European Case Law Identifier: | ECLI:EP:BA:2020:T187015.20201008 |
---|---|
Date of decision: | 08 October 2020 |
Case number: | T 1870/15 |
Application number: | 11719488.6 |
IPC class: | G07F7/10 |
Language of proceedings: | EN |
Distribution: | D |
Title of application: | PERSONALIZATION DATA PROVIDING UNIT |
Applicant name: | Giesecke+Devrient Mobile Security GmbH |
Opponent name: | - |
Board: | 3.4.03 |
Headnote: | - |
Keywords: | Late-filed main request and auxiliary requests 1A, 1, 2, and 3 - admitted (yes); Late-filed auxiliary request 1B - admitted (no); Inventive step - main request and auxiliary requests 1A, 1, 2, and 3 (no) |
Catchwords: | - |

Summary of Facts and Submissions
I. The appeal concerns the decision of the examining division refusing the European patent application No. 11 719 488 for lack of inventive step (Article 56 EPC).
II. Reference is made to the following documents:
D1: US 2003/0050899 A1,
D3: WO 99/59109 A1,
D4: Philip Alexander, Information Security, A Manager's Guide to Thwarting Data Thieves and Hackers, 2008, Praeger Security International, Westport CT, USA, pages 36-37.
III. At the oral proceedings before the board the appellant requested that the decision under appeal be set aside and that a patent be granted according to, in that order, a main request or one of auxiliary requests 1B, 1A, 1, 2 and 3, auxiliary request 1B having been filed during oral proceedings before the board and all other requests having been filed with letter dated 24 August 2020.
IV. The wording of respective independent claim 1 of the various requests is as follows (board's labelling "(i)", "(ii)", ..., "(viii)", and "(vii)'"):
Main request:
"1. Method in a system for personalizing portable data carriers (50), the system comprising a personalization data providing unit (20) and a plurality of personalization units, the method comprising the following steps in the data providing unit (20):
- identifying personalization data to be transmitted;
- transmitting (308) personalization data from the providing unit (20) to a first personalization unit (30);
characterized by
(i) - receiving (301) a request for personalization data from the first personalization unit (30, 40) of the personalization units;
(ii) - receiving (305) a data preparation parameter from the first personalization unit (30,40);
(iii) - preparing (306, 307) the personalization data to be transmitted in accordance with the received data preparation parameter,
(iv) wherein in the step of preparing only selected data fields of the available data fields in the personalization data are provided for transmission, the data preparation parameter indicating the selection, and/or
(v) the data preparation parameter comprises an encryption indicator, wherein in the step of preparing the personalization data are encrypted or not encrypted as indicated by the encryption indicator."
Auxiliary request 1B:
Claim 1 of auxiliary request 1B differs from claim 1 of the main request in that
- the expression "including a first personalisation unit (30, 40)" is introduced in the preamble after the expression "plurality of personalization units" and
- the expression "determined in the first personalisation unit (30, 40)" is included in feature (ii) after the term "data preparation parameter".
Auxiliary request 1A:
Claim 1 of auxiliary request 1A differs from claim 1 of the main request in that the conjunction "and/or" at the end of feature (iv) is replaced by the conjunction "and".
Auxiliary request 1:
Claim 1 of auxiliary request 1 differs from claim 1 of auxiliary request 1A in that feature (v) is replaced by the following feature (vi):
(vi) "wherein each data field of the personalization data is stored separately in the encrypted form, hence in the step of preparing the selected data fields for transmission only the selected data fields have to be decrypted."
Auxiliary request 2:
Claim 1 of auxiliary request 2 differs from claim 1 of the main request in that the following features (vii) and (viii) are appended at the end of the claim:
(vii) "the personalization unit (30, 40) comprises transmission processing means (31, 32) and a main personalization unit (40), the processing means (31, 32) providing transmitted personalization data to the main personalization unit (40), which performs the personalization of the portable data carriers, and
(viii) the transmission processing means (31, 32) counts the number of personalization data forwarded to the main personalisation unit (40) and limits the number to a predetermined reference limit."
