ELECTRONIC PAYMENTS, INC.
Patent Trials and Appeals Board
Feb 23, 2022
2021003280 (P.T.A.B. Feb. 23, 2022)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/540,032
FILING DATE: 11/12/2014
FIRST NAMED INVENTOR: Terry L. Glatt
ATTORNEY DOCKET NO.: 10375-0007
CONFIRMATION NO.: 1890

16698 7590 02/23/2022
Sean L. Ingram
Ingram IP Law, P.A.
601 Heritage Drive, #426
Jupiter, FL 33458

EXAMINER: GETACHEW, WODAJO
ART UNIT: 3685
PAPER NUMBER:
NOTIFICATION DATE: 02/23/2022
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): docket@ingramiplaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________
Ex parte TERRY L. GLATT
__________________
Appeal 2021-003280
Application 14/540,032
Technology Center 3600
____________________

Before JAMES P. CALVE, KENNETH G. SCHOPFER, and AMEE A. SHAH, Administrative Patent Judges.

CALVE, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the decision of the Examiner to reject claims 25-44, which are all of the pending claims.² We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

¹ “Appellant” refers to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies Electronic Payments Inc. as the real party in interest in this appeal. Appeal Br. 2.
² Claims 1-24 are cancelled. See Appeal Br. 23 (Claims App.).
CLAIMED SUBJECT MATTER

The claimed point of sale (POS) device can be locked to a particular independent sales organization (ISO), member service provider (MSP), or payment processor via a software lock to prevent the device from operating. Spec. ¶¶ 17, 26.³ Periodic authentication compares a security key generated by the POS device to a control key for a match. Id. ¶ 23.

Claims 25, 32, and 39 are independent. Claim 25 recites such a point-of-sale device as follows:

25. A point-of-sale device for a merchant, comprising:
an input that receives at least one of merchant identification data corresponding to a merchant account associated with the merchant, business identification data associated with the merchant, and hardware identification data associated with the point-of-sale device; and
a computer communicatively coupled to the input, the computer having:
a security module that uses bitwise interleave encryption to generate an empirical security key from at least one of said merchant identification data, said business identification data, and said hardware identification data;
a network interface controller communicatively coupled to said security module, wherein said network interface controller communicates with an authentication server to obtain comparison results between a control security key generated at the authentication server and the empirical security key, said network interface controller being configured to receive payment processing authorization based on a match between the control security key and the empirical security key; and
a payment module communicatively coupled to said security module and said network interface controller, said payment module being authorized to process payments upon receipt of the payment processing authorization.

Appeal Br. 23 (Claims App.).

³ Unless otherwise noted, all citations to the Specification (“Spec.”) refer to the original specification that was filed on Nov. 12, 2014.
REJECTIONS⁴

Claims 25-44 are rejected under 35 U.S.C. § 101 as directed to a judicial exception without significantly more.

Claims 25-44 are rejected under 35 U.S.C. § 112(a) for failing to comply with the written description requirement.

Claims 25-44 are rejected under 35 U.S.C. § 112(b) as being indefinite.

Claims 25, 27-29, 31, 32, 34-39, and 41-44 are rejected under 35 U.S.C. § 103 as unpatentable over Rabin,⁵ Langley,⁶ Miller,⁷ and von Mueller.⁸

Claims 26, 33, and 40 are rejected under 35 U.S.C. § 103 as unpatentable over Rabin, Langley, Miller, von Mueller, and Schwartz.⁹

Claim 30 is rejected under 35 U.S.C. § 103 as unpatentable over Rabin, Langley, Miller, von Mueller, Schwartz, and Khan.¹⁰

ANALYSIS

Eligibility of Claims 25-44

Appellant does not argue the claims apart from claim 25. See Appeal Br. 5-7. We use claim 25 as the representative claim. Claims 26-44 stand or fall with claim 25. See 37 C.F.R. § 41.37(c)(1)(iv) (2019).

⁴ The rejection of claims 25-31 and 39-44 under 35 U.S.C. § 102(a)(1) as anticipated by Langley (US 2012/0150669 A1, published June 14, 2012) is withdrawn. See Ans. 3; see also Final Act. 38-39.
⁵ US 6,697,948 B1, issued February 24, 2004.
⁶ US 2012/0150669 A1, published June 14, 2012.
⁷ US 2012/0201381 A1, published August 9, 2012.
⁸ US 2013/0254117 A1, published September 26, 2013.
⁹ US 2010/0153008 A1, published June 17, 2010.
¹⁰ US 2015/0095238 A1, published April 2, 2015.

The Examiner determines that the claims recite the abstract idea of access authorization. Final Act. 22.
In particular, the Examiner determines that the claims recite certain methods of organizing human activity and/or mathematical concepts by limitations that receive merchant, business, and/or hardware identification data, generate an empirical security key from the data, communicate the empirical security key to an authentication entity, obtain payment processing authorization based on a match between a control security key generated at the authentication entity and the empirical security key, and authorize payment processing upon receipt of the authorization. Id. The Examiner determines that these functions are commercial interactions and business relations between payment system users and payment system providers within certain methods of organizing human activity. Id. at 22-23. The Examiner determines that this abstract idea is not integrated into a practical application because additional elements of a point-of-sale device for a merchant, a computer having a security module, a network interface controller to communicate with an authentication server, and a payment module coupled to the security module are used as generic tools to perform the abstract idea and/or link its use to a particular environment. Id. at 23-24. The Examiner also determines that the additional elements do not improve computer functions or other technology, do not apply the abstract idea with a particular machine, do not effect a transformation or reduction of a particular article to a different state or thing, and do not apply the abstract idea in a meaningful way beyond merely linking its use to a particular technological environment. Id. at 24-25. The Examiner determines that the additional elements are not significantly more than the abstract idea, and a combination of elements merely recites the concept of access authorization. Id. at 25-27. 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 35 U.S.C. § 101. Laws of nature, natural phenomena, and abstract ideas are not patentable. See Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 216 (2014).

