T 0991/19 () of 16.2.2023

Summary of Facts and Submissions

I. The appeal is against the examining division's decision to refuse the European patent application No. 15 165 149 on the grounds that the subject-matter defined in the then sole request on file was considered not to involve an inventive step (Article 52(1) EPC in combination with Article 56 EPC).

II. At the end of the oral proceedings before the Board the appellant requested that the decision under appeal be set aside and that a patent be granted on the basis of the set of claims of the main request filed with the statement setting out the grounds of appeal.

III. The following document is referred to:

D1: US 2003/0101246 A1

IV. Claim 1 of the main request reads as follows:

"A method for over the air (OTA) provisioning of a soft card on a device having wireless communications capabilities using a provisioning configuration server (108), the method comprising:

at the provisioning configuration server (108):

(a) storing, in a database, a plurality of issuer identification numbers associated with a plurality of different card issuers, wherein each of the plurality of issuer identification numbers is mapped to a respective issuer server address;

(b) receiving, from a soft card provisioning application (102) on the device with wireless communications capabilities, a soft card request for provisioning a soft card on the device, the request including a card identifier that includes a personal account number (PAN);

(c) authenticating the device;

(d) in response to authenticating the device, performing a lookup in the database based on the card identifier to identify a card issuer associated with the soft card request from among the plurality of different card issuers, wherein performing the lookup in the database includes retrieving an issuer identification number (IIN) from the PAN and using the IIN to identify an Internet protocol (IP) address of a provisioning issuer server (110) associated with the card issuer, and wherein the database includes entries matching IINs to IP addresses of provisioning issuer servers (110) associated with the plurality of card issuers;

(e) in response to determining the card issuer, communicating both the IP address of the provisioning issuer server (110) associated with the card issuer and a challenge question to the device over an air interface; and

(f) sending, from the provisioning issuer server (110) associated with the card issuer, to the device over a secure channel established using the IP address, soft card personalization data for provisioning the soft card on the device in response to receiving a challenge response to the challenge question and the PAN from the device."

V. The appellant's arguments, insofar as they are relevant to the present decision, may be summarised as follows:

The present invention dealt with a system wherein the personal account number (PAN) did not present non-technical business data related to the personal account, but concerned technical routing information. The PAN represented a data package wherein the first six digits of the PAN were routing information which allowed a link between the specific bank and the soft card. Furthermore, document D1 did not teach a one-to-one correspondence between the application at the device side and the provisioning issuer server at the bank side. In document D1 the applications were standardised applications which were stored at a plurality of servers. Therefore, when starting from document D1 the skilled person would rather go back to a direct one-to-one correspondence between the device and the card issuer as disclosed in paragraphs [0006] and [0007] of document D1 relating to existing prior art, instead of reducing the one-to-a-plurality correspondence shown in document D1 to a one-to-one correspondence between the device and the provisioning issuer server including an interposed provisioning configuration server. Moreover, the skilled person would not adapt the set-up of document D1 by foreseeing a database according to the definition of claim 1 at the provisioning configuration server. Finally, there were many adaptations to be made, so that this plurality of adaptations appeared not obvious but indicated an inventive step.

Reasons for the Decision

1. Main request - amendments and admittance

1.1 The claims of the main request submitted with the statement setting out the grounds of appeal were amended compared to the claims of the request underlying the impugned decision as follows:

- Reference numerals were introduced.

- In claim 1, the "provisioning configuration server" in line 3 and the "device" in line 7 have been amended from the indefinite article "a" to the definite article "the".

- Feature (f) of claim 1 has been amended by adding the following underlined wording (underlining by the Board): "... sending, from the provisioning issuer server (110) associated with the card issuer, to the device over a secure channel ...".

These amendments comply with Article 123(2) EPC.

