T 1110/07 () of 30.11.2010

European Case Law Identifier: ECLI:EP:BA:2010:T111007.20101130
Date of decision: 30 November 2010
Case number: T 1110/07
Application number: 01930487.2
IPC class: G07F 19/00
Language of proceedings: EN
Distribution: D
Download and more information:
Decision text in EN (PDF, 36 KB)
Documentation of the appeal procedure can be found in the Register
Bibliographic information is available in: EN
Versions: Unpublished
Title of application: An improved method and system for conducting secure payments over a computer network
Applicant name: MASTERCARD INTERNATIONAL, INC.
Opponent name: -
Board: 3.4.03
Headnote: -
Relevant legal provisions:
European Patent Convention 1973 Art 54
European Patent Convention 1973 Art 56
Keywords: Inventive step (yes) - after amendment
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appellant (applicant) lodged an appeal against the decision of the Examining Division refusing the European patent application No. 01 930 487.

The Examining Division held that the application did not meet the requirements of Articles 52(1) EPC and 56 EPC 1973, because the invention did not involve an inventive step, having regard to the following document:

D5: US 6 000 832 A.

II. The appellant requests that the decision be set aside and a patent be granted on the basis of the following documents:

- claims 1 to 3, claim 4 (part on page 20), and claims 5-8 as filed with the letter dated 29 October 2010, claim 4 (part on page 19) as filed with the letter dated 12 November 2010;

- description pages 1, 2, 5, 8, 10, and 16 as filed with the letter dated 30 September 2010, pages 3 and 4 as filed with the letter dated 22 May 2006, pages 6, 7, 9, and 11 to 15 as published;

- drawings sheets 1/2 and 2/2 as published.

The appellant also requests oral proceedings as an auxiliary measure.

III. The wording of claim 1 reads as follows:

"1. A method of conducting a transaction with a merchant (16) using a payment account for payment over a communications network, wherein the payment account is associated with a first payment account number that is further associated with a second payment account number, the first payment account number having a service provider identification number that is associated with a service provider other than the payment account issuer, the second payment account number having an issuer identification number associated with the payment account issuer; the method comprising:

(a) generating a message authentication code based on one or more transaction details;

(b) transmitting at least the first payment account number and the message authentication code to the merchant (16);

(c) requesting by the merchant a first authorization request for payment of the transaction using the first payment account number, said second payment account number not being included in said first authorization request, the request being formatted as if payment were tendered at a point-of-sale terminal with a conventional magnetic-stripe payment card, the format having a track with at least a discretionary data field and said message authentication code being transmitted in said discretionary data field, the first authorization request being routable through the communications network to the service provider based on said service provider identification number and optionally a first acquirer code associated with an acquirer;

(d) responsive to the first authorization request for payment of the transaction using the first payment account number, requesting by the service provider a second authorization for payment of the transaction using the second payment account number, the second authorization request being routable through the communications network to the issuer based on said issuer identification number and optionally including a second acquirer code associated with the service provider; and

(e) receiving from the issuer a response to the second authorization request transmitted by the service provider; and

(f) accepting or declining the first authorization request based on the message authentication code and the response to the second authorization request using the second payment account number, wherein said first and second payment account numbers include respective service provider and issuer identification numbers, wherein a service provider other than the issuer receives said merchant´s first authorization request through the communications network based on said service provider identification number, and wherein said service provider generates said request for second authorization of payment using the second payment account number and routes said request to said issuer through said communications network based on said issuer identification number."

IV. The appellant argued essentially as follows:

The claimed invention differed from what is disclosed in document D5 in (i) using an intermediate service provider for communications between the merchant and the issuer, and in (ii) formatting the message authentication code in the discretion data field of a magnetic stripe track image.

Using an intermediate service provider provided an additional layer of anonymity and an increased barrier to improper tracking of the cardholder's information. Consequently, a breach of security on one side did not expose all of a party's information. In document D5 it was merely mentioned that third parties might be involved in some phases of the transaction (D5, column 4, lines 3-9). However, in contrast to the invention it was conventional that all of a party's information was available to every entity up and down the transaction communication chain.