To distinguish patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications, we first determine whether the claims are directed to a patent-ineligible concept. Id. at 217. If they are, we consider the claim elements, individually and as an ordered combination, to determine if any additional elements provide an inventive concept sufficient to ensure that the claims in practice amount to significantly more than a patent on the ineligible concept. Id. at 217-18.

The USPTO has issued guidance for this framework. 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50 (Jan. 7, 2019) (“Revised Guidance”); MANUAL OF PATENT EXAMINING PROCEDURE § 2106 (9th Ed. Rev. 10.2019, June 2020). To determine if a claim is “directed to” an abstract idea, we evaluate whether the claim recites: (1) any judicial exceptions, including certain groupings of abstract ideas in the Revised Guidance (i.e., mathematical concepts, certain methods of organizing human activities such as a fundamental economic practice, or mental processes); and (2) additional elements that integrate the judicial exception into a practical application.¹¹ Revised Guidance, 84 Fed. Reg. at 52-55.

¹¹ “A claim that integrates a judicial exception into a practical application will apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception.” Revised Guidance, 84 Fed. Reg. at 54.

If a claim (1) recites a judicial exception and (2) does not integrate that exception into a practical application, we consider whether the claim (3) provides an inventive concept such as by adding a limitation beyond a judicial exception that is not “well-understood, routine, conventional” in the field or (4) appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception. Revised Guidance, 84 Fed. Reg. at 56.

Statutory Subject Matter / Revised Guidance Step 1

We agree with the Examiner that claim 25 recites a device, which is a statutory category of a machine. See 35 U.S.C. § 101; Final Act. 22.

Alice Step One / Revised Guidance Step 2A, Prong One

We agree with the Examiner that the focus of claim 25 is on a device that performs data processing functions of commercial interactions between payment system users (merchants using a POS device) and payment system providers (an ISO, MSP, or payment processor) who provide POS devices to merchants. Final Act. 22-23; Spec. ¶¶ 16, 31. Authentication ensures that the POS device is used in accordance with contract terms. See Spec. ¶ 23 (pp. 6-8). The claimed device manages commercial and legal interactions and business relations formed under a contractual agreement and thus falls in the certain methods of organizing human activity grouping of abstract ideas. See Revised Guidance, 84 Fed. Reg. at 52. As claimed, bitwise encryption and comparison of security keys recite basic mathematical concepts that can be performed as mental processes along with the data processing functions.

The application title, “Lockable POS Device, Method for Distributing Lockable POS devices, and Method for Locking a Lockable POS Device,” reflects this focus on monitoring a POS device and locking it.
The commercial interaction and business relations relate to a business model to sell POS equipment. See Spec. ¶ 31. The lockdown feature of the POS device allows an MSP/ISO to purchase POS devices and provide them at a discount or no charge if the merchants enter into a merchant processing contract, which requires the merchants to process payment card transactions at the POS device through the providing MSP/ISO for a period of years. Id. The lockdown ensures that the POS system is used only with authorization from the selling MSP/ISO so the MSP/ISO can recover the cost of the POS device over the lifetime of its use by charging the merchant fees. Id. ¶ 22.

To ensure compliance with the terms of the contract, the POS device periodically generates and transmits a software key to a business server that authenticates the key by comparing it with a stored key generated using the same data and algorithm, e.g., a bitwise interleave encryption one-way hash algorithm. Id. ¶¶ 43, 44. In a preferred embodiment, the POS device 20 is authenticated daily. Id. ¶ 45.

Because the security key (a one-way hash) is generated with data of a merchant and POS device (e.g., a merchant account identifier (MID) unique to a merchant, a business identifier (BID) unique to the business of a merchant, and/or a hardware identifier (HID) unique to the POS device), changes in the use of the POS device will cause the generated security software key to not match the stored software key for the POS device. See id. ¶¶ 19-21, 23. If the security key generated by the POS device does not match the stored control key, a software lock prevents the device from operating. Id. ¶¶ 23, 26. If a merchant submits a transaction to the processor with a security key based on a different MID, a different BID, or a different POS device (different HID), the transaction will not be processed. Id. ¶ 23 (p. 7).
Consistent with this description, claim 25 recites a POS device that receives MID data for a merchant account, BID data for a merchant, and/or HID data for the POS device, generates a security key via bitwise interleave encryption, communicates the key to an authentication server to compare it to a control security key, and receives payment processing authorization if the generated (empirical) security key matches the server’s control key. See Appeal Br. 23 (Claims App.).

As claimed, without technical implementation details, these generic functions of data collection, mathematical calculation or analysis, communication, and comparison organize and classify activities of the POS device and manage commercial interactions between a merchant and ISO/MSP provider of the POS device under a contract. They can be performed by any and all technical means including mental processes. See Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1355 (Fed. Cir. 2016) (“[S]electing information, by content or source, for collection, analysis, and display does nothing significant to differentiate a process from ordinary mental processes, whose implicit exclusion from § 101 undergirds the information-based category of abstract ideas.”); In re TLI Commc’ns LLC Patent Litig., 823 F.3d 607, 613 (Fed. Cir. 2016) (classifying and storing digital images in an organized manner by attaching dates and times to the images is a method of organizing human activity); Content Extraction & Transmission LLC v. Wells Fargo Bank, Nat’l Ass’n, 776 F.3d 1343, 1347 (Fed. Cir. 2014) (steps of collecting data, recognizing data in the collection, and storing recognized data recite steps humans always have performed to organize such data and activity).

