processors, cause the wireless device to perform operations comprising: forming a first payload, wherein the first payload comprises device information, sending the first payload to a secure element (SE) included in the device, receiving a signed message from the SE, wherein the signed message includes SE information, forwarding the signed message, via the wireless transceiver, to an original equipment manufacturer (OEM) server, receiving, via the wireless transceiver, a transaction identifier from the OEM server, sending, via the wireless transceiver, a second message to a carrier server, wherein the second message comprises the transaction identifier, and receiving, via the wireless transceiver, an electronic subscriber identity module (eSIM), wherein an eSIM type of the eSIM is based on the device information and/or the SE information.
2. The wireless device of claim 1, further comprising a user interface ...

Publication date: 24-10-2019

ACCESS DATA PROVISIONING APPARATUS AND METHODS

Number: US20190327609A1
Assignee:

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

1. A method for provisioning electronic Subscriber Identity Modules (eSIMs) to wireless devices, the method comprising, at an eSIM provisioning server: receiving, from a wireless device, a request to activate the wireless device, wherein the request includes a unique identifier associated with the wireless device; identifying, among a plurality of eSIMs, an eSIM that corresponds to the unique identifier; and providing, to the wireless device, an authorization that causes the wireless device to utilize the eSIM.
2. The method of claim 1, wherein the request further includes information about a user associated with the wireless device, and the method further comprises, prior to causing the wireless device to utilize the eSIM: updating the eSIM to reflect at least a portion of the information.
3. The method of claim 1, wherein causing the wireless device to utilize the eSIM comprises: providing the eSIM to the wireless device for installation; and causing the wireless device to ...

Publication date: 05-12-2019

MULTI-SCHEME TRANSACTION CREDENTIALS

Number: US20190373457A1
Assignee:

A device implementing multi-scheme transaction credentials for a mobile transaction system includes a processor configured to transmit, to a mobile transaction system server, a request to provision a transaction credential on a device secure element. The processor is further configured to receive, from the mobile transaction system server, a provisioning script that, when executed by the device secure element, provisions, on the device secure element, a first applet corresponding to a first transaction network for the transaction credential and a second applet corresponding to a second transaction network for the transaction credential, the first and second applets being provisioned as an applet group having a shared life cycle. The processor is configured to, upon execution of the provisioning script, provide, for display, a single representation of the transaction credential corresponding to both the first and second applets.

1. A device comprising: a memory; and at least one processor configured to: transmit, to a mobile transaction system server, a request to provision a transaction credential on a device secure element; receive, from the mobile transaction system server, a provisioning script that, when executed by the device secure element, provisions, on the device secure element, a first applet corresponding to a first transaction network for the transaction credential and a second applet corresponding to a second transaction network for the transaction credential, the first and second applets being provisioned as an applet group having a shared life cycle; and after execution of the provisioning script by the device secure element, provide, for display, a single representation of the transaction credential corresponding to both the first and second applets.
2. The device of claim 1, wherein the first or second applet is provisioned with an attribute indicating that the corresponding first or second transaction network is a primary transaction network ...

Publication date: 19-12-2019

METHODS AND APPARATUS FOR USER AUTHENTICATION AND HUMAN INTENT VERIFICATION IN MOBILE DEVICES

Number: US20190387402A1
Assignee:

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

1. A method for user authentication of administrative operations for an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device, the method comprising: detecting initiation of an administrative operation for the eUICC of the mobile device; determining whether the administrative operation for the eUICC requires user authentication; when the administrative operation for the eUICC requires user authentication: sending a secure token to a server to verify user authorization to perform the administrative operation for the eUICC, wherein the secure token is based on user credentials obtained via a secure input connected securely with a secure processing environment of the mobile device; and in response to receipt from the server of an indication of successful user authentication, performing the administrative operation for the eUICC; and when the administrative operation for the eUICC does not require user authentication, performing the ...

Publication date: 31-01-2018

Methods and apparatus for user authentication and human intent verification in mobile devices

Number: EP3275232A1
Assignee: Apple Inc

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

Publication date: 10-10-2012

Apparatus and methods for storing electronic access clients

Number: EP2509352A2
Assignee: Apple Inc

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 16-08-2012

Methods and apparatus for access control client assisted roaming

Number: TW201234830A
Assignee: Apple Inc

Publication date: 24-07-2014

Apparatus and methods for storing electronic access clients

Number: AU2014203692A1
Assignee: Apple Inc

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 11-12-2019

Multi-scheme transaction credentials

Number: EP3570236A3
Assignee: Apple Inc

A device implementing multi-scheme transaction credentials for a mobile transaction system includes a processor configured to transmit, to a mobile transaction system server, a request to provision a transaction credential on a device secure element. The processor is further configured to receive, from the mobile transaction system server, a provisioning script that, when executed by the device secure element, provisions, on the device secure element, a first applet corresponding to a first transaction network for the transaction credential and a second applet corresponding to a second transaction network for the transaction credential, the first and second applets being provisioned as an applet group having a shared life cycle. The processor is configured to, upon execution of the provisioning script, provide, for display, a single representation of the transaction credential corresponding to both the first and second applets.

Publication date: 16-01-2014

Method to send payment data through various air interfaces without compromising user data

Number: WO2014011571A1
Assignee: Apple Inc.

A commercial transaction method is disclosed. The method first establishes a secure link over a first air interface by a purchasing device. This secure link is between the purchasing device and a point of sale device. The method further identifies a second air interface, which is different from the first air interface, and the second air interface is used to conduct a secure commercial transaction.

Publication date: 21-09-2017

Methods and apparatus for user authentication and human intent verification in mobile devices

Number: AU2016235515A1
Assignee: Apple Inc

Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

Publication date: 03-05-2012

Access data provisioning apparatus and methods

Number: WO2012058446A1
Assignee: Apple Inc.

Methods and apparatus for activating a purchased or previously deployed device by a subscriber. In one embodiment, activation includes authenticating the device to a service provider or carrier, and providing the device with data necessary for enabling the service to the device. In one variant, a user device is activated at a retail store, with the assistance of a carrier representative. In another variant, user equipment is activated via a communications network without the assistance of a representative. In yet another variant, the user equipment is activated via the Internet without the assistance of a representative. The provision of access data includes pre-assigning eSIM from a population of unassigned eSIMs to certain devices for various carrier networks. Alternatively, the eSIM may be assigned on an as-needed basis. Unassigned and/or unused eSIMs can be released (or sold back to the vendor) and/or reused. Solutions for eSIM backup and restoration are also described.

Publication date: 01-05-2014

Apparatus and methods for distributing and storing electronic access clients

Number: WO2012138780A3
Assignee: Apple Inc.

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottle necking" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Publication date: 24-10-2012

Apparatus and methods for storing electronic access clients.

Number: MX2012003952A
Assignee: Apple Inc

Apparatus and methods for storing and controlling access control clients are described. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances and mobile devices. Various scenarios for transfer of eSIMs are also described.

Publication date: 09-01-2013

Apparatus and methods for storing electronic access clients

Number: EP2509352A3
Assignee: Apple Inc

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Publication date: 15-10-2014

Apparatus and methods for storing electronic access clients

Number: EP2509352B1
Assignee: Apple Inc

Publication date: 05-04-2017

Management of credentials on an electronic device using an online resource

Number: EP3149681A1
Assignee: Apple Inc

Systems, methods, and computer-readable media for using an online resource to manage credentials on an electronic device are provided. In one example embodiment, a method, at an electronic device, includes, inter alia, receiving account data via an online resource, accessing commerce credential status data from a secure element of the electronic device, providing initial credential management option data via the online resource based on the received account data and based on the accessed commerce credential status data, in response to the providing, receiving a selection of an initial credential management option via the online resource, and changing the status of a credential on the secure element based on the received selection. Additional embodiments are also provided.

Publication date: 21-03-2024

Techniques for providing bootstrap electronic subscriber identity modules (eSIMs) to mobile devices

Number: DE102017214757B4
Assignee: Apple Inc

A mobile device configured to obtain and install a bootstrap electronic subscriber identity module (eSIM), the mobile device comprising: at least one processor that causes the mobile device to: generate a command to obtain the bootstrap eSIM, wherein the command includes first metadata associated with the mobile device; issue the command to an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device; receive a bootstrap eSIM request from the eUICC and in response to the command, wherein the bootstrap eSIM request is based on (i) the first metadata associated with the mobile device, and (ii) second metadata associated with the eUICC; provide the bootstrap eSIM request to a bootstrap eSIM selection server; receive, from the bootstrap eSIM selection server, a bootstrap eSIM package that includes information for obtaining the particular bootstrap eSIM; and obtain the bootstrap eSIM in accordance with the bootstrap eSIM package.

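Publication date: 16-08-2015

Disabling mobile payments for lost electronic devices

Number: TW201531973A
Assignee: Apple Inc

If a user loses an electronic device that has the capability to conduct financial transactions, the user may use a lost-device software application to report that the electronic device is lost to a management electronic device associated with a provider of the electronic device. In response to receiving this information, a disabling command is sent to a payment network associated with the user's financial account to temporarily disable use of the electronic device to conduct the financial transactions. In particular, the electronic device may include a secure element that stores a payment applet for a financial account, and the disabling command may disable a mapping from a virtual identifier for the financial account to a financial primary account number. Subsequently, if the user finds the electronic device, the user may re-enable the capability (and thus the mapping) by providing authentication information to the electronic device.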

Publication date: 21-02-2018

PRE-PERSONALIZATION OF eSIMs TO SUPPORT LARGE-SCALE eSIM DELIVERY

Number: EP3284275A1
Assignee: Apple Inc

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated, which can require significant processing overhead, eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Publication date: 04-09-2013

Management systems for multiple access control entities

Number: EP2633711A1
Assignee: Apple Inc

Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a "wallet" of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.

Publication date: 09-07-2015

Disabling mobile payments for lost electronic devices

Number: WO2015102943A1
Assignee: Apple Inc.

If a user loses an electronic device that has the capability to conduct financial transactions, the user may report that the electronic device is lost using a lost-device software application to a management electronic device associated with a provider of the electronic device. In response to receiving this information, a disabling command is sent to a payment network associated with the financial account of the user to temporarily disable use of the electronic device to conduct the financial transactions. In particular, the electronic device may include a secure element that stores a payment applet for a financial account, and the disabling command may disable a mapping from a virtual identifier for the financial account to a financial primary account number. Subsequently, if the user finds the electronic device, the user may re-enable the capability (and, thus, the mapping) by providing authentication information to the electronic device.

Publication date: 24-11-2016

PRE-PERSONALIZATION OF eSIMs TO SUPPORT LARGE-SCALE eSIM DELIVERY

Number: WO2016186901A1
Assignee: Apple Inc.

Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated, which can require significant processing overhead, eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

16-09-2015 publication date

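Generating transaction identifiers

Number: TW201535284A
Assignee: Apple Inc

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the determined unique transaction identifier to the computed unique transaction identifier.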

27-06-2024 publication date

Provisioning of credentials on an electronic device using passwords communicated over verified channels

Number: DE112014005379B4
Assignee: Apple Inc

Secure platform system in communication (15) with an electronic device (100) and a financial institution subsystem (350), the secure platform system comprising: a processor component (102); a memory component (104, 470); and a communications component (106), wherein the secure platform system is configured to: detect a selection of a particular commerce credential; access communication mechanism data (556, 559) indicative of at least one communication mechanism (556) of the electronic device (100), wherein the at least one communication mechanism (556) is configured to receive a communication (15) on the electronic device (100); transmit information to the financial institution subsystem (350), wherein the information comprises the communication mechanism data (556, 559) and the selection of the particular commerce credential; and instruct the financial institution subsystem (350) to: provision the particular commerce credential in a disabled state on the electronic device (100); and communicate credential enablement data to the electronic device using a particular communication mechanism of the at least one communication mechanism (556) indicated by the communication mechanism data (556, 559).

09-11-2016 publication date

Disabling mobile payments for lost electronic devices

Number: EP3090394A1
Assignee: Apple Inc

If a user loses an electronic device that has the capability to conduct financial transactions, the user may report that the electronic device is lost using a lost-device software application to a management electronic device associated with a provider of the electronic device. In response to receiving this information, a disabling command is sent to a payment network associated with the financial account of the user to temporarily disable use of the electronic device to conduct the financial transactions. In particular, the electronic device may include a secure element that stores a payment applet for a financial account, and the disabling command may disable a mapping from a virtual identifier for the financial account to a financial primary account number. Subsequently, if the user finds the electronic device, the user may re-enable the capability (and, thus, the mapping) by providing authentication information to the electronic device.

04-06-2015 publication date

Provisioning of credentials on an electronic device using passwords communicated over verified channels

Number: WO2015080844A1
Assignee: Apple Inc.

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, detect a selection of a particular commerce credential, access communication mechanism data indicative of at least one communication mechanism of the device, where the at least one mechanism is configured to receive a communication on the device, transmit information to the financial subsystem, where the information includes the mechanism data and the selection of the particular commerce credential, and instruct the financial subsystem to provision the particular commerce credential in a disabled state on the device and communicate credential enablement data to the device using a particular communication mechanism of the at least one communication mechanism indicated by the communication mechanism data.

12-03-2015 publication date

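Apparatus and methods for distributing and storing electronic access clients

Number: JP2015046166A
Assignee: Apple Inc

[Problem] To provide apparatus and methods for efficiently distributing and storing access control clients within a network. [Solution] In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs). An eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottleneck" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensures that network load is distributed. Persistent storage for archiving and backup, among other activities, is also described. [Selected drawing] Figure 3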

11-08-2015 publication date

Methods and apparatus for distributing and storing electronic access clients

Number: BR102012007800A2
Assignee: Apple Inc

Methods and apparatus for distributing and storing electronic access clients. The present invention relates to apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottleneck" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described for, among other activities, archiving and recovery.

16-12-2012 publication date

Apparatus and methods for distributing and storing electronic access clients

Number: TW201251483A
Assignee: Apple Inc

01-09-2014 publication date

Apparatus and methods for distributing and storing electronic access clients

Number: TWI451773B
Assignee: Apple Inc

24-10-2012 publication date

Apparatus and methods for distributing and storing electronic access clients.

Number: MX2012003953A
Assignee: Apple Inc

Apparatus and methods for efficiently distributing and storing access control clients within a network are described. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottleneck" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described for, among other activities, archiving and backup.

11-10-2012 publication date

Apparatus and methods for distributing and storing electronic access clients

Number: WO2012138780A2
Assignee: Apple Inc.

Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottle necking" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described for, among other activities, archiving and backup.

01-09-2012 publication date

Access data provisioning apparatus and methods

Number: TW201236433A
Assignee: Apple Inc

06-07-2016 publication date

Secure provisioning of credentials on an electronic device

Number: EP3039606A1
Assignee: Apple Inc

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, receive user account information from the electronic device, authenticate a user account with a commercial entity using the received user account information, detect a commerce credential associated with the authenticated user account, run a commercial entity fraud check on the detected commerce credential, commission the financial institution subsystem to run a financial entity fraud check on the detected commerce credential based on the results of the commercial entity fraud check, and facilitate provisioning of the detected commerce credential on the electronic device based on the results of the financial entity fraud check. Additional embodiments are also provided.

01-05-2015 publication date

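Secure provisioning of credentials on an electronic device

Number: TW201516747A
Assignee: Apple Inc

Systems, methods, and computer-readable media for provisioning credentials on an electronic device are provided. In one example embodiment, a secure platform system may be in communication with an electronic device and a financial institution subsystem. The secure platform system may be configured to, inter alia, receive user account information from the electronic device, authenticate a user account with a commercial entity using the received user account information, detect a commerce credential associated with the authenticated user account, run a commercial entity fraud check on the detected commerce credential, commission the financial institution subsystem to run a financial entity fraud check on the detected commerce credential based on the results of the commercial entity fraud check, and facilitate provisioning of the detected commerce credential on the electronic device based on the results of the financial entity fraud check. Additional embodiments are also provided.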

16-11-2014 publication date

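Apparatus and methods for secure element transactions and management of assets

Number: TW201443800A
Assignee: Apple Inc

Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that an asset is always securely encrypted, that one and only one copy of the asset exists, and that the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on the so-called "launch day" of a device).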

03-08-2017 publication date

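Apparatus and methods for secure element transactions and management of assets

Number: JP2017134848A
Assignee: Apple Inc

[Problem] To provide methods and apparatus for the deployment of financial instruments and other assets. [Solution] A security software protocol guarantees that an asset is always securely encrypted, that only one copy of the asset exists, and that the asset is delivered to an authenticated and/or authorized customer. In addition, a provisioning system handles the large bursts of traffic that occur on the "launch day" of a device. [Selected drawing] Figure 8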

01-02-2022 publication date

Method and apparatus for distributing access control clients

Number: BR102012007800B1
Assignee: Apple Inc

METHODS AND APPARATUS FOR DISTRIBUTING AND STORING ELECTRONIC ACCESS CLIENTS. The present invention relates to apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent "bottleneck" congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described for, among other activities, archiving and recovery.

10-09-2024 publication date

Generating transaction identifiers

Number: US12086769B2
Assignee: Apple Inc

To facilitate conducting a financial transaction via wireless communication between an electronic device and another electronic device, the electronic device determines a unique transaction identifier for the financial transaction based on financial-account information communicated to the other electronic device. The financial-account information specifies a financial account that is used to pay for the financial transaction. Moreover, the unique transaction identifier may be capable of being independently computed by one or more other entities associated with the financial transaction (such as a counterparty in the financial transaction or a payment network that processes payment for the financial transaction) based on the financial-account information communicated by the portable electronic device. The electronic device may also associate receipt information, which is subsequently received from a third party (such as the payment network), with the financial transaction by comparing the determined unique transaction identifier to the computed unique transaction identifier.

29-10-2024 publication date

User interfaces for managing an account

Number: US12131374B2
Assignee: Apple Inc

In some embodiments, exemplary user interfaces for provisioning an electronic device with an account are described. In some embodiments, exemplary user interfaces for providing usage information of an account are described. In some embodiments, exemplary user interfaces for providing visual feedback on a representation of an account are described. In some embodiments, exemplary user interfaces for managing the tracking of a category are described. In some embodiments, exemplary user interfaces for managing a transfer of items are described. In some embodiments, exemplary user interfaces for managing an authentication credential connected with an account are described. In some embodiments, exemplary user interfaces for activating a physical account object are described. In some embodiments, exemplary user interfaces for managing balance transfers are described.