The use of the discretionary data field for communicating the message authentication code was contrary to industry standards and common practice by which use of that field was reserved for the card issuer or vendor. The appellant's use of the field had the advantage of making transaction data transmission over electronic networks and processing fully compatible with existing magnetic stripe payment card processing systems.

Reasons for the Decision

1. Admissibility

The appeal is admissible.

2. Amendments

Claim 1 is based on claims 1, 5 and 6 as originally filed.

Dependent claims 2 and 3 are based on original claims 7 and 8, respectively.

Dependent claims 4 to 8 are based on original claims 9 to 13 and on the description as originally filed (page 10, paragraphs 2 and 3).

The description has been brought into conformity with the amended claims and supplemented with an indication of the relevant content of document D5.

Accordingly, the Board is satisfied that the amendments comply with the requirements of Article 123(2) EPC.

3. Novelty

3.1 Document D5 discloses a method for performing an online transaction over a public network. First, an issuing bank creates upon request from a customer an online commerce card which is associated with an account number and a private key. When the customer wishes to perform an online transaction, the customer's computer generates a temporary transaction number, which resembles a real account number, as a function of the private key, customer-specific data, and transaction-specific data. During the transaction, the customer submits the temporary transaction number to the merchant as a proxy for his real account number. The merchant submits the temporary transaction number and the transaction-specific data to the issuing bank for approval. The issuing bank identifies the number as a temporary transaction number and uses it to retrieve customer-specific data and the corresponding private key. The issuing bank uses these data to test whether the transaction number is correct and if so, approves the transaction (column 4, line 53 - column 6, line 22).

In particular, document D5 discloses, using the terminology of claim 1, a method of conducting a transaction with a merchant using a payment account for payment over a communications network (column 3, lines 63-67), wherein the payment account is associated with a first payment account number (column 5, lines 36-39)

that is further associated with a second payment account number, the second payment account number having an issuer identification number associated with the payment account issuer (column 12, lines 27-30); the method comprising:

- generating a message authentication code based on one or more transaction details (column 9, lines 60-63);

- transmitting at least the first payment account number and the message authentication code to the merchant (column 5, lines 41-43);

- requesting by the merchant a first authorization request for payment of the transaction using the first payment account number, said second payment account number not being included in said first authorization request (column 5, lines 59-63).

3.2 The method according to claim 1 differs from that of document D5 in:

(i)-1 the first payment account having a first service provider identification number that is associated with a service provider other than the payment account issuer;

(ii)-1 the request being formatted as if payment were tendered at a point-of-sale terminal with a conventional magnetic-stripe payment card, the format having a track with at least a discretionary data field and said message authentication code being transmitted in said discretionary data field;

(i)-2 the first authorization request being routable through the communications network to the service provider based on said service provider identification number and optionally a first acquirer code associated with an acquirer;

(i)-3 responsive to the first authorization request for payment of the transaction using the first payment account number, requesting by the service provider a second authorization for payment of the transaction using the second payment account number, the second authorization request being routable through the communications network to the issuer based on said issuer identification number and optionally including a second acquirer code associated with the service provider;

(i)-4 receiving from the issuer a response to the second authorization request transmitted by the service provider; and

(i)-5 accepting or declining the first authorization request based on the message authentication code and the response to the second authorization request using the second payment account number, wherein said first and second payment account numbers include respective service provider and issuer identification numbers, wherein a service provider other than the issuer receives said merchant´s first authorization request through the communications network based on said service provider identification number, and wherein said service provider generates said request for second authorization of payment using the second payment account number and routes said request to said issuer through said communications network based on said issuer identification number.

The subject-matter of claim 1 is therefore new over document D5.

3.3 The remaining cited prior art documents are not closer to the subject-matter of claim 1 than document D5.

Claims 2 to 8 are dependent on claim 1 providing further limitations. The subject-matter of these claims is therefore also new.

