Acknowledgments
The amendment filed on 10/09/2020 is acknowledged.
Claims 1-2, 8-9, 15-16, and 21-33 are pending.
Claims 1-2, 8-9, 15-16, and 21-30 are amended.
Claims 31-33 are new.
Claims 1-2, 8-9, 15-16, and 21-33 have been examined.
References to the specification are to the pre-grant publication, US Pub. No. 2019/0147440 (“PG Pub.”).

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments/Arguments
35 U.S.C. 101
Applicant argues that the claims are patent eligible because they recite a practical application by reciting meaningful limitations that reflect an improvement in the functioning of a computer, or an improvement to other technology or technical field, and specifically a practical application that improves the operation of a transaction network and transaction network devices by implementing secured account provisioning and payments for NFC-enabled devices. Applicant Arguments/Remarks, filed 04/14/2020 (“Remarks”), p. 13. However, Examiner respectfully disagrees. The judicial exception is not integrated into a practical application because, when analyzed under prong two of Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional elements of the claim, such as at least one computing device, near-field communication-enabled user device, server root key, device fingerprint, encryption key, message authentication code key, and decryption key, merely serve as tools to perform the combination of the abstract ideas of decrypting a request and encrypting its response and determining that a device passes a risk check, and/or generally link the use of a judicial exception to a particular technological environment.
Applicant argues that the claims are patent eligible because the specific combination of limitations are indicative of an inventive concept under step 2B of the 2019 Eligibility Guidance. Remarks, pp. 14-16. However, Examiner respectfully disagrees. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), using the additional elements of at least one computing device, near-field communication-enabled user device, server root key, device fingerprint, encryption key, message authentication code key, and decryption key to perform the steps amounts to no more than using a computer or processor to automate and/or implement the combination of the abstract ideas of decrypting a request and encrypting its response and determining that a device passes a risk check, which, according to the MPEP, cannot provide significantly more than the abstract idea itself. MPEP 2106.05(I)(A)(f) & (h). Hence, the claim is not patent eligible.

35 U.S.C. 102
Applicant’s argues, as per claim 8, that Chandoor fails to show or suggest at least “determining, by at least one computing device, that a near-field communication (NFC)-enabled user device passes an initial risk check for receiving secure provisioning data. However, Chandoor teaches the system of claim 8, and therefore it is sufficient in terms of art.
Claim 8 is directed to “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured to cause the at least one computing device to at least...”. Features of an apparatus may be recited either structurally or functionally. MPEP 2114(I); In re Schreiber, 128 F.3d 1473, 1478, 44 USPQ2d 1429, 1432 (Fed. Cir. 1997). A claim containing a recitation with respect to the manner in which a claimed apparatus is intended to be employed does not differentiate the claimed apparatus from the prior art apparatus if the prior art apparatus teaches all of the structural elements of the claim. MPEP 2114(II). See MPEP 2103(I)(C). Here, “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured…” is structural language. However, “to cause the at least one computing device to at least: determine… decrypt… retrieve… generate… generate… by: encrypting… encrypting… digitally signing… and transmit…” is language that describes the intended use of the system, and accordingly does not limit the claim. Therefore, as Chandoor teaches a system comprising at least one computing device (Fig. 3, 300); and at least one 

35 U.S.C. 103
Applicant’s arguments regarding the rejection of the claims under 35 U.S.C. 103 have been considered. However, they are unpersuasive.
Applicant submits that Chandoor fails to disclose that transaction account data includes a limited use payment credential, as “Chandoor does not teach or suggest that access data is equivalent to a limited use payment credential”. Applicant Arguments/Remarks, p. 19. However, Chandoor col. 4, ln. 1-32, provide that “access data” “can be account information for a payment account. Account information may include an identifier such as a primary account number (PAN), verification values (e.g. CVV, CVV2, dCVV, dCVV2), or other account data can be used to verify an account.”
Applicant submits that Chandoor in view of Cockerill, LeSaint, and McDonald does not disclose the limitation “encrypting, by the at least one computing device, the LUPC in the transaction account data using the DEK key.” However, Examiner respectfully disagrees. Chandoor discloses “encrypting, by the at least one computing device, the LUPC in the transaction data…” (col. 10, ln. 35-52; col. 11, ln. 20-61). Chandoor in view of Cockerill and LeSaint does not teach encryption using a data encryption key. However, McDonald teaches encryption using a data encryption key (Fig. 3, step 308; col. 6, ln. 22-53). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor in view of Cockerill and LeSaint with the generating an 