Auxiliary request 3:
Claim 1 of auxiliary request 3 differs from claim 1 of auxiliary request 2 in that feature (vii) is replaced by the following feature (vii)' (underlining of the additions with respect to feature (vii) by the board):
(vii)' "the personalization unit (30, 40) comprises transmission processing means (31, 32) and a main personalization unit (40), the transmission processing means (31, 32) decrypting transmitted personalization data, the transmission processing means (31, 32) providing the decrypted, transmitted personalization data to the main personalization unit (40), which performs the personalization of the portable data carriers, and"
V. The appellant argued essentially as follows:
(a) Admission of the requests
The main request and auxiliary requests 1A, 1, 2 and 3 should be admitted into the proceedings as they were filed in response to clarity objections raised for the first time by the board.
Auxiliary request 1B should be admitted into the proceedings as there were extraordinary circumstances justifying its admission into the proceedings.
(b) Main request - inventive step
The claimed invention involved an inventive step over document D1 in combination with document D3. In particular, feature (ii) related to a decentralized process control achieving an improved flexibility over the system of document D1. Furthermore, the centrally required processing power was reduced and was even further reduced by features (iv) and (v).
(c) Auxiliary requests 1A and 1 to 3 - inventive step
According to claim 1 of auxiliary request 1A both features (iv) and (v) were claimed. The resulting decentralized solution reduced the risks of errors and made them more easily traceable.
The additional feature (vi) of claim 1 of auxiliary request 1 was not rendered obvious by document D4, which indicated that only sensitive data fields had to be encrypted.
Additional features (vii) and (viii) claimed according to claim 1 of auxiliary request 2 reduced the risk of the personalization unit requesting more data than actually used for the personalization.
The combination of features (vii)' and (viii) claimed according to claim 1 of auxiliary request 3 further improved data security.
Reasons for the Decision
1. Admission of the requests
1.1 All pending requests were filed after the notification of the summons of 15 May 2020 to attend the oral proceedings before the board. In particular, the main request and auxiliary requests 1A, 1, 2 and 3 were filed with letter dated 24 August 2020 and auxiliary request 1B was filed during the oral proceedings before the board. Hence the admission of all requests is subject to the provisions of Article 13(2) RPBA 2020 (Articles 24 and 25 RPBA 2020).
1.2 As argued by the appellant, the main request and auxiliary requests 1A, 1, 2 and 3 were filed in response to clarity objections raised for the first time in the board's communication pursuant to Article 15(1) RPBA 2020 in preparation of oral proceedings. Indeed, the amendments effected in relation to these requests aimed at overcoming the raised clarity objections. Hence, exercising its discretion under Article 13(2) RPBA 2020 the board decides to admit these requests into the appeal proceedings.
1.3 In relation to auxiliary request 1B the appellant argued that this request should be admitted into the proceedings since it could not have been anticipated that the board would interpret the claims such that the format translation or the creation of the data preparation parameter were not necessarily performed by the personalization unit. These were extraordinary circumstances justifying the admission of auxiliary request 1B into the proceedings.
The board observes that in its communication pursuant to Article 15(1) RPBA 2020 (see point 2.2.3 of the communication) there was provided a preliminary assessment of inventive step of the claimed subject-matter over document D1 as closest state of the art, which had already been thoroughly discussed in the proceedings before the examining division. The board's claim interpretation stated at the oral proceedings and invoked by the appellant is a mere further elucidation of its inventive step assessment which does not have any influence on the determination of the distinguishing features of the claimed subject-matter over document D1 and is entirely consistent with its previously communicated preliminary opinion on this issue. This is regarded by the board as a normal course of events during the discussion at oral proceedings, and as such not surprising or unexpected.
Consequently, the board does not consider that there are exceptional circumstances justifying the admission of auxiliary request 1B and decides not to admit this request into the appeal proceedings (Article 13(2) RPBA 2020).
2. Main request - inventive step
2.1 Closest state of the art
In the decision under appeal the examining division considered document D1 as the closest state of the art (see point 1 of the Reasons). The appellant also argued inventive step taking document D1 as the starting point (see point 0 of the grounds of appeal).
