Pizzeys Patent and Trade Mark Attorneys Pty Ltd v Apple Inc
[2023] APO 61
•5 December 2023
IP AUSTRALIA
AUSTRALIAN PATENT OFFICE
Pizzeys Patent and Trade Mark Attorneys Pty Ltd v Apple Inc. [2023] APO 61
Patent Application: 2018256522
Title:Method, device and secure element for conducting a secured financial transaction on a device
Patent Applicant: Apple Inc.
Opponent: Pizzeys Patent and Trade Mark Attorneys Pty Ltd
Delegate: Dr V. Z. Kolev
Decision Date: 5 December 2023
Hearing Date: 23 November 2022 via video conference
Catchwords: PATENTS – section 59 – opposition to grant of a patent – clarity – novelty – inventive step – part of evidence unreadable – reg 5.23 – whether some evidence properly in reply – secure hardware element embedded in a chipset of a device – certification of devices and elements – claims referring to standards in general or to a particular standard – opposition unsuccessful – costs awarded
Representation: Counsel for the applicant: Ms Sophie Goddard SC and Ms Laura Thomas
Patent attorney for the applicant: FPA Patent Attorneys Pty Ltd
Counsel for the opponent: Mr Tom Cordiner KC and Mr Anthony Middleton
IP AUSTRALIA
AUSTRALIAN PATENT OFFICE
Patent Application: 2018256522
Title: Method, device and secure element for conducting a secured
financial transaction on a devicePatent Applicant: Apple Inc.
Date of Decision: 5 December 2023
DECISION
The opposition is unsuccessful. I have found that the claims are clear. In addition, I have not found that any one of the claims is not novel or does not involve an inventive step.
Subject to appeal, I direct that the patent application proceeds to grant.
I award costs according to the amounts specified in Schedule 8 against Pizzeys Patent and Trade Mark Attorneys Pty Ltd.
REASONS FOR DECISION
Throughout this decision, unless explicitly stated otherwise, any reference to the Act, or to a specific section or subsection, refers to the Patents Act 1990, and any reference to the Regulations, or to a specific regulation or subregulation, refers to the Patents Regulations 1991. In addition, any reference to the Commissioner refers to the Commissioner of Patents as per the Act.
Background
The matter relates to patent application 2018256522 (the Application) in the name of Apple Inc. (the Applicant). The Application was filed on 30 October 2018 by the original applicant Mobeewave, Inc. as a divisional application of 2013225577 (the Parent). The earliest claimed priority date is 29 February 2012.
It is worth noting that the Parent is, at present, a granted patent which is under re-examination originally requested by Pizzeys Patent and Trade Mark Attorneys Pty Ltd, and a number of adverse re-examination reports have been issued.
The Application was advertised as accepted on 3 December 2020. A notice of opposition to grant was filed on 2 March 2021 by Pizzeys Patent and Trade Mark Attorneys Pty Ltd (the Opponent).
The statement of grounds and particulars (the SGP) was filed on 2 June 2021, together with some of the documents mentioned in the SGP and referred to as D1-D10 and D17-D18. Following the filing of the SGP, a Delegate of the Commissioner issued a direction to the effect that documents D1-D10 and D17-D18 are to be treated as evidence in support of the opposition.
On 2 July 2021, the Applicant filed a request to dismiss the opposition. Following that request, on 23 August 2021, a Delegate of the Commissioner issued a direction, according to which the Opponent should provide copies of prior art documents D11-D16 and D19 (that were referred to in the SGP, but not filed together with the SGP) as well as further and better particulars for the grounds of novelty, inventive step, and manner of manufacture.
On 2 September 2021, the Opponent filed their evidence in support. A few days later, on 6 September 2021, the Opponent filed copies of documents D11-D16 and D19 as well as a request to amend the SGP to include further and better particulars and additional documents referred to as D20 and D21. This request to amend the SGP was ultimately allowed on 23 February 2022.
On 6 December 2021, the Applicant filed their evidence in answer. On 7 February 2022, the Opponent filed their evidence in reply.
On 8 February 2022, a Delegate of the Commissioner issued a direction stating that “the ground of opposition under s40(2)(aa)- ‘the Best method’ is hereby dismissed”.
The “Opponent’s outline of submissions” (the Opponent’s Summary or OS) was filed on 8 September 2022. Due to the fact that the original hearing date was declared the National Day of Mourning for Her Majesty the Queen public holiday and thus the hearing was vacated, on 12 September 2022, a Delegate of the Commissioner wrote to the parties noting that:
“As the hearing is vacated, there is no need for the Applicant to file submissions on 15 September 2022. I note that the Opponent has already filed submissions on 8 September 2022. The Opponent may file further submissions, if it so chooses, ten business days prior to the date on which the hearing is re-set”.
The Opponent did not file further submissions. On 16 November 2022, the Applicant filed the “Patent Applicant’s outline of submissions” (the Applicant’s Summary or AS).
Relevantly, the present opposition is with respect to the Application as accepted and is based on the SGP, as amended by the request filed on 6 September 2021 and allowed on 23 February 2022 (the amended SGP), having regard to the fact that the ground under s 40(2)(aa) is dismissed as per the direction issued on 8 February 2022.
Applicable law and onus
On 15 April 2013, important provisions of the Intellectual Property Laws Amendment (Raising the Bar) Act 2012 commenced which resulted in significant amendments to the Act and Regulations affecting, inter alia, the standard of proof required for an opposition to succeed. For patent applications filed on or after the above commencement date, subsection 60(3A) applies:
“If the Commissioner is satisfied, on the balance of probabilities, that a ground of opposition to the grant of the standard patent exists, the Commissioner may refuse the application.” (underlining added)
The Application was filed on 30 October 2018, hence subsection 60(3A) applies to the instant opposition. In addition, the filing date of the Application being after 15 April 2013 also means that the Application was examined under the amended provisions of the Act and Regulations following the Raising the Bar Act and the same are also applicable to the present opposition proceedings.
It is well settled and was accepted by the Opponent (OS at [2.2]) that they have the onus of establishing the facts supporting the grounds of opposition, and this applies even though the standard of proof is “the balance of probabilities”.
Grounds of opposition and evidence
Grounds of opposition
Excluding the dismissed ground under s 40(2)(aa), the grounds of opposition as per the amended SGP are as follows:
·lack of novelty;
·lack of inventive step;
·not a manner of manufacture; and
·failure to comply with ss 40(2) and 40(3), in that:
othe specification of the Application (the Specification) does not disclose the invention in a manner which is clear enough and complete enough for the invention to be performed by a person skilled in the relevant art across the full scope of the claim (s 40(2)(a));
othe claims are not clear (s 40(3)); and
othe claims are not supported by matter disclosed in the Specification (s 40(3)).
I note that the Opponent’s Summary addresses only the grounds of clarity, novelty, and inventive step. At the hearing, the Opponent clarified that the grounds pressed by them are specifically:
·the claims are not clear due to the presence of the phrase “secure hardware element”;
·lack of novelty in light of document D4 when read together with several other documents as a single source of information; and
·lack of inventive step in light of the common general knowledge considered together with either one of documents D4 or D1.
Evidence on file
The evidence filed in the opposition consists of the following documents:
·Evidence in support consisting of:
odocuments D1-D10 and D17-D18 as filed together with the SGP, forming part of the evidence in support through the above mentioned direction;
oa declaration by Mr Grahame Willis dated 2 September 2021 (Willis-1) with exhibits marked as Schedule 1 to Schedule 3; and
oa declaration by Mr Bill Webster dated 2 September 2021 (Webster) with a single exhibit marked as Schedule BW.
·Evidence in answer consisting of:
oa declaration by Mr Tasman Merrick dated 6 December 2021 (Merrick) with exhibits marked as Annexure TM1 to Annexure TM12; and
oa declaration by Mr Steven Hadley dated 6 December 2021 (Hadley) with exhibits marked as Annexure SH1 to Annexure SH7.
·Evidence in reply consisting of:
oa second declaration by Mr Grahame Willis dated 7 February 2022 (Willis-2) with Exhibit GW-1 and Exhibit GW-2.
Documents D4(c) and D4(d)
The reproduction quality of parts of document D4, referred to as D4(c) and D4(d), as filed in evidence is poor, and this severely affects the readability of the text. Both Mr Merrick and Mr Hadley noted “[a]s the text in D4(c)-(d) was difficult to read, FPA also provided me with the following links to these documents: …” (Merrick at [14], Hadley at [38]). In essence, these Experts viewed documents that are not in evidence. I was unable to find Mr Willis mentioning anything specific about an inability to read D4(c) or D4(d). This means that either he also viewed documents that are not in evidence, or he somehow managed to read D4(c) and D4(d) as they are in evidence, which appears to me unlikely.
At the hearing, I noted that since I am unable to properly read D4(c) and D4(d) in any of the versions that I identified in the evidence before me, I cannot accept any submissions or evidence regarding the disclosure in D4(c) and D4(d). The Opponent’s representative suggested to send me via email (with a copy to the Applicant’s representative) readable versions of D4(c) and D4(d). The Applicant’s representative agreed to such course of action and the readable versions were received during the hearing. Helpfully, the Applicant’s representative submitted that if the readable versions of D4(c) and D4(d) are introduced under reg 5.23, no further evidence and/or submissions under reg 5.23(2)(c) would be needed, since the Applicant and their Experts have already reviewed readable versions of D4(c) and D4(d) and provided related submissions and evidence. In view of the agreement between the parties, I stated that, in deciding the opposition, I will consult the readable versions of D4(c) and D4(d) under the provisions of reg 5.23.
Paragraph [13] of Willis-2 and Exhibit GW-2
In this paragraph, Mr Willis states:
“Finally, it has been brought to my attention that the Opposed Application has a parent patent 2013225577 (the Parent Patent) which is under re-examination and on which another re-examination report issued on 7 January 2022 (Exhibit GW-2). I have considered that report. In that report, the claims of the Parent Patent are objected to for lack of inventive step. While there are differences between the claims of the Opposed Application and the claims of the Parent Patent, that re-examination report echoes my concerns on the patentability of the invention of the subject Opposed Application. Some of the remarks in that re-examination report that resonate with my views on the Opposed Application are reproduced below:
‘… I remain satisfied that incorporating the functions of the iSMP device into a mobile phone, rather than providing that functionality through a separate physical device, is no more than a workshop improvement, driven by ordinary technical and commercial imperatives without any inventive ingenuity. I see no problem with providing the components within the same housing that could require ingenuity to solve, and the benefits the claimed arrangement provides (e.g. durability, convenience) are no more than the routine efficiencies that come from combining functions that have already been designed to work together in the same housing without otherwise changing the way those functions are provided.
