DETAILED ACTION
Acknowledgements
This office action is in response to the claim amendments filed Nov. 16, 2020.
Claims 2-4 have been canceled.
Claims 1 and 5-12 are pending.
Claims 1 and 5-12 have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Arguments
With respect to Claim Rejections - 35 USC § 103:
Applicant’s arguments with respect to Claims 1 and 5-12 have been considered but are moot in view of new grounds of rejection initiated by applicant’s amendment to the claims.

With respect to Applicant arguments/remarks made in an amendment remarks (pages 8-9):
“Regarding element (a), as explained previously, unlike what is recited in Applicant's claim 1, the identification of the communications terminal used to generate an authentication code in ZHU is not an identification of the communications terminal from which a transaction is carried out: on the contrary, it corresponds to the identification of a third-party communications terminal.”

Applicant’s arguments/remarks regarding element (a) (pages 8-9), have been considered.  The Examiner, have addressed the Applicant’s arguments. See the rejections below.

Applicant’s arguments/remarks regarding element (b): Applicant is of the opinion prior art fails to disclose (pages 11-12):
“(b ) filling in a pre-selected entry area corresponding to an entry area for a bank 
card verification code, the current authentication code…”
Regarding element (b), none of the cited documents discloses or suggests the limitations of amended independent claims according to which the current authentication code is provided in an entry area for a bank card verification code. 
The Applicant does not share the position of the Examiner when the Examiner considers, in points 30 and 31 of the Office Action, that these limitations would be taught in paragraphs [0012] and [0137] of TSUI. Paragraph [0012] of TSUI teaches only that data associated with a bank card, including a CVV code, can be obtained automatically by using a proximity based communication module. As for the passage cited by the Examiner in paragraph [0137], it only teaches that an authentication party can be called to perform authentication on the basis of parameters provided automatically in some data entry fields of an entry form…”

Applicant’s arguments/remarks with respect to element b have been considered.  The Examiner, however, respectfully disagrees.
Tsui discloses, current authentication code (e.g., a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data).
filling in a pre-selected entry area (step 306) corresponding to an entry area for a bank card verification code, [CVV/security code/unique identification code] (Tsui CVV/security code/unique identification code to be the current authentication code) (Tsui [0012], “In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data” and Fig. 3 and related text, see also [0085]-[0087], [0137] and [0066] and Fig. 3 and related text);

Tsui doesn’t explicitly discloses, the current authentication code is generated by obtaining two pieces of data for example of obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

However Varadarajan discloses: the current authentication code is generated by obtaining two pieces of data (see paragraphs [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”, [0021], “The DCV is configured and provided in the same form as the static DCV for which it is being substituted. For example, if the static CVV is a three digit number, then the dynamic CVV is generated as a three digit number”, see also [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

With respect to Applicant arguments/remarks made in the amendment remarks, Applicant is of the opinion Non-Obviousness of Claim 1 over the proposed Combination of TSUI, ZHU (pages 11-12):
“The newly cited document DHAR is used by the Examiner to contend that limitations of claim 1 reciting that, 
"taking control, by the transactional data processing device, of the display made on the 
display screen, by interrupting a requesting application used to initialize said 
payment transaction" and
"obtaining ... payment data ... when the display is under control of the transactional 
data processing device," 
would be an obvious modification of the combination of TSUI and ZHU.
1.    Regarding the limitations of independent claims reciting that the current authentication code has a bank card verification code format and is provided in an entry area for a bank card verification code. 
The Applicant maintains its position: none of the cited documents discloses or suggests these limitations of independent claims. 
Regarding this point, compared with the previous Office Action, the Examiner has only updated section 16.II.ii. of the present Office Action to quote paragraphs [0012] and [0137] of TSUI. The Examiner seems to considers, without giving any details on his 
Paragraph [0012] of TSUI teaches only that data associated with a bank card, including a CVV code, can be obtained automatically by using a proximity based communication module. As for the passage cited by the Examiner in paragraph [0137], it only teaches that an authentication party can be called to perform authentication on the basis of parameters provided automatically in some data entry fields of an entry form. Thus, neither these paragraphs of TSUI or TSUI as whole discloses formatting a current authentication code (generated as defined in claim 1) as a bank card verification code and providing such current authentication code in an entry area for a bank card verification code.
Thus, none of the cited documents teaches nor suggests diverting the primary functionality of an entry area for a bank card verification code (CVV code) to use it to transmit to a server a current authentication code which does not correspond to a conventional CVV code, but which is generated both according to an identification of a user and an identification of the communications terminal used to implement a transaction”.

