| European Case Law Identifier: | ECLI:EP:BA:2020:T216915.20200128 | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Date of decision: | 28 January 2020 | ||||||||
| Case number: | T 2169/15 | ||||||||
| Application number: | 12157590.6 | ||||||||
| IPC class: | G07F7/10 | ||||||||
| Language of proceedings: | EN | ||||||||
| Distribution: | D | ||||||||
| Download and more information: |
|
||||||||
| Title of application: | Personal identification number distribution device and method | ||||||||
| Applicant name: | Oberthur Technologies Denmark A/S | ||||||||
| Opponent name: | - | ||||||||
| Board: | 3.4.03 | ||||||||
| Headnote: | - | ||||||||
| Relevant legal provisions: |
|
||||||||
| Keywords: | Inventive step - (yes) Inventive step - after amendment |
||||||||
| Catchwords: |
- |
||||||||
| Cited decisions: |
|
||||||||
| Citing decisions: |
|
||||||||
Summary of Facts and Submissions
I. The appeal is against the decision of the Examining Division refusing European patent application No. 12 157 590 on the grounds that the claimed subject-matter did not involve an inventive step within the meaning of Article 56 EPC.
II. At the end of the oral proceedings held before the Board the appellant confirmed that its sole request was that the decision under appeal be set aside and that a patent be granted on the basis of the following documents:
Claims 1-7 as filed and amended during the oral proceedings before the Board, as "subsidiary request 11";
Description, pages 1 to 13 as filed and amended during the oral proceedings before the Board;
Drawings: sheets 1/3-3/3 (Figures 1 to 3) as originally filed.
III. The following documents are referred to:
D1: US 2006/0168657 Al
D2: EP 1 195 973 A1
D3: US 6 112 078
D4: WO 2006/056826 A1
IV. Claim 1 reads as follows:
"A method of distributing a personal identification number for a card, namely a PIN, to a user of the card associated with said PIN, characterized in that it comprises:
- a preliminary step of generating said card and the associated PIN, and generating for this card a record containing the user's mobile phone number, said PIN and a request code, the request code identifying one and only one record, and a step of sending this card to the user, and after the preliminary step:
- a step of sending to the user, via a first channel, the request code (260) associated with said PIN (210),
- a step (335) of receiving said request code (260) via a second channel, which is a SMS channel,
- a step of searching for a record (200) matching the received request code (260), and checking the requestor's phone number against the phone number in the matching record,
- a step of retrieving, from the matching record, the PIN (210) associated with said received request code (260) and
- when the requestor's phone number matches the phone number in the matching record a step (345) of sending to the user the retrieved PIN (210) via a third channel which is a SMS channel."
Independent claim 6 reads as follows:
"A device for distributing a personal identification number for a card to a user of the card associated with said personal identification number, namely a PIN, characterized in that it comprises:
- a memory for storing a record specific to this card containing the user's mobile phone number, this PIN and a request code, the request code identifying one and only one record,
- means for receiving, via a second channel, which is a SMS channel, the request code (260) associated with said PIN (210) and previously sent to the user via a first channel,
- means for searching for a record (200) matching the received request code (260) and for retrieving, from the matching record, the PIN (210) associated with said received request code, and checking the requestor's phone number against the phone number in the matching record, and
- means for sending the retrieved PIN (210) via a third channel which is a SMS channel to said user when the requestor's phone number matches the phone number in the matching record."
Reasons for the Decision
1. The appeal is admissible.
2. Articles 123(2) and 76(1) EPC
2.1 Claim 1 is based on claims 1, 3 and 7 as originally filed, together with additional details taken from the description and drawings as filed. The checking of the PIN request code and mobile phone number is shown at step 340 in Fig. 3 and further described on page 11, lines 3-10. The existence of a record comprising the request code, PIN etc. is evident throughout the application (including in claim 1 as originally filed) and a step of generating such a record is therefore implicit, even if not expressly mentioned in the description or depicted in Fig. 3.
Claim 6 is based on claim 8 as originally filed, with additional features essentially corresponding to those referred to in connection with claim 1. Claims 2-5 and 7 are based on original claims 2, 4-6 and 13, respectively.
2.2 The parent application as originally filed (EP 08 291 060, published as EP 2 187 363 A1) comprises claims which are similar to those of the present application as originally filed, and, apart from the recitation of the claims, the description and drawings are essentially identical in both cases.