Here, a security key is generated using a generic bitwise interleave encryption algorithm and compared to a stored key to verify a merchant’s compliance with an ISO/MSP’s contract.
Whether generation of the security key and comparison with a control security key at an authentication server is characterized as a mathematical concept or a mental process or both, the result is the same. The focus of the claim is on abstract ideas within the enumerated groupings of abstract ideas in the Revised Guidance. See Revised Guidance, 84 Fed. Reg. at 52; Apple, Inc. v. Ameranth, Inc., 842 F.3d 1229, 1240 (Fed. Cir. 2016) (“An abstract idea can generally be described at different levels of abstraction. . . . The Board’s slight revision of its abstract idea analysis does not impact the patentability analysis.”); see also Elec. Power, 830 F.3d at 1354 (“In a similar vein, we have treated analyzing information by steps people go through in their minds, or by mathematical algorithms, without more, as essentially mental processes within the abstract-idea category.”); SAP Am., Inc. v. InvestPic, LLC, 898 F.3d 1161, 1167 (Fed. Cir. 2018) (“The focus of the claims, as reflected in what is quoted above, is on selecting certain information, analyzing it using mathematical techniques, and reporting or displaying the results of the analysis. That is all abstract.”); Digitech Image Techs, LLC v. Elecs. for Imaging, Inc., 758 F.3d 1344, 1351 (Fed. Cir. 2014) (“Without additional limitations, a process that employs mathematical algorithms to manipulate existing information to generate additional information is not patent eligible.”); Classen Immunotherapies, Inc. v. Biogen IDEC, 659 F.3d 1057, 1067-68 (Fed. Cir. 2011) (a method that collects and compares data, without more, is abstract); CyberSource Corp. v. Retail Decisions, Inc., 654 F.3d 1366, 1373 (Fed. Cir. 2011) (retrieving credit card numbers from a database and comparing a map of the numbers to Internet transactions to identify different credit cards with different names and addresses used at same IP address is performable in the human mind).
The Specification describes this authentication process as mitigating the risk that an ISO/MSP will not recoup its investment because “subsidizing the POS equipment is risky in that the MSP/ISO cannot be assured that the merchant will not go to another MSP/ISO and use the POS system with another MSP/ISO, circumventing their ability to realize payback for their subsidized investment.” Spec. ¶ 16. Mitigating risk in commercial and/or financial transactions is a fundamental economic practice within the certain methods of organizing human activity grouping of abstract ideas. See Revised Guidance, 84 Fed. Reg. at 52; see also Alice, 573 U.S. at 219 (mitigating settlement risk is a fundamental economic practice); Bilski v. Kappos, 561 U.S. 593, 611 (2010) (reducing or hedging risk is a fundamental economic practice).

Appellant contends that the claims are not related to certain methods of organizing human activity or to mental processes because the POS device uses bitwise interleave encryption to generate an empirical key in which a computer processor “performs bitwise operations that include manipulating bit patterns or binary numerals for comparison and calculations” and “[i]t is well known that digital computers, not humans, process binary numerals.” Appeal Br. 5-6 (“Clearly, binary numerals are not employed in fundamental economics.”).

We are not persuaded by these arguments for several reasons. The claim does not recite any technical implementation details of the bitwise interleave encryption used to generate an empirical security key. The description is equally generalized without any indication that Appellant invented or improved this function. See Spec. ¶ 43 (“[T]he software key is generated in a one-way hash from the MID, BID, and HID. An example of a preferred one-way has[h] is bitwise interweave [sic] encryption.”).
Even if the Specification described technical details, they are not claimed. See Ericsson Inc. v. TCL Commc’n Tech. Holdings Ltd., 955 F.3d 1317, 1325 (Fed. Cir. 2020) (“[T]he specification may be ‘helpful in illuminating what a claim is directed to . . . [but] the specification must always yield to the claim language’ when identifying the ‘true focus of a claim.’”) (citation omitted); Accenture Glob. Servs. GmbH v. Guidewire Software, Inc., 728 F.3d 1336, 1345 (Fed. Cir. 2013) (“[T]he complexity of the implementing software or the level of detail in the specification does not transform a claim reciting only an abstract concept into a patent-eligible system or method.”).

Nor does generating a security key by bitwise interleave encryption of MID, BID, and/or HID data take claim 25 out of the abstract realm. See Universal Secure Registry LLC v. Apple Inc., 10 F.4th 1342, 1351-52 (Fed. Cir. 2021) (multi-factor authentication using encrypted authentication data generated by a user’s device based on something the user knows, something the user is (biometrics), something the user has (cell phone serial number), and an account selected by the user for a transaction communicated to a secure registry for authentication through a POS device to authorize a transaction and access a user’s account is an abstract idea of collecting and examining data for authentication); PersonalWeb Techs. LLC v. Google LLC, 8 F.4th 1310, 1316 (Fed. Cir. 2021) (claims to algorithm-generated content-based identifiers used to control access to data and mark copies for deletion recite mental processes); Smart Sys. Innovations, LLC v. Chicago Transit Auth., 873 F.3d 1364, 1369, 1372-73 (Fed. Cir. 2017) (generating a hash identifier by hashing bankcard data for collecting and storing data and linking credit cards to the data to access a transit system is an abstract idea).
Encrypting MID, BID, and/or HID data relating to a POS device of a merchant and using that hash value to authenticate the POS device for the ISO/MSP party that provided the POS device to the merchant under contract to mitigate the risk that the ISO/MSP will not recoup its investment in a POS device is a fundamental economic practice and an abstract idea as discussed above. See Universal Secure, 10 F.4th at 1353 (verifying a user’s identity to facilitate a transaction is a fundamental economic practice); see also Boom! Payments, Inc. v. Stripe, Inc., 839 F. App’x 528, 532 (Fed. Cir. 2021) (an identification code does nothing more than overlay a second layer of abstraction--identity authentication--to the escrow procedures rather than provide a technical solution); Bridge & Post, Inc. v. Verizon Commc’ns, Inc., 778 F. App’x 882, 888-89 (Fed. Cir. 2019) (generating a local user identifier for a client computer by performing a one-way hashing operation on a unique device identifier used to communicate information is an abstract idea); see also Bozeman Fin. LLC v. Fed. Reserve Bank of Atl., 955 F.3d 971, 978 (Fed. Cir. 2020) (receiving and comparing first and second records of stored data to verify checks and reduce check fraud is a fundamental business practice that is ineligible for patent protection).