1.2 The amended claims were submitted for the first time together with the statement setting out the grounds of appeal. The above-mentioned amendments concern only formal aspects or clarifications of the wording of the claims, so that the substantive content of the claims remains unchanged compared to the claims underlying the impugned decision. Consequently, according to Article 12(4) RPBA 2007 (which here applies according to Article 25(2) RPBA 2020), the board does not see any valid reason for not considering this new main request during the appeal procedure.

2. Main request - inventive step

2.1 Closest state of the art

The examining division considered document D1 to represent the closest state of the art and the appellant agreed. Also in the board's view, document D1 represents a suitable starting point for arguing inventive step since it deals with similar subject-matter, in particular with the transmission of an application or an up-date of an application over the air from an issuer server to a mobile device using a configuration server as an intermediary authority.

Document D1 discloses (the references in this paragraph refer to document D1; crossed out features are not disclosed in document D1) a method for over the air ([0027]) provisioning of [an application or a new service] [deleted: a soft card] on a device having wireless communications capabilities using a provisioning configuration server ([0011] and [0012]), the method comprising:

at the provisioning configuration server (Figures 1 to 4, reference signs 106, 204, 302, 402):

(a) storing, [deleted: in a database,] a plurality of issuer identification numbers associated with a plurality of different [application] [deleted: card] issuers (Figures 3 and 4, reference signs 310, 312, 314, 424, 426), wherein each of the plurality of issuer identification numbers is mapped to a respective issuer server address ([0028] to [0030], [0052], [0057]; Figure 5, reference sign 506; in particular [0030] reads "the mobile terminal(s) 102 receive and process an application ID and corresponding access parameters including an identification of one of a plurality of application servers");

(b) receiving, from [deleted: a soft card provisioning application on] the device with wireless communications capabilities, a [deleted: soft card] request for provisioning an [application] [deleted: soft card] on the device, the request including a[n application] [deleted: card] identifier [deleted: that includes a personal account number (PAN)] ([0037] and [0038]; the disclosure of document D1 is not limited to "push"-technology, but also includes "pull"-technology as indicated by the following sentence in [0038]: "However, WAP provisioning may be extended to other protocols, such as protocols permitting two-way communication of provisioning information");

(c) authenticating the device (implicit; see also [0052] which indicates the possibility of authentication credentials when needed);

(d) [deleted: in response to authenticating the device,] performing a lookup [deleted: in the database] based on the [application] [deleted: card] identifier to identify a[n application] [deleted: card] issuer associated with the [application] [deleted: soft card] request ([0040], [0047] and [0049]; Figures 4 and 5) from among the plurality of different [application] [deleted: card] issuers, wherein performing the lookup [deleted: in the database] includes retrieving [deleted: an issuer identification number (IIN) from the PAN and using the IIN to identify] an Internet protocol (IP) address of a provisioning issuer server associated with the [application] [deleted: card] issuer (Figures 4 and 5; [0040], [0049] and [0057])[deleted: , and wherein the database includes entries matching IINs to IP addresses of provisioning issuer servers associated with the plurality of card issuers];

(e) in response to determining the [application] [deleted: card] issuer, communicating both the IP address of the provisioning issuer server associated with the [application] [deleted: card] issuer [deleted: and a challenge question] to the device over an air interface (Figures 3 to 5; [0040], [0056] [0057]); and

(f) sending, from the provisioning issuer server associated with the [application] [deleted: card] issuer, to the device over a [deleted: secure] channel established using the IP address ([0057]), [deleted: soft card] personalization data for provisioning the [application] [deleted: soft card] on the device ([0011], [0027]; for example providing a new service or upgrading existing services or applications) in response to receiving [access parameters including authentication credentials] ([0052]) [deleted: a challenge response to the challenge question and the PAN from the device].

2.2 Differentiating features

The subject-matter defined in claim 1 differs from the teaching of document D1 by the following features:

- A soft card is requested wherein the request includes a personal account number (PAN).

- The transmission of the provisioning data is carried out after authentication of the requesting device including a challenge question and response.

- The provisioning configuration server comprises a database which is used to map the PAN to the issuer identification number (IIN) and the IP-address of the provisioning issuer server.