Applicant’s arguments/remarks regarding Non-Obviousness of Claim 1 over the proposed Combination of TSUI, ZHU have been considered.  The Examiner, however, respectfully disagrees.
Tsui discloses, authentication code has a bank card verification code format (TSUI [0128], the examiner considers the bank card verification code format to be the a CVV value), and is provided in an entry area for a bank card verification code (TSUI [0012], “the communication device outputs this data to corresponding fields of a web page”)  to be the [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) (Tsui [0012], “In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data”, [0087], “the website typically gives the user the opportunity (306) to verify, edit, and confirm any data that was entered into the web page, regardless of whether extracted from a payment card or entered manually. The user at this point can modify, add, and/or remove data (e.g., even overriding data extracted from the payment card).” See also [0137], [0066] and [0128] and Fig. 3 and related text).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

However Varadarajan discloses, the current authentication code is generated by obtaining two pieces of data (See paragraph(s) [0021], “The DCV is configured and provided in the same form as the static DCV for which it is being substituted. For example, if the static CVV is a three digit number, then the dynamic CVV is generated as a three digit number”, [0057], “it is understood that a generally similar system could be used for other transactional processes or authorizing and authenticating systems which require verification by inputting a user identifier or an account code and/or a secondary code, such as a PIN or additional data element.” see also [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text).

Additionally, Varadarajan discloses formatting the current authentication code as a bank card verification code (See paragraph(s) [0021], “The DCV is configured and provided in the same form as the static DCV for which it is being substituted. For example, if the static CVV is a three digit number, then the dynamic CVV is generated as a three digit number”, see also paragraph [0039]-[0040]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

With respect to Applicant arguments/remarks made in the amendment remarks, Applicant is of the opinion Non-Obviousness of Claim 1 over the proposed Combination of TSUI, ZHU (pages 11-12):
“2. Regarding the limitations of independent claims reciting that the current authentication code is generated taking into account both an identification of the communications terminal and an identification of the user. 
The Applicant maintains its position: none of the cited documents discloses or suggests these limitations of independent claims.
Regarding this point, there is no difference at all between the previous Office Action and the present Office Action: arguments provided by the Examiner in the present Office 
The Applicant respectfully disagrees. In the response to the previous Office Action, the Applicant provided convincing arguments against the relevance of these paragraphs of TSUI, but these arguments have not been considered or responded to by the Examiner in the present Office Action…”

Applicant’s arguments/remarks regarding Non-Obviousness of Claim (pages 12-13), have been considered.  The Examiner, have addressed the Applicant’s arguments. See the rejections below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1 and 5-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject 

Claim 1, for example, is directed to a method for securing the processing of transaction data as it recites in claim limitation “encrypting the piece of identification data …, to generate the current authentication code”. However, claim further recites in claim limitation “filling in a pre-selected entry area corresponding to an entry area for a bank card verification code, the current authentication code”.  It is unclear to one of the ordinary skill in the art, in the manner its filing in the current authentication code without even generating the current authentication code, anther words the current authentication code was never generated. Appropriate correction is required.

Claim 1, for example, the limitation “generating, by the transactional data processing device, a current authentication code having a bank card verification code format” which renders the claims indefinite. It is unclear to a person of ordinary skill in the art, what the phrase “a bank card verification code format” is referring to. Appropriate correction is required. 

Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and 

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 and 5-12 are rejected under 35 U.S.C. 103 as being unpatentable over Tsui (US 20160026997 A1) in view of Varadarajan (US 20110184867 A1) further in view of Dhar (US 20140143151 A1).

Regarding Claim 1: Tsui discloses: A method for securing the processing of transactional data during a payment transaction, the method being implemented within a communications terminal (e.g. computing device/a client device/tablet computer/a smart phone) comprising a transactional data processing device (e.g. a dedicated app or dedicated plug-in software), wherein the method comprises (See paragraph(s) [0099] and Fig. 5 and related text):
detecting, by the transactional data processing device (e.g. a dedicated app or dedicated plug-in software), a display (e.g. screen of electronic communication device 301) of at least one entry area relating to a piece of payment data (e.g. dedicated payment card) on a display screen of the communications terminal (See paragraph(s) [0056], [0071], [0084] and Fig. 1 and Fig. 3 and related text); (See paragraph [0086], "...In a second alternative scenario, the user in step 304 taps a proximity based communications enabled payment card against his electronic communication device…In this case, the system initiates extraction of just payment data from the payment card, and places the extracted data into corresponding fields on the displayed web page on the electronic communication device.”);
activating (e.g. step 303-304), by the transactional data processing device, a contactless data reading device (e.g. proximity based communication circuitry or module of the electronic communication device) (See paragraph [0085], "...the scenario branches into one of the following two scenarios. In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device.”, see also [0086] and Fig. 1 and Fig. 3 and related text);
obtaining (e.g. step 306), by the contactless data reading device, at least one piece of payment data (e.g. payment data/information) coming from a contactless payment device (See paragraph [0085], "...In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device”, [0087], "...After the previous steps, the website typically gives the user the opportunity (306) to verify, edit, and confirm any data that was entered into the web page, regardless of whether extracted from a payment card or entered manually. The user at this point can modify, add, and/or remove data (e.g., even overriding data extracted from the payment card).”), see also [0085]-[0086] and Fig. 1 and Fig. 3 and related text;
[sends or providing], by the transactional data processing device, a [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having a bank card verification code format (e.g., a Card Verification Value ("CVV") or Card Verification Code ("CVC")), the generating comprising (See paragraph [0152], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”); (See paragraph [0131-0132], "...The third party uses the unique identifier to look up an account corresponding to the device 820, and returns authentication values from the account information. For example, the authentication values may include a ZIP or postal code, an email address, or a user name….the application sends a transaction to an authentication party”); (See paragraph [0012], "...In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.”); (See paragraph [0137], "...In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B. If the authentication process is successful (952), the transaction is approved (956). Otherwise, the transaction is declined (954). After the approval or declination, this portion of the process is complete (958). Subsequently, the product is shipped.” See also paragraph(s) [0003], [0012], [0066], [0131]-[0132], [0137] and [0152]).
obtaining a piece of identification data (e.g. a unique identifier of the mobile) of the communications terminal (See paragraph(s) [0022]); (See paragraph [0022], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0016] and [0166]); (See paragraph [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”); (See paragraph [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”); and
encrypting the piece of identification data of the communications terminal and the piece of authentication data of the user, to generate the current authentication code (See paragraph(s) [0108-0111] and [0169]); (See paragraph [0108-0111], "…a cryptographic module 532, which encrypts or decrypts data to protect the security of a user, the user's personal information, account information, and other critical information….[0109] a user authentication module 534, …the user authentication module accesses one or more biometric devices 556 for authentication. In some implementations, the user authentication module requires input of a password or personal identification number, [0110] a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device…”, see also paragraph(s) [0108[-[0111]);
filling in (e.g. step 408), at the at least one entry area (e.g. data entry fields) with at least one piece of payment data previously obtained (See paragraph(s) [0075] and [0091 and Fig. 4 and related text); (See paragraph [0075], "...In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550.”); (See paragraph [0091], "...In step 408 the entity typically gives the user 200 the opportunity to verify, edit, and confirm any data that was acquired by the entity. In some physical environments the user at step 408 can modify, add, and/or remove data manually.”); and
filling a pre-selected entry area corresponding to an entry area for a bank card verification code, the current authentication code (See paragraph [0137], "...The tap and autofill process 942 is described in more detail below in FIG. 12. Whatever data entry fields are not filled by the tap process must be entered (944) manually, and the user submits (948) the transaction. In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. In some implementations, when the Tap application 550 has permission from the user, the Tap application 550 collects and stores the information that the user manually enters. In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B.” See also [0003], [0066] and [0137] and Fig. 12 and related text).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, generating, by the transactional data processing device, a current authentication code a bank card verification code, the generating comprising (See paragraph [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”, [0057], “it is understood that a generally similar system could be used for other transactional processes or authorizing and authenticating systems which require verification by inputting a user identifier or an account code and/or a secondary code, such as a PIN or additional data element.” see also [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text):
obtaining a piece of identification data of the communications terminal (See paragraph [0054], [0056] and [0057] and Fig. 4 and related text);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0055], [0056], [0057] and [0045] and Fig. 4 and related text);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