Examiner Comments
Not Positively Recited
Claim 2 recites “… the NFC-enabled user device that performs…”.
Claim 22 recites “whether the NFC-enabled user device has been tampered, whether one or more provisional requests… were denied, or a frequency of provisional requests being received...”.
Claim 32 recites “receiving…; validating…; and granting… to selecting… for provisioning…”.
These limitations are not positively recited. See In re Wilder, 166 USPQ 545 (C.C.P.A. 1970) (“Employing, if we may, a syllogistic analysis to answer appellant’s arguments, we start with the proposition that claims cannot be obtained to that which is not new. This was the basis of the holding in In re Thuau. It was the law then, is now and will be until Congress decrees otherwise. So the first inquiry must be into exactly what the claims define. Towards that goal, we state the next proposition, which is that every limitation positively recited in a claim must be given effect in order to determine what subject matter that claim defines.”).

Intended Use
Claim 8 is directed to “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured to cause the at least one computing device to at least...”. Features of an apparatus may be recited either structurally or functionally. MPEP 2114(I); In re Schreiber, 128 F.3d 1473, 1478, 44 USPQ2d 1429, 1432 (Fed. Cir. 1997). A claim containing a recitation with respect to the manner in which a claimed apparatus is intended to be employed does not differentiate the claimed apparatus from the prior art apparatus if the prior art apparatus teaches all of the structural elements of the claim. MPEP 2114(II). See MPEP 2103(I)(C). Here, “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured…” is structural language. However, “to cause the at least one computing device to at least: determine… decrypt… retrieve… generate… generate… by: encrypting… encrypting… digitally signing… and transmit…” is language that describes the intended use of the system, and accordingly does not limit the claim.
Claims 31-33 recite “and granting… for provisioning…”. These are statements of the intended use of the claimed invention that do not require any steps or functions to be performed. Language that suggests or makes a feature or step optional but does not require that feature or step does not limit the scope of the claim under the broadest reasonable claim interpretation. An example of such language includes statements of intended use or field of use. MPEP 2103(I)(C).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-2, 8-9, 15-6, and 21-33 are rejected under 35 U.S.C. 101 because they are directed to an abstract idea without significantly more.
Claims 1-2, 21-25, and 31 are directed to a method, claims 8-9, 16-28, and 32 are directed to a system comprising at least one computing device, and claims 15-16, 29-30, and 33 are directed to an article of manufacture including a non-transitory, tangible computer-readable storage medium. Therefore, these claims fall within the four statutory categories of invention.
Claim 1 is directed to decrypting a request and encrypting its response, which is an abstract idea. Specifically, the claim recites “decrypting, by at least one [computing device], an encrypted account provisioning request with a [server] root key, wherein the encrypted account provisioning request comprises data indicating a provisioning account and a [device fingerprint], and the encrypted account provisioning request is received from the [NFC-enabled user device]; retrieving, by the at least one [computing device], transaction account data including a limited use payment credential (LUPC), the transaction account data being retrieved based at least in part on the provisioning account; generating, by the at least one [computing device], an encryption (ENC) key, a message authentication code (MAC) key, and a data encryption key (DEK) key based on the [device fingerprint] and the [server] root key; generating, by the at least one Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claim recites mathematical relationships and mathematical calculations. Accordingly, the claim recites an abstract idea. See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019).
Additionally, claim 1 is directed to determining that a device passes a risk check, which is an abstract idea. Specifically, the claim recites “determining, by the at least one [computing device], that a [near-field communication (NFC)-enabled user device] passes an initial risk check for receiving secure provisioning data”, which is grouped within the “mental processes” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claim recites concepts performed in the human mind (including an observation, evaluation, judgment, opinion). Accordingly, the claim recites an abstract idea. See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019).
Furthermore, merely combining several abstract ideas does not render the combination any less abstract. RecogniCorp, LLC v. Nintendo Co., Ltd., 855 F.3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea (math) to another abstract idea . . . does not render the claim non-abstract.”); see also FairWarning IP, LLC v. Iatric Sys., Inc., 839 F.3d 1089, 1093-94 (Fed. Cir. 2016) (determining the pending claims were directed to a combination of abstract ideas). Accordingly, the claim is directed to the combination of the abstract ideas of decrypting a request and encrypting its response and determining that a device passes a risk check.
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional elements of the claim, such as a computing device, near-field communication-enabled user device, server, and device fingerprint, merely serve as tools to perform the abstract idea and/or generally link the use of a judicial exception to a particular technological environment.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), using the additional elements to perform the steps amounts to no more than using a computer or processor to automate and/or implement the combination of the abstract ideas of decrypting a request and encrypting 
Claim 8 recites the additional element of at least one computing device, and claim 15 recites the additional elements of a non-transitory, tangible computer readable storage medium and a computer-based system. However, these additional elements do no more than serve as tools to perform the abstract idea and/or generally link the use of a judicial exception to a particular technological environment, and the additional elements do no more than use a computer or processor to automate and/or implement the combination of the abstract ideas of decrypting a request and encrypting its response and determining that a device passes a risk check. Claims 8 and 15 are also not patent eligible. 
Dependent claims 2, 9, 16, and 21-33 further describe the combination of the abstract ideas of decrypting a request and encrypting its response and determining that a device passes a risk check. The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea. Therefore, the dependent claims are also not patent eligible.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 2, 8, 9, 15, 16, and 21-33 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.