Accordingly, the subject-matter of claims 1 to 8 is new (Articles 52(1) EPC and 54(1), (2) EPC 1973).

4. Inventive step

4.1 The closest prior art to the subject-matter of claim 1 is document D5, from which the subject-matter of claim 1 differs in

(i) using an intermediate service provider for communications between the merchant and the issuer (see features (i)-1 to (i)-5 above);

and in

(ii) formatting the message authentication code in the discretion data field of a magnetic stripe track image (see feature (ii)-1 above).

The effect of the distinguishing features (i) is to increase the security of the method by allowing that not all the information of a party was available to all the entities involved in the transaction, thus avoiding that a breach of security at one point would expose all of a party's information.

The effect of feature (ii) is to allow merchants to use their existing systems and software for handling point-of-sale transactions in order to process the conduct the claimed transaction (see the description, page 10, lines 15-19).

As the features (i) and (ii) do not produce a synergistic effect, they can be considered to be merely juxtaposed. For the assessment of inventive step, they can therefore be considered separately.

4.2 The objective technical problem related to the features (i) concerning an intermediate service provider can be regarded as to increase the data security.

4.2.1 In view of D5, column 4, lines 7-9 it would be obvious for the skilled person to provide another participant in some phase of the transaction. For example, it is disclosed in D5, column 11, lines 44-46, to include an acquiring bank which verifies that the merchant is a valid merchant and the credit card number is a valid credit card number. In this way an additional layer of anonymity is achieved constituting a barrier to tracking the transaction, thus increasing data security. However, from D5, column 11, line 46-47 it is clear that the authorization request is merely forwarded to the issuing bank. This is conventionally done by an acquiring bank, see for example also document EP 1 028 401 A, paragraph [0027], cited in the search report of the present application.

4.2.2 The skilled person would therefore not be led to use the features (i) in the method described in document D5. According to these features, the service provider does not merely forward the customer's account number received from the merchant to the issuer, but uses a different account number when addressing the issuer. In this way, tracking of a transaction from the merchant to the issuer is made more difficult, even when security breaches occur, thus further increasing data security.

4.2.3 Furthermore, according to the features (i), the service provider does not merely forward the message authentication code to the issuer but the decision to accept or decline the authorization request based on the message authentication code is not made at the issuer. In this way, the transaction details are not available at the issuer, thus not exposing all the customer's information in case of a security breach leading to an even higher level of data security.

4.2.4 The remaining prior art documents do not contain any teaching which would lead the skilled person to using the features (i) in the method of document D5.

4.3 Since it would not be obvious for the skilled person to incorporate the features (i) in the method described in document D5, it is irrelevant for the assessment of inventive step whether or not it would be obvious for the skilled person to also incorporate the feature (ii) in that method.

4.4 Neither the subject-matter of claim 1, nor the subject-matter of claims 2 to 8, which are dependent on claim 1, is therefore considered to be obvious for the skilled person.

Accordingly, the subject-matter of claims 1 to 8 involves an inventive step (Articles 52(1) EPC and 56 EPC 1973).

5. Other EPC requirements and conclusion

The description has been brought into conformity with the amended claims and supplemented with an indication of the relevant content of document D5 to comply with the requirements of Article 84 EPC 1973 and Rule 27(1)(b) EPC 1973. The Board is thus satisfied that the remaining requirements of the EPC are satisfied and that a patent can be granted on the basis of the application documents.

ORDER

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the first instance with the order to grant a patent in the following version:

- claims 1 to 3, claim 4 (part on page 20), and claims 5-8 as filed with the letter dated 29 October 2010, claim 4 (part on page 19) as filed with the letter dated 12 November 2010;

- description pages 1, 2, 5, 8, 10, and 16 as filed with the letter dated 30 September 2010, pages 3 and 4 as filed with the letter dated 22 May 2006, pages 6, 7, 9, and 11 to 15 as published;

- drawings sheets 1/2 and 2/2 as published.

Quick Navigation