Tsui does not specifically disclose:
taking control of the display made on the display screen, by interrupting a requesting application used to initialize said payment transaction; and, when the display is under control of the processing device;

Dhar discloses:
taking control of the display made on the display screen, by interrupting a requesting application (e.g., on a shopping cart or shopping bag page) used to initialize said payment transaction; and, when the display is under control of the processing device (See paragraph “…The account information may be used in a payment transaction involving a merchant system. A payment interface having transaction fields populated with some of the account information retrieved from the payment account of the user is presented to the user while the user maintains the presence on the webpage of a merchant system”); (See paragraph [0031], “…Upon selection of the checkout button 302, a pop-up interface 310 may be presented to the user as shown in FIG. 3B.”); (See paragraphs abstract, [0013], [0016], [0030-0031], [0034-0035], [0040-0041] and Figs. 3A-3D and related text):

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Tsui and Varadarajan with Dhar to include a function such as interrupting or pausing a function to populate or obtain additional data utilizing pop-up interface, hence improving users security and user experience.

Regarding Claim 5: Tsui, Varadarajan and Dhar, discloses as shown above.
Tsui further discloses: The method for securing processing according to claim 1, further comprising obtaining a value of occurrence of implementation of the method for securing processing, and when it is a first occurrence of implementation of the method, the method further comprises creating a piece of data representing a link between the communications terminal and a transaction processing server, called a piece of reference authentication data  (e.g. a unique identifier/plurality of data entry fields) (See paragraph(s) [0110] and [0157] and Fig. 14A and related text); (See paragraph [0110], "...a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device;”); (See paragraph [0157], "...The mobile computing device 201 displays (406) at least one user interface window in response to receiving the request from the server. The at least one user interface window includes (1406) a plurality of data entry fields corresponding to the request. In some implementations, the process prompts (1408) for user authentication as a prerequisite to energizing an external proximity based card, as described below. Such an authentication process helps to prevent fraud because an unauthorized user of the card would not be authenticated, and thus not able to gain access to the stored information on the card. In some implementations, prompting for user authentication requires (1410) entry of a personal identification number or password by a user. In some implementations, prompting for user authentication activates (1412) a biometric input device 556 for user authentication. Some implementations use a combination of factors for user authentication.”).

Regarding Claim 6: Tsui, Varadarajan and Dhar, discloses as shown above.
Tsui further discloses: The method for securing processing according to claim 5, wherein creating the piece of reference authentication data between the communications terminal and the transaction processing server comprises (See paragraph(s) [0110] and [0157] and Fig. 14A and related text):
obtaining the piece of identification data of the communications terminal (See paragrap(s [0110], [0157] and [0166] and Fig. 14A and related text); (See paragraph [0110], "...a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device;”); (See paragraph [0157], "...The mobile computing device 201 displays (406) at least one user interface window in response to receiving the request from the server. The at least one user interface window includes (1406) a plurality of data entry fields corresponding to the request. In some implementations, the process prompts (1408) for user authentication as a prerequisite to energizing an external proximity based card, as described below.”); (See paragraph [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”);
obtaining the piece of authentication data for the user with whom the communications terminal is associated (See paragraphs [0016] and [0166]); (See paragraph [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”); (See paragraph [0166], "…In some implementations, the server issues a separate authentication request to identify the mobile device 201. In this case, the mobile device receives (1448) the authentication request from the server. In response to the authentication request, the mobile device provides (1450) a unique identifier of the device. In some implementations, the unique identifier is (1452) a MAC address, an IP address, a phone number of the device, an email address, a MSISDN number, an IMEI or MEID number, or an IMSI number.”);
encrypting the identification data of the communications terminal and the authentication data of the user, and delivering the piece of reference authentication data (See paragraphs [0108-0111] and [0169]); and
transmitting the piece of reference authentication data to the transaction processing server (See paragraph [0169]); (See paragraph [0169], "...the process 1400 transmits (1460) the encrypted values to the server or a third party for the transaction.”).

Regarding Claim 7: Tsui, Varadarajan and Dhar, discloses as shown above. 
Tsui further discloses: Method for processing, according to claim 5, further comprising, during the reception, by the transaction processing server, of the data coming from the at least one entry area, at least one act of comparing at least one piece of data transmitted within the entry area and the piece of reference authentication data, and delivering an assertion of validation of the transaction (See paragraph [0151], "...The user initiates (1320) a transaction, and subsequent activity to fill in data occurs (1322) as described above with respect to FIG. 9, 10, or 11. The user then submits (1324) the transaction for processing. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. The Tap application 550 requests (1326) a unique identifier for the device, which is retrieved (1328) from memory. As noted above, the unique identifier can take many forms. If the request for a unique identifier is not successful (1330), the transaction is declined (1346), and the process is done (1350) without completing the desired transaction.”).

Regarding Claims 8 and 9: Tsui, Varadarajan and Dhar, discloses as shown above. 
Tsui further discloses: A communications terminal (e.g. electronic communication device 201) comprising (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text):
a display screen (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text); 
a contactless data reading device (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text); 
a transaction data processing device for processing transactional data during a payment transaction, the processing device comprising a processor and a non-transitory computer-readable medium comprising instructions stored thereon which when executed by the processor configure the processing device to perform acts comprising (See abstract, paragraphs [0014-0016] and [0099] and Fig. 5 and related text):
detecting a display of at least one entry area for a piece of payment data on the display screen of the communications terminal (See paragraphs [0056], [0071], [0084] and Fig. 1 and Fig. 3 and related text); (See paragraph [0086], "...In a second alternative scenario, the user in step 304 taps a proximity based communications enabled payment card against his electronic communication device…In this case, the system initiates extraction of just payment data from the payment card, and places the extracted data into corresponding fields on the displayed web page on the electronic communication device.”); 
activating the contactless data reading device (See paragraph [0085], "...the scenario branches into one of the following two scenarios. In a first scenario, the user in step 304 taps a dedicated payment card 203 against the electronic communication device 201, which initiates data extraction from the dedicated payment card. The extracted data includes payment data, any address data, and any other user data needed to populate corresponding fields in the web page displayed on the electronic communication device.” See also paragraph [0086] and Fig. 1 and Fig. 3 and related text);
obtaining, by the contactless data reading device, at least one piece of payment data coming from a contactless payment device (See paragraph [0087], "...After the previous steps, the website typically gives the user the opportunity (306) to verify, edit, and confirm any data that was entered into the web page, regardless of whether extracted from a payment card or entered manually. The user at this point can modify, add, and/or remove data (e.g., even overriding data extracted from the payment card).” See also paragraph(s) [0085]-[0086] Fig. 1 and Fig. 3 and related text);
[sends or providing] a [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having a bank card verification code format (e.g., a Card Verification Value ("CVV") or Card Verification Code ("CVC")), the generating  comprising (e.g. communication device), the generating comprising (See paragraph [0152], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”); (See paragraph [0131-0132], "...The third party uses the unique identifier to look up an account corresponding to the device 820, and returns authentication values from the account information. For example, the authentication values may include a ZIP or postal code, an email address, or a user name….the application sends a transaction to an authentication party”); (See paragraph [0012], "...In some implementations, the electronic communication device extracts data from the card that is necessary to establish the card-holder's credentials. This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.”); (See paragraph [0137], "...In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B. If the authentication process is successful (952), the transaction is approved (956). Otherwise, the transaction is declined (954). After the approval or declination, this portion of the process is complete (958). Subsequently, the product is shipped.” See also paragraph(s) [0003], [0012], [0066], [0131]-[0132], [0137] and [0152]).
obtaining a piece of identification data (e.g. a unique identifier of the mobile) of the communications terminal (See paragraph(s) [0022]); (See paragraph [0022], "...In some implementations, the computing device includes a device authentication module configured to receive an authentication request from the server and to respond to the authentication request by providing a unique identifier of the mobile computing device. In some implementations, the unique identifier is a MAC address, an IP address, or a phone number.”);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0016]); (See paragraph [0016], "...In some implementations, the prompt for user authentication requires entry of a personal identification number or password by a user. In some implementations, the prompt for user authentication activates a biometric input device for user authentication”); and
encrypting the piece of identification data of the communications terminal and the piece of authentication data of the user, to generate the current authentication code (See paragraph [0108-0111], "…a cryptographic module 532, which encrypts or decrypts data to protect the security of a user, the user's personal information, account information, and other critical information….[0109] a user authentication module 534, …the user authentication module accesses one or more biometric devices 556 for authentication. In some implementations, the user authentication module requires input of a password or personal identification number, [0110] a device authentication module 536, which provides a unique identifier for the device 201 for certain communication with remote servers 602. In some implementations, the device authentication module uses a MAC address, an IP address, or a phone number as the unique identifier for the device…”, see also paragraph(s) [0108[-[0111]);
filling (e.g. step 408), at the at least one entry area with (e.g. data entry fields), the at least one piece of payment data previously obtained (See paragraph(s) [0075] and [0091 and Fig. 4 and related text); (See paragraph [0075], "...In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550.”); (See paragraph [0091], "...In step 408 the entity typically gives the user 200 the opportunity to verify, edit, and confirm any data that was acquired by the entity. In some physical environments the user at step 408 can modify, add, and/or remove data manually.”); and
filling, in a pre-selected entry area corresponding to an entry area for a bank card verification code with the current authentication code (See paragraph(s) [0003], [0066] and [0137] and Fig. 12 and related text); (See paragraph [0137], "...The tap and autofill process 942 is described in more detail below in FIG. 12. Whatever data entry fields are not filled by the tap process must be entered (944) manually, and the user submits (948) the transaction. In some implementations, one or more data entry fields cannot be edited by the user once they are filled by the Tap application/plugin 550. This can be used to guarantee authenticity (e.g., the data has not been manipulated) of the data retrieved by the Tap application/plugin 550. In some implementations, the submission of the transaction is automated after the data entry fields are filled and does not require manual submission by the user. In some implementations, when the Tap application 550 has permission from the user, the Tap application 550 collects and stores the information that the user manually enters. In some implementations, the authentication party (e.g., bank or credit card company) performs (950) multifactor authentication, as illustrated below in FIG. 13A or 13B.”).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, generating, by the transactional data processing device, a current authentication code a bank card verification code, the generating comprising (See paragraph [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”, [0057], “it is understood that a generally similar system could be used for other transactional processes or authorizing and authenticating systems which require verification by inputting a user identifier or an account code and/or a secondary code, such as a PIN or additional data element.” see also [0022], [0057], [0031], [0025], [0054]-[0056] and [0035]-[0039] and) and Fig. 4 and related text):
obtaining a piece of identification data of the communications terminal (See paragraph [0054], [0056] and [0057] and Fig. 4 and related text);
obtaining a piece of authentication data of a user with whom the communications terminal is associated (See paragraph(s) [0055], [0056], [0057] and [0045] and Fig. 4 and related text);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

