This decision is interesting in that it uses the concept of the "notional business person", as it was introduced in T 1463/11, to assess whether a given difference over the prior art achieves a technical effect or not.

Here are the practical takeaways from the decision T 1749/14 (MOBILE PERSONAL POINT-OF-SALE TERMINAL/MAXIM) of 3.4.2020 of Technical Board of Appeal 3.5.01:

Key takeaways

Improving a mobile POS terminal in respect of the customers' security against fraudulent use of their sensitive information: technical

The invention

This European patent application concerns the field of mobile point-of-sale (POS) terminals for carrying out credit card transactions.

Conventionally, the merchant possesses such mobile POS terminals and the customer has to provide identification credentials (e.g. an account number and PIN) to this merchant's unit. The invention tries to avoid the customer's sensitive information becoming known if the merchant's device is tampered with. The basic idea is to allow a transaction to be carried out without the customer having to present account information and the PIN to the merchant.

1002004a.jpg

Fig. 2 of EP 2 335 203

Here is how the invention was defined in claim 1:

Claim 1 (main request)

A method comprising:

(a) storing customer account information in a customer mobile personal point-of-sale terminal (CMPPT), wherein the CMPPT includes a cellular telephone portion and a point-of-sale attachment portion; this CMPPT is personalized for the individual customer by storing (a) encryption key(s) that is(are) used for communication with the individual CMPPT of the individual customer, and using this personalized CMPPT in subsequent operations;

(b) after the storing of customer account information in the CMPPT according (a) [sic] receiving merchant account information into the CMPPT; and

(c) initiating a transaction by sending the customer account information and the merchant account information from the CMPPT to a financial transaction verification entity (FTVE).

Is it patentable?

The first-instance examining division had refused the application for lack of inventive step based on the argument that no technical problem was solved by the differences over D1, which were only cognitive business aspects providing no technical contribution.

On appeal, the board started its inventive-step assessment from the closest prior art D1, which discloses a mobile POS terminal which consists of a cellular phone and docking module combination. This POS terminal is in the possession of and under control of the merchant. No further equipment is required to carry out a POS transaction.

According to the board, the transaction with the mobile POS terminal disclosed in D1 involves the security problem of the customer having to provide his PIN and account number to the merchant's device, which then encrypts this information and passes it on to the Financial Transaction Verification Entity (FTVE). The invention of the patent application seeks to overcome this by directly communicating the customer's sensitive information to the FTVE. To this end, the POS terminal is divided into a merchant part and a customer part consisting of a docking station or sleeve and a cellular phone.

More precisely, the board identified the following differences of claim 1 over D1:

The concept of the invention differs from the teaching of D1 in that dedicated encryption keys are assigned to the POS attachment portion with the customer's cellular phone being linked by the phone's serial number thereby personalising the CMPPT. The Board agrees with the appellant that this causes the security related effect that only this personalised cellular phone can be used for a transaction, in contrast to D1 where any cellular phone can be used.

A further difference is that customer account information is stored in the point-of-sale attachment portion, which receives merchant account information. Customer and merchant account information is sent from the CMPPT to the FTVE when initiating a transaction, i.e. the customer account information is sent directly from the cellular phone portion of the CMPPT to the FTVE. This has the effect that customer account information is not accessible to the merchant's POS terminal. In contrast to the contested decision (see point 1 of the decision; page 3, first paragraph), D1 does not disclose the latter difference.

The board then assessed whether these differences provided a contribution to the technical character of the invention, using the notional business person as a control consideration:

The notional business person, as introduced in T 1463/11 (Universal merchant platform / CardinalCommerce), knows all about the business related requirements specification and knows about the fact that such business related concepts can be implemented on a computer system (stand-alone or networked, including the Internet). What the notional business person does not know, however, is how exactly it can be implemented on a computer system. This is in the sphere of the technical expert and subject to the assessment of inventive step (see T 1082/13).

In the Board's view, in the present case the notional business person might come up with the abstract idea of avoiding the customer having to provide PIN and account information to the merchant. Even when considering this to be an abstract business concept for carrying out POS transactions, it cannot however be convincingly argued that it would be sufficient to implement this idea on a standard general purpose mobile POS terminal infrastructure as known from D1 with standard programming skills. It requires a new infrastructure, new devices and a new protocol involving technical considerations linked to modified devices and their capabilities as well as security relevant modifications of the transfer of sensitive information using new possibilities achieved by the modifications to the mobile POS infrastructure.

This goes beyond what the notional business person knows, but rather concerns technical implementation details (how to implement) which are more than a straight-forward 1:1 programming of an abstract business idea. Just as T 1463/11 (supra) considered the security relevance of centralising authentication services in view of avoiding maintenance of software plug-ins in merchant computers contributed to the technical character, the Board considers the security relevance of the modifications according to point 4 above contribute to the technical character of the present invention.

Hence, the board considered the distinguishing features to be technical ones and formulates the objective technical problem as follows:

The Board therefore considers the objective technical problem underlying the differences outlined in point 4 above to be to improve the mobile POS terminal known from D1 in respect of the customers security against fraudulent use of their sensitive information.

The board took the view that a further search for prior art was necessary to assess inventive step in a meaningful manner. Therefore, the decision under appeal was set aside and the case was remitted to the department of first instance for further prosecution.

More information

You can read the whole decision here: T 1749/14 (MOBILE PERSONAL POINT-OF-SALE TERMINAL/MAXIM) of 3.4.2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.