…
Many of the remaining arguments assert that the present claims are inventive because they require, within the mobile device, features that the cited documents disclose as being separately provided by way of the iSMP. If it is no more than a workshop improvement to provide the functionality of the iSMP inside the mobile device (and for the reasons above I consider that it is), then the device that it would be obvious to the skilled addressee to produce necessarily contains these features. For example, in relation to claim 26, the response explicitly acknowledges that the iSMP includes a contactless interface for communication with a payment apparatus. Combining these functions into a single device would therefore produce a mobile phone with the contactless interface as claimed.’” (original bold and italic, underlining added)
On 10 March 2022, the Applicant wrote to the Commissioner that:
“Applicant currently intends to challenge at least the purported Opponent’s Evidence in Reply of paragraph [13] of the Willis declaration [i.e., Willis-2]. Paragraph [13] is irrelevant to the opposition proceedings and is not Evidence in Reply. Unless the Commissioner directs otherwise, the applicant is happy for this issue to be considered at the hearing.”
In relation to this matter, on 22 March 2022, a Delegate of the Commissioner wrote to the parties:
“I acknowledge that this paragraph does not appear to be responsive to the evidence in answer and raises matters on a different process. … My preference is to proceed to set the hearing and should the delegate find it crucial to consult any material on 2013225577, including paragraph [13] of the Willis declaration of 7 February 2022, then a proper process under r 5.23 will be followed.”
At the hearing, the Applicant maintained that paragraph [13] of Willis-2 and Exhibit GW-2 were not properly in reply. The Opponent submitted that Exhibit GW-2 was not needed and could be removed from the evidence, but maintained that paragraph [13] of Willis-2 was properly in reply and stood on its own as a response to some of Mr Hadley’s comments on the “cleverness” and inventiveness of the instant invention. Having heard the parties’ oral submissions, I stated that I will reserve my decision on the issue, and if I later decide that paragraph [13] of Willis-2 and Exhibit GW-2 are not properly in reply, but I will nevertheless consider them under reg 5.23, I will follow the due process under the Regulations. Both parties explicitly confirmed that they had no objections to this approach.
With respect to the content of Exhibit GW-2 (parts of which are quoted in paragraph [13] of Willis-2), it is worth noting that “[t]he Commissioner is an administrative decision-maker equipped with technical expertise. Subject to the rules of natural justice both common law and statutory …, he or she is entitled to make use of that expertise, and draw inferences that may be rationally drawn from technical knowledge …” (Commissioner of Patents v Emperor Sports Pty Ltd [2006] FCAFC 26 at [24]). While the Examiner, as a Delegate of the Commissioner, is entitled to make use of their technical expertise, I have my doubts that an Expert can increase the credibility of their evidence via drawing support for their views from the content of a re-examination report on a related case.
In any event, even if paragraph [13] of Willis-2 and Exhibit GW-2 are properly evidence in reply (or, in the alternative, introduced under reg 5.23), in view of the rest of the evidence on file, I do not consider that the content of Exhibit GW-2, as quoted with approval by Mr Willis, have the potential to save the Opponent’s case on inventive step. It follows that the question of whether paragraph [13] of Willis-2 and Exhibit GW-2 are properly in reply is inconsequential. Hence, I do not need to answer this question conclusively.
The specification
The invention as described
In identifying the technical field of the invention, the description notes that “[s]ome embodiments relate to a method, device and secure element for conducting a secured transaction on a device, in particular a secured financial transaction” (at [002]).
As background information, it is explained that:
“[004] Merchants often use payment terminals to conduct secured financial transactions with customers. Such customers usually hold payment cards issued by a financial institution or a payment card institution. In some instances, the payment cards include a magnetic strip and/or a smart card chip allowing a transaction to be initiated by swiping the card in a magnetic strip reader of a payment terminal or by introducing the payment card in a smart card reader of a payment terminal. In other instances, the payment card may also be contactless transaction enabled to allow a transaction to occur by presenting the payment card proximate to a payment terminal. In order to ensure security during the financial transactions, security standards such as the Europay, MasterCard, and Visa (EMV) transaction standard have been developed and used to [sic]
[005] [sic] certify both the payment terminals and the payment cards. However, due to various factors, including the technical complexity required to meet the security standards, payment terminals that are used to conduct secured financial transactions are usually devices that are solely dedicated to the conduct of financial transactions.
[006] There is therefore a need in the art for a method, device and secure element for conducting secured transactions, from any devices, in particular from devices that offer other functionalities than the mere conduct of financial transactions.” (underlining added)
Against this background, the general concept of the invention is illustrated on Figure 1 (reproduced below), which “illustrates a diagrammatical representation of a system 9 for conducting a secured financial transaction from a device 12 in accordance with one embodiment of the present disclosure” (at [0037], italic added). The figure shows an example secured financial transaction between a customer 4 and a merchant 2, and this also involves the financial institution (or issuer) 6 holding the customer’s financial account, the payment card company (or card association) 8, the financial institution (or acquirer / processor) 10 holding the merchant’s financial account, and the gateway 11. For payment, the customer may use “for example, a payment card and/or a secured unique identification component which may be embedded in a device of the customer 4 (e.g. a mobile phone). The payment card is held by the payment card company 8 and may be, for example but without being limitative, a debit card … or a credit card” (at [0037]). In addition, “[a]lthough the gateway 11 is shown in Fig. 1, it should be understood that the financial transactions may occur directly between the merchant 2 and the financial institution 10 with no gateway in between” (at [0038]).
Importantly, the device 12 used by the merchant to accept the customer’s payment “comprises a secure element 16 and an interface 18” (at [0038], italic added). It is explained that “[i]n one embodiment, the interface 18 may be, for example but without being limitative, a magnetic strip reader, a smart card reader, or a near field communication (NFC) interface” and that “[t]he interface 18 allows a contact and/or a contactless transaction between a payment card of the customer 4 and/or a device of the customer 4 to occur on the device 12” (at [0038]). It is also noted that:
“[0038] … In one embodiment, the transaction is a financial transaction that is secured and that is compliant with the EMV transaction standard and the applicable PCI SSC standards. The applicable PCI SSC standards may be one of the Payment Application Data Security Standard (PA-DSS), PIN Transaction Security (PTS) and/or Point-to-Point Encryption (P2PE). In other embodiments, the transaction may be compliant with other secured transaction standards.” (underlining added)
It is later stated that “[d]ue to the wide variety of devices that may embody the secure element 16 and the interface 18, a wide variety of secured transactions may be conducted” (at [0057]).
The method of conducting such “secured contact and/or contactless financial transactions … may be embodied in a software application such as a point of sale application … running on the device 12. The point of sale application … may comprise various software components allowing a transaction to be conducted between the customer 4 and the merchant 2 in accordance with the method … In particular, some of the various software components may be executed on the secure element 16 of the device 12, while other software components are executed by a CPU of the device 12” (at [0040], italic and underlining added).
Figure 2 (not reproduced) is “a diagrammatical representation of a contactless transaction occurring between the customer 4 and the merchant 2 of Fig. 1” (at [0039]). In essence, this figure merely illustrates some of the device options that the customer and the merchant have for conducting the transaction. For example, the customer can use for the payment a credit card (contactless, in the context of the transaction of Figure 2), a smart phone, or a tablet; whereas, to accept the payment, the merchant can use a variety of devices as long as the secure element 16 and the interface 18 are included in the device to be used:
“[0039] … For example, but without being limitative, the secure element 16 and the interface 18 may be embedded in devices such a tablet computer …, a cash register …, a printer …, a vending machine …, a payment terminal …, and/or an automatic telling machine (ATM) … (in which case the customer 4 may conduct a transaction without having to interact with the merchant 2, i.e. by solely interacting with her/his payment card company 8 or her/his financial institution 6). Other examples of devices on which the secure element 16 and the interface 18 may be embedded include, but without being limitative, a TV, a video game system, a setup box to access the Internet, or an Apple TV® from Apple Inc.”
Figures 1 and 2 also show that the merchant’s device can be a smart phone having a secure element 16 and an interface 18.
The general structure of the merchant’s device is described by reference to Figure 4 (reproduced below), which is “a block diagram illustrating various exemplary components and features of the illustrative device 12 in accordance with one embodiment” (at [0043]).
In that respect, it is explained that:
“[0043] … The device may include the secure element 16, a NFC interface 19, a smart card reader 55, a subscriber identity module (SIM) card slot 36, a communication interface 38, a control circuit 40, a central processing unit (CPU) 42 on which an operating system (OS) of the device 12 is running, an input/output (I/O) Controller 44, a display 46, a keypad 48, a printer (not represented in Figure 4), a magnetic strip reader 52, and a memory 54 …
…
[0045] … The memory 54 may also include data files such as connection information (e.g. information used to establish a communication), or data allowing the device 12 to run a payment control application. The payment control application is one of the software components (executed by the CPU 42 of the device 12) of the point of sale application …” (underlining and italic added)
The secure element can be embedded in the merchant’s device in various ways. For example, as described in paragraph [0068], the secure element may be incorporated within the circuitry of the device; may be embedded on a non-volatile memory card, e.g., a secure digital (SD) card; or may be embedded on a SIM card. If the security element is embedded on a card, the card can then be introduced in the device, thus allowing secured transactions to be conducted from the device, without the device itself being certified for that purpose. Additionally, “[i]n still an alternative embodiment …, the secure element 16 may be located in a housing to be plugged to the device 12” (at [0068], underlining added).
Figure 5 (reproduced below) “illustrates a schematic representation of an architecture allowing the point of sale application … to run on the device 12 and to conduct an EMV certified secured transaction” (at [0058]).
It is explained that:
“[0058] … In an embodiment, the architecture is implemented as a combination of pre-programmed hardware or firmware elements (for example application specific integrated circuits (ASICs) running on a chipset implementing the secure element 16 and a software component stored in the memory 54 run by the CPU 42 upon activation of the point of sale application … It should be understood that it is equally feasible that the components running on the secure element 16 be solely pre-programmed hardware elements or, alternatively, solely firmware or software elements. In an embodiment, the chipset on which the secure element 16 is implemented includes memory and processing capabilities (e.g. controller and/or microprocessor).” (italic and underlining added)
In addition, “the secure element 16 comprises a first module 200, a second module 202, and a third module EMV contact/contactless transaction module 204 and/or a third module MAG 206” (at [0063]). In the example embodiment, “[t]he first module 200 comprises the drivers of the chipset on which the secure element 16 is running and provides access to the hardware layer of the secure element 16” (at [0063]); “[t]he second module 202 comprises the operating system (OS) of the chipset implementing the secure element 16” (at [0063]); “[t]he third module EMV contact/contactless transaction module 204 comprises instructions to process the data read by the NFC interface 19 from payment cards and/or from RFID-enabled devices or by the smart card reader 55 from payment cards” (at [0064]); and the “third module magnetic (MAG) 206 [in addition to, or in replacement of, the third module EMV contact/contactless 204] ... comprises instructions to process the data read by the magnetic strip reader 52 from payment cards” (at [0065]). As can be seen from the figure, different modules can have different levels of certification.