Indeed, document D1 discloses - as detailed below - subject-matter that is conceived for the same purpose as the claimed invention, namely for providing a method for personalizing portable data carriers, and has the most relevant technical features in common with it. This document is therefore considered to represent the closest state of the art.
2.2 Distinguishing features
2.2.1 The examining division held that the claimed method differed from the method known from document D1 in comprising features (i), (ii), (iv), and (v) (see the decision under appeal, point 1 of the Reasons, penultimate paragraph on page 4).
This is not contested by the appellant.
2.2.2 The board agrees with the examining division in that document D1 discloses indeed the other features of claim 1 of the main request, namely the features of the preamble and feature (iii).
In particular, document D1 describes (see paragraphs [0046], [0048], [0050], [0051], and [0057] to [0059]) in relation to the embodiment shown in Figures 1A, 1B, and 1C a smart card issuing process to be carried out using a smart card personalization system 100, which receives data from a card issuer management system 150, translates the data into a data stream, and outputs the data stream to personalization equipment 130 which personalizes the smart cards 160. The card issuer management system 150 manages the cardholder data and determines the type of card to issue, the card applications to embed in the card, and what personalization equipment to use to issue the card for a particular cardholder. The smart card personalization system 100 controls card printers, embossing devices, and integrated or add-on smart card interface devices collectively represented as personalization system 130. Cardholder data maintained by the card issuing organization contains information about each individual cardholder, such as name, account number, card expiration date, and applicable services.
The smart card personalization system 100 directs a portion of the personalization information to the older personalization equipment 130 and the remainder of the data to a post-processor in the smart card interface device 132 which programs the chip.
Using a card identifier provided by the card issuer management system 150, a card operating system interface module 103 of the smart card personalization system 100 retrieves programming control commands specific to the card operating system 122 for the microprocessor chip that is embedded in the type of card being issued. The programming control commands direct the encoding of the chip with the personalization data and the card application(s) chosen by the card issuer. Each card application comprises program code and variable data that is stored in the database as application data 124 and is identified by an application program identifier. The card issuer management system 150 passes one or more program application identifiers to the system 100 which are used by a card application interface module 105 to acquire the corresponding application data 124. The personalization equipment that the card issuer plans to use to issue the batch of cards is defined by a personalization equipment identifier. A personalization equipment interface module 107 acquires equipment characteristic data 126 specific to the type of personalization equipment 130 corresponding to the personalization equipment identifier. The personalization equipment interface 107 also acquires the programming control commands, the application code and variables, and the translated personalization data, and transfers all of this data to the personalization equipment 130 as specified by the equipment characteristic data 126 to issue the smart card.
Hence, using the wording of claim 1 of the main request document D1 discloses a method in a system for personalizing portable data carriers (smart cards), the system comprising a personalization data providing unit (smart card personalization system 100) and a plurality of personalization units (personalization system 130 comprising older personalization equipment 130, e. g. card printers, embossing devices, and integrated or add-on smart card interface device 132), the method comprising the following steps in the data providing unit (smart card personalization system 100):
- identifying personalization data (cardholder data) to be transmitted;
- transmitting personalization data (cardholder data) from the providing unit (smart card personalization system 100) to a first personalization unit (older personalization equipment 130);
- preparing the personalization data (cardholder data) to be transmitted in accordance with the received data preparation parameter (personalization equipment identifier).
2.2.3 The board notes further that only a part of the cardholder data are transmitted to the older personalization equipment 130, the remainder of the data being sent to the smart card interface device 132 which programs the chip (see document D1, paragraph [0051], last sentence). Moreover, the personalization equipment identifier determines the characteristic data related to the personalization equipment 130 (see paragraph [0091]) and thus implicitly the relevant corresponding cardholder data. For example, medical data mentioned as an example of cardholder data in paragraph [0101] might be printed on a medical smart card but not on a credit or debit card.
Feature (iv) is therefore also considered to be disclosed in document D1.
2.2.4 Finally, the presence of feature (iv) alone being one of the three alternatives implied by the conjunction "and/or" at the end of feature (iv) (the other two being the presence of feature (v) either alone or in combination with feature (iv)), it is irrelevant for the assessment of inventive step whether feature (v) is also disclosed in document D1.