Lack of Algorithm
Claims 1, 8, and 15 fail to comply with the written description requirement because the specification does not provide the algorithm or steps/procedures for claimed functions. The algorithm or steps/procedures taken to perform a function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. MPEP 2161.01(I).
Claims 1, 8, and 15 recite “decrypting… data indicating…”. The specification does not provide the algorithm or steps/procedures for how data may itself perform an action, in this case, “indicating…”.
Dependent claims 2, 9, 16, and 21-33 accordingly also fail to comply with the written description requirement.

New Matter
Claims 31-33 fail to comply with the written description requirement because they recite limitations that lack support in the original disclosure. MPEP 706.03(o), 2163.06(I); Waldermar Link, GmbH & Co. v. Osteonics Corp., 32 F.3d 556, 559, 31 USPQ2d 1855, 1857 (Fed. Cir. 1994); In re Rasmussen, 650 F.2d 1212, 211 USPQ 323 (CCPA 1981).
Claims 31-33 recite “receiving login information from the NFC-enabled user device; validating the login information; and granting the NFC-enabled user device access to selecting a transaction account for provisioning on the NFC-enabled user device”. These limitations are not supported in the original disclosure.

The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8-9, 15-16, 22, 26-30, and 32-33 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Hybrid Claiming
Claims 8-9, 15-16, 26-27, and 32-33 are indefinite because they claim both an apparatus and the method steps of using the apparatus. MPEP 2173.05(p)(II).
Claim 8 recites “at least one application being configured…”, “decrypt… data indicating…”, and “generate… for near-field communication enabled payments...”.
Claim 9 recites “the at least one application is further configured” and “invoke… wherein the attestation service is configured to perform…”.
Claims 26 and 32 recite “wherein the at least one application is further configured…”.
Claim 27 recites “wherein the application is further configured…”.
Claim 32 recites “grant the NFC-enabled user device access to selecting...”.
These limitations cause confusion regarding when infringement occurs, either because it is unclear whether infringement depends on use of claimed structure or on its functionality, or because the limitations recite actions that are not attributable to any claimed structure, and the claims are therefore indefinite. See IPXL Holdings v. Amazon.com, Inc., 430 F.3d 1377, 77 USPQ2d 1140 (Fed. Cir. 2005); UltimatePointer, LLC v. Nintendo Co., 118 USPQ2d 1125 (Fed. Cir. 2016); Rembrandt Data Techs., LP v. AOL, LLC, 641 F.3d 1331, 98 USPQ2d 1393 (Fed. Cir. 2011).
Claims 15 recites “decrypt… data indicating…”, and “generate… for near-field communication enabled payments...”.
Claims 16 recites “invoke… wherein the attestation service is configured to perform…”.
Claim 33 recites “grant the NFC-enabled user device access to selecting
These limitations cause confusion regarding when infringement occurs, either because it is unclear whether infringement depends on use of claimed structure or on its functionality, or because the limitations recite actions that are not attributable to any claimed structure, and the claims are therefore indefinite. See IPXL Holdings v. Amazon.com, Inc., 430 F.3d 1377, 77 USPQ2d 1140 (Fed. Cir. 2005); UltimatePointer, LLC v. Nintendo Co., 118 USPQ2d 1125 (Fed. Cir. 2016); Rembrandt Data Techs., LP v. AOL, LLC, 641 F.3d 1331, 98 USPQ2d 1393 (Fed. Cir. 2011).
Dependent claims 9, 16, 26-30, and 32-33 are also indefinite.