Figures 8a and 8b (reproduced below) illustrate that “a software architecture of the secure element 16 providing security functionalities … includes a low-level OS, a Java Card Java Virtual Machine (JVM), and a Global Platform component, corresponding to the L1 certified drivers 200 and OS 202 … [and] further comprises an Issuer Security Domain (ISD), and optional Supplementary Security Domains (SSD)” (at [0069]). It is also noted that “[o]n top of these components, java applets are executed in a secured environment. In particular, a payment applet 810 may implement the Level 2 certified (optionally also Level 3 certified) modules: EMV contact/contactless transaction module 204 and/or MAG module 206” (at [0069], italic added).
The “software architecture of the payment applet 810” (at [0070]) is illustrated on Figure 8c (reproduced below). This is explained as follows:
“[0070] … The payment applet 810 includes an abstraction layer, to interface generically with the lower level software components (e.g. the OS) of the secure element 16. The payment applet 810 includes interface modules, to interface with different contact and contactless interfaces of the device 12: EMV Contact L1 and EMV Contact L2 Core for interfacing with a smart card reader 55, EMV Contactless L1 core and EMV Contactless L2 Core for interfacing with a NFC interface 19, Mag Stripe Core for interfacing with a magnetic strip reader 52. The payment applet 810 comprises communication services, to communicate with external entities (e.g. a financial institution) via the communication interface 38 of the device 12. The payment applet 810 further comprises security services for securing a communication with the external entities (e.g. a financial institution): authentication services, cryptographic services, and crypto storage services. The payment applet 810 also includes an acquirer module. And the payment applet 810 includes several payment modules (e.g. MasterCard PayPass MagStripe, Visa PayWave MSD, MasterCard Paypass M/Chip, Visa PayWave qVSDC), to support various types of payment applications provided by different types of payment means (e.g. contact or contactless credit card, contactless payment enabled mobile phone, etc).”
It is clear that by introducing the secure element into the merchant’s device, which I noted earlier can be a smart phone, the instant invention proposes to address the “need in the art for a method, device and secure element for conducting secured transactions, from any devices, in particular from devices that offer other functionalities than the mere conduct of financial transactions” (at [006]. In that regard, “the certification of the secure element ensures that various financial entities are willing to use the secure element to store and process critical financial data, and to perform secured financial transactions using the critical financial data” (at [0029]).
It should be noted that the above is not intended to be a comprehensive discussion of the described invention and all of its embodiments. Instead, it is limited to the concepts necessary to understand the claimed invention, and I will provide a more detailed analysis on some parts of the body of the specification later in this decision as necessary.
The claimed invention
The Specification ends with 15 claims. Claims 1, 8, and 15 are independent and reproduced below. To assist readability and discussion of the individual features, I have formatted the text and included, in square brackets, labels to the features (or integers) of the claims, largely following the nomenclature of Schedule 1 to Willis-1.
Claim 1
“[1.1] A method of conducting a secured financial transaction on a device used as a payment terminal,
[1.2] the device running a point of sale (POS) application,
[1.3] the device comprising
[1.4] a central processing unit,
[1.5] an interface,
[1.6] a communication interface and
[1.7] a secure hardware element embedded in a chipset of the device,
[1.8] the POS application comprising a payment control application,
[1.9] the payment control application running on the central processing unit and comprising control instructions to control the secure hardware element without allowing the central processing unit to access the secure hardware element,
the method comprising:
[1.10] receiving, from the payment control application, by the secure hardware element, a request to conduct the secure financial transaction;
[1.11] acquiring, by the secure hardware element, via the interface of the device, data relating to the financial account from a payment apparatus;
[1.12] establishing a secured communication channel between the secure hardware element and a server through the communication interface of the device;
[1.13] transmitting, by the secure hardware element and over the secured communication channel, at least a portion of the data relating to the financial account of the payment apparatus, the portion of the data relating to the financial account being inaccessible to the central processing unit; and
[1.14] obtaining, by the secure hardware element, a transaction authorization for conducting the secured financial transaction from the server,
[1.15] the transaction authorization being based, at least partially, on the portion of the data relating to the financial account of the payment apparatus that is inaccessible to the central processing unit and processed by the secure hardware element.”
Claim 8
“[8.1] A device to be used as a payment terminal and
[8.2] configured to run a point of sale (POS) application for conducting a secured financial transaction,
the device comprising
[8.3] a central processing unit,
[8.4] a secure hardware element embedded in a chipset of the device,
[8.5] an interface and a non-transitory computer readable storage medium comprising computer-executable instructions for execution by the device,
the instructions, upon being executed by the device, causing:
[8.6] running the point of sale (POS) application, the POS application comprising a payment control application,
[8.7] the payment control application running on the central processing unit and comprising control instructions to control the secure hardware element without allowing the central processing unit to access the secure hardware element;
[8.8] receiving, by the secure hardware element, a request to conduct the secure financial transaction wherein the request is transmitted to the secure hardware element by the payment control application;
[8.9] acquiring, by the secure hardware element, via the interface of the device, data relating to the financial account from a payment apparatus; and
[8.10] establishing a secured communication channel between the secure hardware element and a server through the communication interface of the device;
[8.11] transmitting, by the secure hardware element and over the secured communication channel, at least a portion of the data relating to the financial account of the payment apparatus, the portion of the data relating to the financial account being inaccessible to the central processing unit; and
[8.12] obtaining, by the secure hardware element, a transaction authorization for conducting the secured financial transaction from the server,
[8.13] the transaction authorization being based, at least partially, on the portion of the data relating to the financial account of the payment apparatus that is inaccessible to the central processing unit and processed by the secure hardware element.”
Claim 15
“[15.1 (referring to the whole claim)] A non-transitory computer readable storage medium comprising computer-executable instructions for execution by a device, the device to be used as a payment terminal and configured to run a point of sale (POS) application for conducting a secured financial transaction,
the device comprising
a central processing unit,
an interface and
a secure hardware element embedded in a chipset of the device,
the instructions, upon being executed by the device, causing:
running the point of sale (POS) application, the POS application comprising a payment control application,
the payment control application running on the central processing unit and comprising control instructions to control the secure hardware element without allowing the central processing unit to access the secure hardware element;
receiving, by the secure hardware element, a request to conduct the secure financial transaction wherein the request is transmitted to the secure hardware element by the payment control application;
acquiring, by the secure hardware element, via the interface of the device, data relating to the financial account from a payment apparatus; and
establishing a secured communication channel between the secure hardware element and a server through the communication interface of the device;
transmitting, by the secure hardware element and over the secured communication channel, at least a portion of the data relating to the financial account of the payment apparatus, the portion of the data relating to the financial account being inaccessible to the central processing unit; and
obtaining, by the secure hardware element, a transaction authorization for conducting the secured financial transaction from the server,
the transaction authorization being based, at least partially, on the portion of the data relating to the financial account of the payment apparatus that is inaccessible to the central processing unit and processed by the secure hardware element.”
Comparing the independent claims, I note that:
·claim 1 is directed to a method of conducting a secured financial transaction on a device used as a payment terminal, the device running a point of sale (POS) application;
·claim 8 is directed to a device to be used as a payment terminal and configured to run a point of sale (POS) application for conducting a secured financial transaction, the device comprising a non-transitory computer readable storage medium comprising computer-executable instructions for execution by the device; and
·claim 15 is directed to a non-transitory computer readable storage medium comprising computer-executable instructions for execution by a device, the device to be used as a payment terminal and configured to run a point of sale (POS) application for conducting a secured financial transaction.
It appears that the only difference between claims 8 and 15 is that claim 8 is directed to the device comprising the above described storage medium, whereas claim 15 is directed to the storage medium itself, the other features being essentially the same. I also note that claim 1 does not explicitly define that the device has a non-transitory computer readable storage medium comprising computer-executable instructions for execution by the device. These differences, however, do not appear sufficiently material to warrant separate detailed considerations of the three independent claims, in particular with respect to novelty and inventive step. Hence, I will initially focus my attention on claim 1, and I will briefly comment on the other independent claims to the extent necessary.
The person skilled in the art and the Experts
The hypothetical person skilled in the art is a well-established legal concept and, since the applicable legal principles are not in real dispute, I do not consider it necessary to discuss the relevant Authorities. The Opponent submits:
“3.9 … the person to whom the Opposed Application is addressed, …, will comprise a person or team that has skills in the design of electronic payment systems to bring about secured financial transactions with financial institutions. Such a person, or team, will have specific experience in the design of software, firmware and hardware (including security components) used, and combined to operate, in such electronic payment systems.
3.10 As is made apparent from claims 7 and 14 of the Opposed Application, which refer to the secure hardware element being ‘Europay, MasterCard, and Visa (EMV) transaction certifiable’, the skilled addressee must also be at least aware of the relevant EMV transaction standard, and would be expected to know how that standard should be met in the design of the software, firmware and hardware of an electronic payment system. Indeed, given paragraph [0028], the skilled addressee ought have a working knowledge of all the relevant standards disclosed there.” (OS, original italic and bold, underlining added)
In view of the above, the Opponent notes that while Mr Willis, Mr Webster, and Mr Merrick are “qualified to give evidence in the Opposition” (OS at [3.11], [3.12], and [3.14]), “care should be taken in placing too much weight on Mr Hadley’s evidence as it pertains to what was known and surprising at the priority date, to the extent they are contrary to the Opponent’s case”, because “[i]t was only from June 2013 (after the priority date), that Mr Hadley appears to have gained any experience in the software used in payment terminals” (OS at [3.13]).
In response to this, the Applicant states:
“10. … the concept of the person skilled in the art is not an invitation to create a checklist of qualifications that each expert witness must have in order for their evidence as a whole to be considered relevant or irrelevant. Rather, so long as evidence is properly based on the witness’ learning and experience, the decision-maker must consider the relevance of particular evidence to each question to be determined. The fact that a witness’ qualifications or experience were gained after the priority date is not necessarily disqualifying, because ‘evidence is admissible from persons who do not precisely answer the description of the hypothetical skilled person’: KD Kanopy Australasia v Insta Image (2007) 71 IPR 615 at [16]; and see Gilead Sciences v Idenix Pharmaceuticals (2016) 117 IPR 252 at [206]. Rather, the decision maker must consider how particular evidence informs the question of how the notional person skilled in the art would read the patent or the prior art.
