T 0737/14 (Authorisation system / SECOREN) 09-07-2019

1. Background

1.1 The invention concerns an authorisation system for authorising a transaction on an account. Looking at Figure 7, there are three entities in this system: an access terminal 100, an account server 120, and an authorisation server 140. The access terminal sends a first transaction request 204 to the account server that forwards this, as the third transaction request 208, to the authorisation server. The access terminal also sends a second transaction request 206, including a terminal identifier, to the authorisation server. Based on the transaction data, the authorisation server determines whether the access terminal is authorised to enable the transaction, and sends the response 210 to the account server that carries out the transaction on the account.

1.2 The independent claims do not define what sort of transaction is processed by the system. As it turned out, this caused some difficulties in the assessment of the invention, both in examination and appeal proceedings.

2. The decision under appeal

2.1 The examining division saw the invention basically as a conventional transaction processing system running a "generic three party transaction authorisation protocol" involving a trusted third party. In such a system, the third party typically receives two messages; one from the account owner and one from the the party that performs the transaction settlement. To prevent fraudulent transactions, the third party authorises the transaction only if it is confirmed by the account owner.

2.2 D1 discloses (Figure 1) such a transaction processing system, for online shopping. The customer sends a purchase request 1, including credit card details, to an e-retailer. The e-retailer forwards the credit card details 2 to a credit card issuer who checks them and returns an authorisation 3. The e-retailer then sends a message 4 to a web site administered by a third party. The message comprises sufficient information to identify the customer. In order to authorise the purchase, the customer must log on 5 to the authorisation web site using a password. Once the customer has logged on, a message 6 is sent from the authorisation web site to the e-retailer. Alternatively (Figure 2), it is the credit card issuer, that, in the same way, uses the authorisation website to make sure that the transaction is not a fraudulent one.

2.3 The examining division found that the customer's terminal in D1 corresponded to the access terminal in claim 1, and that the combination of the credit card issuer and the e-retailer mapped to the account server. The authorisation website in D1 was equated with the authorisation server in claim 1. As a result, the examining division identified the following differences between the invention in claim 1 and D1:

a) The access terminal in claim 1 had a token reader for inputting the credit card data.

b) The authorisation server in claim 1 determined, based on access terminal identification data, whether the access terminal (rather than the user) was authorised to enable the transaction.

2.4 The examining division considered that it would have been obvious to use a reader to input the credit card data. Thus, feature a) did not provide an inventive step. The Board agrees with this finding. Also, since feature a) has no synergy with feature b), it is justified to assess the two features separately.

2.5 Concerning feature b), the examining division argued that the identification of the access terminal rather than the user was a well known alternative available to the skilled person, and that the choice was "governed by business constraints". Alternatively, it could be seen as an obvious security measure, on top of the identification of the user.

2.6 The examining division did not say what the business constraints were. That is unfortunate, because the business constraints are key in this case. The Board does not see any technical reason, given the on-line purchasing scenario in D1, why the skilled person would have identified the access terminal, whether as an alternative to the identification of the user, or as an additional measure. As the appellant argued, the access terminal simply does not play any role in this scenario.

3. The transaction scenario in the invention

3.1 It is clear that the transaction scenario in the invention is crucial to the question of inventive step because this sets the framework of the technical problem given to the skilled person to solve (see e.g. T 1463/11 - Universal merchant platform/CARDINALCOMMERCE, points 12 and 13). In the communication, the Board raised the question what that scenario was in view of the widely different embodiments disclosed in the application. The appellant neither replied, nor attended the oral proceedings. Thus, the Board has to find a reasonable interpretation based on the examples in the application.

3.2 The claims cover the example of the transaction scenario, in which the access terminal is used to load money onto a custom pre-paid credit card. Also, the appellant's arguments in the grounds of appeal focus on this scenario.

3.3 According to the description, a customer who wants to load money onto a pre-paid card goes to a conventional point-of-sale system (access terminal) and swipes the card (see page 10, lines 5 to 11). The customer also presents funds, corresponding to the amount that he wants to load onto the card, to the point-of-sale system that acts as an agent.

The point-of-sale system requests that the credit card issuer or processor credit the pre-paid card with the specified amount. This corresponds to the claimed first transaction request to the account server. The account server redirects the details of the swipe to a third party computer system for authorisation (lines 32 to 34). This corresponds to the claimed third transaction request to the authorisation server. The point-of-sale system also transmits details of the transaction and identification of the access terminal to the third party computer system (page 11, lines 6 to 11). This corresponds to the second transaction request to the authorisation server.

3.4 At first glance, it may appear that the third party is there just to authorise the agent on behalf of the credit card issuer/processor (account server). However, the description goes on to state (page 11, lines 11 to 15):

"In this embodiment, when a user presents funds to an agent, no transfer of funds occurs between the agent and the credit card issuer or processor, but funds are instead provided by the third party to the credit card issuer. The funds are then reimbursed by the agent to the third party in due course. The authorisation process can be used to ensure that only transactions from trustworthy agents are processed."(Board's emphasis)

In the Board's assessment, this means that the role of the third party is actually to guarantee the money vis-à-vis the credit card issuer. In other words, the third party is not only acting as the authorisation server, but also as a financial middleman between the agent and the credit card issuer/processor. It follows that, since the third party needs to recover the funds from the agent, it has to trust the agent. The description suggests that this idea allows a third party to offer a new type of financial service using existing point-of-sale systems (page 11, lines 2 and 3) without requiring a bank account (lines 16 and 17).

4. Inventive step

4.1 The Board takes the view that the pre-paid scenario, including the relationship between the point-of-sale/agent, the credit card issuer/processor, and the third party, is a business idea. According to decision T 641/00 - Two identities/COMVIK, this type of subject-matter cannot contribute to inventive step. Instead, as mentioned above, it is considered to be part of the problem that the skilled person has to solve.

4.2 In the Board's view this case is a good example of why the proper application of the COMVIK approach requires a thorough analysis of the business constraints when formulating the problem to be solved before investigating what the skilled person would have done to solve it. The failure to reflect all aspects of the business method in the problem to be solved led the examining division to argue unconvincingly that the inconvenient distinguishing feature of authorising the access terminal was an alternative whose choice was governed by unspecified business constraints.

4.3 Instead, the skilled person should have been given the problem of implementing a business model on the conventional transaction processing system, as exemplified in D1, in which the third party carries the financial risk and needs to safeguard itself from fraud and recover the funds from the agent. The skilled person would have assigned the necessary technical means, namely an access terminal at the side of the agent, an account server at the side of the credit card issuer/processor, and an authorisation server that carries out the task of the third party. The functions performed by those entities in claim 1 follow directly from the business scenario. Since the third party needs to safeguard itself, rather than the agent, from fraud, the skilled person would realise that the third party has to authorise the agent. Performing the authorisation based on the terminal identifier of the access terminal would have been an obvious implementation.

4.4 Furthermore, as already concluded in point 2.4 above, the skilled person would have provided the terminal with a card reader for reading the card data.

4.5 Thus, the Board judges that subject-matter of claim 1 lacks an inventive step (Article 56 EPC).