Combining abstract ideas does not make claim 25 any less abstract. RecogniCorp, LLC v. Nintendo Co., 855 F.3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea (math) to another abstract idea (encoding and decoding) does not render the claim non-abstract.”); Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1151 (Fed. Cir. 2016) (“[A] claim for a new abstract idea is still an abstract idea.”).

Thus, we determine that claim 25 recites the abstract idea identified above.
Alice Step One / Revised Guidance Step 2A, Prong Two

We next consider whether claim 25 recites additional elements that integrate the abstract idea into a practical application. Revised Guidance, 84 Fed. Reg. at 54.

We agree with the Examiner that the additional elements of a point-of-sale device, a computer, a security module, a network interface controller, an authentication server, and a payment module are used as tools to perform the abstract idea and link it to a particular technological environment. Final Act. 23. As such, they do not reflect improvements to the functioning of computers or other technology. They do not implement the abstract idea with a particular machine or manufacture that is integral to the claims. They do not effect a transformation or a reduction of a particular article to a different state or thing. They do not apply the abstract idea in a meaningful way beyond linking its use to a particular technological environment. See Revised Guidance, 84 Fed. Reg. at 55.

The Specification describes these elements generically without any indication that Appellant invented any of these components or improved any of their capabilities. The POS device includes registers, computer terminals, credit card terminals, and other hardware devices programmed to allow a merchant to accept electronic payments using credit cards and other payment forms. Spec. ¶ 12. Other devices and systems that use software solutions to accept electronic payments such as devices using applications, middleware, and operating systems sold under the trade names OPOS, JAVAPOS, Windows®, IOS, ANDROID, and LINUX® are considered POS devices. Id. The POS device includes computer processor 10 connected to touchscreen 11 and card reader 12. Id. ¶ 39. Other components of the POS device are described generically as well. See id. ¶ 39-44, Figs. 1, 2.
The network interface controller likewise is described generically. It is a network interface card (NIC) 17 that is connected to processor 10. Spec. ¶ 39. It has a unique hardware identifier (HID) that is the MAC address of the NIC 17 and can be used in the authentication. Id. ¶¶ 21, 26, 39, Fig. 1.

The secure module appears only in original claim 25 in which a POS device includes a computer further configured to execute a security module that generates a security key from at least one of a MID, BID, and HID. No other description, much less technical details, are provided for this module.

A payment processor 30 is connected to network 23 and receives data from POS device 20 over network 21. Id. ¶ 40. It includes a web server 31 that is connected to a network 21 to receive data from a POS device 20 and transmit data to the POS device 20. Id. ¶ 41. No details are provided for the payment module of the POS device, however. See id. ¶¶ 18, 23, 24, 33.

The authentication server is business logic server 32 that implements business logic used by the payment processor. Id. ¶ 41. It receives a system key 41 from POS device 20 and compares the system key 41 to the software key 42 stored in the database 33. Id. ¶ 45. If the system key 41 matches the software key 42, the payment processor will continue to process payments transmitted from POS device 20. Id.

This generic description of the structure and data processing functions of the additional elements confirms that they do not improve computers or other technology to integrate the abstract idea into a practical application. See Alice, 573 U.S. at 223 (“These cases demonstrate that the mere recitation of a generic computer cannot transform a patent-ineligible abstract idea into a patent-eligible invention. Stating an abstract idea ‘while adding the words “apply it”’ is not enough for patent eligibility.”) (citation omitted).
Appellant argues that the POS device’s structural features of an input and a computer that includes a security module that uses bitwise interleave encryption to generate an empirical security key from MID, BID, and HID data and its function of generating an empirical security key integrate the bitwise interleave encryption into a practical application. Appeal Br. 6. Appellant asserts that a network interface controller communicates with an authentication server to obtain comparison results between a control security key generated at the authentication server and the empirical security key. Id. Appellant further contends that the comparison is integrated into a practical application of receiving payment processing authorization. Id. Appellant also argues that the payment module authorizes payment processing upon receiving the payment processing authorization.

The features relied on by Appellant are largely features of the abstract idea identified under Prong One. They are not additional elements. Revised Guidance, 84 Fed. Reg. at 55 n.24 (“additional elements” are claim features, limitations, and/or steps that are recited in a claim beyond the identified judicial exception); see also Alice, 573 U.S. at 221 (a claim that recites an abstract idea must include additional features to ensure that it does not monopolize the abstract idea). A wholly generic computer implementation is not the sort of “additional feature” that provides practical assurance that the process does not monopolize the idea itself. Alice, 573 U.S. at 223-24.

No technical details are claimed for the input. According to the Specification, a touchscreen 11 is connected to processor 10 and allows users to input data that is transmitted to processor 10. Spec. ¶ 23. Appellant does not purport to have invented or improved input mechanisms to receive MID, BID, and/or HID data as claimed.
Merely collecting input data is part of the abstract idea identified under Prong One. See Elec. Power, 830 F.3d at 1355 (merely selecting information by content or source for collection, analysis, and display is an ordinary mental process); CyberSource, 654 F.3d at 1372 (even if the steps of obtaining data require entering a query via a keyboard or by clicking a mouse, the data gathering steps alone do not confer patentability); see also Revised Guidance, 84 Fed. Reg. at 55 n.31 (mere data gathering such as obtaining data about credit card transactions for analysis adds insignificant extra-solution activity to the abstract idea).