…
13. The Opponent submits that Mr Hadley’s evidence should be treated with care because he commenced working as a software developer in the merchant acquiring team and the Commonwealth Bank in June 2013 (about 15 months after the priority date) and before that, his experience was not focussed on payment terminals. Mr Hadley says:
Immediately after commencing work in this team, I developed my understanding of payment terminals and how they operated. In order to do this, I worked with developers on the team to learn about: the various different process flows used in payment terminals; the various different components of the payment device and how they interacted with each other; and the different types of certification processes and standards that applied to the payment terminals. I consider that I developed a good understanding of what was generally known about payment devices during the period 2013 to 2015, and the years immediately prior to 2013.” (AS, original italic, underlining added, reference(s) omitted)
In addition, the Applicant submits, with respect to Mr Willis and Mr Webster, that “[t]heir evidence does not provide a proper basis to assess whether they are qualified to express the opinions found in their declarations” and hence “their evidence should be treated with caution and the Commissioner should certainly not accept that they are more qualified to give evidence than the Applicant’s expert witnesses” (AS at [11], original italic). In conclusion, “the Applicant submits that his [i.e., Mr Hadley’s] evidence is in fact more useful and reliable than the evidence of Mr Willis and Mr Webster, who simply make bald assertions of having relevant experience” (AS at [19]).
Having regard to their experience, I have no issues with accepting that all Experts are suitably qualified to give evidence in the present opposition proceedings. Notwithstanding that, I am prepared to give more weight to the Experts’ statements that are supported by some logical explanations and reasoning as opposed to being mere assertions.
The common general knowledge
The common general knowledge is another well-established legal concept associated with the person skilled in the art. Referring to several paragraphs from Merrick, the Opponent submits that, at the priority date, the common general knowledge included “[t]he existence and content of the Europay, MasterCard, and Visa (EMV) and Payment Card Industry (PCI) standards as they were in force at that time, as set out in D7 to D10 and D17” (OS at [4.2], original bold, underlining added). They also emphasised that “[t]he PCI standards did not allow payments to be performed on mobile phones because those devices fall into the category of devices known as COTS (Consumer Off The Shelf) devices” (OS at [4.4], referring to Willis-2 at [6]).
Further, by reference to Webster, Willis-2, and Merrick, the Opponent submits that:
“4.11 … trust separation architectures in payment systems were common, whereby sensitive operations and less sensitive operations are run on a single system, with a barrier between those operations. For example, financial institutions have employed Hardware Security Modules (HSMs) for PIN verification since the mid 1970s, where the heart of a HSM is a secure element that is often a single chip.
4.12 The existence and nature of secure elements and secure hardware elements as a component in payment terminals and payment cards, which were responsible for processing sensitive information and securing keys used in the processing of sensitive information, and that were resistant to tampering, were well known.” (OS, original bold, reference(s) omitted)
Finally, the Opponent refers to Hadley and the PCI standard (D6) to support their view that:
“4.13 The use of two processors was a common feature of a ‘traditional, or known, payment terminal’ where the main processor is the ‘CPU of the payment terminal’ which runs a ‘payment application’ and the cryptoprocessor is ‘invoked by the payment application on the main processor as required to perform some functions’. Those functions, logically, would be those concerning ‘sensitive information’. Contrary to Mr Hadley’s assertion, a cryptoprocessor is not limited to simply ‘generating random numbers and holding keys that would be used for encryption of data’ – the PCI standard makes clear that the cryptoprocessor can also ‘process sensitive data such as [but not limited to] cryptographic keys, PINs, and passwords’ and communicate the sensitive data to the card chip and the issuer of the card.” (OS, original italic and bold, reference(s) omitted)
The Applicant disagrees that the full content of the applicable security standards was part of the common general knowledge, and refers to Gilead Sciences Pty Ltd v Idenix Pharmaceuticals LLC [2016] FCA 169 at [213]-[216] (AS at [22]). Despite their length, I consider it worthwhile to reproduce the referenced paragraphs of this decision in full, because they provide a useful summary of some legal principles relevant to the points of contention between the parties:
“213 Justice Middleton summarised the law as follows in Ranbaxy Laboratories Ltd v AstraZeneca AB [2013] FCA 368; (2013) 101 IPR 11:
[215] Common general knowledge is knowledge actually known or used by skilled addressees generally, or accepted by ‘the bulk of those who are engaged in the particular art’: see British Acoustic Films Ltd v Nettlefold Productions (1936) 53 RPC 221 at 250 (British Acoustic Films). As the High Court emphasised in Aktiebolaget Hässle [v Alphapharm Pty Ltd (2002) 212 CLR 411; 194 ALR 485; 56 IPR 129; [2002] HCA 59] at [31], information cannot be treated as part of the common general knowledge unless there is ‘evidence of its general acceptance and assimilation’ by persons skilled in the art.
…
[217] As I noted in Eli Lilly [and Company Ltd v Apotex Pty Ltd (2013) 100 IPR 451; [2013] FCA 214], information does not constitute common general knowledge merely because it might be found, for example, in a journal, even if widely read by persons in the art: see Wake Forest University Health Sciences v Smith & Nephew Pty Ltd (No 2) (2011) 92 IPR 496; [2011] FCA 1002 at [96], citing British Acoustic Films at 250 (which was also affirmed in General Tire at IPR 135; RPC 480–1). Reference in this regard is made to the words of Luxmoore J in British Acoustic Films (1936) 53 RPC 221 at 250, cited by Lehane J in Aktiebolaget Hässle v Alphapharm Pty Ltd (1999) 44 IPR 593; [1999] FCA 628 at [39]:
In my judgment it is not sufficient to prove common general knowledge that a particular disclosure is made in an article, or series of articles, in a scientific journal, no matter how wide the circulation of that journal may be, in the absence of any evidence that the disclosure is accepted generally by those who are engaged in the art to which the disclosure relates. A piece of particular knowledge as disclosed in a scientific paper does not become common general knowledge merely because it is widely read, and still less because it is widely circulated. Such a piece of knowledge only becomes general knowledge when it is generally known and accepted without question by the bulk of those who are engaged in the particular art; in other words, when it becomes part of their common stock of knowledge relating to the art.
[218] In Alphapharm [Pty Ltd v H Lundbeck A/S (2008) 76 IPR 618; [2008] FCA 559], Lindgren J observed that (at [221]):
[221] … [I]t was held in Astra [Aktiebolaget Hassle v Alphapharm Pty Ltd (2002) 212 CLR 411] that information recorded in a document, even a document widely circulated within the art, is not part of general common knowledge merely because the skilled addressee could be expected to locate it. The question is whether it is ‘generally accepted without question’ or ‘generally regarded as a good basis for further action’ by the bulk of those in the art.
214 In ICI Chemicals & Polymers Ltd v Lubrizol Corporation Inc [1999] FCA 345; (1999) 45 IPR 577 (ICI Chemicals) at [112] Emmett J said:
The common general knowledge is the technical background to the hypothetical skilled worker in the relevant art. It is not limited to material which might be memorised and retained at the front of the skilled workers mind but also includes material in the field in which he is working which he knows exists and to which he would refer as a matter of course. It might, for example, include:
· standard texts and handbooks;
· standard English dictionaries;
· technical dictionaries relevant to the field;
· magazines and other publications specific to the field.
215 The competing submissions of the parties are to be assessed consistently with these principles. It follows that I do not necessarily accept Idenix’s submissions as follows:
Thirdly, even though a particular journal article may not be able to be instantly recalled by an expert, this does not mean that the article and its teaching have not been assimilated into the common general knowledge. This is particularly the case in the field under consideration where the evidence establishes that those working in the field follow the literature as and when it is published even though they may later have to conduct literature searches to remind themselves of the specific details of its contents.
Fourthly, the evidence establishes that, in this field, one of the primary methods by which knowledge is disseminated is by publications. While a particular researcher’s work may not of itself indicate whether the methodology employed by the researcher is common general knowledge, the fact is that by publication and re-publication of that researcher’s work, the information becomes part of the common general knowledge of researchers in that field. That conclusion can be reached where there is evidence from a relevant expert with that knowledge supported by publication evidence.
216 I do not necessarily accept these submissions because they are expressed at a level of principle rather than proof in the particular case. Justice Emmett’s observations in ICI Chemicals are consistent with the authorities. Justice Emmett is not suggesting anything more than that the common general knowledge might include information in articles (etc) if the skilled addressee knows the article (etc) exists and would refer to it as a matter of course. In other words, what his Honour is allowing for is that the skilled addressee does not have to have instant recall of every matter for it to be common general knowledge. If the skilled addressee knows that certain information exists in an article (etc) and would refer to that document as a matter of course to refresh his or her memory about the details of that which the skilled addressee already knows in broad outline then those details might themselves form part of the common general knowledge. Justice Emmett is not suggesting that merely because the skilled addressee could locate a document and, having located it, could read and assimilate its contents, the document and its contents would form part of the common general knowledge. This would be inconsistent with Minnesota Mining, in particular, that the common general knowledge is the background knowledge and experience which is available to all in the trade. For the possibility which Emmett J recognised in ICI Chemicals to arise there would have to be evidence that the particular document was known and would be referred to as a matter of course by those in the field.” (original bold and italic, underlining added)
Given the prominence of the certification and the consistent references to some applicable security standards in the Specification, it would be a strange proposition to suggest that the person skilled in the art would be unaware of the existence of these standards. In addition, in my view, industry standards are unlike scientific publications, in that there is nothing in them that needs to be “accepted by ‘the bulk of those who are engaged in the particular art’”, or requires “‘evidence of its general acceptance and assimilation’ by persons skilled in the art”. In that respect, I consider that the industry standards are much more akin to “standard texts and handbooks” and “technical dictionaries relevant to the field”, such that they represent “material in the field in which [the skilled worker] is working which he knows exists and to which he would refer as a matter of course”. The Experts’ evidence on file does not appear to contradict this view.
The above line of reasoning suggests that I am more inclined to think that the relevant security standards in the field of the instant invention are likely to be part of the common general knowledge; however, as this will not change the outcome of my decision, I do not need to conclusively decide the issue. Therefore, I will proceed on the basis that the relevant security standards in the field of the instant invention, as they existed at the priority date, were indeed part of the common general knowledge.
Claim interpretation and clarity
The law
The principles of claim interpretation (sometimes referred to as the rules of construction) as well as the requirements that the claims must be clear are well settled. A helpful summary is provided by the Full Court of the Federal Court in Austal Ships Sales Pty Ltd v Stena Rederi Aktiebolag [2008] FCAFC 121 (Austal Ships), citing with approval from an earlier decision:
“13 In Flexible Steel Lacing Company v Beltreco Ltd (2000) 49 IPR 331, Hely J considered at length the approach to construction of a specification and, in particular, the circumstances in which uncertainty might lead to invalidity. At [71]-[78] his Honour identified the following principles:
·The monopoly must be defined in a way that is not reasonably capable of being misunderstood.
·In determining the nature and extent of the monopoly claimed, the specification must be read as a whole, but recognizing that the parts have different functions. The claims mark out the legal limits of monopoly. What is not claimed is disclaimed. The specification describes how to carry out the process and the best method known to the patentee of doing so.