2.2.5 Hence, the subject-matter of claim 1 of the main request differs from the method of document D1 merely in comprising features (i) and (ii).
2.3 Objective technical problem
2.3.1 The examining division considered that the distinguishing features related to administrative aspects of the claimed method and that no technical problem was solved by them (see the decision under appeal, point 1 of the Reasons, last paragraph on page 4).
2.3.2 The appellant argued that the distinguishing features had the effect of reducing the centrally required processing power. Furthermore, an improved flexibility over the system of document D1 was achieved since new personalization units could be more easily integrated into the system.
2.3.3 The board is of the opinion that features (i) and (ii) relate to a particular implementation of the process control of the claimed method for personalizing portable data carriers involving a specific division of tasks between the first personalization unit and the personalization data providing unit. Hence they relate to technical and not administrative aspects of the claimed method.
However, since features (i) and (ii) concern the transmission of certain data items no effect on the centrally required processing power can be recognized. Moreover, these features do not imply that new personalization units can be more easily integrated into the system as they only relate to the transmission of the data items from one single personalization unit, namely the first personalization unit, to the data providing unit. This has no consequences for the potential integration of other personalization units. In particular, the claimed data preparation parameter is not necessarily adapted to the requirements of other personalization units which are different from the first personalization unit.
Rather, the effect of features (i) and (ii) is merely the provision of an alternative method of personalizing portable data carriers. The objective technical problem is therefore to provide this effect.
2.4 Obviousness
2.4.1 The appellant argued that in the method of document D1 the card issuer system controlled the data preparation and nothing in that document hinted towards a step of sending a data preparation parameter from the personalization unit to the data providing unit. Furthermore, document D3 disclosed that the process was controlled by the central server rather than in a decentralized manner.
2.4.2 The board notes first that the skilled person would consult document D3, which is in the same technical field (production of smart cards) as document D1 and in fact relates to the personalization of smart cards like D1 (see page 1, lines 6 to 8). This is undisputed by the appellant.
Document D3 discloses specifically (see page 5, lines 10 to 20; page 8, lines 26 to 31; page 10, line 24 to page 12, line 9; Figures 1, 3, and 4) that a smart card personalization server 100 receives card objects from a card issuer management system 150. A smart card personalization controller 120 receives, from the card issuer management system 150, a card object identifier for each one of the card objects passed to the smart card personalization server 100. The smart card personalization controller 120 routes each one of the card object identifiers to one of a plurality of personalization stations 130. Each personalization station 130 uses the card object identifier to request data and services from the smart card personalization server 100 in order to personalize a smart card 160.
Personalization station interface software 304 is running on a processor of the personalization station 130 and communicates with the personalization server software 305 running on a processor in the personalization server 100. The smart card personalization process begins at stage 402 when the personalization station interface software 304 receives a unique card object identifier from the smart card personalization controller 120. At stage 404, the personalization station interface software 304 requests the commands and data necessary to personalize the card by passing the card object identifier to the server software 305. Upon receiving the card object identifier, the server software 305 starts a personalization session with the personalization station interface software 304 at stage 406. Based on the card object identifier, the server software 305 retrieves and sends the data and commands unique to the card being personalized to the personalization station interface software 304 at stage 408. Upon receiving the commands and data, the personalization station interface software 304 passes the commands and data directly to the smart card and returns data and/or status signals to the server software 305 as an acknowledgement at stage 412. At stage 414, the server software 305 processes the status signals and/or data returned by the personalization station interface software 304. Upon completion of the personalization of the smart card, the server software 305 sends a "format complete" command to the personalization station interface software 304 at stage 416, which is acknowledged by the personalization station interface software 304 at stage 420.
2.4.3 Hence, the smart card personalization environments of documents D1 and D3 have precisely the same structure comprising card issuer equipment (card issuer management system 150 of D1 and D3), a personalization system (D1: smart card personalization system 100; D3: smart card personalization server 100), and personalization equipment (D1: personalization equipment 130; D3: personalization stations 130). In both environments the smart cards are identified by unique smart card identifiers.