Lack of Antecedent Basis
Claim 22 recites “wherein the determining…”. There is insufficient antecedent basis for this limitation in the claims.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the 

Claims 8-9, 26-28, and 32 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chandoor et al., US Pat. No. 10,243,958 (“Chandoor”).
Claim 8 is directed to “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured to cause the at least one computing device to at least...”. Features of an apparatus may be recited either structurally or functionally. MPEP 2114(I); In re Schreiber, 128 F.3d 1473, 1478, 44 USPQ2d 1429, 1432 (Fed. Cir. 1997). A claim containing a recitation with respect to the manner in which a claimed apparatus is intended to be employed does not differentiate the claimed apparatus from the prior art apparatus if the prior art apparatus teaches all of the structural elements of the claim. MPEP 2114(II). See MPEP 2103(I)(C). Here, “A system comprising: at least one computing device; and at least one application executable by the at least one computing device, the at least one application being configured…” is structural language. However, “to cause the at least one computing device to at least: determine… decrypt… retrieve… generate… generate… by: encrypting… encrypting… digitally signing… and transmit…” is language that describes the intended use of the system, and accordingly does not limit the claim. Therefore, as Chandoor teaches a system comprising at least one computing device (Fig. 3, 300); and at least one application executable by the at least one computing device (col. 18, ln. 3-21), it is sufficient in terms of art.
Claims 9-10, 26-28, and 32 further recite the intended use of the system (“the at least one application is further configured to cause...” and “wherein the account .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a application may not be obtained, notwithstanding that the application is not identically disclosed as set forth in section 102, if the differences between the application and the prior art are such that the application as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the application pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 8-9, 15-16, and 21-23, and 25-33 are rejected under 35 U.S.C. 103 as being unpatentable over Chandoor in view of Cockerill et al., US Pat. No. 10,218,697 (“Cockerill”), LeSaint et al., US Pub. No. 2016/0218875 (“LeSaint”), and McDonald, US Pat. No. 9,167,425 (“McDonald”).
As per claims 1, 8, and 15, Chandoor teaches:

	decrypting, by at least one computing device, an encrypted account provisioning request (col. 9, ln. 26-45; col. 14, lines 20-40)…, wherein the encrypted account provisioning request comprises data indicating a provisioning account and a device fingerprint, and the encrypted account provisioning request is received from the… user device (col. 8, ln. 6-29; col. 9, ln. 9-25; col. 11, ln. 20-58; col. 13, ln. 43-49; col. 14, ln. 4-8);
	retrieving, by at least one computing device, transaction account data including a limited use payment credential (LUPC), the transaction account data being retrieved based at least in part on the provisioning account (col. 11, ln. 20-58; col. 13, ln. 43-49)…
	… the at least one computing device… based on the device fingerprint (col. 11, ln. 20-61)…;
	generating, by the at least one computing device, an encrypted account payload by:
	encrypting, by the at least one computing device, the LUPC in the transaction account data using (col. 10, ln. 35-52; col. 11, ln. 20-61)…; 
	… the at least one computing device… the transaction account data (col. 4, ln. 1-32; col. 6, ln. 34-42; col. 10, ln. 3-52; col. 11, ln. 20-58)… encryption of the LUPC (col. 10, ln. 35-52; col. 11, ln. 20-61); and
	… the at least one computing device… the encrypted transaction account data… (col. 4, ln. 1-32; col. 6, ln. 34-42; col. 10, ln. 3-52; col. 11, ln. 20-58); and

	Chandoor also teaches a user device (Fig. 2, 201) with a contactless interface (Fig. 2, 208) including one or more RF receivers (col. 7, ln. 53-59), but does not specifically teach an NFC-enabled user device. Chandoor also does not teach:
	determining, by…, that a near-field communication (NFC)-enabled [user device] passes an initial risk check for….
	... a server root key...
	generating, by… an encryption (ENC) key, a message authentication code (MAC) key, and a data encryption key (DEK) key… and the server root key…; 
	... the DEK key…; 
	encrypting, by… using the ENC key following…
	digitally signing, by… using the MAC key.
	However, Cockerill teaches determining, by… that a near field communication (NFC)-enabled [user device] (Fig. 1, 149; col. 46, ln. 37-43; col. 47, ln. 2) passes an initial risk check for (col. 5, ln. 55-57; col. 11, ln. 65 – col. 12, ln. 60; col. 19, ln. 5-11, 54-60)….
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor with the NFC-enabled user device and risk check taught by Cockerill because this would provide a manner for securing mobile communications (Cockerill, col. 2 ln. 56-57), thus aiding the user by helping to prevent exploits from taking advantage of security vulnerabilities associated with a mobile device (col. 1, ln. 46-48).

	 ... a server root key...
	generating, by… an encryption (ENC) key, a message authentication code (MAC) key, and a data encryption key (DEK) key… and the server root key…; 
	... the DEK key…; 
	encrypting, by… using the ENC key following…
	digitally signing, by… using the MAC key. 	
	However, LeSaint teaches:
	… a server root key... (para. 117-18); 
	… and the server root key…(para. 117-18); 
	encrypting, by… using… following (para. 205-06)…; 
	digitally signing, by… using the MAC key (para. 205).
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor in view of Cockerill with the server root key, encrypted provisioning response data, and provisioning response protected by a message authentication code disclosed in LeSaint (para. 117-18, 205-06) because it would be a simple substitution of known elements for others -- symmetric or asymmetric encryption techniques to decrypt data (Chandoor, col. 10, ln. 35-52) -- to obtain the predictable result of decrypting an encrypted account provisioning request with a server root key, encrypting transaction account data, and digitally signing transaction account data using a MAC key.
	Chandoor in view of Cockerill and LeSaint does not teach:

	... the DEK key…; 
	… the ENC key…. 
	However, McDonald teaches: 
	generating, by the processor, an encryption (ENC) key, a message authentication code (MAC) key, and a data encryption key (DEK) key (Fig. 3, step 308; col. 6, ln. 22-53)…; 
	… the DEK key (Fig. 3, step 308; col. 6, ln. 22-53)…;
	... the ENC key (Fig. 3, step 308; col. 6, ln. 22-53)…. 	
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor in view of Cockerill and LeSaint with the generating an ENC key, MAC key, and DEK key disclosed in McDonald because it would be a simple substitution of a known element, the generation of ENC, MAC, and DEK keys (McDonald, Fig. 3, step 308; col. 6, ln. 22-26), for another, generating access data based on actual credentials or account information such as a device ID, etc. (Chandoor, col. 2, ln. 20-58), in order to obtain the predictable result of generating an ENC key, a MAC key, and a DEK key based on the device fingerprint and the server root key. 
As per claims 2, 9, and 16, Chandoor teaches … the at least one computing device… the… user device… receiving the encrypted account provisioning request (col. 9, ln. 26-45; col. 14, lines 20-41). 

	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor with the NFC-enabled user device and risk check taught by Cockerill because this would provide a manner for securing mobile communications (Cockerill, col. 2 ln. 56-57), thus aiding the user by helping to prevent exploits from taking advantage of security vulnerabilities associated with a mobile device (col. 1, ln. 46-48).
As per claims 21 and 26, Chandoor teaches … the at least one computing device (Fig. 3, 300)… the… user device (Fig. 2, 201)… user device (Fig. 2, 201)….
	Chandoor teaches a user device (Fig. 2, 201) with a contactless interface (Fig. 2, 208) including one or more RF receivers (col. 7, ln. 53-59), but does not specifically teach an NFC-enabled user device. Chandoor also does not teach receiving, by… risk data from the NFC-enabled [user device], wherein determining that NFC-enabled [user device] passes the initial risk check is based at least in part on the risk data. However, Cockerill teaches receiving, by… risk data from the NFC-enabled [user device] (Fig. 1, 149; col. 46, ln. 37-43; col. 47, ln. 2), wherein determining that NFC-enabled [user device] passes the initial risk check is based at least in part on the risk data (col. 12, ln. 54 – col. 13, ln. 13).

As per claims 22, 27, and 30, Chandoor teaches … the… user device…, … one or more provisional requests from the… user device…, … provisional requests being received from the… user device (col. 9, ln. 26-45; col. 14, lines 20-41).
	Chandoor teaches a user device (Fig. 2, 201) with a contactless interface (Fig. 2, 208) including one or more RF receivers (col. 7, ln. 53-59), but does not specifically teach an NFC-enabled user device. Chandoor also does not teach wherein the determining, by at least one computing device, at least one of whether the NFC-enabled [user device] has been tampered, whether… from the NFC-enabled [user device] were denied, or a frequency of… the NFC-enabled [user device]. However, Cockerill teaches wherein the determining, by at least one computing device, at least one of whether the NFC-enabled [user device] (Fig. 1, 149; col. 46, ln. 37-43; col. 47, ln. 2) has been tampered, whether… from the NFC-enabled [user device] were denied, or a frequency of… the NFC-enabled [user device] (col. 70, ln. 13-24).
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor with the NFC-enabled user device and risk check taught by Cockerill because this would provide a manner for securing mobile communications (Cockerill, col. 2 ln. 
As per claims 23 and 29, Chandoor teaches wherein the device fingerprint comprises one or more user device attributes comprising at least one of a media access control (MAC) address, one or more operating system attributes, an application build identifier, a build serial number, or a subscriber identification module (SIM) card identifier (col. 6, ln. 48-58).
As per claims 25 and 28, Chandoor teaches wherein the account transaction data comprises at least one of a transaction account number, user account access data, a transaction account identifying data, a card security code, a card verification value, or a transaction account balance (col. 15, ln. 15-27).
As per claims 31-33, Chandoor teaches receiving login information from the… user device (col. 8, ln. 6-41); validating the login information (col. 8, ln. 6-41); and granting the… user device access to selecting a transaction account for provisioning on the… user device (col. 8, ln. 6-29).	
	Chandoor teaches a user device (Fig. 2, 201) with a contactless interface (Fig. 2, 208) including one or more RF receivers (col. 7, ln. 53-59), but does not specifically teach an NFC-enabled user device. However, Cockerill teaches an NFC-enabled user device (Fig. 1, 149; col. 46, ln. 37-43; col. 47, ln. 2).
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor with the NFC-enabled user device taught by Cockerill because this would provide a manner for securing mobile communications (Cockerill, col. 2 ln. 56-57), thus .
Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Chandoor in view of Cockerill, LeSaint, and McDonald and further in view of Guo et al., US Pub. No. 2017/0289139 (“Guo”).
	Chandoor teaches … the device fingerprint… the one or more user device attributes (col. 3, ln. 46-49; col. 6, ln. 48-58; col. 11, 37-38).
	Chandoor in view of Cockerill, LeSaint, and McDonald does not teach wherein… comprises a hash of…. However, Guo teaches wherein… comprises a hash of (para. 75)….
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the method taught by Chandoor in view of Cockerill, LeSaint, and McDonald with the device fingerprint formed by hash values of attributes taught by Guo (Guo, para. 75) because this would help to improve reliability of device verification (para. 4).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	“Message Authentication Code (MAC),” entry in the glossary of the Computer Security Resource Center of the National Institute of Standards and Technology, available online at csrc.nist.gov/glossary/term/message-authentication-code, provides definitions with sources of a message authentication code.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Benjamin J Aitken whose telephone number is (571)272-8809. The examiner can normally be reached on Monday to Friday, 9:00 AM to 5:00 PM EST.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin L Hewitt can be reached on (571) 272-6709. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published 






/B.J.A./Examiner, Art Unit 3685 
/Mohammad A. Nilforoush/Primary Examiner, Art Unit 3685