Authorizing payment processing by a generic payment module based on data collection and analysis that are part of the abstract idea also is extra-solution activity to the abstract idea. See Elec. Power, 830 F.3d at 1354 (merely presenting results of abstract processes of collecting and analyzing information, without more in terms of identifying a particular tool for the presentation, is abstract as an ancillary part of the collection and analysis).

Generating an empirical security key using generic bitwise interleave encryption without any technical implementation details indicating that this process improves computers, encryption processes, security, or technology beyond its intended result is not sufficient. It does not transform an article or item to a different state or thing. See Digitech, 758 F.3d at 1351 (holding a process that uses mathematical algorithms to manipulate existing data to generate additional data is ineligible); see also Universal Secure, 10 F.4th at 1352 (collecting and examining authentication data to authenticate a user’s identity using two factors such as biometric information and secret information known only to the user and providing encrypted authenticated information to a secure registry via a POS device is an abstract idea).
“Software can make non-abstract improvements to computer technology just as hardware improvements can, and . . . the improvements can be accomplished through either route.” Enfish, LLC v. Microsoft Corp., 822 F.3d 1327, 1335 (Fed. Cir. 2016). However, “to be directed to a patent-eligible improvement to computer functionality, the claims must be directed to an improvement to the functionality of the computer or network platform itself.” Customedia Techs., LLC v. Dish Network Corp., 951 F.3d 1359, 1365 (Fed. Cir. 2020) (citing Enfish, 822 F.3d at 1336-39).

Claim 25 does not recite improved encryption or authentication techniques or technology. “Merely claiming ‘those functions in general terms, without limiting them to technical means for performing the functions that are arguably an advance,’ does not make a claim eligible at step one.” Ericsson, 955 F.3d at 1328 (citation omitted); SAP, 898 F.3d at 1167-68 (to avoid ineligibility, a claim must have the specificity to transform it from one claiming only a result to one that claims a way of achieving the result); Interval Licensing LLC v. AOL, Inc., 896 F.3d 1335, 1346 (Fed. Cir. 2018) (content data update instructions that enable updating of displayed information are recited at the broadest, functional level, without explaining how that is accomplished, let alone providing a technical means for performing that function; thus, they do not recite a technological improvement for performing those functions and recite only generic information acquisition and organization steps that do not convert an abstract idea into a particular way to carry out that concept); Elec. Power, 830 F.3d at 1356 (the result-focused, functional nature of the claim language at issue is a frequent feature of claims that are patent-ineligible).

Accordingly, we determine that claim 25 lacks additional elements that are sufficient to integrate it into a practical application.

Alice, Step Two / Revised Guidance Step 2B

We next consider whether claim 25 recites any additional elements that, when considered individually or as an ordered combination, provide an inventive concept that is significantly more than the abstract idea. Alice, 573 U.S. at 217-18. This step is satisfied when the limitations involve more than well-understood, routine, and conventional activities known in the industry. See Berkheimer v. HP Inc., 881 F.3d 1360, 1367 (Fed. Cir. 2018).

Individually, the additional elements are conventional as discussed under Prong Two above. The functions that they perform are conventional. The POS device uses an “input” to receive data. The “computer” performs conventional data processing by collecting and analyzing data using known encryption techniques. The “network interface controller” communicates data to an authentication server. See buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014) (“That a computer receives and sends the information over a network-with no further specification-is not even arguably inventive.”). The “authentication server” compares a control security key to an empirical security key in some undefined manner to see if they “match.”

There is no indication in the language of the claims or the Specification’s description of these features or functions that they represent unconventional, non-routine, or unknown elements or functions in the art. Bancorp, 687 F.3d at 1277-78 (using a computer for no more than its basic functions of calculations or computations does not circumvent the ban against patenting mental processes); see Alice, 573 U.S. at 226 (“Nearly every computer will include a ‘communications controller’ and ‘data storage unit’ capable of performing the basic calculation, storage, and transmission functions required by the method claims.”).

As our reviewing court explained in a similar context:

Bridge and Post does not claim to have invented new networking hardware or software. Nor does it claim to have invented HTTP header fields, user identifiers, encryption techniques, or any other improvement in the network technology underlying its claims. The specification states that the invention filled a need for a system which would “ensure higher access rates, longer browse times, and increased consumption of media” by users. . . . But each of these goals is in the abstract realm-an improvement in the success or monetization of tracking users with personalized markings in order to serve advertisements-not an improvement in networking or computer functionality. None of these alleged improvements “enables a computer . . . to do things it could not do before.” Finjan, Inc. v. Blue Coat Sys., Inc., 879 F.3d 1299, 1305 (Fed. Cir. 2018) (emphasis added). Such claims, whose focus is “not a physical-realm improvement but an improvement in a wholly abstract idea,” are not eligible for patenting. SAP[,] 898 F.3d [at] 1168 . . . .

Bridge and Post, Inc. v. Verizon Commc’ns, Inc., 778 F. App’x 882, 889 (Fed. Cir. 2019) (using an identifier derived from an existing MAC address, port identifier, or hardcoded identifier embodied in software or hardware and assigned to a client computer to transmit tagged requests is an abstract idea).

As an ordered combination, the limitations recite no more than when they are considered individually. “If a claim’s only ‘inventive concept’ is the application of an abstract idea using conventional and well-understood techniques, the claim has not been transformed into a patent-eligible application of an abstract idea.” BSG Tech LLC v. Buyseasons, Inc., 899 F.3d 1281, 1290-91 (Fed. Cir. 2018).
“It has been clear since Alice that a claimed invention’s use of the ineligible concept to which it is directed cannot supply the inventive concept that renders the invention ‘significantly more’ than that ineligible concept.” BSG, 899 F.3d at 1290.