·Although the claims are construed in the context of the specification as a whole, it is not legitimate to narrow or expand the boundaries of the monopoly as fixed by a claim by adding glosses drawn from other parts of the specification. If a claim is clear, it is not to be varied, qualified or made obscure by statements found elsewhere in the document.
·It is legitimate to refer to the rest of the specification to explain the background to the claims, to ascertain the meaning of technical terms and resolve ambiguities in the construction of the claims. When the language of the claims is obscure or doubtful such doubts may be resolved by reference to the specification.
·It is not necessary that the claims be construed without reference to the body of the specification in order to see whether there is any ambiguity. The document is construed as a whole. If the specification demonstrates an intention that words used elsewhere have a particular meaning, effect should be given to such a ‘dictionary’.
14 At [79]-[81] his Honour then continued:
…
[81] Other principles of construction which may be of assistance in the resolution of the present matter include:
·A patent specification should be given a purposive construction rather than a purely literal one …
·The hypothetical addressee of the patent specification is the non-inventive person skilled in the art before the priority date. The words used in a specification are to be given the meaning which the hypothetical addressee would attach to them, both in the light of his own general knowledge and in the light of what is disclosed in the body of the specification.
·There is a fine line between, on the one hand, reading down the words of a patent claim to reflect how a person skilled in the art would understand it in a practical and commonsense way, and, on the other hand, impermissibly limiting the clear words of a claim because a reader skilled in the art would be likely to apply those wide words only in a limited range of all the situations they describe.
·It is permissible for an invention to be described in a way which involves matters of degree. Lack of precise definition in claims is not fatal to their validity, so long as they provide a workable standard suitable to the intended use. The consideration is whether, on any reasonable view, the claim has meaning. In determining this, the expressions in question must be understood in a practical, commonsense manner. Absurd constructions should be avoided and mere technicalities should not defeat the grant of protection.
·As a general rule, the terms of a specification should be accorded their ordinary English meaning.
·Evidence can be given by experts on the meaning which those skilled in the art would give to technical or scientific terms and phrases and on unusual or special meanings given by such persons to words which might otherwise bear their ordinary meaning.
·However, the construction of the specification is for the court, not for the expert witness. In so far as a view expressed by an expert depends upon a reading of the patent, it cannot carry the day unless the court reads the patent in the same way.
·Section 116 of the 1990 Act provides that the court may, in interpreting a complete specification, refer to the specification without amendment. However, it is neither useful nor legitimate to do so where the amended specification is clear.” (original italic, underlining added)
The High Court in Interlego A.G. v Toltoys Pty. Ltd. [1973] HCA 1; (1973) 130 CLR 461 also stated (at p. 479) that:
“14 … If the expression is not clear it is then permissible to resort to the body of the specification to define or clarify the meaning of words used in the claim without infringing the rule that clear and unambiguous words in the claim cannot be varied or qualified by reference to the body of the specification …” (underlining added)
Relevantly to my decision, it is important to note that the claims are to be interpreted purposively on the basis of the actual wording chosen by the Applicant as clarified, when necessary, by the body of the Specification. Nonetheless, if the specification includes a “dictionary”, this should be taken into account for the purposes of claim construction.
Preliminary considerations
As a general observation, I find the parts of the Opponent’s Summary, related to construing the claims and clarity, somewhat unusual. These parts create the impression that, inter alia, the Opponent is trying to expose all potential deficiencies in the wording of the claims without necessarily relating these to legal implications. In addition, the Opponent is referring to the description for explanations regarding many of the expressions used in the claims without much justification. Moreover, while the Opponent is characterising some aspects as “inapt”, “otiose”, or “odd”, it remains uncertain whether the Opponent is actually asserting what should be the proper interpretation in relation to these aspects, or pointing towards clarity issues. Some examples found in these parts of the OS are provided below:
“… in the claims, there is no antecedent for a ‘financial account’. [0037] of the Opposed Application explains that a financial account is something held by a financial institution for a customer” (OS, page 13, footnote 39)
“There is no definition of a ‘payment apparatus’ but it appears likely that it is a ‘token’ which may be for example, ‘a payment card and/or a secured unique identification component which may be embedded in a device of the customer’: [0037] and see [0042].” (OS, page 13, footnote 40)
“Presumably the ‘server’ [is the server] of a financial institution related to the financial account as explained at [0011] of the Opposed Application.” (OS, page 13, footnote 41)
“… it is inapt to state that a payment apparatus (such as a credit card) has a ‘financial account’ so presumably ‘of the payment apparatus’ is otiose or should read ‘from the payment apparatus’ consistently with the earlier integer in (b) above [i.e., ‘(b) acquire data relating to “the financial account” of the entity wishing to perform the financial transaction from a “payment apparatus”;’ (OS at [5.7], reference(s) omitted)]” (OS, page 13, footnote 42)
Some further examples could be found in the part of the OS dealing with the expression “portion of the data relating to the financial account of the payment apparatus [being/that is] inaccessible to the central processing unit” (starting on page 15 of OS):
“5.16 Claim 1 also provides that there be an ‘acquiring, by the secure hardware element, via the interface of the device, data relating to the financial account from a payment apparatus’. That gives rise to the question, what might comprise ‘data relating to the financial account’? Paragraph [0037] explains that the ‘data related to the customer’s financial account may be any kind of data that allow a financial account to be identified during a transaction. For example, but without being limitative, such data may include keys, certificates, and payment card numbers’.
5.17 As noted above, the EMV standard provides that at least a PAN and an ARQC is required to be obtained from the payment card and sent to the financial institution in order to obtain an online authorisation of a financial transaction. Accordingly, both a PAN and ARQC would constitute ‘data relating to the financial account of the payment apparatus’ that is obtained from the payment apparatus. There does not appear, however, to be any limit to the kind of information that might be acquired from the payment card which is odd since the invention is plainly directed to dealing with sensitive information, but the claim is not limited to data of that kind.” (OS, original italic)
Unlike the Opponent, I cannot see an issue here. The claims define “acquiring … data relating to the financial account” and “transmitting … at least a portion of” these data. To my mind, any “data relating to the financial account” could broadly be characterised as sensitive information. In addition, claim 1 is to a method of conducting a secured financial transaction and, therefore, sensitive data would be implied. More generally, I also consider that, to the extent any of the above identified potential deficiencies in the wording of the claims may actually exist, they appear easily resolvable by purposively construing the relevant claim(s) as a whole.
Often, the issue of clarity is highly dependent on the specific claim interpretation being adopted. In my interpretation of the claims, I will pay particular attention to the phrases and expressions explicitly flagged by the Opponent as being problematic. In the OS, the Opponent’s main concerns are related to the use of the phrase “secure hardware element” (OS at [5.7]-[5.15]) and the expression “portion of the data relating to the financial account of the payment apparatus [being/that is] inaccessible to the central processing unit” (OS at [5.16]-[5.20]).
With respect to the latter expression and, more specifically, with respect to the meaning of “inaccessible to the central processing unit”, having considered some explanations in the body of the Specification, the Opponent concludes:
“5.20 This appears to simply require that the device have a trust separation architecture where information which is considered ‘sensitive’ is only accessed, processed and stored by the secure hardware element. However, as noted above, there is no requirement in the claim that the data taken from the payment card be sensitive.” (OS)
At the hearing, however, the Opponent clarified that they “are not running a case saying: ‘this is impossible to understand’ …”, and submitted that this expression should be interpreted as referring to “access to unencrypted sensitive data”. I have no issues with such interpretation.
The Opponent further clarified, in their oral submissions, that what they are, in fact, pressing as a clarity issue is the use of the phrase “secure hardware element”, hence this is what I will consider next.
“secure hardware element”
As an initial observation, it is worth noting that the body of the Specification uses the exact phrase “secure hardware element” only in the context of what appears to be consistory statements in the section “Summary”. The rest of the body of the Specification uses the phrase “secure element”. I will first consider the meaning of “secure element”, and then discuss the implications of this meaning to the interpretation of the phrase “secure hardware element” as used in the claims.
Does the Specification provide a “dictionary” for “secure element”?
It is important for me to consider whether the Specification provides a “dictionary” (within the meaning of Austal Ships at [13], last dot-point as quoted above) with respect to the phrase “secure element”. In the section “Detailed Description”, there is a specific subsection titled “Terminology”, where some of the terms used in the Specification are discussed. While in some cases, these discussions are clearly limited to providing examples of what a term may encompass to facilitate better understanding of the invention, in other cases, the explanations appear more akin to defining the meaning of a term. I consider the following parts relevant to “secure element”:
“[0028] Throughout the present disclosure, reference is made to secure transactions (for example, but without being limitative, contact and contactless transactions), secure elements (for example, but without being limitative, chipset, secured chipset, hardware embedding secured component, software embedding secured component, or firmware embedding secured component) and security standards. Examples of security standards include, without being limitative, certification standards from Europay, MasterCard, and Visa (EMV), EMVCo, MasterCard®, Visa®, American Express®, JCB®, Discover® and the PCI SSC (Payment Card Industry Security Standards Council (founded by MasterCard®, Visa®, American Express®, Discover® and JCB® and [sic]) dealing specifically with the definition of security standards for financial transactions). Reference to secure transactions, secure elements, and security standards is made for the purpose of illustration and is intended to be exemplary of some embodiments and not limiting of the scope thereof.
[0029] Secure element: a processing entity characterized by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards. From a hardware perspective, a secure element includes usual components found in a computing entity: at least one microcontroller (e.g. CPU), memory (e.g. RAM or FLASH memory), communication interfaces, etc. Specific hardware components may also be included to implement specific functionalities particular to a secure element. For instance, a cryptographic accelerator may be included. Also, a module providing RF and electrostatic insulation may be included, to protect the secure element 16 from eavesdropping. In the context of financial transactions, the certification of the secure element ensures that various financial entities are willing to use the secure element to store and process critical financial data, and to perform secured financial transactions using the critical financial data.” (underlining and italic added)
I note that the first sentence of paragraph [0029] above is a statement that reads like “the specification demonstrates an intention that words [i.e., “secure element’] used elsewhere have a particular meaning” (Austal Ships at [13], last dot-point as quoted above). The rest of this paragraph provides some further explanations, whereas the first sentence of paragraph [0028] provides, in brackets, some non-limiting examples. However, I also note that the last sentence of paragraph [0028] could potentially be interpreted as suggesting that the discussions of “secure element” (as well as “secure transactions” and “security standards”) should be treated as a mere illustration or example. This primarily depends on whether “not limiting of the scope thereof” refers to the scope of the terms “secure transactions, secure elements, and security standards”, or to the scope of “some embodiments”.
