T 0982/12 () of 29.6.2017

European Case Law Identifier: ECLI:EP:BA:2017:T098212.20170629
Date of decision: 29 June 2017
Case number: T 0982/12
Application number: 01916663.6
IPC class: G07F 7/10
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: METHOD AND SYSTEM FOR SECURE PAYMENTS OVER A COMPUTER NETWORK
Applicant name: MASTERCARD INTERNATIONAL, INC.
Opponent name: -
Board: 3.4.03
Headnote: -
Relevant legal provisions:
European Patent Convention Art 123(2)
Keywords: Amendments - added subject-matter (yes)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appeal concerns the decision of the examining division refusing the European patent application No. 01916663 for added subject-matter (Article 123(2) EPC) and lack of inventive step (Article 56 EPC 1973).

II. Oral proceedings before the board took place in the absence of the appellant, of which the board had been informed beforehand.

The appellant had requested in writing that the decision under appeal be set aside and that a patent be granted in the version annexed to the statement of grounds of appeal.

III. In a communication pursuant to Article 15(1) RPBA the board expressed inter alia its provisional opinion that claim 1 contained subject-matter going beyond the application as filed, contrary to the requirements of Article 123(2) EPC.

IV. The wording of independent claim 1 is as follows:

"1. A computer implemented method of conducting purchaser-merchant transactions over a communications network including a consumer computer means of a purchaser, merchant server means, and an acquirer computer means, wherein the purchaser has been assigned a first payment account number having a status which changes over time, the first payment account number identifying a payment account of the purchaser with an issuer; wherein also the purchaser has been assigned a second payment account number associated with said first payment account number, said second payment account number being usable by said consumer computer means to designate a payment account in lieu of said first payment account number for a purchaser-merchant transaction; said method including steps of:

(a) requesting authorization from said acquirer computer means for payment of a purchaser-merchant transaction, wherein said requesting comprises using said second payment account number to designate a payment account for payment;

(b) in response to said authorization request, said acquirer computer means identifying said purchaser's first payment account number thereby, identifying the payment account of the purchaser with the issuer; and

(c) said acquirer computer means responding to said authorization request according to the status of said first payment account number at the time of the transaction;

said method being characterised by:

(d) said consumer computer means having an encryption key that is unique to said first payment account number and to said second payment account number;

(e) a merchant server means sending, and said consumer computer means receiving, merchant identification data and an unique transaction identification number for the transaction;

(f) said consumer computer means returning said merchant identification data and said unique transaction identification number for the transaction to said merchant server means for verification by said merchant server means;

(g) said merchant server means verifying that the returned merchant identification data and unique transaction identification number for the transaction is the correct data for the transaction;

(h) said consumer computer means using said encryption key to encrypt the received merchant identification data and unique transaction identification number for the transaction;

(i) said consumer computer means sending the encrypted merchant identification data and unique transaction identification number as authentication data to said merchant server means or to said acquirer computer means;

(j) said merchant server means or said acquirer computer means using the received authentication data to authenticate the purchaser using said second account number."

V. In response to the objection of added subject-matter raised in the board's communication pursuant to Article 15(1) RPBA the appellant made no submissions and merely stated that it did not wish to be represented at the oral proceedings before the board.

Reasons for the Decision

1. Amendments

1.1 The subject-matter of claim 1 underlying the decision was deemed by the examining division to lack inventive step (see points 1 to 1.4 of the grounds of the decision). The decision contains no objection under Article 123(2) EPC against that claim.

However, as pointed out in the board's communication pursuant to Article 15(1) RPBA and set forth below, the board is of the opinion that the subject-matter of present claim 1, which has been filed with the letter setting out the grounds of appeal and contains amendments compared to the claim considered by the examining division, extends beyond the content of the application as filed.

1.2 Claim 1 relates to the subject-matter of original independent claim 4 as well as Figures 4a and 4b in combination with the corresponding parts of the description.

Compared to original claim 4 it has been omitted in present claim 1 that

- the second payment account number is "a pseudo account number having the same length as [...] said first payment account number" (see feature (b) of original claim 4),

- the pseudo account number is sent to the merchant (see feature (e) of original claim 4), and

- the first account number is produced by "cryptographically processing said pseudo account number" (see feature (h) of original claim 4).