- Secure channels are used for provisioning the soft card.

2.3 The Comvik approach

It is undisputed that the features defined in claim 1 and in particular also the differentiating features represent a combination of technical and non-technical features.

Therefore the Comvik approach must be applied in the present case when assessing inventive step as set out in T 641/00 (Case Law of the Boards of Appeal of the EPO, 10th edition 2022, I.D.9.2.1 and Official Journal EPO, 7/2003, pages 352 to 364).

The appellant agreed that the Comvik approach is the correct approach for assessing inventive step in the present case. However, it saw the separation between the technical and non-technical features differently from the board.

In the board's view, the decision of what element is to be transmitted over the air, e.g. a soft card or an application, is a purely administrative decision. It is also a purely administrative decision if the transmission of specific data needs to be carried out using a secured channel or not. The same applies for authentication and the use of a challenge question for authentication. Finally, the board even considers the link between a personal account number and an issuer identification number and the relevant server's IP-address representing an administrative relation and not a technical routing information as asserted by the appellant. These viewpoints are further elaborated below under point 2.5 with sub-points.

2.4 Objective technical problem - technical effect

According to the Comvik approach, the non-technical features of a claim may be incorporated as a requirement specification in the formulation of the

problem to be solved. With this in mind and when starting from document D1, the board formulates the objective technical problem as follows:

"The secure over the air provisioning of a soft card related to a specific bank account".

2.5 Obviousness

2.5.1 When starting from the teaching of document D1, the business person prescribes that the new application should be a soft card and further provides the business constraints that all necessary security requirements should be met in order to protect the user's bank account and to link the soft card to the correct bank account.

2.5.2 Therefore, the first differentiating feature mentioned above, namely the provisioning of a soft card instead of an application (or a new service), is a non-technical feature as it is the consequence of the purely administrative stipulation of the business person. A soft card is necessarily linked to a personal account number (PAN) in order to debit the correct account when using the soft card. Therefore, the inclusion of a PAN in the request is a non-technical feature which the business person prescribes in order to allow correct assignments. Since this first differentiating feature is non-technical and no further technical effect can be related to it, it cannot provide a basis for an inventive step.

2.5.3 Directly related to this non-technical administrative stipulation to provide a soft card are the second and fourth differentiating features mentioned above. The implementation of a soft card request requires security measures that are realised by the second and fourth differentiating features. The use of a secure channel, the authentication of the requesting device, and the security protection using challenge question and response are technical implementations of the non-technical business requirements which the business person indicates in relation with the soft card request. These two differentiating features are therefore direct consequences of non-technical requirements in relation with the first differentiating feature. Their unspecific, general definitions do not go beyond a standard straightforward implementation of the non-technical requirements and do not imply any further technical effect. Hence, neither the second nor the fourth differentiating feature can contribute to inventive step, either.

2.5.4 Next, when solving the objective technical problem mentioned above, the skilled person when starting from document D1 would realise that a one-to-one correspondence has to be established between the soft card and the bank account, the provisioning issuer server, in order to debit the correct bank account when using the soft card.

Hence, the requirement of a one-to-one correspondence between the delivered soft card and the provisioning issuer server, instead of a one-to-a-plurality correspondence as known from document D1, is directly linked to the decision that the over the air delivered item is a soft card and not like in document D1 any standardised application. A soft card cannot be linked to a plurality of servers like it is possible for a standardised application. It is a business requirement that a soft card has to be securely linked to an individual bank account which in turn is linked to an individual bank server, namely the provisioning issuer server. Consequently, the one-to-one correspondence between the soft card and the provisioning issuer server is related to a business requirement and cannot contribute to inventive step, either.