The skilled person would therefore envisage, when starting from the method of D1 and attempting to provide an alternative to that method, to use the smart card personalization process sequence of document D3. This would require no modification of the smart card personalization environment and would lead the skilled person to the implementation of feature (i) by arranging the personalization equipment 130 in such a way as to request commands and data necessary to personalize the card by passing the relevant smart card identifier to the smart card personalization system 100.
Moreover, since the information is readily available at the personalization equipment 130, the skilled person would also consider sending with the request for commands and data not only the smart card identifier but also the personalization equipment identifier to the smart card personalization system 100 thereby arriving at the subject-matter of feature (ii).
In view of the above the skilled person would arrive at the subject-matter of claim 1 of the main request without exercising any inventive skills, which therefore does not involve an inventive step (Articles 52(1) and 56 EPC).
3. Auxiliary requests 1A and 1 to 3 - inventive step
3.1 Claim 1 of auxiliary request 1A differs from claim 1 of the main request in that the conjunction "and/or" at the end of feature (iv) is replaced by the conjunction "and". This implies that feature (v) is claimed in combination with feature (iv) (which is disclosed in document D1, see point 2.2.3 above).
3.1.1 The appellant argued that the resulting decentralized solution reduced the risk of errors and made errors more easily traceable.
3.1.2 The board notes, however, that a data item (e. g. flag) indicating whether or not to encrypt the personalization data might be erroneous no matter where it originates or where it is stored. Moreover, the ease of tracing errors depends on the particular manner of performing this task. The alleged advantages are therefore not considered to be a necessary consequence of the distinguishing features of claim 1 of auxiliary request 1A over document D1, namely features (i), (ii), and (v).
3.1.3 As pointed out in the decision under appeal (see point 1 of the Reasons, second paragraph on page 5) it is known from document D1 (see paragraph [0066]) to encrypt portions of the card holder data before transmitting them from the card issuer management system 150 to the card personalization system 100.
The effect of feature (v) is therefore not more than the provision of an alternative method. Hence, the objective technical problem as defined under point 2.3.3 above still holds for auxiliary request 1A.
3.1.4 The appellant did not argue that there is any difference in terms of security requirements between the transmission of data between the card issuer equipment and the personalization system on the one hand and between the personalization system and the personalization equipment on the other hand. Indeed, no such difference can be recognized, since the latter transmission might be as vulnerable as the former - depending on the circumstances - to data security breaches. It would therefore be an obvious alternative for the skilled person to encrypt the card holder data in the personalization system 100 before transmitting them to the personalization equipment 130. Sending a corresponding flag indicating whether or not to encrypt the data with the request for commands and data (whose incorporation into the method of document D1 would be obvious for the skilled person for the reasons set out under point 2.4 above) would be one of the possible alternatives occurring to the skilled person.
Hence, the subject-matter of claim 1 of auxiliary request 1A does not involve an inventive step (Articles 52(1) and 56 EPC).
3.2 Claim 1 of auxiliary request 1 differs from claim 1 of auxiliary request 1A in that feature (v) is replaced by feature (vi) concerning the data fields of the personalization data being stored separately in the encrypted form (for the wording see point IV. above).
3.2.1 The examining division held that field-level encryption was generally known to the skilled person and cited document D4 in this respect (see point 2 of the Reasons).
3.2.2 The appellant argued that the additional feature (vi) was not rendered obvious by document D4, which indicated that only sensitive data fields had to be encrypted.
3.2.3 The board observes that there is no information in document D1 on how the data encryption is to be performed in detail. As feature (vi) relates to such details, the objective technical problem has to be slightly reformulated as the implementation of an alternative method of personalizing portable data carriers.