The POS device, computer, and modules process and analyze data as part of the abstract idea without improving computers or technology. To the extent that these components are described at all, the description indicates that they are well-known enough that no further description is necessary to understand their operation. See Spec. ¶¶ 39-45; see Universal Secure, 10 F.4th at 1355 (“Thus, the claims do not recite a new authentication technique, but rather combine nonspecific, conventional authentication techniques in a non-inventive way. There is nothing in the specification suggesting, or any other factual basis for a plausible inference (as needed to avoid dismissal), that the claimed combination of these conventional authentication techniques achieves more than the expected sum of the security provided by each technique.”); PersonalWeb, 8 F.4th at 1318 (even if content-dependent cryptographic hashes are not routine or conventional, as Appellant asserts, the claimed uses are all abstract and not significantly more); EasyWeb Innovations, LLC v. Twitter, Inc., 689 F. App’x 969, 971 (Fed. Cir. 2017) (“Claim 1 merely recites the familiar concepts of receiving, authenticating, and publishing data” and a claim to such data collection, analysis, and publication recites an abstract idea).

As our reviewing court has explained in a similar context, “[n]othing in the claims, understood in light of the specification, requires anything other than off-the-shelf, conventional computer, network, and display technology for gathering, sending, and presenting the desired information.” Elec.
Power, 830 F.3d at 1355 (“We have repeatedly held that such invocations of computers and networks that are not even arguably inventive are ‘insufficient to pass the test of an inventive concept in the application’ of an abstract idea.”).

Nor is the ordered combination and/or sequence of steps inventive. See Bozeman, 955 F.3d at 980-81 (using known computer components to receive and store information, analyze that information, display information, and send notifications upon the completion of that analysis recites only a logical sequence of steps without any inventive concept); Inventor Holdings, LLC v. Bed Bath & Beyond, Inc., 876 F.3d 1372, 1378 (Fed. Cir. 2017) (the sequence of data retrieval, analysis, modification, generation, display, and transmission is not inventive and amounts to mere instructions to apply the abstract idea on generic computer technology); Elec. Power, 830 F.3d at 1355 (“The claims at issue do not require any nonconventional computer, network, or display components, or even a ‘non-conventional and non-generic arrangement of known, conventional pieces,’ but merely call for performance of the claimed information collection, analysis, and display functions ‘on a set of generic computer components’ and display devices.”) (citation omitted); see also Universal Secure, 10 F.4th at 1353 (“As we explained above, the ‘encrypted authentication data’ is merely a combination of known authentication techniques that yields only expected results.”); id. at 1358 (“[N]othing in the claims is directed to a new authentication technique; rather, the claims are directed to combining long-standing, known authentication techniques to yield expected additory amounts of security.”); Smart Sys., 873 F.3d at 1374 n.9 (“A hash identifier is a generic and routine concept that does not transform the claims to a patent eligible application of the abstract idea.”); Final Act. 10-11.
Accordingly, we sustain the rejection of claim 25, and claims 26-44, which fall with claim 25, as directed to an abstract idea without significantly more.

Written Description of Claims 25-44

The Examiner determines the following features are not described:
(1) “network interface controller communicates with an authentication server to obtain comparison results between a control security key generated at the authentication server and the empirical security key” (claim 25);
(2) “receive payment processing authorization based on a match between the control security key” (claim 25);
(3) “obtaining payment processing authorization from the authentication server based on a match between a control security key generated at the authentication server and the empirical security key” (claim 32);
(4) “authorizing said payment module to process payments upon receipt of the payment processing authorization” (claims 32 and 39);
(5) “a security module that uses bitwise interleave encryption to generate an empirical security key” (claims 25 and 26);
(6) “wherein said security module deactivates said device when a predefined business condition is not met” (claim 28); and
(7) “generate,” “communicating,” “obtaining”, and “authorizing” (claim 32).
Final Act. 27-32; Ans. 10-14.

(1)-(3) network interface controller receives payment authorization

A network interface controller is described as communicating with an authentication server (business logic server 32) that compares an empirical security key generated at POS device 20 with a control security key and allows payment processing if the keys match. Spec. ¶¶ 23 (pp. 6-7), 26, 27, 39-45; Appeal Br. 7-9. Network interface card (NIC) 17 connects to processor 10 so data transmitted between POS processor and payment processor passes through NIC 17. Spec. ¶ 39. If a key generated at the POS device matches a control key, payment is authorized. Spec. ¶¶ 23 (p. 6), 27, 29, 45.
We do not sustain the rejection under 35 U.S.C. § 112(a) based on these limitations.

(4)-(6) a security module and a payment module

The Specification does not describe a security or a payment module. Original claim 25 recited “said computer being further configured to execute a security module; said security module generating a security key from said at least one of a merchant identification, said business identification, and said hardware identification.” The Specification was amended to state that a security module may generate a security key from the MID, the BID, and/or the HID, and the security module may deactivate the POS device when a predefined business condition is not met. Spec. ¶¶ 26, 40 (amended Feb. 7, 2019). No other details are provided for the security module. “[T]he POS software is configured to generate an empirical security key . . . from the information programmed into the payment module.” Spec. ¶ 23 (p. 6), 27, 29. No mention is made of a security module performing this function.

The “payment module” is part of the POS device. Spec. ¶¶ 18, 33. No details are provided for the “payment module.” Neither element is described with the POS device in Figure 1 or the POS device’s provision of security key 41 to business logic server in Figure 2. See Spec. ¶¶ 36, 39-44; Ans. 13-14.