Having the set-up of the network known from document D1 in mind, the skilled person immediately realises that this necessary one-to-one correspondence between the soft card and the provisioning issuer server should not be obtained by giving up the provisioning configuration server as an intermediary authority, as asserted by the appellant. The link between the soft card for the requesting device and the corresponding bank account, so the one-to-one correspondence, has to be established at the provisioning configuration server known from document D1 for the following reasons. The provisioning configuration server acts like an intermediary distribution point that links a specific soft card to the associated bank account. The provisioning configuration server centralises possible requests from different mobile devices to different banks thereby distributing the correct soft card to the corresponding bank account at the provisioning issuer server. Due to this specific configuration the control over the delivered soft cards remains with the provisioning configuration server which is considered to be associated with the card managing company, e.g. Mastercard. Therefore the specific construction already known from document D1 using the provisioning configuration server guarantees not only that the correct link between the soft card and the relevant bank is provided but also that the card managing company keeps control over the distributed soft cards. Therefore, contrary to the appellant's allegation that the skilled person would go back to a direct one-to-one relationship between the soft card and the provisioning issuer server without an intermediary authority represented by the provisioning configuration server is not convincing. Based on document D1, the skilled person would maintain the configuration known from this document, because it would recognise that a one-to-one correspondence is mandatory, and, in particular, that it is advantageous to determine the correct one-to-one correspondence at the provisioning configuration server acting as an intermediary authority.

In the next step, when implementing this one-to-one correspondence at the provisioning configuration server, it appears obvious for the skilled person to use a database for this purpose. It is common general knowledge that any correspondence between two entities according to predefined assignment rules can be straightforwardly implemented using a database. Therefore, the use of a database and its location at the provisioning configuration server are obvious implementations and adaptations of the teaching of document D1 in combination with the non-technical business constraint of delivering a soft card. Therefore, neither the use of a database nor its location at the provisioning configuration server can provide a basis for inventive step. Theses features do not provide any further technical effect which provide a basis for an inventive step, either.

2.5.5 Remains the question if the particular use of the PANs, IINs and IP-addresses in the database are inventive technical contributions. The answer is no, for the following reasons. Contrary to the appellant's assertion that PANs, IINs and IP-addresses represent technical routing information, the board considers that the links between the PANs and the IINs are administrative pieces of information provided by the business person. In the banking domain it is known that the PANs provide not only information about the personal bank account, but some of its digits indicate the bank company and the specific bank agency. In this way, a PAN represents administrative information of how a unique link between the requesting device to its individual bank can be established. It is also administrative information that the IINs are a unique identifier of a specific bank. Therefore, it is the business person that provides the constraint that the PANs can be directly linked to the IINs, contrary to the appellant's assertion that the link between these two numbers represents technical routing information. These data are administrative, but are in the present case used by the technical skilled person for routing due to information obtained from the business person. Finally, it is part of the common general knowledge of the skilled person to link the individual bank with its IIN to the technically access address being the IP address of the server of the bank. Therefore, the construction of the database including PANs, IINs and IP-addresses is partly non-technical knowledge and partly part of the common general knowledge of the skilled person, so that the construction of the database as defined in claim 1 cannot provide any contribution to inventive step. In addition, no further technical effect is identifiable due to the specific construction of the database, so that the third differentiating feature cannot provide a basis for inventive step, either.

2.5.6 It is true, that a plurality of adaptations has to be made when starting from document D1 in order to arrive at the subject-matter defined in claim 1. However, the number of adaptations as such cannot be an indication of the presence of an inventive step or not. All these adjustments are either related to administrative requirements or are standard measures based on obvious considerations that are part of the common general knowledge of the skilled person.

2.5.7 In summary, none of the four differentiating features can contribute to inventive step, as all four features are either direct consequences of a non-technical constraint or obvious, straightforward implementations based on the common general knowledge of the skilled person.

2.6 In conclusion, the subject-matter defined in claim 1 does not involve an inventive step (Article 52(1) and 56 EPC).

3. The board therefore judges that the appeal must fail because claim 1 of the main request, which is the only request on file at the end of the oral proceedings, does not fulfil the requirements of the EPC.

Order

For these reasons it is decided that:

The appeal is dismissed.