Following the rules of grammar, I consider that “thereof” should refer to the last mentioned noun, i.e., “embodiments”. Some clarification of what is meant by “not limiting of the scope thereof” with respect to described embodiments is given in the beginning of the section “Detailed Description”:
“[0027] Aspects of the present disclosure will now be described in connection with one or more contemplated embodiments. The embodiments that are described are intended to be exemplary and not limiting of the scope thereof. In other words, while attention is focused on specific embodiments, those embodiments are not intended to limit the present disclosure. To the contrary, the examples provided below are intended to illustrate the broad scope of the present disclosure.” (underlining and italic added)
In view of the above, I consider it reasonable that “the scope” of described embodiments is the breadth of their disclosure and applicability. I also consider that the breadth of disclosure and applicability of “some embodiments” being not limiting does not necessarily require that the terms used to describe the embodiments are also not limited in their meaning.
With this in mind, in my opinion, the last sentence of paragraph [0028] has no effect on the meaning of the terms “secure transactions, secure elements, and security standards”. Thus, I conclude that paragraph [0029] of the Specification provides a “dictionary” for the meaning of “secure element” (the “dictionary”), i.e.: a processing entity characterised by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards.
I will now consider what does the wording of the “dictionary” actually mean. In doing so, I will endeavour to answer the questions of: “what does ‘a certification ensuring a specific level of security according to specific security standards’ mean?”; “what does ‘subject to’ mean with respect to the certification?”; and “which item is ‘subject to a certification’?”.
What does “a certification ensuring a specific level of security according to specific security standards” mean?
According to one possible interpretation, this expression could refer to the procedure of certification that verifies (and certifies upon successful verification) the compliance with the requirements of “a specific level of security according to specific security standards”. However, I do not consider that this is the appropriate interpretation as I will discuss below.
In paragraph [0029] (the paragraph that also contains the “dictionary”), the Specification explains that:
“[0029] … In the context of financial transactions, the certification of the secure element ensures that various financial entities are willing to use the secure element to store and process critical financial data, and to perform secured financial transactions using the critical financial data.”
Mr Willis also notes that “[a]ny device developed to perform secure financial transactions must function in accordance with the standards. Otherwise, the device could not be certified as complying with the relevant standard and, in turn, no financial institution would allow the device to perform secure financial transactions with it” (Willis-1 at [28]).
Hence, an item which has successfully undergone a certification procedure (i.e., a certified item) is likely to be considered sufficiently secure and trustworthy, thus resulting in better market acceptance of that item. Importantly, “ensuring a specific level of security according to specific security standards” is not achieved by the item merely commencing or even undergoing the procedure of certification, but only after this procedure is successfully completed. Therefore, in the context of the “dictionary”, I consider that the expression in question does not refer to the procedure of certification itself, but instead means having a certified status ensuring a specific level of security according to specific security standards. This certified status is acquired through a successful completion of the relevant certification procedure(s).
What does “subject to” mean with respect to the certification?
It does not appear that “subject to a certification” is a term in the art with a well-established meaning. Macquarie Dictionary (online edition, © Macmillan Publishers Australia 2023) provides the following definition:
“subject to,
a. open or exposed to: *of all the hundred-odd ethnic groups in Australia, only we and the British are subject to criticism; our elites in the universities and the media pour it upon us unceasingly, while exempting all the others as if they were disabled children. –LES MURRAY, 1999.
b. dependent or conditional upon: *Jabiru is also part of Kakadu National Park and so its ‘development’ is subject to a Town Plan and to the park’s Plan of Management. –M. A. HILL AND A. J. PRESS, 1994.
c. under the domination of: subject to colonial rule.
d. Rare under the necessity of undergoing something: subject to death.
e. inclined towards having: subject to headaches.” (original emphasis)
Unfortunately, the above definitions do not appear entirely conclusive for my task of deciding whether the item “subject to a certification”:
(i) is “under the necessity of undergoing” a certification and “dependent or conditional upon” a certification, which could be interpreted to imply that the “dictionary” imposes the limitation that the item must be certified; or
(ii) while “open or exposed to” a certification and “inclined towards having” a certification, the item, according to the “dictionary”, does not necessarily have to be certified.
It appears to me that a meaning according to interpretation (i) could have been more unambiguously articulated by using alternative expressions, such as for example, “having undergone a certification …”, “having a certification …”, “having been certified …”, and the like. In my view, the deliberate use of broader wording in the “dictionary” (which, according to Macquarie Dictionary, allows for both interpretations (i) and (ii)) favours the adoption of the broader interpretation (ii). In addition, while I note that the embodiments in the Specification provide many examples of a secure element that is said to be certified according to certain identified security standards, on a number of occasions (including as quoted above), the Specification insists that the described embodiments are only exemplary and illustrative and should not be treated as limiting the disclosure.
Finally, in the context of a certification of an item, the evidence before me does not suggest that the certification procedure itself actually improves the security of the item (or indeed changes the item in any way), in the sense that a certified item is more secure than (or any different to) the same item before the certification. The item being physically unchanged by the certification procedure (notwithstanding any possible destructive tests performed on sample items) also appears to be pointing towards meaning (ii).
Therefore, on balance, I conclude that an item “subject to a certification” means that the item is open or exposed to a certification, but the item may, or may not, be actually certified.
Which item is “subject to a certification”?
Grammatically, the “dictionary” states that the “specific hardware and/or software components”, which characterise the processing entity, are “subject to a certification”. However, the last sentence of paragraph [0029] (the paragraph also containing the “dictionary”) mentions “the certification of the secure element”. Hence, it would appear that the Specification considers that a certification of the “specific hardware and/or software components” that characterise a processing entity is, in substance, also a certification of the processing entity. It is also not unreasonable to assume that the certification of a processing entity (or a secure element) would inevitably involve the certification of its characterising “specific hardware and/or software components”. Therefore, I consider that the meaning of the “dictionary” extends to both cases, namely:
·the “specific hardware and/or software components” and/or
·the “processing entity”
are “subject to a certification ensuring a specific level of security according to specific security standards”.
In other words, with respect to the specific item which is “subject to a certification”, I consider that the wording of the “dictionary” means a processing entity characterised by specific hardware and/or software components, the entity and/or the components subject to a certification.
The meaning of “secure element” – conclusion
Having decided that the Specification contains a “dictionary” for this term and having considered the wording of the “dictionary” in some detail, I conclude that “secure element” means: a processing entity characterised by specific hardware and/or software components, the entity and/or the components not necessarily having, but open or exposed to having, a certified status ensuring a specific level of security according to specific security standards.
The existence of the “dictionary”, that I need to take into account for claim construction, means that the Experts’ views on the meaning of the term “secure element” are somewhat less relevant. Nonetheless, I believe that it will be helpful for me to briefly consider the extract of the Encyclopedia of Cryptography and Security, © Springer Science+Business Media, LLC 2005, 2011 (the Encyclopedia), filed in evidence as Annexure SH3 to Hadley.
The definition given in the Encyclopedia
On page 1115, the Encyclopedia provides the following definition:
“A Secure Element is a hardware device component. It offers any number of the following non-exhaustive list of tamper resistant secure services to the rest of the device:
● Tamper detection
● Root of trust (e.g., start of an authentication chain)
● Secure memory (e.g., a Secure Element can store the private key of a public key pair)
● Cryptographically secure random number generation
● Cryptographic services (e.g., AES decrypting using a secret key stored in the Secure Element, signature of a message using a private key, verification of a signature)
● Secure generation of keys (e.g., generation of a public key pair or of a shared-secret key for an authentication)
● Secure monitoring of system resources (e.g., detection of hardware configuration changes)
● Secure execution of software modules (e.g., secure boot)
● Secure counting of events (e.g., usage counter for secret keys)
● Secure time measurements (e.g., for a time-bounded proximity detection protocol)
● Tamper resistant unique identifier (e.g., a unique serial number that cannot be forged)
‘Secure Element’ is a broad term; there exist many secure element embodiments: smart cards, SIM cards, memory cards, TPMs, etc. They also exist with various contact and contactless interfaces.” (underlining added)
I cannot see any significant discrepancies between the above definition and the “dictionary” (having regard to my interpretation of its wording). For example, at least some of the above listed “tamper resistant secure services” would require a component that is, or includes, a processing entity. With respect to the issue of certification, the Encyclopedia explains:
“One standard possible way to rate the security level of a given secure element is to evaluate it according to Common Criteria. For example, modern smart cards are evaluated between EAL4 and EAL5+ following the Common Criteria terminology.” (page 1115, underlining added)
“The current trend is to see more and more standardization efforts toward secure elements interoperability: ISO standards, ECMA, ETSI, Global Platform standards, Common Criteria protection profiles, etc.” (page 1116)
Importantly, the Encyclopedia does not explicitly state that the “secure element” is an item that is certified. The absence of such a requirement could possibly be also implied from the underlined sentence above, in which the term “secure element” is used to refer to an item even before “evaluat[ing] it according to Common Criteria”.
As far as differences go, it is worth noting that the Encyclopedia states that “[a] Secure Element is a hardware device component”, whereas the “dictionary” defines the “secure element” as “a processing entity characterized by specific hardware and/or software components”. Notably however, claim 1 defines “a device … comprising … a secure hardware element embedded in a chipset of the device” (underlining added), and the other independent claims define the same limitation. Hence, any potential differences, as to whether a “secure element” must necessarily be a hardware element/component, are inconsequential for the purpose of claim construction as I will discuss in the next section of this decision.
“secure hardware element” vs “secure element”
I am unable to identify any evidence that “secure hardware element” is a term in the art having a meaning that is completely unrelated to the meaning of the term “secure element” (in fact, the opposite could be inferred, e.g., from Merrick at [13]). In plain English, “secure [being an adjective] hardware [being a noun as adjective] element [being a noun]” means an element that is both a secure element and a hardware element. In other words, it is a secure element which consists of hardware. I emphasise that this does not preclude a secure hardware element from incorporating software components stored in, and executed by, the hardware components of the element. What is excluded from the meaning of “secure hardware element” is a secure element that consists entirely of software components. In other words, I do not consider that “secure hardware element” means an element having secure hardware; if that were the case, then “empty coffee cup” would mean a cup for drinking empty coffee, instead of the more appropriate meaning of a cup that is both an empty cup and a cup for drinking coffee.
which may suggest that he regards the combination of iSMP and an SMD as a device, he does not see the iSMP itself as the disclosure of a secure hardware element. Instead, he considers that the secure element is within the iSMP:
“It [the iSMP] therefore must have a ‘secure element’ as also required by D6, described below … The definition of the secure element in the Patent at [028] matches the requirements listed in the Payment Card Industry (PCI) documentation for a Pin Entry Device (PED). Payment terminals must have a secure element for compliance with PCI and EMV standards …” (Schedule 2 to Willis-1, page 3, underlining added)
“D4 all: The payment control application must run on the CPU of iSMP and necessarily must comprise control instructions to control the secure element otherwise a secure transaction could not occur.” (Schedule 2 to Willis-1, page 5, original bold, underlining added)
140. In addition, it is important to note that, in his explanations of how the features of the claims are disclosed in document D4, Mr Willis only asserts the implied disclosure of a “secure element”, and not of a “secure hardware element”. I find this significant, given that Mr Willis provides a considerably detailed discussion on the use of the word “hardware” in the term “secure hardware element” as defined in claim 1 and, from his comments, it would appear that he does not think that “secure hardware element” and “secure element” are the same. In that regard, I do not consider that Mr Willis’s stray comment that “the word ‘hardware’ … appears to have been added to the claims to give the appearance of a more physical effect, rather than a mere data processing scheme” (see Willis-1 at [58] as quoted below) is sufficient for me to reach a different conclusion in the absence of a clearer statement to that effect. Indeed, regarding “secure hardware element”, Mr Willis states:
“55. The invention described in the opposed application and around which the claims are drawn is a device comprising a secure hardware element for conducting a secured financial transaction. Accordingly, the security of the financial transaction must be achieved by way of the nature and function of the ‘secure hardware element’. Firstly, I note that the term ‘secure hardware element’ is not described at all in the specification. The closest definition is of a ‘secure element’, at paragraph [0029]: from a ‘hardware perspective’ a ‘secure element’ includes typical computing elements and:
‘Specific hardware components may also be included to implement specific functionalities particular to a secure element. For instance, a cryptographic accelerator may be included. Also, a module providing RF and electrostatic insulation may be included, to protect the secure element 16 from eavesdropping.’ (emphasis added)
56. Accordingly, part of the invention described and around which the claims are drawn is to a device comprising a secure hardware element for conducting a secured financial transaction, where the secured element may be provided with electrostatic insulation to protect the secure element from eavesdropping.