We sustain these rejections of claims 25-44 under 35 U.S.C. § 112(a). The security module (claim 25) and the payment module (claims 25, 32, and 39) are the means-plus-function limitations, but the Specification does not describe any structure or algorithm for performing their claimed functions.

(7) steps in claim 32

We agree with Appellant that claim 32 recites a computer performing the claimed steps interpreted in light of the Specification. Appeal Br. 32; see Spec. ¶¶ 39-44, Figs. 2, 3. We do not sustain the rejection of claim 32 under 35 U.S.C. § 112(a) on this basis.

Indefiniteness of Claims 25-44

The Examiner determines that the limitations “an input that receives,” “a security module . . . to generate,” “a network interface controller communicates,” and “a payment module . . . to process” are non-structural terms, the recitation of which invokes 35 U.S.C. § 112(f) as means-plus-function limitations. Final Act. 33. The Examiner determines that the Specification does not disclose structure corresponding to the functions to take them outside the scope of 35 U.S.C. § 112(f). Id. at 33-35.

We agree with Appellant that the claimed “input” and “network interface controller” convey sufficient structure that they do not invoke means-plus-function language under 35 U.S.C. § 112(f). The Specification confirms this presumption by describing the POS device as including a touchscreen 11 that is connected to the processor to display data sent from the processor 10 and to receive input of data by a user and transmit the data to the processor. Spec. ¶ 39, Fig. 1. The Specification describes the POS device as including a network interface card (NIC) 17 that is connected to the processor and has a unique HID that is the MAC address of the NIC 17. Id., Fig. 1. Data to be transmitted to and received between the processor 10 and the payment processor passes through the NIC 17. Id. Accordingly, we do not sustain the Examiner’s rejection of these terms as being indefinite under 35 U.S.C. § 112(b) and § 112(f).

We agree with the Examiner that “module” does not convey structure and therefore creates a presumption that “a security module” and “a payment module” are means plus function limitations under 35 U.S.C. § 112(f). This presumption is confirmed by the Specification, which does not describe the structure of either module or link an algorithm to their claimed functions.

The term “security module” appears only in original claim 25.
It does not appear anywhere else in the original Specification. No corresponding structure is described in the Specification for the security module. Nor is an algorithm described to perform the claimed function of generating an empirical security key.

Appellant asserts that the Specification describes the computer having an embedded algorithm for encrypting and decrypting the software key. Appeal Br. 10-11. We are not persuaded. The Specification indicates that a software key is generated by the provider server by inputting a BID, MID, and a HID into encryption software, which outputs a software key. Spec. ¶ 23. A POS device user enters the software key into software as follows. “The software key is entered into the software by the user, which has the algorithm embedded for encrypting and decrypting the software key.” Id. (cited in Appeal Br. 11).

We find no description in this brief passage of any structure in the POS device or its processor of a security module that stores an algorithm for encrypting or decrypting a software key. The passage seems to indicate that some unidentified “software” may have an embedded algorithm used to encrypt and decrypt the software key. This description does not identify a structure/algorithm of a “security module” corresponding to the claimed function of the security module recited in claim 25. See Rain Computing, Inc. v. Samsung Elec. Am., Inc., 989 F.3d 1002, 1006-08 (Fed. Cir. 2021) (“user identification module” has no commonly understood meaning and no structural significance imparted to it in the Specification to rebut a presumption that it is a means plus function term, and the lack of any algorithm described to perform the controlling access function on a general purpose computer rendered the claims indefinite on that basis).

We also agree with the Examiner that a “payment module” invokes means-plus-function provisions of 35 U.S.C. § 112(f) because “module” is a nonce word.
Rain Computing, 989 F.3d at 1006. Appellant did not identify anything in the Specification imparting structural significance to it. Appeal Br. 11 (“Applicant respectfully submits that this language is not means plus function language that invokes 35 U.S.C. § 112, sixth paragraph.”). Nor has Appellant identified any structure in the Specification that is linked clearly to the payment module or any algorithm tied to its claimed function of being authorized to process payments upon receipt of the payment processing authorization. See id. Absent identification of some structure or algorithm configured to perform the claimed function, we sustain the rejection of independent claims 25, 32, and 39 as being indefinite on this basis. We sustain the rejection of claims 25-44 under 35 U.S.C. § 112(b). The security module (claim 25) and the payment module (claims 25, 32, and 39) are the means-plus-function limitations, but the Specification does not describe any structure or algorithm for performing their claimed functions. We do not sustain the rejection of claims 25-44 on the basis of the claims reciting a hybrid claim that is neither a process nor a machine but a hybrid overlap of two different statutory classes of invention. See Final Act. 36-37. We agree with Appellant that claim 25 recites a point of sale device, which is a statutory category of a machine that comprises a computer that includes various elements that perform various claimed functions. Appeal Br. 11-12. Claim 32 recites a method of providing payment processing authorization to a POS device. Claim 39 is written in a Beauregard claim format as a computer readable medium that stores instructions for a computer to perform a process. See CyberSource, 654 F.3d at 1373. 

Claims 25, 27-29, 31, 32, 34-39, 41-44 Rejected Over Rabin, Langley, Miller, and von Mueller

Regarding independent claims 25, 32, and 39, the Examiner relies on Rabin to teach a POS device, method, and storage medium as claimed with a computer coupled to an input and having a security module to generate an empirical security key, a network interface controller to communicate with an authentication server to obtain comparison results between a control security key generated at an authentication server and the empirical security key, and a communication module. Final Act. 40-41.

The Examiner cites Langley to teach a POS device for a merchant and receiving at a computer MID, BID, and HID and determines it would have been obvious to substitute the POS device of Langley for the device of Rabin and provide a secure element for a merchant by receiving a MID, BID, and HID to allow owners and vendors of software products to protect property rights of their software and process payments using secure payment applications as Langley teaches. Id. at 41-42.