Tsui does not specifically disclose:
taking control of the display made on the display screen, by interrupting a requesting application used to initialize said payment transaction; and, when the display is under control of the processing device;

Dhar discloses:
taking control of the display made on the display screen, by interrupting a requesting application (e.g., on a shopping cart or shopping bag page) used to initialize said payment transaction; and, when the display is under control of the processing device (See paragraph “…The account information may be used in a payment transaction involving a merchant system. A payment interface having transaction fields populated with some of the account information retrieved from the payment account of the user is presented to the user while the user maintains the presence on the webpage of a merchant system”); (See paragraph [0031], “…Upon selection of the checkout button 302, a pop-up interface 310 may be presented to the user as shown in FIG. 3B.”); (See paragraphs abstract, [0013], [0016], [0030-0031], [0034-0035], [0040-0041] and Figs. 3A-3D and related text):

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Tsui and Varadarajan with Dhar to include a function such as interrupting or pausing a function to populate or obtain additional data utilizing pop-up interface, hence improving users security and user experience.

Regarding Claims 10, 11 and 12: Tsui, Varadarajan and Dhar, discloses as shown above. 
Tsui further discloses: The method for securing processing according to claim 1, wherein […] the [CVV/security code/unique identification code] (Tsui [0012], the examiner considers the CVV/security code/unique identification code to be the current authentication code) having the bank card verification code format (e.g., a Card Verification Value ("CVV") or Card ([0012], “This can include the card-holder's full name, the type of card, the account number associated with the card, the expiration date of the card, a CVV or CVC number, any form of unique identification code and/or security code, address data, and other user data. In some implementations, the communication device outputs this data to corresponding fields of a web page.” see also [0066]).

Tsui does not specifically disclose, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user.

Varadarajan discloses, generating a current authentication code and formatting the current authentication code as a bank card verification code (see paragraph [0039]-[0040]).
Varadarajan further discloses, the method for securing processing according to claim 1, wherein generating the current authentication code having the bank card verification code format comprises formatting the current authentication code to have a size corresponding to a size accepted by the pre-selected entry area corresponding to the entry area for the bank card verification code (See paragraph [0031], “For example, a dynamic CVV may typically be configured as a 3-digit or 4-digit number and a dynamic PAN may typically be configured as a 16-digit number. ... The DCV may be configured in any form or manner required for input as a DCV by the transaction interface, for example, as one of or a combination of a character string of one or more alpha-numeric or special characters, a datum or an electronic signal transmittable from the user device, a datum or an electronic signal generated by the user device, or as a user instruction.”, [0012], “The DCV may be configured as one of a CVC, CVV, CSC, PAN, account number, partial PAN and a portion of an account number, as those terms are defined herein. The DCV generator may be configured to generate at least one DCV on the user device, and may further include an algorithm adapted to generate at least one DCV”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tsui with Varadarajan to include function of generating a dynamic card value (DCV) from a mobile user device for use in a transaction between a user cardholder and a transaction provider to enhance transaction security.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ayman Hammad (US 20110225094 A1) discloses the subject matter of claim 1, the current authentication code is generated by obtaining two pieces of data. Generating comprising, obtaining a piece of identification data of the communications terminal and a piece of authentication data of a user (see paragraphs [0072]-[0074] and [0076] and Fig. 3 and Fig. 6 and related text).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAHED ALI whose telephone number is (571)270-1085.  The examiner can normally be reached on 8:00 - 5:00 M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 


/JAHED ALI/Examiner, Art Unit 3685

/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685