Switch service for wireless transactions between a user device and a reader device

The switch service on user devices resolves AID and OID collisions by orchestrating credential selection and retrieval, improving transaction efficiency and reliability in wireless transactions.

WO2026130707A1 · PCT designated stage · Publication Date: 2026-06-25 · ASSA ABLOY AB

Patent Information

Authority / Receiving Office: WO · WO
Patent Type: Applications
Current Assignee / Owner: ASSA ABLOY AB
Filing Date: 2024-12-19
Publication Date: 2026-06-25

AI Technical Summary

Technical Problem

Ambiguous selection of credential deposit vaults due to non-unique application IDs (AIDs) and object IDs (OIDs) leads to inefficient communication and potential denial of service during wireless transactions between user devices and reader devices.

Method used

A switch service on the user device orchestrates credential selection and retrieval by automatically routing commands without additional user input, resolving AID and OID collisions through configuration updates and endpoint management.

Benefits of technology

Enhances communication efficiency by eliminating unnecessary routing and user prompts, ensuring seamless transactions without service denial.

✦ Generated by Eureka AI based on patent content.


Abstract

Disclosed is a switch service for wireless transactions between a user device and a reader device. The disclosure further relates to a corresponding apparatus, system and computer program.

Description

[0001] 40177.AAB.P100PC S / Li / kt

[0003] SWITCH SERVICE FOR WIRELESS TRANSACTIONS BETWEEN A USER DEVICE AND A READER DEVICE

[0004] TECHNICAL FIELD

[0005] The present disclosure generally relates to the field of wireless transactions, and more particularly to a switch service for wireless transactions between a user device and a reader device.

[0006] BACKGROUND

[0007] Credential deposit vaults (e.g., wallet applications or dedicated hardware chips) have become an essential tool for storing, accessing, and transacting with digital assets such as cryptocurrencies, digital payment credentials, and other sensitive information. As the use of such vaults continues to grow, there is an increasing need to address challenges related to data security, privacy, and seamless user interaction.

[0008] One way of enhancing the security of these systems is to implement a plurality of credential deposit vaults of different security levels for storing credentials.

[0009] In order to retrieve the credentials stored within a target credential deposit vault, two steps have to be performed:

[0010] 1. presentation of an application ID (AID) associated with the target credential deposit vault and

[0011] 2. presentation of an object ID (OID) associated with target information (e.g., credentials, an identifier for a certain functionality or application) stored within the target credential deposit vault.

[0012] However, this poses a problem when different credential deposit vaults are associated with the same AID or when a certain target information exists in two or more locations on one user device, e.g. if there exists a first and a second credential deposit vault which both store the same credentials with the same OID. In those cases, the selection of the AID and / or OID becomes ambiguous, and it cannot be decided which credential deposit vault a reader device should communicate with, resulting in inefficient communication and at worst denial of the service.

[0014] A common approach tries to solve this problem by presenting a pop-up to the users requiring them to select the corresponding credential deposit vault. However, this approach is not only inconvenient from the user's point of view, but also leads to a considerable delay in the transaction, which may result in performance inefficiencies or even in the transaction being cancelled.

[0015] It is therefore an objective of the present disclosure to provide a switch service for wireless transactions between a user device and a reader device for automatically orchestrating credential deposit vaults, thereby overcoming the above-mentioned disadvantages of the prior art at least in part.

[0016] SUMMARY OF THE DISCLOSURE

[0017] The objective is solved by the subject-matter defined in the independent claims. Advantageous modifications of embodiments of the present disclosure are defined in the dependent claims as well as in the description and the figures.

[0018] As a general overview, certain aspects of the present disclosure provide techniques for improving efficiency of wireless transactions between user and reader devices by providing a switch service acting as a flexible endpoint for these transactions for orchestrating the credential selection and retrieval. This way, commands associated with the transactions can be automatically routed without requiring additional user input and / or additional actions performed by the reader device.

[0019] One aspect of the present disclosure relates to a user device for wireless transactions with a reader device. The user device may comprise at least two credential deposit vaults installed on the user device for storing target information and a switch service installed on the user device. The switch service may be configured to orchestrate selection and retrieval of target information between the reader device and the at least two credential deposit vaults.

[0020] Accordingly, commands associated with the transactions can be automatically routed without requiring additional user input resulting in improved communication efficiency.

[0021] Throughout the present disclosure, “target information” should be understood as any information stored within a credential deposit vault. Accordingly, the credential deposit vault storing the corresponding target information may be referred to as target credential deposit vault. Target information may comprise credentials, functionality or application identifiers, assets etc.

[0023] Throughout the present disclosure, a “switch service” should be understood as a software and / or component configured to facilitate the secure transfer, routing, or exchange of target information between different entities, devices, or systems such as reader devices, user devices and corresponding credential deposit vaults.

[0024] Throughout the present disclosure, “orchestration” should be understood as the coordination and management of processes related to the secure storage, retrieval, and utilization of target information.

[0025] Throughout the present disclosure, a “credential deposit vault” should be understood as a software application (e.g., a wallet application) and / or hardware component (e.g., a physical location on a processor, a dedicated chip such as eSE or iSE etc.) configured to store, manage, and facilitate secure access to target information such as digital assets, including but not limited to cryptocurrencies, digital payment credentials, access credentials or other sensitive information. Different credential deposit vaults may be isolated from each other e.g., with respect to communication. In other words, there is no direct communication between these credential deposit vaults. Accordingly, these vaults cannot exchange information about stored target information (e.g., OIDs) or about the application ID associated with the respective credential deposit vault.

[0026] Throughout the present disclosure, a “reader device” should be understood as any mobile or stationary device with the capability of performing a transaction as well as corresponding transmissions. A reader device may for example be:

[0027] - A Point-of-Sale (POS) Terminal as typically used for contactless payment transactions.

[0028] - An access control reader employed in secure entry systems to grant or deny access based on contactless transmission of credentials.

[0029] - A keyless entry system as found in automotive or building access.

[0030] - A public transit fare reader as used in buses, trains, and subways.

[0031] - A smartphone NFC reader which is built into smartphones to read or interact with NFC tags for applications like payments, ticketing, or data sharing.

[0032] - An electronic passport reader as used by immigration or security authorities to read data from e-passports for identity verification.

[0034] - A warehouse or inventory RFID reader as employed in logistics to track and manage inventory through RFID-tagged items.

[0035] - A (hotel) room key reader which is typically integrated into door locks to allow room access through RFID cards or mobile credentials.

[0036] Throughout the present disclosure, a “user device” should be understood as any device, preferably mobile device, with the capability of performing a transaction as well as corresponding transmissions. A user device may for example be:

[0037] - A smartphone (typically NFC-Enabled) used for mobile payments, ticketing, and access control by communicating with POS terminals, access readers, and other NFC-enabled devices.

[0038] - A smart card (e.g., for contactless payment, public transit cards, student ID cards or medical ID cards).

[0039] - An RFID key fob (i.e., a small device used for access control, often in keyless entry systems).

[0040] - A smartwatch or wearable device, which is typically equipped with NFC or RFID for payments, fitness tracking, or access control (e.g., home entry, gym entry or public transit).

[0041] - An electronic passport (e-passport) which typically contains RFID chip(s) that store biometric information and can be read by a reader device (e.g. a passport reader) at border control.

[0042] - An employee ID badge (typically with RFID or NFC) used in workplace access control systems, allowing employees to gain access to buildings or restricted areas.

[0043] - A wireless smart key for vehicles used in proximity-based car unlocking and starting, allowing keyless entry and ignition.

[0044] One aspect of the present disclosure relates to a method for configuring a switch service installed on a user device. The method may be computer-implemented. The method may comprise obtaining, by the switch service, a first application ID (AID) associated with a first credential deposit vault. The method may comprise determining, by the switch service, whether there is a second AID stored in the switch service, which is the same as the first AID, wherein the second AID is associated with a second credential deposit vault. The method may comprise updating, by the switch service, a configuration for the switch service based on the determining.

[0046] By keeping the switch service always up to date with respect to the different credential deposit vaults and their IDs, the switch service is able to automatically and correctly route the commands associated with the transaction without requiring additional user input resulting in improved communication efficiency.

[0047] Throughout the present disclosure, an “AID” should be understood as an ID representing the corresponding credential deposit vault. The ID is not necessarily unique on the user device which is why AID collisions can occur as explained herein.

[0048] According to another aspect of the present disclosure, wherein it is determined that there is no second AID which is the same as the first AID, updating the configuration for the switch service may comprise storing the first AID in the switch service and setting the first credential deposit vault as endpoint for wireless transactions associated with the first credential deposit vault.

[0049] By storing the first AID the switch service is updated. Furthermore, by setting the first credential deposit vault as endpoint (i.e., responder), the switch service does not have to act on behalf of the credential deposit vault, avoiding unnecessary routing by the switch service and resulting in a more efficient performance of the system.

[0050] According to another aspect of the present disclosure, wherein it is determined that there is a second AID which is the same as the first AID, updating the configuration for the switch service may comprise storing the first AID in the switch service and setting the switch service as endpoint for wireless transactions associated with the first credential deposit vault. Setting the switch service as endpoint may comprise assigning the switch service with one or more AIDs known to the reader device. By assigning the known AID(s) to itself, the switch service can act as a proxy between the reader device and the plurality of credential deposit vaults.

[0051] By storing the first AID the switch service is updated. Furthermore, by setting the switch service as endpoint, the switch service is able to orchestrate (e.g., request and route etc.) the selection and retrieval of the target information. Thus, a situation in which a transaction is cancelled due to the ambiguity between the credential deposit vaults is avoided. As a result, the switch service acts as a sole responder for any transactions between a reader device and the corresponding credential deposit vaults. Accordingly, a reader device communicating with the user device is not affected by the ambiguity between the AIDs of the corresponding credential deposit vaults. This is because the switch service acts as a credential deposit vault by assigning a common AID known to the reader device to itself. As a result, no adaptation at the reader device (e.g., orchestration of different AIDs) is needed.

[0053] According to another aspect of the present disclosure, the method may further comprise obtaining, by the switch service, an object ID (OID) associated with first target information stored in the first credential deposit vault and storing the first AID in the switch service may comprise storing the OID in the switch service.

[0054] By storing the AID together with the corresponding OID, the switch service is not only aware of the credential deposit vaults installed on the user device, but also about which credential deposit vault is storing which target information.

[0055] Storing the OID in the switch service may comprise storing the OID together with the first AID in the switch service. In this regard, it is important that the logical relationship between the first credential deposit vault and the corresponding target information is represented. For example, the first AID and the OID may be stored in the form of a tuple (first AID, OID). Alternatively, the switch service may store a list of every OID stored within the credential deposit vault, wherein the list is accessible / identifiable using the first AID (e.g., {first AID: [OID1, OID2, ..., OIDn]}, where n represents the number of different OIDs stored within the credential deposit vault associated with the first AID).

[0056] Throughout the present disclosure, an “OID” should be understood as an ID representing the corresponding target information stored within the credential deposit vault. The ID is not necessarily unique, which is why OID collisions can occur as explained herein, for example if the same credentials are stored within different credential deposit vaults. Depending on the technology, the OID may be understood as a second-level identifier, for example for target information stored within the corresponding credential deposit vault.

[0057] Detecting an AID or OID collision may be based on an equality comparison (e.g., a byte-by-byte or bit-by-bit comparison) of the corresponding AIDs or OIDs. Alternatively, detecting an AID or OID collision may be based on a partial comparison (e.g., a prefix-based, suffix-based or infix-based matching). In other words, OIDs / AIDs do not have to be identical to collide. It is to be understood that these are only examples and that any other suitable algorithm for identifying ID collisions can be used.

[0058] For example, a first AID may be “1234”, a second AID may be “12345” and a third AID may be “1267”. Depending on the used detection algorithm (i.e., equality or partial comparison), an AID collision could be detected under certain conditions or not. For example, if the reader device transmits a select “AID 1234” command and a prefix-based matching for “1234” is used, this would result in an AID collision between the first AID and the second AID. On the other hand, if the reader device transmits a select “AID 1234” and an equality comparison is used, this would result in no AID collision being detected.
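The configuration method and the two comparison modes described above can be modelled as follows. This is an added example, not part of the patent text: it registers the AIDs “1234”, “12345” and “1267” and shows which vaults end up behind the switch service. The `SwitchConfig` class, the vault names, the OID labels and the symmetric prefix check at registration are assumptions made for this example.

```python
from dataclasses import dataclass, field


def aids_collide(a: str, b: str, mode: str) -> bool:
    """Compare two AIDs by equality or by prefix, the two modes named above."""
    if mode == "equality":
        return a == b
    if mode == "prefix":
        # Assumption: at registration either AID may be the shorter one.
        return a.startswith(b) or b.startswith(a)
    raise ValueError(f"unknown comparison mode: {mode!r}")


@dataclass
class SwitchConfig:
    """Hypothetical model of the switch service configuration."""
    mode: str = "equality"
    aids: dict = field(default_factory=dict)      # vault name -> AID
    oids: dict = field(default_factory=dict)      # vault name -> set of OIDs
    endpoint: dict = field(default_factory=dict)  # vault name -> "vault" | "switch"

    def register(self, vault: str, aid: str, oids=()) -> list:
        """Store (AID, OIDs) for a vault and update the endpoint setting."""
        colliding = [v for v, known in self.aids.items()
                     if v != vault and aids_collide(aid, known, self.mode)]
        self.aids[vault] = aid
        self.oids[vault] = set(oids)
        if colliding:
            # Collision: the switch service answers for every vault involved,
            # so the reader never sees the ambiguity.
            for v in colliding + [vault]:
                self.endpoint[v] = "switch"
        else:
            # No collision: the vault stays its own endpoint (no extra routing).
            self.endpoint[vault] = "vault"
        return colliding

    def candidates(self, selected_aid: str) -> list:
        """Vaults that a reader's select of `selected_aid` would match."""
        if self.mode == "equality":
            return sorted(v for v, a in self.aids.items() if a == selected_aid)
        if self.mode == "prefix":
            return sorted(v for v, a in self.aids.items()
                          if a.startswith(selected_aid))
        raise ValueError(f"unknown comparison mode: {self.mode!r}")


def build_config(mode: str) -> SwitchConfig:
    """Register the three AIDs from the text (vault names are constructed)."""
    cfg = SwitchConfig(mode=mode)
    cfg.register("vault_1", "1234", oids={"OID1"})
    cfg.register("vault_2", "12345", oids={"OID1", "OID2"})
    cfg.register("vault_3", "1267", oids={"OID3"})
    return cfg


if __name__ == "__main__":
    for mode in ("equality", "prefix"):
        cfg = build_config(mode)
        print(mode, cfg.endpoint, cfg.candidates("1234"))
```

The comparison mode alone decides whether the second vault is routed through the switch service, so it belongs to the configuration that is reviewed when a new vault is installed.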

[0060] One aspect of the present disclosure relates to a method for wireless transactions between a user device and a reader device. The method may be computer-implemented. The method may be performed by a switch service installed on the user device. The method may comprise receiving, from the reader device, a first AID associated with a target credential deposit vault storing target information. The method may comprise determining that the first AID is associated with a first credential deposit vault and with a second credential deposit vault. The method may comprise transmitting, to the reader device, a response without the target information. The method may comprise receiving, from the reader device, an OID associated with the target information stored in the target credential deposit vault. The method may comprise determining either the first credential deposit vault or the second credential deposit vault as the target credential deposit vault based on the first OID. The method may comprise transmitting, to the reader device, the target information stored in the target credential deposit vault.

[0061] By determining that the first AID is associated with two credential deposit vaults, the switch service is able to detect an AID collision. In order to resolve this collision, the switch may wait for or request the corresponding OID. Once the switch has the AID and the OID, the switch service is able to identify the correct / target credential deposit vault. As a result, the switch service is able to access the target credential deposit vault, retrieve the target information therefrom and transmit them to the reader device. Alternatively, the switch service may orchestrate communication in a way that subsequent communication between the reader device and the user device is automatically directed to the target credential deposit vault. This way, the transaction can be efficiently performed.

[0062] According to another aspect of the present disclosure, determining either the first or the second credential deposit vault as the target credential deposit vault may comprise determining that only the first credential deposit vault is storing the target information associated with the OID and selecting the first credential deposit vault as the target credential deposit vault.

[0063] In this situation, there is an AID collision, but no OID collision. In other words, while the switch service determined that both credential deposit vaults are associated with the first AID (i.e., the same), the switch service determined that only the first credential deposit vault is storing the target information. For this purpose, the switch service may check its configuration and see that the OID is only stored in the list of OIDs associated with the first credential deposit vault or that there is only a tuple stored for the first credential deposit vault which comprises the first AID and the OID. This way, the switch service is able to retrieve the correct target information from the target credential deposit vault or orchestrate the communication in a way that subsequent communication between the reader device and the user device is automatically directed to the target credential deposit vault. For this purpose, the configuration of the switch may comprise a look-up table comprising routing commands. A routing command may indicate a location (i.e., a target credential deposit vault) corresponding to the OID. This allows the switch to act as a proxy for orchestrating the selection and retrieval of target information.

[0065] According to another aspect of the present disclosure, determining either the first or the second credential deposit vault as the target credential deposit vault may comprise determining that only the second credential deposit vault is storing the target information associated with the OID and selecting the second credential deposit vault as the target credential deposit vault.

[0066] In this situation, there is an AID collision, but no OID collision. In other words, while the switch service determined that both credential deposit vaults are associated with the first AID, the switch service determined that only the second credential deposit vault is storing the target information. For this purpose, the switch service may check its configuration and see that the OID is only stored in the list of OIDs associated with the second credential deposit vault or that there is only a tuple stored for the second credential deposit vault which comprises the first AID and the OID. This way, the switch service is able to retrieve the correct target information from the target credential deposit vault.

[0067] According to another aspect of the present disclosure, determining either the first or the second credential deposit vault as the target credential deposit vault may comprise determining that both credential deposit vaults are storing the target information associated with the OID and selecting either the first or the second credential deposit vault as the target credential deposit vault.

[0068] In this situation, there is an AID and an OID collision. In other words, the switch service determined that both credential deposit vaults are associated with the first AID and that both credential deposit vaults have stored target information associated with the OID. In order to resolve this situation and to enable completion of the transaction without unnecessary delay (e.g., caused by a user prompt as done in the prior art), the switch service simply selects either the first or the second credential deposit vault and retrieves the target information from it.

[0070] According to another aspect of the present disclosure, selecting either the first or the second credential deposit vault as the target credential deposit vault may be based on at least one of a predefined ranking for the first and the second credential deposit vault or a random selection.

[0071] A random selection may be desirable if no additional computational steps should be performed. While this may result in non-optimal selection of the credential deposit vault, this approach may be cost efficient regarding computational resources. A selection according to a predefined ranking, on the other hand, may result in an optimal selection at the cost of some additional computational steps (e.g., accessing the predefined ranking, evaluating which credential deposit vault is associated with the highest rank / priority etc.).

[0072] According to another aspect of the present disclosure, the predefined ranking may be based on a user-defined preference, a default setting, computational effort for accessing the first and second credential deposit vault respectively, a level of security associated with the first and the second credential deposit vault respectively or any combination thereof.

[0073] A user-defined preference may for example be set at an initial installation / registration of one credential deposit vault. For example, if an OEM credential deposit vault was already installed and the user installs a third-party credential deposit vault, the user may initially define that he prefers the newly installed credential deposit vault (e.g., for all transactions or only a certain set of transactions e.g. for pay transactions or for access transactions of a certain smart lock etc.). A default setting may be a good alternative when the user does not provide such a user-defined preference. Accordingly, it may be defined as default, that the OEM credential deposit vault is used even if a third-party credential deposit vault is newly installed. Also, the computational effort for accessing the credential deposit vault may play a role. This may be combined with the level of security associated with the credential deposit vaults. A credential deposit vault associated with a high level of security may require more computational steps for accessing / retrieving the credentials than a credential deposit vault associated with a low level of security.

[0074] According to another aspect of the present disclosure, determining that both credential deposit vaults are storing target information associated with the first OID is based on information stored in the switch service.

[0076] According to another aspect of the present disclosure, the information may be stored within a look-up table. The look-up table may comprise, for each credential deposit vault installed on the user device an AID associated with the credential deposit vault and a list of OIDs, wherein each OID of the list is associated with a set of target information stored within the respective credential deposit vault.

[0077] By storing the information within a corresponding data structure, an efficient look up of AIDs and fast validation of existence of an OID in a collection of OIDs is achieved.
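The transaction method of [0060] to [0072] can be run against a look-up table of the kind described in [0076]. The following is an added example, not taken from the patent: the AID step is answered without target information, and the OID step picks the target vault, falling back to a predefined ranking or a random choice when both vaults hold the OID. The vault names, AIDs, OIDs, credential strings and the `SwitchSession` class are constructed for illustration.

```python
import random

# Constructed stand-ins for the isolated vaults and the target information
# they store (OID -> target information).
VAULTS = {
    "oem_vault":   {"door": "oem-door-credential", "pay": "oem-pay-credential"},
    "third_party": {"door": "3p-door-credential", "gym": "3p-gym-credential"},
    "transit":     {"fare": "transit-fare-credential"},
}
# Look-up table held by the switch: per vault, its AID and the list of its OIDs.
LOOKUP = {
    "oem_vault":   {"aid": "A001", "oids": ["door", "pay"]},
    "third_party": {"aid": "A001", "oids": ["door", "gym"]},
    "transit":     {"aid": "B002", "oids": ["fare"]},
}


class SwitchSession:
    """Hypothetical per-transaction state of the switch service."""

    def __init__(self, ranking=None, rng=None):
        self.ranking = list(ranking or [])   # highest priority first
        self.rng = rng or random.Random()
        self.candidates = []                 # vaults matching the AID
        self.target = None                   # vault finally selected

    def on_aid(self, aid):
        """Step 1: the reader presents an AID; the reply has no target information."""
        self.candidates = [v for v, e in LOOKUP.items() if e["aid"] == aid]
        return ("ok", None) if self.candidates else ("not_found", None)

    def on_oid(self, oid):
        """Step 2: the reader presents an OID; select the target vault and answer."""
        holders = [v for v in self.candidates if oid in LOOKUP[v]["oids"]]
        if not holders:
            return ("not_found", None)
        if len(holders) == 1:
            # AID collision only: exactly one vault stores this OID.
            self.target = holders[0]
        elif self.ranking:
            # AID and OID collision: predefined ranking decides.
            self.target = min(holders, key=self._rank)
        else:
            # AID and OID collision, no ranking configured: random selection.
            self.target = self.rng.choice(holders)
        return ("ok", VAULTS[self.target][oid])

    def _rank(self, vault):
        # Vaults missing from the ranking sort after all ranked ones.
        if vault in self.ranking:
            return self.ranking.index(vault)
        return len(self.ranking)


def transact(aid, oid, ranking=None, rng=None):
    """Run both steps and return (AID reply, OID reply, selected vault)."""
    session = SwitchSession(ranking, rng)
    first = session.on_aid(aid)
    second = session.on_oid(oid)
    return first, second, session.target


if __name__ == "__main__":
    oem_first = ["oem_vault", "third_party"]
    for oid in ("pay", "gym", "door", "fare"):
        print(oid, transact("A001", oid, ranking=oem_first))
```

With a ranking the choice between colliding vaults is deterministic and can be logged per transaction; with random selection the same AID and OID can be answered by either vault.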

[0078] One aspect of the present disclosure relates to a method for wireless transactions between a user device and a reader device. The method may be computer-implemented. The method may be performed by a reader device. The method may comprise transmitting, to a switch service installed on the user device, an AID associated with a target credential deposit vault storing target information. The method may comprise receiving, from the switch service, a response without the target information. The method may comprise transmitting, to the switch service, an OID associated with the target information stored in the target credential deposit vault. The method may comprise receiving, from the switch service, the target information stored in the target credential deposit vault.

[0079] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable. In particular, the present invention avoids adaptation of the reader device for handling the ambiguity caused by a plurality of credential deposit vaults installed on the user device. Instead, the necessary logic is implemented via the switch service at the user device.

[0080] According to another aspect of the present disclosure, the switch service according to aspects of the present disclosure may be configured according to the method for configuring a switch service according to the aspects of the present disclosure.

[0081] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0082] According to another aspect of the present disclosure, the first credential deposit vault may be an OEM credential deposit vault and the second credential deposit vault may be a third-party credential deposit vault.

[0083] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0085] According to another aspect of the present disclosure, the orchestrating of selection and retrieval of the target information may comprise performing the method(s) according to aspects of the present disclosure.

[0086] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0087] According to another aspect of the present disclosure, the user device as referred to within the method(s) of the aspects of the present disclosure may be a user device according to the aspects of the present disclosure.

[0088] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0089] According to another aspect of the present disclosure, a wireless transaction may comprise a plurality of transmissions.

[0090] According to another aspect of the present disclosure, the plurality of transmissions may comprise a plurality of Application Protocol Data Unit (APDU) command exchanges.

[0091] Utilizing a predefined format / protocol for the transmissions ensures that the transaction can be performed reliably without causing additional signaling overhead. This is because otherwise, the user device and reader device would have to exchange additional information (e.g., on the structure of messages) which would lead to signaling overhead and thus inefficient bandwidth usage.

[0092] According to another aspect of the present disclosure, the transaction between the user device and the reader device may be performed using near field communication (NFC).

[0093] With most common user and reader devices being capable of NFC, using NFC for the transactions causes no additional hardware and software requirements. As a result, the present technique can be easily implemented and scaled across a plurality of different devices.

[0094] Another aspect of the present disclosure relates to a data processing apparatus at a reader device comprising means for carrying out the method performed at the reader device according to any one of the aspects described herein.

[0095] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0097] Another aspect of the present disclosure relates to a data processing apparatus at a reader device. The data processing apparatus may comprise a processor, memory coupled with the processor and instructions stored in the memory and executable by the processor to cause the apparatus to carry out the method performed at the reader device according to any one of the aspects described herein.

[0098] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0099] Another aspect of the present disclosure relates to a data processing apparatus at a user device comprising means for carrying out the method performed at the user device according to any one of the aspects described herein.

[0100] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0101] Another aspect of the present disclosure relates to a data processing apparatus at a user device. The data processing apparatus may comprise a processor, memory coupled with the processor and instructions stored in the memory and executable by the processor to cause the apparatus to carry out the method performed at the user device according to any one of the aspects described herein.

[0102] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0103] Another aspect of the present disclosure relates to a data processing system comprising a reader device and a user device. The reader device may comprise a data processing apparatus according to any one of the aspects described herein. The user device may be the user device according to any one of the aspects described herein. The user device may comprise a data processing apparatus according to any one of the aspects described herein.

[0104] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0105] Another aspect of the present disclosure relates to a computer program or a computer-readable medium having stored thereon the computer program. The computer program may comprise instructions which, when the computer program is executed by a processor, cause the processor to carry out the method(s) of any one of the aspects described herein.

[0107] The advantages that were mentioned with regards to any one of the previous aspects apply likewise. Further advantages may be applicable.

[0108] BRIEF DESCRIPTION OF THE DRAWINGS

[0109] The disclosure may be better understood by reference to the following drawings:

[0110] Fig. 1: A user device in accordance with embodiments of the present disclosure.

[0111] Fig. 2: A switch service in accordance with embodiments of the present disclosure.

[0112] Fig. 3: A flowchart of a method for configuring a switch service in accordance with embodiments of the present disclosure.

[0113] Fig. 4: A flowchart of a method for wireless transactions in accordance with embodiments of the present disclosure.

[0114] Fig. 5: A flowchart of a method for wireless transactions in accordance with embodiments of the present disclosure.

[0115] Fig. 6: A data processing apparatus in accordance with embodiments of the present disclosure.

[0116] Fig. 7: A data processing system in accordance with embodiments of the present disclosure.

[0117] Fig. 8: An example of a switch service for orchestrating the selection and retrieval of target information in accordance with embodiments of the present disclosure.

[0118] DETAILED DESCRIPTION

[0119] In the following, representative embodiments illustrated in the accompanying drawings will be explained. It should be understood that the illustrated embodiments and the following descriptions refer to examples which are not intended to limit the embodiments to one preferred embodiment.

[0120] Fig. 1 illustrates a user device 100 in accordance with embodiments of the present disclosure. The user device 100 may be configured for wireless transactions with a reader device 702.

[0122] The user device 100 comprises at least two credential deposit vaults (e.g., a first credential deposit vault 120-1, a second credential deposit vault 120-2 and an nth credential deposit vault 120-N) for storing target information or other sensitive information.

[0123] The user device 100 comprises a switch service 110 installed on the user device. Alternatively, the switch service may be installed on a remote entity (e.g., another data processing apparatus such as a server) and is provided to the user device as a service (e.g., via an API). The switch service 110 is configured to orchestrate selection and retrieval of target information between the reader device 702 and the at least two credential deposit vaults. For this purpose, the switch service 110 may be configured according to the method for configuring a switch service according to aspects of the present disclosure (e.g., method 300 of Fig. 3). For this purpose, the switch service 110 may also be configured to perform the method for wireless transactions according to the aspects of the present disclosure (e.g., method 400 of Fig. 4) in order to orchestrate the selection and retrieval of target information between the reader device and the at least two credential deposit vaults.

[0124] Fig. 2 illustrates a switch service 110 in accordance with embodiments of the present disclosure. As explained above, the switch service 110 is configured to orchestrate selection and retrieval of target information between the reader device 702 and at least two credential deposit vaults. For this purpose, the switch service 110 may be configured according to the method for configuring a switch service according to aspects of the present disclosure (e.g., method 300 of Fig. 3). For this purpose, the switch service 110 may be configured to perform the method for wireless transactions according to the aspects of the present disclosure (e.g., method 400 of Fig. 4) in order to orchestrate the selection and retrieval of target information between the reader device and the at least two credential deposit vaults.

[0125] The present example illustrates a switch service 110 which stores a configuration 200 comprising three different credential deposit vaults, namely a first credential deposit vault 120-1 associated with a first application ID (AID 1), a second credential deposit vault 120-2 also associated with the first application ID (AID 1) and a third credential deposit vault 120-3 associated with a second application ID (AID 2). In this example, the configuration 200 may be stored within a look-up table. The table stores the application ID of each credential deposit vault registered at the switch service 110. Preferably, every credential deposit vault installed on the user device is also registered at the switch service 110 to ensure the desired performance. In addition, the table stores a list of object IDs, OIDs, wherein each OID of the list is associated with target information stored within the respective credential deposit vault. For example, the credential deposit vault 120-1 with the AID1 stores two sets of target information, namely first target information associated with the OID1 and second target information associated with the OID2. Accordingly, the switch service 110 stores a list 210-1 comprising both OIDs for the credential deposit vault 120-1. For example, the credential deposit vault 120-2 with the AID1 stores two sets of target information, namely first target information associated with the OID1 and second target information associated with the OID3. Accordingly, the switch service stores a list 210-2 comprising both OIDs for the credential deposit vault 120-2. For example, the credential deposit vault 120-3 with the AID2 stores two sets of target information, namely first target information associated with the OID4 and second target information associated with the OID5. Accordingly, the switch service stores a list 210-3 comprising both OIDs for the credential deposit vault 120-3.

[0127] As can be seen, the application ID (AID2) of the credential deposit vault 120-3 is currently unique (i.e. , no other credential deposit vault associated with the same application ID has yet been installed / registered on / at the user device / switch service). Accordingly, when the switch service receives the AID2, the switch service 110 may determine that there is no AID collision and can set the corresponding third credential deposit vault 120-3 as the endpoint for the following transmissions with the reader device. It is nevertheless important that the switch service stores the information (i.e., the AID2 and the corresponding list 201-3 of OIDs) about the credential deposit vault 120-3. This is because it might happen that a new credential deposit vault is installed on the user device and registered at the switch service. In case this credential deposit vault has the same AID as the credential deposit vault 120-3, there might occur an AID collision in the future. However, as the configuration of the switch service is updated accordingly, the switch service is able to detect the collision and is able to correspondingly orchestrate the selection and retrieval of target information.

[0128] As can be seen, the credential deposit vault 120-1 and the credential deposit vault 120-2 have the same application ID (AID1). Accordingly, when the switch service receives the AID1, the switch service 110 may determine an AID collision between these two credential deposit vaults. At this point, it is not possible to unambiguously determine the requested credential deposit vault. Therefore, the switch service transmits a response to the reader device. The response may implicitly or explicitly (e.g., by a request for the OID comprised within the response) signal to the reader device that the switch service requires / waits for the OID. This way, the reader device knows that its request was well received and can provide further information (e.g., the object ID). Once the switch service receives the OID, the switch service can continue with the retrieval of the target information by checking the lists of OIDs 210-1 and 210-2 to determine which credential deposit vault has stored the corresponding target information. Alternatively, once the switch receives the OID, the switch is able to continue with the orchestration that will allow the reader device to obtain the requested target information.

[0130] For example, if the switch service receives the OID2, the switch service 110 may determine that only the credential deposit vault 120-1 is storing the corresponding target information, because only the list 210-1 comprises the OID2. Accordingly, the switch service may request the corresponding target information from the credential deposit vault 120-1 and transmit the target information to the reader device afterwards. Additionally, the switch service may set the credential deposit vault 120-1 as endpoint for the remaining parts of the wireless transactions with the reader device. In an alternative embodiment, the switch may orchestrate the remainder of the communication in such a way that the reader device can obtain the target information from the target credential deposit.

[0131] For example, if the switch service receives the OID1, the switch service 110 may determine that both credential deposit vaults 120-1 and 120-2 are storing the corresponding target information, because both lists 210-1 and 210-2 comprise the OID1. For example, this might happen if a user has added credentials to the first credential deposit vault 120-1 and has afterwards installed a second credential deposit vault and added the credentials to that credential deposit vault as well. In this case, the switch service may select either the credential deposit vault 120-1 or the credential deposit vault 120-2, because both credential deposit vaults store the credentials needed / requested by the reader device. In this case, the selecting may be based on a random selection or a predefined ranking between the two credential deposit vaults.

[0132] Fig. 3 illustrates a flowchart of a method (300) for configuring a switch service (110) installed on a user device (100). The method may be computer-implemented. The method may be performed by the switch service (110) installed on the user device (110).

[0133] The method (300) may comprise obtaining (step 310) a first application ID (AID) associated with a first credential deposit vault. For example, the first credential deposit vault may transmit a request comprising the first application ID for registration of the first credential deposit vault at the switch service (i.e., the first credential deposit vault is not yet registered in the switch service). The request may additionally comprise a call object (e.g., an object ID). The call object allows identification of target information stored within the credential deposit vault. By providing the call object to the credential deposit vault, the credential deposit vault can identify the corresponding target information and provide it to the requester (e.g., the switch service or a reader device).

[0135] The method (300) may comprise determining (step 320) whether there is a second AID stored in the switch service, which is the same as the first AID. The second AID may be associated with a second credential deposit vault.

[0136] If it is determined that there is no second AID stored in the switch service that is the same as the first AID, a collision of the two credential deposit vaults due to identical AIDs when accessing target information is not to be expected. In this case, updating (step 380) a configuration of the switch service based on the determining may comprise storing the first AID in the switch service and setting the first credential deposit vault as endpoint for wireless transactions associated with the first credential deposit vault (step 320). This way, it is ensured that the switch service is used for a certain credential deposit vault only in the case of an AID collision. This way, any overhead caused by unnecessary routing performed by the switch service is avoided.

[0137] If it is determined that there is a second AID which is the same as the first AID, a collision of the two credential deposit vaults due to identical AIDs when accessing target information is to be expected. In this case, updating (step 380) a configuration of the switch service based on the determining may comprise storing the first AID in the switch service and setting the switch service as endpoint for wireless transactions associated with the first credential deposit vault.

[0138] For this purpose, the switch service may register (step 340) the first credential deposit vault at the operating system of the user device (e.g., by registering host card emulation (HCE) for the first credential deposit vault). The switch service may then determine (step 350) whether the second AID was registered by a third-party credential deposit vault (i.e., the second credential deposit vault is a third-party credential deposit vault) or by an OEM credential deposit vault (i.e., the second credential deposit vault is an OEM credential deposit vault).

[0139] In one example, the first credential deposit vault is an OEM credential deposit vault. If it is determined that the second AID was registered by the OEM credential deposit vault, the switch service may transmit (step 360) an indication to the OEM credential deposit vault that the switch service acts as the endpoint for wireless transactions associated with the OEM credential deposit vault (i.e., the first credential deposit vault). The indication may cause the OEM credential deposit vault to disable its HCE or eSE (embedded Secure Element) for NFC. If it is determined that the second AID was registered by a third-party credential deposit vault, the switch service may transmit (step 370) an indication to the third-party credential deposit vault and transmit (step 360) an indication to the OEM credential deposit vault that the switch service acts as the endpoint for wireless transactions associated with the third-party credential deposit vault and the OEM credential deposit vault. The indications may cause the OEM credential deposit vault and the third-party credential deposit vault to disable their HCE or eSE (embedded Secure Element) for NFC.

[0141] In another example, the first credential deposit vault is a third-party credential deposit vault. If it is determined that the second AID was registered by the third-party credential deposit vault, the switch service may transmit (step 360) an indication to the third-party credential deposit vault that the switch service acts as the endpoint for wireless transactions associated with the third-party credential deposit vault (i.e., the first credential deposit vault). The indication may cause the third-party credential deposit vault to disable its HCE or eSE (embedded Secure Element) for NFC. If it is determined that the second AID was registered by an OEM credential deposit vault, the switch service may transmit (step 360) an indication to the third-party credential deposit vault and transmit (step 370) an indication to the OEM credential deposit vault that the switch service acts as the endpoint for wireless transactions associated with the third-party credential deposit vault and the OEM credential deposit vault. The indications may cause the OEM credential deposit vault and the third-party credential deposit vault to disable their HCE or eSE (embedded Secure Element) for NFC.

[0142] The method may further comprise any aspects as described herein.

[0143] Fig. 4 illustrates a method 400 for wireless transactions between a user device 100 and a reader device 702. The method may be computer-implemented. The method may be performed by a switch service 110 (e.g., as explained with respect to Fig. 1) installed on the user device 100.

[0144] The method 400 may comprise receiving (step 410) a first application ID (AID) associated with a target credential deposit vault storing target information.

[0145] The method 400 may comprise determining (step 420 - YES) that the first AID is associated with a first credential deposit vault and with a second credential deposit vault. In case it is determined (step 420 - NO) that there is no AID collision (i.e., the first AID is only associated with one credential deposit vault), the corresponding credential deposit vault may be set as endpoint (i.e., as receiver for the transmissions of the reader device and vice versa). In other words, the switch service may no longer act on behalf of the credential deposit vault. Instead, a direct communication between the credential deposit vault and the reader device is enabled. This way, communication efficiency is improved, because unnecessary routing overhead caused by the switch service is avoided.

[0147] If it was determined (step 420 - YES) that there is an AID collision, the switch service 110 may act as endpoint for the transmissions with the reader device. Accordingly, the method 400 may comprise transmitting (step 440) a response without the target information to the reader device. The method may comprise receiving (step 450), from the reader device 702, an object ID (OID) associated with the target information stored in the target credential deposit vault. The method may comprise determining (step 460) either the first credential deposit vault or the second credential deposit vault as the target credential deposit vault based on the first OID. The switch service may then request the corresponding target information using the first OID from the target credential deposit vault. The method 400 may further comprise transmitting (step 470) the target information stored in the target credential deposit vault to the reader device.
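The registration logic of method 300 and the AID / OID resolution of methods 400 and 500, modelled on the Fig. 2 configuration, as an added example that is not code from the disclosure. The class and function names, the `rank` field (standing in for the "predefined ranking" option on an OID collision), the constructed target-information strings, and the rejection of an OID that arrives without a preceding colliding AID are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """A credential deposit vault as seen by the switch service (hypothetical model)."""
    name: str        # reference numeral used in the text, e.g. "120-1"
    aid: str         # application ID the vault registers under
    objects: dict    # OID -> target information (constructed values)
    rank: int = 0    # assumed predefined ranking; lower wins on an OID collision


@dataclass
class Response:
    status: str      # "direct", "awaiting_oid", "found", "not_found" or "error"
    vault: str = None
    target: str = None


class SwitchService:
    def __init__(self):
        self.config = {}         # configuration 200: AID -> registered vaults
        self.endpoint = {}       # vault name -> "vault" (direct) or "switch"
        self.pending_aid = None  # colliding AID selected by the reader, awaiting an OID

    def register(self, vault):
        """Method 300: store the AID and OID list; return True on an AID collision."""
        peers = self.config.setdefault(vault.aid, [])
        if any(p.name == vault.name for p in peers):
            raise ValueError(f"vault {vault.name} is already registered")
        peers.append(vault)
        collision = len(peers) > 1
        # On a collision the switch becomes endpoint for every vault sharing the
        # AID, including the one that was reachable directly until now.
        for p in peers:
            self.endpoint[p.name] = "switch" if collision else "vault"
        return collision

    def select_aid(self, aid):
        """Steps 410-440: route directly, or answer without target information."""
        self.pending_aid = None
        peers = self.config.get(aid, [])
        if not peers:
            return Response("not_found")
        if len(peers) == 1:
            return Response("direct", vault=peers[0].name)
        self.pending_aid = aid
        return Response("awaiting_oid")

    def select_oid(self, oid):
        """Steps 450-470: pick the target vault from the OID lists and fetch."""
        if self.pending_aid is None:
            return Response("error")      # assumption: OID without a colliding AID
        peers = self.config[self.pending_aid]
        self.pending_aid = None
        holders = [p for p in peers if oid in p.objects]
        if not holders:
            return Response("not_found")  # fail closed instead of guessing a vault
        target = min(holders, key=lambda p: p.rank)
        return Response("found", vault=target.name, target=target.objects[oid])


def reader_transaction(switch, aid, oid):
    """Method 500 from the reader's side: send the AID, then the OID if asked."""
    first = switch.select_aid(aid)
    if first.status != "awaiting_oid":
        return first
    return switch.select_oid(oid)


def build_fig2_switch():
    """Constructed copy of the Fig. 2 look-up table (target values are placeholders)."""
    switch = SwitchService()
    layout = [("120-1", "AID1", ["OID1", "OID2"], 0),
              ("120-2", "AID1", ["OID1", "OID3"], 1),
              ("120-3", "AID2", ["OID4", "OID5"], 0)]
    for name, aid, oids, rank in layout:
        objects = {oid: f"target-info-{oid}@{name}" for oid in oids}
        switch.register(Vault(name, aid, objects, rank))
    return switch


if __name__ == "__main__":
    sw = build_fig2_switch()
    for aid, oid in [("AID2", "OID4"), ("AID1", "OID2"), ("AID1", "OID1"), ("AID1", "OID9")]:
        print(aid, oid, reader_transaction(sw, aid, oid))
```

With a ranking the OID1 case always resolves to the same vault, which makes the routing decision reproducible when reviewing logs; the random-selection option described above would not.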

[0148] Fig. 5 illustrates a method 500 for wireless transactions between a user device 100 and a reader device 702. The method may be computer-implemented. The method may be performed at the reader device 702.

[0149] The method 500 may comprise transmitting (step 510), to a switch service 110 installed on the user device 100, an application ID (AID) associated with a target credential deposit vault storing target information.

[0150] The method 500 may comprise receiving (step 520), from the switch service 110, a response without the target information. This is because as outlined with respect to Fig. 4, the switch service determined an AID collision.

[0151] The method 500 may comprise transmitting (step 530), to the switch service 110, an object ID (OID) associated with the target information stored in the target credential deposit vault.

[0152] The method 500 may comprise receiving (step 540), from the switch service 110, the target information stored in the target credential deposit vault.

[0153] Fig. 6 illustrates a data processing apparatus 600 in accordance with embodiments of the present disclosure. The data processing apparatus 600 may be a component of a user device (e.g., user device 100) or a component of a reader device (e.g., reader device 702). In other words, a user device (e.g., user device 100) may comprise the data processing apparatus 600 or a reader device (e.g., reader device 702) may comprise the data processing apparatus 600. In another implementation, the data processing apparatus 600 may correspond to the reader device (e.g., reader device 702) or the user device (e.g., user device 100).

[0155] The data processing apparatus 600 may comprise means for performing the method(s) according to the present disclosure (e.g., the method 300 and / or the method 400 and / or the method 500). The means may comprise a processor 602 and a memory 604. The processor 602 and the memory 604 may be operatively connected. The memory 604 may store a computer program 606, wherein the computer program 606 comprises instructions that, when the computer program 606 is executed by the data processing apparatus 600, cause the data processing apparatus 600 to execute the method(s) according to any of the aforementioned aspects (e.g., the method 300 and / or the method 400 and / or the method 500).

[0156] Fig. 7 illustrates a data processing system 700 in accordance with embodiments of the present disclosure. The data processing system 700 may comprise a user device 100 and a reader device 702 which are configured to perform wireless transactions 704 between each other. For this purpose, the user device 100 may comprise or correspond to the data processing apparatus 600 so that the method(s) according to the aspects of the present disclosure may be performed at the user device 100 (e.g., method 300 of Fig. 3 and / or method 400 of Fig. 4). Similarly, the reader device 702 may comprise or correspond to the data processing apparatus 700 so that the method according to the aspects of the present disclosure may be performed at the reader device 702 (e.g., the method 500 of Fig. 5).

[0157] Fig. 8 illustrates an example of a switch service 110 for orchestrating 800 the selection and retrieval of target information in accordance with embodiments of the present disclosure. In the present example, the switch service 110 installed on a user device 100 acts as a sole responder for the credential deposit vaults 120-1 and 120-2 because an AID collision between both credential deposit vaults was detected. For the remaining credential deposit vaults 120-3 and 120-4 a direct or indirect (i.e., the switch service as proxy) communication with a reader device 702 may be established because no AID collision between both credential deposit vaults was detected. The corresponding behaviour of the switch service 110 may be stored in the configuration 200 of the switch. As explained herein, this has the advantage of not having to adapt the reader device (e.g., with respect to orchestration of different AIDs). Accordingly, in order to receive target information, the reader device does not have to perform additional steps, because the additional rerouting logic is implemented at the switch service 110 as illustrated in the following.

[0158] At step 802, the reader device 702 transmits a first command. For example, the first command may be “Select AID 1”. The AID1 is the application ID known (e.g., predefined, defined according to a protocol / standard etc.) to the reader. In other words, the reader device 702 is not and does not have to be aware of the fact that there is a plurality of credential deposit vaults 120-1, 120-2, 120-3 and 120-4 installed on the user device 100.

[0161] The switch service 110 receives the first command and transmits a response without the target information in step 804. The response may indicate to the reader device 702 that the target credential deposit vault is ready for receiving further commands. At this point in time, the switch service is not yet able to determine the target credential deposit vault. Nevertheless, it transmits the corresponding response in order to receive additional information (e.g., the OID associated with the target information) based on which the switch service is then able to determine the target credential deposit vault.

[0162] After receiving the response, the reader device 702 transmits a second command indicating the corresponding OID of the target information. For example, the second command may be “Select OID 2”.

[0163] The switch service 110 receives the second command and determines based on the received OID, that the credential deposit vault 120-1 is the target credential deposit vault storing the target information associated with the OID2. As explained herein, the determining may be done using a corresponding look-up table comprising routing commands. The configuration 200 may comprise the look-up table. Accordingly, the switch service may transmit a response indicating that the target information was found in step 806.

[0164] Afterwards, a direct communication between the target credential deposit vault 120-1 and the reader device 702 can be established for performing the remaining steps (steps 810 and 812) for retrieving the target information such as authentication, encryption etc. It is also possible that an indirect communication between the target credential deposit vault 120-1 and the reader device 702 via the switch service is used for performing the remaining steps.

[0165] As used herein the term “and / or” includes any and all combinations of one or more of the associated listed items and may be abbreviated as

[0166] Although some aspects have been described in the context of an apparatus, it is clear that these aspects also represent a description of the corresponding method, where a block or device corresponds to a method step or a feature of a method step. Analogously, aspects described in the context of a method step also represent a description of a corresponding block or item or feature of a corresponding apparatus.

[0167] Embodiments of the present disclosure may be implemented on a computer system. The computer system may be a local computer device (e.g., personal computer, laptop, tablet computer or mobile phone) with one or more processors and one or more storage devices or may be a distributed computer system (e.g., a cloud computing system with one or more processors and one or more storage devices distributed at various locations, for example, at a local client and / or one or more remote server farms and / or data centers). The computer system may comprise any circuit or combination of circuits. In one embodiment, the computer system may include one or more processors which can be of any type. As used herein, processor may mean any type of computational circuit, such as but not limited to a microprocessor, a microcontroller, a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a graphics processor, a digital signal processor (DSP), multiple core processor, a field programmable gate array (FPGA), or any other type of processor or processing circuit. Other types of circuits that may be included in the computer system may be a custom circuit, an application-specific integrated circuit (ASIC), or the like, such as, for example, one or more circuits (such as a communication circuit) for use in wireless devices like mobile telephones, tablet computers, laptop computers, two-way radios, and similar electronic systems. The computer system may include one or more storage devices, which may include one or more memory elements suitable to the particular application, such as a main memory in the form of random-access memory (RAM), one or more hard drives, and / or one or more drives that handle removable media such as compact disks (CD), flash memory cards, digital video disk (DVD), and the like. The computer system may also include a display device, one or more speakers, and a keyboard and / or controller, which can include a mouse, trackball, touch screen, voice-recognition device, or any other device that permits a system user to input information into and receive information from the computer system.

[0169] Some or all of the method steps may be executed by (or using) a hardware apparatus, like for example, a processor, a microprocessor, a programmable computer or an electronic circuit. In some embodiments, one or more of the most important method steps may be executed by such an apparatus.

[0170] Depending on certain implementation requirements, embodiments of the present disclosure can be implemented in hardware or in software. The implementation can be performed using a non-transitory storage medium such as a digital storage medium, for example a floppy disc, a DVD, a Blu-Ray, a CD, a ROM, a PROM, an EPROM, an EEPROM or a FLASH memory, having electronically readable control signals stored thereon, which cooperate (or are capable of cooperating) with a programmable computer system such that the respective method is performed. Therefore, the digital storage medium may be computer readable.

[0172] Some embodiments according to the present disclosure comprise a data carrier having electronically readable control signals, which are capable of cooperating with a programmable computer system, such that one of the methods described herein is performed.

[0173] Generally, embodiments of the present disclosure can be implemented as a computer program product with a program code, the program code being operative for performing one of the methods when the computer program product runs on a computer. The program code may, for example, be stored on a machine-readable carrier.

[0174] Other embodiments comprise the computer program for performing one of the methods described herein, stored on a machine-readable carrier.

[0175] In other words, an embodiment of the present disclosure is, therefore, a computer program having a program code for performing one of the methods described herein, when the computer program runs on a computer.

[0176] A further embodiment of the present disclosure is, therefore, a storage medium (or a data carrier, or a computer-readable medium) comprising, stored thereon, the computer program for performing one of the methods described herein when it is performed by a processor. The data carrier, the digital storage medium or the recorded medium are typically tangible and / or non-transitory. A further embodiment of the present disclosure is an apparatus as described herein comprising a processor and the storage medium.

[0177] A further embodiment of the present disclosure is, therefore, a data stream or a sequence of signals representing the computer program for performing one of the methods described herein. The data stream or the sequence of signals may, for example, be configured to be transferred via a data communication connection, for example, via the internet.

[0178] A further embodiment comprises a processing means, for example, a computer or a programmable logic device, configured to, or adapted to, perform one of the methods described herein.

[0179] A further embodiment comprises a computer having installed thereon the computer program for performing one of the methods described herein.

[0180] A further embodiment according to the present disclosure comprises an apparatus or a system configured to transfer (for example, electronically or optically) a computer program for performing one of the methods described herein to a receiver. The receiver may, for example, be a computer, a mobile device, a memory device or the like. The apparatus or system may, for example, comprise a file server for transferring the computer program to the receiver.

[0182] In some embodiments, a programmable logic device (for example, a field programmable gate array) may be used to perform some or all of the functionalities of the methods described herein. In some embodiments, a field programmable gate array may cooperate with a microprocessor in order to perform one of the methods described herein. Generally, the methods are preferably performed by any hardware apparatus.

Claims

1. A user device (100) for wireless transactions (704) with a reader device (702), the user device (100) comprising: at least two credential deposit vaults (120-1, 120-2, 120-N) installed on the user device (100) for storing target information; and a switch service (110) installed on the user device (100), wherein the switch service (110) is configured to orchestrate selection and retrieval of target information between the reader device (702) and the at least two credential deposit vaults (120-1, 120-2, 120-N).

2. A method (300) for configuring a switch service (110) installed on a user device (100), the method comprising: obtaining (310), by the switch service (110), a first application ID, AID, associated with a first credential deposit vault (120-1); determining (320), by the switch service (110), whether there is a second AID stored in the switch service (110), which is the same as the first AID, wherein the second AID is associated with a second credential deposit vault (120-2); and updating (380), by the switch service (110), a configuration (200) for the switch service (110) based on the determining (320).

3. The method (300) of the preceding claim, wherein if it is determined that there is no second AID which is the same as the first AID, updating the configuration for the switch service (110) comprises: storing the first AID in the switch service (110); and setting the first credential deposit vault (120-1) as endpoint for wireless transactions (704) associated with the first credential deposit vault (120-1).

4. The method (300) of any one of the preceding claims, wherein if it is determined that there is a second AID which is the same as the first AID, updating the configuration for the switch service (110) comprises: storing the first AID in the switch service (110); and setting the switch service (110) as endpoint for wireless transactions (704) associated with the first credential deposit vault (120-1).

5. The method (300) of any one of claims 3-4, further comprising: obtaining, by the switch service (110), an object ID, OID, associated with first target information stored in the first credential deposit vault (120-1); and wherein storing the first AID in the switch service (110) comprises: storing the OID in the switch service (110).

6. A computer-implemented method (400) for wireless transactions (704) between a user device (100) and a reader device (702), wherein the method (400) is performed by a switch service (110) installed on the user device (100) and the method (400) comprises: receiving (410), from the reader device (702), a first AID associated with a target credential deposit vault storing target information; determining (420) that the first AID is associated with a first credential deposit vault (120-1) and with a second credential deposit vault (120-2); transmitting (440), to the reader device (702), a response without the target information; receiving (450), from the reader device (702), an OID associated with the target information stored in the target credential deposit vault; determining (460) either the first credential deposit vault (120-1) or the second credential deposit vault (120-2) as the target credential deposit vault based on the first OID; and transmitting (470), to the reader device (702), the target information stored in the target credential deposit vault.

7. The method (400) of the preceding claim, wherein the response without the target information comprises an implicit or explicit request for the OID.

8. The method (400) of any one of claims 6-7, wherein determining (460) either the first or the second credential deposit vault (120-1, 120-2) as the target credential deposit vault comprises: determining that only the first credential deposit vault (120-1) is storing the target information associated with the OID; and selecting the first credential deposit vault (120-1) as the target credential deposit vault.

9. The method (400) of any one of claims 6-8, wherein determining (460) either the first or the second credential deposit vault (120-1, 120-2) as the target credential deposit vault comprises: determining that only the second credential deposit vault (120-2) is storing the target information associated with the OID; and selecting the second credential deposit vault (120-2) as the target credential deposit vault.

10. The method (400) of any one of claims 6-9, wherein determining (460) either the first or the second credential deposit vault (120-1, 120-2) as the target credential deposit vault comprises: determining that both credential deposit vaults (120-1, 120-2) are storing target information associated with the OID; and selecting, in response to the determining, either the first or the second credential deposit vault (120-1, 120-2) as the target credential deposit vault.

11. The method (400) of the preceding claim, wherein selecting is based on at least one of: a predefined ranking for the first and the second credential deposit vault (120-1, 120-2); or a random selection.

12. The method (400) of the preceding claim, wherein the predefined ranking is based on: a user-defined preference, a default setting, computational effort for accessing the first and second credential deposit vault respectively (120-1, 120-2), a level of security associated with the first and the second credential deposit vault respectively (120-1, 120-2) or any combination thereof.

13. The method (400) of any one of claims 10-12, wherein determining that both credential deposit vaults (120-1, 120-2) are storing target information associated with the first OID is based on information stored in the switch service (110).

14. The method (400) of the preceding claim, wherein the information is stored within a look-up table comprising, for each credential deposit vault (120-1, 120-2) installed on the user device (100): an AID associated with the credential deposit vault (120-1, 120-2); and a list of OIDs (210-1, 210-2, 210-3), wherein each OID of the list is associated with a set of information stored within the respective credential deposit vault (120-1, 120-2).

15. The method (300) of any one of claims 6-14, wherein the switch service (110) is configured according to the method of any one of claims 2-5.

16. The method (300, 400) of any one of the preceding claims, wherein the first credential deposit vault (120-1) is an OEM credential deposit vault and wherein the second credential deposit vault (120-2) is a third-party credential deposit vault.

17. The user device (100) of claim 1, wherein the switch service (110) is configured according to the method (300) of any one of claims 2-5 or 16 when depending on one of the claims 2-5.

18. The user device (100) of claim 1 or 17, wherein the orchestrating of the selection and retrieval of the target information comprises performing the method (400) of any one of claims 6-15 or 16 when depending on one of claims 6-15.

19. A method (500) for wireless transactions (704) between a user device (100) and a reader device (702), wherein the method (500) is performed at the reader device (702) and comprises: transmitting (510), to a switch service (110) installed on the user device (100), an AID associated with a target credential deposit vault storing target information; receiving (520), from the switch service (110), a response without the target information; transmitting (530), to the switch service (110), an OID associated with the target information stored in the target credential deposit vault; and receiving (540), from the switch service (110), the target information stored in the target credential deposit vault.

20. The method (300, 400, 500) of any one of the preceding claims, wherein the user device (100) is the user device according to claim 1 or 17-18.

21. The method (300, 400, 500) or the user device (100) of any one of the preceding claims, wherein the wireless transactions (704) are performed using Near Field Communication, NFC.

22. The method (300, 400, 500) or the user device (100) of any one of the preceding claims, wherein a wireless transaction comprises a plurality of transmissions.

23. The method (300, 400, 500) or the user device (100) of the preceding claim, wherein the plurality of transmissions comprises a plurality of Application Protocol Data Unit, APDU, command exchanges.

24. A data processing apparatus (600) at a reader device (702), comprising means for performing the method (500) of any one of claims 19 or 20-23 when depending on claim 19.

25. A data processing apparatus (600) at a reader device (702), comprising: a processor (602), memory (604) coupled with the processor (602) and instructions stored in the memory (604) and executable by the processor (602) to cause the apparatus (600) to perform the method (500) of any one of claims 19 or 20-23 when depending on claim 19.

26. A data processing apparatus (600) at a user device (100), comprising means for performing the method (300, 400) of any one of claims 2-16 or 20-23 when depending on any one of claims 2-16.

27. A data processing apparatus (600) at a user device (100), comprising: a processor (602), memory (604) coupled with the processor (602) and instructions stored in the memory (604) and executable by the processor (602) to cause the apparatus (600) to perform the method (300, 400) of any one of claims 2-16 or 20-23 when depending on any one of claims 2-16.

28. A data processing system (700) comprising a reader device (702) comprising the data processing apparatus (600) of any one of claims 24-25 and a user device (100) according to any one of claims 1 or 17-18 or 21-23.

29. The data processing system (700) of the preceding claim, wherein the user device (100) comprises the data processing apparatus (600) of any one of claims 26-27.

30. A computer program (606) or a computer-readable medium having stored thereon the computer program (606), the computer program (606) comprising instructions which, when the computer program (606) is executed by a processor (602), cause the processor (602) to carry out the method (300, 400, 500) of any one of claims 2-16 or 19-23.
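
Added example (not part of the patent text or the applicant's implementation): a Python model of the configuration method of claims 2-5 and the transaction method of claims 6-14, including the case where no vault stores the requested OID. The class and method names, the endpoint map keyed by AID, the status strings and the AID/OID values are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass, field

SWITCH = "switch-service"  # hypothetical label for the switch service as endpoint


@dataclass
class SwitchService:
    table: dict = field(default_factory=dict)      # vault -> (AID, set of OIDs), as in claim 14
    endpoints: dict = field(default_factory=dict)  # AID -> vault name or SWITCH (assumed layout)
    ranking: list = field(default_factory=list)    # predefined ranking, preferred vault first

    def register(self, vault, aid, oids):
        """Configuration (claims 2-5): store AID and OIDs, update the endpoint."""
        collision = any(a == aid for v, (a, _) in self.table.items() if v != vault)
        self.table[vault] = (aid, set(oids))
        # No collision: the vault is the endpoint. Collision: the switch service is.
        self.endpoints[aid] = SWITCH if collision else vault
        return self.endpoints[aid]

    def on_aid(self, aid):
        """Transaction step 1 (claims 6-7): answer the AID sent by the reader."""
        endpoint = self.endpoints.get(aid)
        if endpoint is None:
            return ("UNKNOWN_AID", None)
        if endpoint == SWITCH:
            return ("NEED_OID", None)   # response without the target information
        return ("ROUTED", endpoint)

    def on_oid(self, aid, oid):
        """Transaction step 2 (claims 8-12): pick the target vault from the OID."""
        holders = [v for v, (a, oids) in self.table.items() if a == aid and oid in oids]
        if not holders:
            return None                 # no vault stores this OID: release nothing
        if len(holders) == 1:
            return holders[0]
        ranked = [v for v in self.ranking if v in holders]
        return ranked[0] if ranked else random.choice(holders)


def demo():
    aid = "F0010203040506"              # constructed AID shared by both vaults
    sw = SwitchService(ranking=["third-party-vault", "oem-vault"])
    first = sw.register("oem-vault", aid, ["oid-1", "oid-2"])
    second = sw.register("third-party-vault", aid, ["oid-2", "oid-3"])
    picks = [sw.on_oid(aid, o) for o in ("oid-1", "oid-2", "oid-3", "oid-9")]
    return first, second, sw.on_aid(aid), picks
```

With a ranking derived from the security level of each vault (one of the options in claim 12), the OID that both vaults hold resolves deterministically; without a ranking the model falls back to the random selection of claim 11.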