It is undisputed that field-level encryption as disclosed in document D4 is known to the skilled person. Indeed, that document is considered a handbook known to a person skilled in the relevant art and thus reflects its common general knowledge. Moreover, it clearly emerges from document D4 that field-level encryption is generally known, independent of the type of data to be encrypted. Encrypting only those fields that contain sensitive data is merely mentioned as an example of how such field-level encryption can be applied efficiently (see D4, page 36, last paragraph). In view of its common general knowledge it would therefore be obvious for the skilled person to implement the envisaged encryption of the card holder data in such a manner that the various data fields are encrypted separately and then stored accordingly, thereby arriving at the subject-matter of feature (vi) without exercising any inventive skills.
Consequently, the subject-matter of claim 1 of auxiliary request 1 does not involve an inventive step (Articles 52(1) and 56 EPC).
3.3 Claim 1 of auxiliary request 2 differs from claim 1 of the main request in that features (vii) and (viii) relating to the personalization unit comprising a main personalization unit and transmission processing means, which count the number of personalization data and limit this number to a predetermined reference limit, are appended at the end of the claim (for the wording see point IV. above).
3.3.1 The examining division held that the claimed subject-matter did not involve an inventive step as feature (vii) did not solve any technical problem and the limitation claimed in feature (viii) related to an administrative aspect of the invention (see point 3 of the Reasons, first and second paragraphs on page 9).
3.3.2 The appellant was of the opinion that the additional features (vii) and (viii) reduced the risk of the personalization unit requesting more data than actually used for the personalization.
3.3.3 The board agrees with the examining division in that it is disclosed in document D1 (see paragraph [0046]) that the personalization unit performs the personalization of the portable data carriers (part of feature (vii)). Moreover, document D1 is silent in relation to the detailed architecture of the personalization equipment 130. The part of feature (vii) relating to such details concerns therefore a particular implementation of the personalization.
Furthermore, since there is no indication at all in the claim concerning the value of the claimed "reference limit", e. g. by means of a relation to another quantity or otherwise, the alleged advantage of reducing the risk of requesting too many data cannot be considered a necessary consequence of feature (viii). Rather, the limitation on the forwarded personalization data as claimed in that feature has to be considered arbitrary.
Hence, the objective technical problem as defined in the first paragraph of point 3.2.3 above still holds for auxiliary request 2.
3.3.4 It is considered a standard approach to implement the various processing and communication functions of the personalization equipment 130 by means of corresponding modules. Moreover, it would occur to the skilled person to impose arbitrary limitations on the transmission of data between these modules.
The skilled person would thus be led in an obvious manner to the claimed invention. Therefore the subject-matter of claim 1 of auxiliary request 2 does not involve an inventive step (Articles 52(1) and 56 EPC).
3.4 Claim 1 of auxiliary request 3 differs from claim 1 of auxiliary request 2 in that feature (vii) is replaced by feature (vii)', in which it is further specified that the transmission processing means decrypt the transmitted personalization data and then provide the decrypted data to the main personalization unit (see point IV. above for the wording, in particular of the differences over feature (vii)).
3.4.1 The appellant argued that data security was further improved.
3.4.2 The board is of the opinion that the additional features over claim 1 of auxiliary request 2 merely relate to a specific implementation of the decryption in the personalization equipment 130. Hence, the objective technical problem as defined in the first paragraph of point 3.2.3 above still holds for auxiliary request 3.
3.4.3 For the reasons set out above under points 3.1.2 to 3.1.4 it would be obvious for the skilled person to encrypt the card holder data in the personalization system 100 before transmitting them to the personalization equipment 130. Moreover, for the reasons indicated under points 3.3.3 and 3.3.4 the skilled person would consider without exercising any inventive skills implementing the various processing and communication functions of the personalization equipment 130 by means of corresponding modules. Decrypting the card holder data by one of these modules would be an obvious choice occurring to the skilled person.
Therefore the subject-matter of claim 1 of auxiliary request 3 does not involve an inventive step (Articles 52(1) and 56 EPC).
4. Conclusion
Since auxiliary request 1B is not admitted into the proceedings and the subject-matter claimed according to the main request and auxiliary requests 1A, 1, 2, and 3 does not involve an inventive step, the examining division's decision refusing the application is confirmed. Consequently the appeal has to be dismissed (Articles 97(2) and 111(1) EPC).
Order
For these reasons it is decided that:
The appeal is dismissed.