…
58. Further, the word ‘hardware’ which appears to have been added to the claims to give the appearance of a more physical effect, rather than a mere data processing scheme, is not sufficiently described in the specification to allow me to implement its use to achieve the claimed results. For instance, the separation of different types of data between the CPU and secure hardware element, is not described at all well enough for one to achieve the result through hardware.
…
60. The claims are not clear as a feature of each claim is the ‘secure hardware element’. The opposed application seeks to define ‘secure elements’ (noting the lack of the word hardware) in the ‘Terminology’ section at paragraphs [0028] and [0029]. In particular, paragraph [0028] exemplifies ‘secure elements’ non-exhaustively as ‘chipset, secured chipset, hardware embedding secured component, software embedding secured component, or firmware embedding secured component)’ (emphasis added). The terms in bold have no clear meaning in the art, and are not clarified by the specification, such that they would be readily understood by the person of relevant skill in the art. Therefore, a third party cannot know the precise extent of the scope of the claim. It is acknowledged that the terms ‘hardware’, ‘software’ and ‘firmware’ are readily understood terms. The term ‘secured component’ is a broad term that could encompass a wide variety of components or elements that possess a security characteristic. However, use of the word ‘embedding’ in combination with one of the terms ‘hardware’, ‘software’ and ‘firmware’ and in combination with the term ‘secured component’ results in vague and somewhat meaningless features and the specification does not make clear to the person of relevant skill in the art how to implement a ‘hardware embedding secured component’, a ‘software embedding secured component’, or a ‘firmware embedding secured component’.” (Willis-1, original bold and italic, underlining added)
141. I have already found that the claims are clear, so I will only note that I am unsure as to how phrases like “hardware embedding secured component”, “software embedding secured component”, or “firmware embedding secured component” could make the claims unclear, given that these phrases are not present explicitly in the claims and are not part of the “dictionary”, but instead are clearly understood by Mr Willis to be non-exhaustive examples. This is also not helped by Mr Willis’s statements that the term “hardware” is “readily understood” and the term “secured component” is broad, but not necessarily unclear.
142. In summary, the evidence suggests that, while Mr Willis makes a clear distinction between “secure element” and “secure hardware element”, and clearly acknowledges that the latter is “a feature of each claim”, he only discusses the disclosure of a secure element in document D4, as opposed to the disclosure of a secure hardware element. To me, this is a strong indication that Mr Willis is unsure whether the secure element, which he considers to be incorporated within the iSMP by inherency, is indeed a secure hardware element as defined in claim 1.
143. With respect to document D4, Mr Hadley states:
“44 D4(a)-(d) shows a payment terminal and an iPhone or iPod. From what I can tell from the details in D4(a)-(d), the payment terminal of D4(a)-(d) is similar to the payment terminal of D1. It differs from the payment terminal of D1 by being specifically designed to operate with the iPhone or iPod. In particular, instead of using the other connectivity options for receiving a payment amount and communicating with an acquirer, the payment terminal of D4(a)-(d) uses its connection with the iPhone or iPod to communicate with the acquirer (e.g. financial institution) via the iPhone or iPod’s internet connection.
…
46 The payment terminal of D4(a)-(d) has a form factor (e.g. a housing) to accommodate the iPhone or iPod. It also has an additional interface (e.g. a physical jack or Bluetooth connection) to permit data communication with the iPhone or iPod. In operation, I understand that an application on the iPhone or iPod allows the entry of a payment amount for a transaction. The application on the iPhone or iPod will communicate, via Bluetooth or the physical jack, the payment amount to the payment terminal to invoke running of the payment application on the main processor of the payment terminal. The main processor would be responsible for communicating with an acquirer by connecting to the internet via the iPhone or iPod through the physical jack or Bluetooth connection.
47 I understand the payment terminal of D4(a)-(d) to operate as a traditional payment terminal. It has a main processor and a cryptoprocessor. Other than the difference in connectivity to receive the payment amount and to communicate with an acquirer, which I describe in paragraphs 44 to 46 above, I understand that the payment terminal of D4(a)-(d) would operate as I describe in paragraph 42 to 43 above [with respect to D1].” (Hadley, underlining added)
144. Paragraphs 42 and 43 of Hadley are reproduced below:
“42 The payment terminal has a main processor and a cryptoprocessor. The main processor is the CPU of the payment terminal of D1. In line with traditional, or known, payment terminals, I understand that in the payment terminal of D1 a payment application would be run on the main processor. The payment amount would be received by the payment application running on the main processor, for example due to the payment amount being entered using the pin pad of the payment terminal or through one of the described connectivity options, for example a USB port. The main processor would then be responsible for performing functions that I describe in paragraph 32 above [i.e., features 1.10-1.11 and 1.13-1.15 of claim 1] and would communicate with an acquirer (e.g. a financial institution) through another one of the connectivity options, for example by connecting to the internet via a router and modem through the Ethernet connection.
43 The cryptoprocessor would be invoked by the payment application on the main processor as required to perform some functions. The cryptoprocessor would not perform the functions that I describe in paragraph 32 above, it instead provides other functions for the main processor, to enable the main processor to perform those functions. For example, the cryptoprocessor of the payment terminal of D1 would be responsible for generating random numbers and holding keys that would be used for encryption of data.” (underlining added)
145. Mr Hadley concludes:
“47 … I therefore consider that the payment terminal shown in D4(a)-(d) is completely different to the invention described in the Application, as it does not describe the functions performed by the secure hardware element that I describe in paragraph 32 above [i.e., features 1.10-1.11 and 1.13-1.15].” (Hadley, underlining added)
146. In his evidence in reply, Mr Willis states:
“10. Paragraph 44 to 47 of the Hadley Declaration relates to D4. My view on D4 in relation to the claims of the Opposed Application as outlined in my earlier declaration remains unchanged. The Hadley Declaration does not address my comments on the features of the claims of the Opposed Application with respect to the specific disclosures in D4 as outlined in my earlier declaration.” (Willis-2, underlining added)
No additional information that could assist with my novelty consideration is provided.
147. In view of the above discussion, on balance, I conclude that the evidence before me is insufficient to establish that document D4 “contain[s] clear and unmistakeable directions to do what the patentee claims to have invented”. Neither the document on its face, nor the Experts’ evidence on its disclosure helps me identify, in document D4, “a device used as a payment terminal … the device comprising … a secure hardware element embedded in a chipset of the device”, even if I were to accept the Opponent’s submissions that the iSMP (or one or more of its components) must inherently perform all of features 1.10 to 1.15 of claim 1.
Conclusion on novelty for claim 1 in light of document D4
148. There is no suggestion that the feature of a secure hardware element embedded in a chipset of the device is inessential and, in view of the Specification, I do not consider this to be the case. It follows that the Opponent has not established that document D4 discloses all essential features of claim 1 and, thus, has not established that claim 1 is not novel in light of document D4. As a result of this finding, it is unnecessary for me to decide whether document D4 discloses that “the device [is] running a point of sale (POS) application … the POS application [is] comprising a payment control application, the payment control application [is] running on the central processing unit [of the device] and comprising control instructions to control the secure hardware element without allowing the central processing unit to access the secure hardware element”. Nonetheless, it is perhaps worth noting that, in my opinion, the evidence does not appear to be very conclusive on the issue. For example, as I already discussed, Mr Willis explicitly states that “[t]he payment control application must run on the CPU of iSMP” (Schedule 2 to Willis-1, page 5), as opposed to the CPU of the SMD. This statement cannot be simply ignored just because the Opponent does not wish to rely on it, and suggests instead an alternative interpretation supposedly based on different parts of Mr Willis’s evidence.
Novelty – conclusion
149. The remaining independent claims (claims 8 and 15) define respectively “[a] device to be used as a payment terminal … the device comprising … a secure hardware element embedded in a chipset of the device” and “… a device, the device to be used as a payment terminal … the device comprising … a secure hardware element embedded in a chipset of the device”. It is clear that the above conclusion with respect to claim 1 is equally applicable to claims 8 and 15.
150. Each dependent claim incorporates the features of the respective independent claim, to which it is ultimately appended, hence the Opponent has not established that any one of the claims is not novel in light of document D4.
151. As document D4 is the only prior art document raised by the Opponent for novelty, I am not satisfied that the Opponent has established that any one of the claims is not novel.
Inventive step
152. The test for obviousness was developed in Wellcome Foundation Ltd v VR Laboratories (Aust) Pty Ltd [1981] HCA 12; (1981) 148 CLR 262 (Wellcome Foundation):
“The test is whether the hypothetical addressee faced with the same problem would have taken as a matter of routine whatever steps might have led from the prior art to the invention, whether they be the steps of the inventor or not.” (at [45], underlining added)
153. In considering the question of what constitutes “a matter of routine”, in Aktiebolaget Hassle v Alphapharm Pty Ltd [2002] HCA 59; (2002) 212 CLR 411; (2002) 194 ALR 485; (2002) 77 ALJR 398, it was stated at [53]:
“That way of approaching the matter has an affinity with the reformulation of the ‘Cripps question’ by Graham J in Olin Mathieson Chemical Corporation v Biorex Laboratories Ltd. This Court had been referred to Olin in the argument in Wellcome Foundation. Graham J had posed the question:
‘Would the notional research group at the relevant date, in all the circumstances, which include a knowledge of all the relevant prior art and of the facts of the nature and success of chlorpromazine, directly be led as a matter of course to try the -CF3 substitution in the “2” position in place of the -Cl atom in chlorpromazine or in any other body which, apart from the
-CF3 substitution, has the other characteristics of the formula of claim 1, in the expectation that it might well produce a useful alternative to or better drug than chlorpromazine or a body useful for any other purpose?’ (emphasis added)
That approach should be accepted.” (original emphasis, reference(s) omitted)
154. In Lockwood Security Products Pty Ltd v Doric Products Pty Ltd (No 2) [2007] HCA 21; (2007) 235 ALR 202; 81 ALJR 1070, it was stated:
“In Alphapharm, this Court reiterated that ‘obvious’ means ‘very plain’, as stated by the English Court of Appeal in General Tire & Rubber Co v Firestone Tyre and Rubber Co Ltd. The majority in Alphapharm also confirmed that the question of whether an invention is obvious is a question of fact, that is, it is what was once a ‘jury question’. Broadly speaking, the question is not a question of what is obvious to a court. As well as being a question of fact, the question of determining whether a patent involves an inventive step is also ‘one of degree and often it is by no means easy’, because ingenuity is relative, depending as it does on relevant states of common general knowledge …
Further, as recognised in Beecham Group Ltd’s (Amoxycillin) Application, as a basic premise, obviousness and inventiveness are antitheses and the question is always ‘is the step taken over the prior art an “obvious step” or “an inventive step”’? An inventive step is often an issue ‘borne out by the evidence of the experts’. There is no distinction between obviousness and a lack of inventive step. A ‘scintilla of invention’ remains sufficient in Australian law to support the validity of a patent. In R D Werner Lockhart J stated that there must be ‘some difficulty overcome, some barrier crossed’. This is consonant with older authorities in the United Kingdom which recognised that some inventiveness was required to distinguish patentable advances over the prior art from advances which ‘any fool’ could devise. It also accords with the requirement in the United States that for an invention to be ‘non-obvious’ it must be ‘beyond the skill of the calling’.” (at [51]-[52], underlining added, reference(s) omitted)
155. It is important to emphasise that obviousness is a question of fact that is to be established by evidence.
156. With respect to inventive step, “[t]he Opponent asserts that the claims lack an inventive step in light of the common general knowledge when combined with D1 or D4 (comprising the combination of D4(a)-(d)). If the EMV and PCI standards are not considered common general knowledge, then the Opponent asserts that each of them would be read with each of D1 and D4 as they are referred to in those disclosures” (OS at [7.1]). The parts of Willis-1 that appear relevant to the question of obviousness are presented below:
“5. I was provided with the full accepted specification of the Opposed Application, and with the claims as accepted.
6. I was asked to subsequently provide my view on whether the invention defined by the claims in the accepted specification of the Opposed Application, is disclosed in any of the published documents or prior art information listed below. …
…
26. By way of summary, I think that the alleged invention is not novel and does not appear to offer any significant contribution to the art because the claimed invention does no more than describe the known application or obvious application of published industry standards for secure financial transactions.
27. Such standards are referred to throughout the Opposed Application. However, the specification does not acknowledge that such standards provide a wealth of detail instructing the person skilled in the relevant art as to how to implement secure financial transactions, the features of the devices involved in processing secure transactions, and the processes that must be followed to comply with the standards.
28. Any device developed to perform secure financial transactions must function in accordance with the standards. Otherwise, the device could not be certified as complying with the relevant standard and, in turn, no financial institution would allow the device to perform secure financial transactions with it. As shown below, before the priority date, various devices were promoted as complying with the relevant standards published at the time.
29. It appears that the detail provided by the prior art in the form of such standards, and devices which were promoted as complying with those standards, has not been considered during examination of the opposed application, and such prior art destroys any novelty and/or inventiveness in the claimed invention.
…
48. D4 (with one or more of D6 to D10) If for any reason another person skilled in the relevant art would treat each any [sic] of D4 and D6 to D10 as multiple sources of information, it would nevertheless have been obvious at the priority date to combine the teachings of each of those documents. Similarly to D1 as mentioned above.
…
52. In any event, it would have been obvious at the priority date to merely follow the requirements specified by the standards, which are widely known, and applying them to a device. The opposed application simply states the desire to have those standards met by a device and offers no inventive way to achieve that outcome. Broadly speaking, the opposed application really does no more than identify the relevant standards and claim any method or device that meets them.
53. The relevant standards are published to enable device designers and manufacturers produce devices that comply with the standards so the devices can be certified and be used for secured transactions. There is no ingenuity, creativity or technical hurdle to overcome following the requirements specified by the relevant standards to achieve a compliant device.” (original italic and underlining, bold added)
157. The parts of Webster that appear relevant to the question of obviousness are presented below:
“4. I was provided with the full accepted specification of the Opposed Application including the claims as accepted.
5. I was asked to provide my view on whether the invention defined by the claims in the accepted specification of the Opposed Application, was already known before the priority date. I was asked to provide my view on whether the invention defined by each claim in the accepted specification of the Opposed Application is disclosed in any document published before the priority date known to me or an engineer responsible for, or involved in the design, programming and/or maintenance of systems and/or tools used in the technical field to which the Opposed Application relates at that time.
…
9. I conducted a quick search and found documents D20 and D21 which support this point.
…
13. D20 describes a trust separated architecture and provides a specification. Chapter 13, p160 describes a mobile payment use case in great detail, which is relevant to the Opposed Application. Based on D20, it seems to me that it would have been obvious to implement the method and device as claimed in the Opposed Application.
14. D21 describes an implementation of the OMTP standard described in D20. Whilst this isn’t payment specific, it does mention M-Commerce (i.e. mobile commerce) as an application area. In my view, it provides a concrete implementation that could have been used for a payment system, which uses an identical security architecture and pre-dates the Opposed Application.” (underlining added)
158. I am struggling to see how the above Expert evidence could support a finding of obviousness in a case like the one currently before me. In Meyers Taylor, Aickin J observed:
“36. I have set out these answers in full because they seem to me to state in relation to the present patent very clearly the application of the well-known principle that subsequent analysis of the invention – ‘the dissection of the invention’ – is not often helpful in resolving the question of obviousness. It has been criticized as being a mistaken approach, see Blanco White, Patents for Inventions, 4th ed. (1974), at par. 4-214. This matter was also discussed by Menzies J in Commonwealth Industrial Gases Ltd. v. M.W.A. Holdings Pty. Ltd. [1970] HCA 38; (1970) 44 ALJR 385, at pp 386-387 where he commented on the undesirability of analysis by hindsight because once one sees an invention it may very often appear very simple and one may then wonder why no one previously had thought of so simple an improvement or device. I would add that frequently the answer to that question will be that the device involved an inventive step, though of course that is not necessarily or always so. Menzies J. quoted from Lord Russell in Non-Drip Measure Co. Ltd. v. Strangers Ltd. as follows (1943) 60 RPC 135, at p 142:
‘Whether there has or has not been an inventive step in constructing a device for giving effect to an idea which when given effect to seems a simple idea which ought to or might have occurred to anyone, is often a matter of dispute. More especially is this the case when many integers of the new device are already known. Nothing is easier than to say, after the event, that the thing was obvious and involved no invention. …’” (underlining added)
159. In my opinion, insofar as it relates to inventive step, the evidence of Mr Willis and Mr Webster is a clear example of an ex post facto analysis, an approach that has been consistently criticised by the Courts. I note that the Opponent refers to the reformulated “Cripps question” and to the above quoted test from Wellcome Foundation (OS at [7.3]-[7.4]). However, the evidence filed by the Opponent fails to engage in any meaningful way with Wellcome Foundation, or to provide any logical alternative explaining how the claimed invention, with all of its defined features, is obvious. A consideration of whether “[t]rust separation architectures in payment systems” were known (e.g., Webster at [8]) is clearly insufficient. While Mr Willis discusses the individual features of the claims, his comments in Schedule 2 to Willis-1 regarding the ground of inventive step are limited to the following, reproduced below in full (original bold):
“● For inventive step see also: D11: EMV Co., A Guide to EMV, Version 1.0, Section 5, EMV – How It Works, pp 17-23, in particular p 18 ‘If the chip requests to go online, then the terminal builds an online request to the issuer host for authorisation and online card authentication. If the response includes optional issuer authentication (ARPC), the terminal will send the data to the chip for verification.’” (with respect to feature 1.12)
“For inventive step see also: D11: EMV Co., A Guide to EMV, Version 1.0, Section 5, EMV – How It Works, pp 17-23, in particular p 18 ‘If the chip requests to go online, then the terminal builds an online request to the issuer host for authorisation and online card authentication. If the response includes optional issuer authentication (ARPC), the terminal will send the data to the chip for verification.’” (with respect to feature 1.13)
“For inventive step: Acquiring at least one of a personal identification number (PIN), a signature, a passcode, and biometrics data for processing a secure financial transaction was well known at the priority date. Fingerprint scanners on smartphones have been known since at least 2004 (Pantech GI100). See D15 and D16.
For inventive step see also: D11: EMV Co., A Guide to EMV, Version 1.0, Section 5, EMV – How It Works, pp 17-23.” (apparently, with respect to feature 1.14, although in Schedule 2 this is again referred as feature 1.13)
“For inventive step see also: D11: EMV Co., A Guide to EMV, Version 1.0, Section 5, EMV – How It Works, pp 17-23.” (apparently, with respect to feature 1.15, although in Schedule 2 this is referred to as feature 1.14)
160. The Opponent’s submissions on inventive step cannot rectify the deficiencies of the evidence and I do not consider it necessary to discuss them in detail. On balance, I am not satisfied that the Opponent has established that any one of the claims is obvious.
161. In light of this, I do not need to decide whether document D1 (Ingenico brochure for iPP320/350) was “published by Ingenico on or about October 2011, as inferred from the vertical writing on the right side of page 2 of the document” (OS at [7.15] and similar in Willis-1 at [7]). Nevertheless, I have my doubts that this vertical writing could reliably establish the publication date of document D1 given, for example, that “[t]he document itself can be downloaded from the internet at (Willis-1 at [7], underlining and italic added). This is so, even taking into account that “D1 is similar to D2, being the launch press release of the iPP320/350 device, described below, which is established as published by at least 18 September 2010. That document [i.e., D2] also has vertical writing on the right side of page 2 of the document which indicates the date August 2010” (Willis-1 at [7.1]).
Conclusion and costs
162. I have found that the claims are clear. In addition, I have not found that any one of the claims is not novel or does not involve an inventive step. It follows that the opposition is unsuccessful on all grounds.
163. It is a normal practice that costs should follow the event, and I can see no reasons, in this particular case, to deviate from the normal practice. Since the opposition is unsuccessful, I will award costs according to Schedule 8 against the Opponent.
Dr V. Z. Kolev
Delegate of the Commissioner of Patents
0
17
0