In the description of the application (see page 2, lines 12-24) the following is indicated under the heading "SUMMARY OF THE INVENTION":

"According to the present invention, a 'pseudo' account number is assigned to a customer and cryptographically linked to a consumer's payment account number. [...] The pseudo account number appears to be an actual payment account number to a merchant. That is, the pseudo account number has the same length as a valid payment account number and begins with a valid identification number (e. g., a '5' for MasterCard International Incorporated ('MasterCard')). The pseudo account number is used by the customer instead of the real account number for all of his or her on-line financial transactions."

In the description of the application it has thus been presented as being part of the invention that a pseudo account number is assigned to the customer and that this pseudo account number is cryptographically linked to the consumer's payment account number. Moreover, it cannot be derived from any other part of the description that these elements are not part of the invention or that they are merely optional features. In particular, according to both embodiments the pseudo account number is sent to the merchant, namely alone (embodiment of Figure 4a) or as part of a digital certificate (embodiment of Figure 4b) (see the description of the application, page 21, lines 12-16). In addition, the subject-matter of the omitted features is deemed indispensable for allowing the merchant to handle the transaction by treating the second account number like an actual account number and for ensuring the security of the payment by keeping the first account number secret.

It has also been omitted in present claim 1 compared to original claim 4 that

- the purchaser is provided with a "secure payment application" which includes a cryptographic key and the pseudo account number (see feature (b) of original claim 4).

In the description of the application it is stated (see page 19, lines 21-25):

"Figures 4a and 4b illustrate the steps that are performed when the cardholder contacts and places an order with a merchant on the Internet and the merchant requests an interchange authorization from an acquirer. It is assumed that the cardholder has enrolled in the MasterCard secure payment program and has installed the MasterCard secure payment application on his/her computer".

No alternative to using a secure payment application is presented in the description for conducting the purchaser-merchant transaction over the communications network. Furthermore, its use is a prerequisite for generating from the transaction-specific data the Message Authentication Code (embodiment of Figure 4a) or the digital signature (embodiment of Figure 4b).

Therefore the board considers that the omission of the four features mentioned above in present claim 1 is not directly and unambiguously derivable from the application as filed.

1.3 According to feature (i) of claim 1 the consumer computer means are sending the encrypted merchant identification data and unique transaction identification number as authentication data to the merchant server means "or to said acquirer computer means".

However, according to both embodiments the encrypted merchant and transaction data, i. e. the Message Authentication Code (embodiment of Figure 4a) and the digital signature (embodiment of Figure 4b), respectively, are sent to the merchant. While the Message Authentication Code is subsequently transmitted to the acquirer for authentication, the digital signature is authenticated by the merchant (see the description of the application, page 20, lines 19-26; page 21, lines 5-21; page 22, lines 1-8; page 22, line 19 - page 23, line 24). There is thus no disclosure of direct transmission of the encrypted merchant and transaction data to the acquirer. Consequently, the addition of the alternative "or to said acquirer computer means" cited above introduces subject-matter into the claim which is not directly and unambiguously derivable from the application as filed.

1.3.1 In feature (j) of claim 1 it is specified that the merchant server means or the acquirer computer means are using the received authentication data to authenticate the purchase using the second account number.

However, in the application as filed only the specific ways of authenticating the purchase used in the embodiments of Figures 4a and 4b are disclosed. In particular, public-key authentication is used at the merchant computer means (which is related to the fact that the merchant does not have access to secret cardholder account information), while secret-key authentication is used at the acquirer computer means (see page 22, lines 1-12; page 23, lines 11-24). Hence, the formulation of feature (j) constitutes a generalization of the disclosed subject-matter which has no basis in the application as filed.

1.4 In view of the above the subject-matter of claim 1 extends beyond the content of the application as filed, contrary to the requirements of Article 123(2) EPC.

2. Conclusion

As the amended application documents do not meet the requirements of the EPC, the appeal has to be dismissed.

Order

For these reasons it is decided that:

The appeal is dismissed.