2.3 The Board is therefore satisfied that the requirements of Articles 123(2) and 76(1) EPC are met.
3. Inventive Step
3.1 The appellant argues that D4 represents the most suitable starting point for the evaluation of inventive and the Board sees no reason to disagree.
As noted by the appellant, D4 discloses a first embodiment (page 6, last paragraph to page 8, first paragraph) and a second embodiment (page 8, second paragraph to page 9, second paragraph), the second embodiment further including a first variant (final paragraph on page 8 and first paragraph on page 9) and a second variant (second paragraph on page 9). In both the first embodiment and the second variant of the second embodiment the user selects and enters a PIN which is transmitted to a server, a procedure which is rather remote from the present invention. Hence, the first variant of the second embodiment, in which the PIN is generated by the server and transmitted electronically to the user is considered to be the closest prior art.
3.2 Claim 1 differs from D4 in at least the following respect (emphasis added by the Board):
"a preliminary step of generating said card and the associated PIN, and generating for this card a record containing the user's mobile phone number, said PIN and a request code ...
- a step (335) of receiving said request code (260) via a second channel, which is a SMS channel,
- a step of searching for a record (200) matching the received request code (260), and checking the requestor's phone number against the phone number in the matching record ...
- when the requestor's phone number matches the phone number in the matching record a step (345) of sending to the user the retrieved PIN (210) via a third channel which is a SMS channel."
3.3 The problem solved by the difference features in bold is to verify the identity of the requestor. In any method for providing a PIN for a card a critical security consideration is that the PIN is delivered only to the legitimate user of the card, and not, for example, to a "Man In The Middle" or malicious third party (see description of the application, page 1, line 14 to page 2, line 2). According to the invention, this is guaranteed by receiving the PIN request code via an SMS channel, and only sending the PIN to the user if the requestor's phone number matches the phone number in the corresponding record.
3.4 The second embodiment of D4 discloses a method whereby a customer (or "user" in the terminology of the present application) applies for a credit card manually at a branch of a financial institution, and subsequently obtains the card PIN via a secure session on the financial institution's website. In this session, the financial institution's server receives from the customer "personal information such as their identification number and data identifying the financial instrument which is typically the Card Verification Check (CVC2) value" (page 8, third paragraph of D4). Subsequently:
"the server verifies the validity of the financial instrument and that the entered holder of the financial instrument is the correct holder of the financial instrument. This is done by comparing the entered data with data stored in the database 16 or in another database" (page 8, fifth paragraph).
It thus appears that the CVC2 value verifies that the requester is in possession of the correct card, and that the "personal data" is used to verify that the requester is the legitimate holder of that card. D4 discloses that, after a successful verification, the PIN may be sent to the user via the internet, or alternatively, via an SMS to the user's mobile phone (page 9, paragraph 1).
3.5 D4 does not, however, disclose that the request for the PIN may be made by SMS, nor is there any suggestion in D4 that the requestor's mobile phone number may be used for identity verification.
3.6 D1 discloses a method for securely distributing "one time authentication codes" (OTACs), which are essentially single use transaction authentication numbers (TANs) (paragraph [0002]). D2 (see abstract, paragraph [0018]) and D3 (see abstract, column 6, lines 6-22) disclose methods whereby a user may receive a PIN for a card, possibly via SMS. Documents D1-D3 do not disclose that the requestor's mobile phone number may be used for identity verification.
3.7 Since none of the available prior art documents disclose the claimed feature that the requestor's mobile phone number may be used for identity verification, they would not lead the skilled person to the claimed invention, either starting from D4 or in any other combination. The arguments of the Examining Division that the claimed subject-matter did not involve an inventive step starting from D1 are no longer relevant, since the present claims have been substantially amended compared with those on which the contested decision was based.
3.8 Hence, on the basis of the available prior art, the method defined by claim 1 would not be obvious to a person skilled in the art, and nor, by the same reasoning mutatis mutandis, would the device defined by claim 6. The claimed subject-matter therefore involves an inventive step within the meaning of Articles 52(1) and 56 EPC 1973.
3.9 The Board notes that the appellant argued that claim 1 defines further differences over the closest prior art, in particular that D4 did not disclose any feature anticipating the "request code" as defined in the claim. In view of the conclusion reached in the previous paragraph, it is not necessary for the Board to examine this matter.
Order
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the Examining Division with the order to grant a patent in the following version:
Claims: 1-7 as filed and amended during the oral proceedings before the Board, labelled "subsidiary request 11";
Description: pages 1 to 13 as filed and amended during the oral proceedings before the Board;
Drawings: Sheets 1/3-3/3 as originally filed.