The Examiner cites Miller for bitwise interleave encryption and determines it would have been obvious to modify Rabin and Langley to use bitwise interleave encryption to generate empirical security keys to allow owners and vendors of software to protect the property right of their software and provide a unique dynamic key to a service provider. Id. at 42.

The Examiner cites von Mueller to teach a key generated from MID, BID, and/or HID and determines it would have been obvious to modify the use of location values to compute a fingerprint function of Rabin, Langley, and Miller to generate a key with a unique POS or business identification as von Mueller teaches to allow owners and vendors to protect their property rights. Id. at 43.

Appellant argues that Rabin does not teach or suggest a security module that uses bitwise interleave encryption to generate an empirical security key from MID, BID, and/or HID as claimed. Appeal Br. 16. This argument is not persuasive because it attacks teachings of the references individually rather than as combined by the Examiner who relied on Miller to teach bitwise interleave encryption and von Mueller to teach generating a security key from one or more of MID, BID, and/or HID. See Final Act. 42-43; In re Merck, 800 F.2d 1091, 1097 (Fed. Cir. 1986) (“Non-obviousness cannot be established by attacking references individually where the rejection is based upon the teachings of a combination of references.”).

Appellant also argues that claims 25, 32, and 39 recite a control security key generated at the authentication server, and Rabin’s tag table is relied on to teach a security tag that is transmitted from the user device rather than being generated at an authentication server. Appeal Br. 16-17.

In response, the Examiner explains that Rabin periodically requires each user device to communicate with guardian center 103 via network 100 to ensure that all tags associated with software on the device are valid and being used in compliance with a usage supervision policy. Ans. 22. To perform this authentication process, a tag server 102 generates tags and uses a supervising program to compute hash function values for the tag, and the supervising program then compares the generated hash value to a hash value found in the tag. If the tag is not valid/validated, the instance of named software is determined to be associated with an invalid tag and it is rejected. Id. at 22-23. Thus, Rabin teaches an authentication server that generates a control security key (hash) that is compared to a security key (hash) of a tag of a user device to validate software on the user device.

In the Reply Brief, Appellant again asserts that Rabin does not teach or suggest a network interface controller that communicates with an authentication server to obtain comparison results between a control security key generated at the authentication server and an empirical security key as claimed and Langley fails to overcome this deficiency. Reply Br. 13-14. Appellant further contends that Rabin teaches away from encryption so it is irrelevant whether Miller teaches this feature because there is no motivation to combine the teachings of Rabin and Miller in this regard or to rely on the teachings of von Mueller to encrypt MID, BID, and/or HID data to generate a key. Id. at 14-15; see Appeal Br. 17-19.

We are not persuaded. The Examiner’s findings that Rabin teaches an authentication server (tag server, supervising program) that generates a hash value for a tag and compares the generated value to a hash value found in the tag of software on a user’s device such that if these hash values do not match, the tag is invalid are unrebutted by Appellant. Thus, we are not apprised of Examiner error in the findings. See Final Act. 40-41; Appeal Br. 16-19; Ans. 21-23; see also Ex Parte Frye, 94 USPQ 2d 1072, *4 (BPAI 2010) (precedential) (a panel reviews rejections for error based on the issues identified by an appellant); Jung, 637 F.3d at 1365 (approving of Board’s practice as set forth in Ex Parte Frye of requiring appellants to identify Examiner error in a rejection and noting that even if an examiner failed to make a prima facie case, the Board would not have erred in framing the issue as one of “reversible error”); 37 C.F.R. § 41.37(c)(1)(iv) (“The arguments [in the appeal brief] shall explain why the examiner erred as to each ground of rejection contested by appellant.”).

We sustain the rejection of claims 25, 32, and 39 and claims 27-29, 31, 34-38, and 41-44, which are not argued separately.

Claims 26, 33, and 40 Rejected Over Rabin, Langley, Miller, von Mueller, and Schwartz

Appellant argues that the Examiner’s reliance on Schwartz to teach features recited in claims 26, 33, and 40 does not cure the deficiencies of Rabin, Langley, Miller, and von Mueller as to independent claims 26, 32, and 39, for failing to teach or suggest bitwise interleave encryption of a security key and an authentication server that generates a control security key as claimed. Appeal Br. 19-20. Because we determine that Rabin, Langley, Miller, and von Mueller teach and suggest these features in the combination that the Examiner proposes, there is no deficiency for Schwartz to cure, and we also sustain the rejection of claims 26, 33, and 40.

Claim 30 Rejected Over Rabin, Langley, Miller, von Mueller, Schwartz, and Khan

Appellant argues that the Examiner’s reliance on Khan to teach a replacement key as recited in claim 30 does not cure the deficiencies of Rabin, Langley, Miller, and von Mueller as to claim 25 from which claim 30 depends. Appeal Br. 20-21. Because we determine that Rabin, Langley, Miller, and von Mueller teach and suggest these features in the combination that the Examiner proposes, there is no deficiency for Khan to cure, and we also sustain the rejection of claim 30.

DECISION

In summary:

| Claim(s) Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
| 25-44 | 101 | Eligibility | 25-44 | |
| 25-44 | 112(a) | Written Description | 25-44 | |
| 25-44 | 112(b) | Indefiniteness | 25-44 | |
| 25, 27-29, 31, 32, 34-39, 41-44 | 103 | Rabin, Langley, Miller, von Mueller | 25, 27-29, 31, 32, 34-39, 41-44 | |
| 26, 33, 40 | 103 | Rabin, Langley, Miller, von Mueller, Schwartz | 26, 33, 40 | |
| 30 | 103 | Rabin, Langley, Miller, von Mueller, Schwartz, Khan | 30 | |
| Overall Outcome | | | 25-44 | |

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED