| European Case Law Identifier: | ECLI:EP:BA:2017:T098212.20170629 | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Date of decision: | 29 June 2017 | ||||||||
| Case number: | T 0982/12 | ||||||||
| Application number: | 01916663.6 | ||||||||
| IPC class: | G07F 7/10 | ||||||||
| Language of proceedings: | EN | ||||||||
| Distribution: | D | ||||||||
| Download and more information: |
|
||||||||
| Title of application: | METHOD AND SYSTEM FOR SECURE PAYMENTS OVER A COMPUTER NETWORK | ||||||||
| Applicant name: | MASTERCARD INTERNATIONAL, INC. | ||||||||
| Opponent name: | - | ||||||||
| Board: | 3.4.03 | ||||||||
| Headnote: | - | ||||||||
| Relevant legal provisions: |
|
||||||||
| Keywords: | Amendments - added subject-matter (yes) | ||||||||
| Catchwords: |
- |
||||||||
| Cited decisions: |
|
||||||||
| Citing decisions: |
|
||||||||
Summary of Facts and Submissions
I. The appeal concerns the decision of the examining division refusing the European patent application No. 01916663 for added subject-matter (Article 123(2) EPC) and lack of inventive step (Article 56 EPC 1973).
II. Oral proceedings before the board took place in the absence of the appellant, of which the board had been informed beforehand.
The appellant had requested in writing that the decision under appeal be set aside and that a patent be granted in the version annexed to the statement of grounds of appeal.
III. In a communication pursuant to Article 15(1) RPBA the board expressed inter alia its provisional opinion that claim 1 contained subject-matter going beyond the application as filed, contrary to the requirements of Article 123(2) EPC.
IV. The wording of independent claim 1 is as follows:
"1. A computer implemented method of conducting purchaser-merchant transactions over a communications
network including a consumer computer means of a
purchaser, merchant server means, and an acquirer
computer means, wherein the purchaser has been
assigned a first payment account number having a
status which changes over time, the first payment account number identifying a payment account of the
purchaser with an issuer; wherein also the purchaser
has been assigned a second payment account number
associated with said first payment account number,
said second payment account number being usable by
said consumer computer means to designate a payment
account in lieu of said first payment account number
for a purchaser-merchant transaction; said method
including steps of:
(a) requesting authorization from said acquirer computer means for payment of a purchaser-merchant
transaction, wherein said requesting comprises using said second payment account number to designate a payment account for payment;
(b) in response to said authorization request, said acquirer computer means identifying said purchaser's first payment account number thereby,
identifying the payment account of the purchaser with the issuer; and
(c) said acquirer computer means responding to said authorization request according to the status of
said first payment account number at the time of the transaction;
said method being characterised by:
(d) said consumer computer means having an encryption key that is unique to said first payment account number and to said second payment account number;
(e) a merchant server means sending, and said consumer computer means receiving, merchant identification data and an unique transaction identification number for the transaction;
(f) said consumer computer means returning said merchant identification data and said unique transaction identification number for the transaction to said merchant server means for verification by said merchant server means;
(g) said merchant server means verifying that the returned merchant identification data and unique
transaction identification number for the transaction is the correct data for the transaction;
(h) said consumer computer means using said encryption key to encrypt the received merchant identification data and unique transaction identification number for the transaction;
(i) said consumer computer means sending the encrypted merchant identification data and unique transaction identification number as authentication data to said merchant server means or to said acquirer
computer means;
(j) said merchant server means or said acquirer computer means using the received authentication data to authenticate the purchaser using said second account number."
V. In response to the objection of added subject-matter raised in the board's communication pursuant to Article 15(1) RPBA the appellant made no submissions and merely stated that it did not wish to be represented at the oral proceedings before the board.
Reasons for the Decision
1. Amendments
1.1 The subject-matter of claim 1 underlying the decision was deemed by the examining division to lack inventive step (see points 1 to 1.4 of the grounds of the decision). The decision contains no objection under Article 123(2) EPC against that claim.
However, as pointed out in the board's communication pursuant to Article 15(1) RPBA and set forth below, the board is of the opinion that the subject-matter of present claim 1, which has been filed with the letter setting out the grounds of appeal and contains amendments compared to the claim considered by the examining division, extends beyond the content of the application as filed.
1.2 Claim 1 relates to the subject-matter of original independent claim 4 as well as Figures 4a and 4b in combination with the corresponding parts of the description.
Compared to original claim 4 it has been omitted in present claim 1 that
- the second payment account number is "a pseudo account number having the same length as [...] said first payment account number" (see feature (b) of original claim 4),
- the pseudo account number is sent to the merchant (see feature (e) of original claim 4), and
- the first account number is produced by "cryptographically processing said pseudo account number" (see feature (h) of original claim 4).
In the description of the application (see page 2, lines 12-24) the following is indicated under the heading "SUMMARY OF THE INVENTION":
"According to the present invention, a 'pseudo' account number is assigned to a customer and cryptographically linked to a consumer's payment account number. [...] The pseudo account number appears to be an actual payment account number to a merchant. That is, the pseudo account number has the same length as a valid payment account number and begins with a valid identification number (e. g., a '5' for MasterCard International Incorporated ('MasterCard')). The pseudo account number is used by the customer instead of the real account number for all of his or her on-line financial transactions."
In the description of the application it has thus been presented as being part of the invention that a pseudo account number is assigned to the customer and that this pseudo account number is cryptographically linked to the consumer's payment account number. Moreover, it cannot be derived from any other part of the description that these elements are not part of the invention or that they are merely optional features. In particular, according to both embodiments the pseudo account number is sent to the merchant, namely alone (embodiment of Figure 4a) or as part of a digital certificate (embodiment of Figure 4b) (see the description of the application, page 21, lines 12-16). In addition, the subject-matter of the omitted features is deemed indispensable for allowing the merchant to handle the transaction by treating the second account number like an actual account number and for ensuring the security of the payment by keeping the first account number secret.
It has also been omitted in present claim 1 compared to original claim 4 that
- the purchaser is provided with a "secure payment application" which includes a cryptographic key and the pseudo account number (see feature (b) of original claim 4).
In the description of the application it is stated (see page 19, lines 21-25):
"Figures 4a and 4b illustrate the steps that are performed when the cardholder contacts and places an order with a merchant on the Internet and the merchant requests an interchange authorization from an acquirer. It is assumed that the cardholder has enrolled in the MasterCard secure payment program and has installed the MasterCard secure payment application on his/her computer".
No alternative to using a secure payment application is presented in the description for conducting the purchaser-merchant transaction over the communications network. Furthermore, its use is a prerequisite for generating from the transaction-specific data the Message Authentication Code (embodiment of Figure 4a) or the digital signature (embodiment of Figure 4b).
Therefore the board considers that the omission of the four features mentioned above in present claim 1 is not directly and unambiguously derivable from the application as filed.
1.3 According to feature (i) of claim 1 the consumer computer means are sending the encrypted merchant identification data and unique transaction identification number as authentication data to the merchant server means "or to said acquirer computer means".
However, according to both embodiments the encrypted merchant and transaction data, i. e. the Message Authentication Code (embodiment of Figure 4a) and the digital signature (embodiment of Figure 4b), respectively, are sent to the merchant. While the Message Authentication Code is subsequently transmitted to the acquirer for authentication, the digital signature is authenticated by the merchant (see the description of the application, page 20, lines 19-26; page 21, lines 5-21; page 22, lines 1-8; page 22, line 19 - page 23, line 24). There is thus no disclosure of direct transmission of the encrypted merchant and transaction data to the acquirer. Consequently, the addition of the alternative "or to said acquirer computer means" cited above introduces subject-matter into the claim which is not directly and unambiguously derivable from the application as filed.
1.3.1 In feature (j) of claim 1 it is specified that the merchant server means or the acquirer computer means are using the received authentication data to authenticate the purchase using the second account number.
However, in the application as filed only the specific ways of authenticating the purchase used in the embodiments of Figures 4a and 4b are disclosed. In particular, public-key authentication is used at the merchant computer means (which is related to the fact that the merchant does not have access to secret cardholder account information), while secret-key authentication is used at the acquirer computer means (see page 22, lines 1-12; page 23, lines 11-24). Hence, the formulation of feature (j) constitutes a generalization of the disclosed subject-matter which has no basis in the application as filed.
1.4 In view of the above the subject-matter of claim 1 extends beyond the content of the application as filed, contrary to the requirements of Article 123(2) EPC.
2. Conclusion
As the amended application documents do not meet the requirements of the EPC, the appeal has to be dismissed.
Order
For these reasons it is decided that:
The appeal is dismissed.
