This decision concerns over-the-air (OTA) provisioning of soft cards. The Board did not grant a patent, because the distinguishing features were considered either mere technical implementations of non-technical business requirements or direct consequences of these business requirements.
Here are the practical takeaways from the decision T 0991/19 (Over the air provisioning of soft cards on devices with wireless communications capabilities/MASTERCARD) of February 16, 2023, of the Technical Board of Appeal 3.4.03.
The invention is a system that provides over the air (OTA) soft cards from a card issuer 116 to an application 102 residing on a device with wireless communication capabilities. A user may initiate the provisioning of a soft card via a user interface of the device. The provisioning server 108 receives the request. Once the device is authenticated, a card issuer 116 associated with the requested soft card is identified by means of a card identifier included in the request. Once the card issuer 116 is identified, the IP address of the corresponding provisioning server 110 associated with the identified card issuer 116 is determined and the IP address together with a challenge question is transmitted to the device over an air interface. Once the provisioning server 110 receives the corresponding challenge question and a personal account number (PAN) from the device, the server 110 provides the soft card information to the device.
Fig. 1 of EP 2 937 829 A1
Claim 1 of Main Request
A method for over the air (OTA) provisioning of a soft card on a device having wireless communications capabilities using a provisioning configuration server (108), the method comprising:
at the provisioning configuration server (108):
(a) storing, in a database, a plurality of issuer identification numbers associated with a plurality of different card issuers, wherein each of the plurality of issuer identification numbers is mapped to a respective issuer server address;
(b) receiving, from a soft card provisioning application (102) on the device with wireless communications capabilities, a soft card request for provisioning a soft card on the device, the request including a card identifier that includes a personal account number (PAN);
(c) authenticating the device;
(d) in response to authenticating the device, performing a lookup in the database based on the card identifier to identify a card issuer associated with the soft card request from among the plurality of different card issuers, wherein performing the lookup in the database includes retrieving an issuer identification number (IIN) from the PAN and using the IIN to identify an Internet protocol (IP) address of a provisioning issuer server (110) associated with the card issuer, and wherein the database includes entries matching IINs to IP addresses of provisioning issuer servers (110) associated with the plurality of card issuers;
(e) in response to determining the card issuer, communicating both the IP address of the provisioning issuer server (110) associated with the card issuer and a challenge question to the device over an air interface; and
(f) sending, from the provisioning issuer server (110) associated with the card issuer, to the device over a secure channel established using the IP address, soft card personalization data for provisioning the soft card on the device in response to receiving a challenge response to the challenge question and the PAN from the device.
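The message flow of steps (a) to (f), as an added sketch that is not code from the application, the decision or this post. The token-based device authentication, the fixed challenge question, the issuer-side answer table and every sample value are assumptions made for illustration; the secure channel of step (f) is not modelled.

```python
import hmac

IIN_LENGTH = 6  # per the appellant: the first six PAN digits are routing information

class ConfigServer:
    """Provisioning configuration server (108), claim steps (a) to (e)."""
    def __init__(self, iin_to_address, device_tokens, question):
        self.iin_to_address = dict(iin_to_address)  # (a) IIN -> issuer server address
        self.device_tokens = dict(device_tokens)    # assumed: shared per-device token
        self.question = question                    # assumed: one fixed question

    def handle_request(self, device_id, token, pan):
        expected = self.device_tokens.get(device_id)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            raise PermissionError("device not authenticated")   # (c) fails closed
        if not (pan.isascii() and pan.isdigit()) or len(pan) <= IIN_LENGTH:
            raise ValueError("malformed PAN")
        address = self.iin_to_address.get(pan[:IIN_LENGTH])     # (d) lookup by IIN
        if address is None:
            raise LookupError("no issuer registered for this IIN")
        return address, self.question                           # (e)

class IssuerServer:
    """Provisioning issuer server (110), claim step (f)."""
    def __init__(self, answers):
        self.answers = dict(answers)  # assumed: PAN -> expected challenge response

    def provision(self, pan, response):
        expected = self.answers.get(pan)
        if expected is None or not hmac.compare_digest(expected.encode(), response.encode()):
            raise PermissionError("challenge response or PAN rejected")
        return {"pan_last4": pan[-4:], "state": "personalized"}

def provision_soft_card(config, issuers, device_id, token, pan, answer):
    """Device-side flow: ask 108 where to go, then answer the challenge at 110."""
    address, _question = config.handle_request(device_id, token, pan)
    return issuers[address].provision(pan, answer)

# Constructed sample data: documentation-range addresses, made-up PANs and tokens.
CONFIG = ConfigServer({"999901": "192.0.2.10", "999902": "198.51.100.20"},
                      {"device-1": "tok-abc"}, "Name of your first school?")
ISSUERS = {"192.0.2.10": IssuerServer({"9999010000000001": "Elm Street"}),
           "198.51.100.20": IssuerServer({})}
```

The ordering mirrors the claim: the lookup in (d) happens only after authentication in (c), and the issuer server releases personalization data only when both the PAN and the challenge response match.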
Is it patentable?
Both the Board in charge and the Appellant agreed that claim 1 differs from the closest prior art by the following features:
- A soft card is requested wherein the request includes a personal account number (PAN).
- The transmission of the provisioning data is carried out after authentication of the requesting device including a challenge question and response.
- The provisioning configuration server comprises a database which is used to map the PAN to the issuer identification number (IIN) and the IP-address of the provisioning issuer server.
- Secure channels are used for provisioning the soft card.
It was also common ground that the claim represents a combination of technical and non-technical features. Therefore, the COMVIK approach had to be applied (see our post “What is the COMVIK approach?” for further details). However, there was disagreement with respect to the separation between technical and non-technical features.
The appellant argued as follows:
The present invention deals with a system wherein the PAN did not present non-technical business data related to the personal account, but concerned technical routing information.
The appellant underpinned this statement by stating:
The PAN represents a data package wherein the first six digits of the PAN are routing information which allowed a link between the specific bank and the soft card.
Accordingly, the appellant argued that the claimed subject-matter involves an inventive step for the following reasons:
D1 does not teach a one-to-one correspondence between the application at the device side and the provisioning issuer server at the bank side.
Instead, the applications of D1 refer to standardised applications stored at a plurality of servers.
Accordingly, the skilled person would rather go back to a direct one-to-one correspondence between the device and the card issuer, instead of reducing the one-to-a-plurality correspondence between the device and the provisioning issuer server including an interposed provisioning configuration server.
In addition, the system set-up of D1 does not foresee a database at the provisioning server.
Due to the fact that many adaptions have to be made to the system of D1 to arrive at the claimed subject-matter, this plurality of adaptions indicates the presence of an inventive step.
However, the Board did not follow the arguments presented by the appellant and instead argued:
The first differentiating feature mentioned above, namely the provisioning of a soft card instead of an application (or a new service), is a non-technical feature as it is the consequence of the purely administrative stipulation of the business person. A soft card is necessarily linked to a personal account number (PAN) in order to debit the correct account when using the soft card. Therefore, the inclusion of a PAN in the request is a non-technical feature which the business person prescribes in order to allow correct assignments.
Since this first differentiating feature is non-technical and no further technical effect can be related to it, it cannot provide a basis for an inventive step.
With respect to the second and fourth distinguishing features, the Board argued:
Directly related to this non-technical administrative stipulation to provide a soft card are the second and fourth differentiating features mentioned above. The implementation of a soft card request requires security measures that are realised by the second and fourth differentiating features. The use of a secure channel, the authentication of the requesting device, and the security protection using challenge question and response are technical implementations of the non-technical business requirements which the business person indicates in relation with the soft card request.
Accordingly, the Board concluded that the second and fourth features could not contribute to an inventive step either.
Regarding the third feature, the Board argued:
The requirement of a one-to-one correspondence between the delivered soft card and the provisioning issuer server, instead of a one-to-a-plurality correspondence as known from document D1, is directly linked to the decision that the over the air delivered item is a soft card and not like in document D1 any standardised application. A soft card cannot be linked to a plurality of servers like it is possible for a standardised application.
It is a business requirement that a soft card has to be securely linked to an individual bank account which in turn is linked to an individual bank server, namely the provisioning issuer server. Consequently, the one-to-one correspondence between the soft card and the provisioning issuer server is related to a business requirement and cannot contribute to inventive step, either.
When implementing this one-to-one correspondence at the provisioning configuration server, it appears obvious for the skilled person to use a database for this purpose. It is common general knowledge that any correspondence between two entities according to predefined assignment rules can be straightforwardly implemented using a database.
Therefore, the use of a database and its location at the provisioning configuration server are obvious implementations and adaptations of the teaching of document D1 in combination with the non-technical business constraint of delivering a soft card.
Finally, the Board addressed the appellant's argument that a plurality of adaptations was necessary to arrive at the claimed subject-matter:
It is true, that a plurality of adaptations has to be made when starting from document D1 in order to arrive at the subject-matter defined in claim 1. However, the number of adaptations as such cannot be an indication of the presence of an inventive step or not.
All these adjustments are either related to administrative requirements or are standard measures based on obvious considerations that are part of the common general knowledge of the skilled person.
Therefore, the Board decided that the subject-matter of the claims was not inventive and the appeal was dismissed.
You can read the full decision here: T 0991/19 (Over the air provisioning of soft cards on devices with wireless communications capabilities/MASTERCARD) of February 16, 2023, of the Technical Board of Appeal 3.4.03.