DETAILED ACTION
Claim Status
This is first office action on the merits in response to the application filed on 5 JUN 2019.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-7 are currently pending and have been examined.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-7, drawn to a method for activating a merchant-specific cryptogram lockbox, classified in G06Q20/3675.
II. Claims 8-12, drawn to a method for provisioning a cryptogram lockbox, classified in G06Q20/385.
III. Claims 13-19, drawn to a method for generating a cryptogram locally using a cryptogram lockbox, classified in H04L9/0891.
Inventions I-III are directed to related processes. The related inventions are distinct if: (1) the inventions as claimed are either not capable of use together or can have a materially different design, mode of operation, function, or effect; (2) the inventions do not overlap in scope, i.e., are mutually exclusive; and (3) the inventions as claimed are not obvious variants.  See MPEP § 806.05(j). In the instant case, the inventions as claimed are not overlap in scope.  Furthermore, the inventions as claimed do not encompass overlapping subject matter and there is nothing of record to show them to be obvious variants.
Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply: the inventions have acquired a separate status in the art in view of their different classification.
During a telephone conversation with Milan Jovanovic (614-217-2430) on 16 FEB 2021 a provisional election was made without traverse to prosecute the invention of Group I, claims 1-7.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 8-19 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 30 AUG 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 1 and 3 are objected to because of the following informalities: 
In claim 1, line 9, “herein” should read --wherein--.
In claim 3, lines 2-3, “between the cryptogram lockbox information processing apparatus” should read --between the cryptogram lockbox and the information processing apparatus--. 
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
Claims 1-7 are drawn to a method which is within the four statutory categories (i.e., a process). 
Since the claims are directed toward statutory categories, it must be determined if the claims are directed towards a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea). Based on consideration of all of the relevant factors with respect to the claim as a whole, claims 1-7 are determined to be directed to an abstract idea. The rationale for this determination is explained below:  
With respect to claim 1:
Claim 1 is drawn to an abstract idea without significantly more. The claims recite providing a merchant-specific cryptogram lockbox to merchant, wherein the cryptogram lockbox generates a cryptogram for a transaction locally; providing the merchant with a startup code; receiving an activation call from the cryptogram lockbox; receiving lockbox metadata from the cryptogram lockbox; providing the cryptogram lockbox with an API secret for API calls; and establishing a secure communication channel with the cryptogram lockbox. 


The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception, reaffirming that the limitations are not indicative of integration into a practical application: Generally linking the use of the judicial exception to a particular technological environment or field of use. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements in the process amounts to no more than mere instructions to apply the exception using generic computer 
With respect to claims 2-7:
Dependent claims 2-7 include additional limitations, for example, startup code provided out-of-band, encrypting with communication keys, rotated communication keys, implementing cryptogram lockbox in hardware or software, and lockbox metadata comprising lockbox identifier, lockbox location, or merchant identifier, but none of these limitations are deemed significantly more than the abstract idea because, as stated above, they require no more than generic computer structures or signals to be executed, and do not recite any Improvements to the functioning of a computer, e.g., a modification of conventional Internet hyperlink protocol to dynamically produce a dual-source hybrid webpage, as discussed in DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258-59, 113 USPQ2d 1097, 1106-07 (Fed. Cir. 2014) (see MPEP § 2106.05(a)); or Improvements to any other technology or technical field, e.g., a modification of conventional rubber-molding processes to utilize a thermocouple inside the mold to constantly monitor the temperature and thus reduce under- and over-curing problems common in the art, as discussed in Diamond v. Diehr, 450 U.S. 175, 191-92, 209 USPQ 1, 10 (1981) (see MPEP § 2106.05(a)).
	Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Furthermore, looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology, and their collective functions 
Therefore, whether taken individually or as an ordered combination, claims 2-7 are nonetheless rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 3-7 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh et al. (US 7357309 B2; already of record in IDS; hereinafter Ghosh) in view of Dill et al. (CA 2919199 A1; already of record in IDS; hereinafter Dill). 
With respect to claim 1:
	Ghosh teaches A method for activating a merchant-specific cryptogram lockbox, comprising: (See at least Ghosh: col. 12, lines 1-12)
in an information processing apparatus comprising at least one computer processor: (See at least Ghosh: col. 2, lines 1-3 & 42-55)
providing a merchant-specific cryptogram lockbox to merchant, wherein the cryptogram lockbox generates a cryptogram for a transaction locally;… (By disclosing, the concept of a security lock-box can be used for storage of EMV symmetric key and generation of EMV application cryptograms. The Sym-Locker should be able to use the result of the user's authentication to the EMV-proxy module in order to generate and release the cryptogram for the mobile-EMV transaction. In addition, the payment terminal may be, for example, a Point of Sale (POS) terminal equipped with a chip card-reader and EMV access software. This payment terminal obtains the user and chip card information and sends the information to the EMV issuer to be processed. The EMV issuer processes the information and completes the EMV transaction by crediting the merchant and debiting the buyer's account accordingly. Such a transaction is called a 
providing the cryptogram lockbox with an API secret for API calls; and (See at least Ghosh: col. 12, lines 12-22)
establishing a secure communication channel with the cryptogram lockbox. (See at least Ghosh: col. 2, lines 15-29; col. 12, lines 1-12)
	However, Ghosh does not teach …providing the merchant with a startup code;
receiving an activation call from the cryptogram lockbox, herein the activation call comprises the startup code; receiving lockbox metadata from the cryptogram lockbox.
	Dill, directed to systems and methods for communicating risk using token assurance data and thus in the same field of endeavor, teaches
…providing the merchant with a startup code; (By disclosing, payment processing network systems that have the need to use the tokens (startup code) to facilitate payment transactions. An authorization request message can include a token assurance level code that is indicative of a token assurance level associated with a generated token. See at least Dill: Abstract; paragraph(s) [0182])
receiving an activation call from the cryptogram lockbox, herein the activation call comprises the startup code; (By disclosing, an authorization request message may include a payment token, an expiration date, a token presentment mode, a token requestor identifier, an application cryptogram, and an assurance level data. In addition, the consumer 110 may use the consumer device 120 to make a payment. The merchant computer 140 may capture a token, a token expiration date, a chip cryptogram and a POS 
receiving lockbox metadata from the cryptogram lockbox; (By disclosing, the NFC terminal at the merchant computer 140 may capture data from the user's consumer device 120 when the consumer device 120 is tapped or waved at the NFC terminal. In addition, the merchant computer 140 may capture a token, a token expiration date (metadata), a chip cryptogram and a POS entry mode from the consumer device 120. See at least Dill: paragraph(s) [0182])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the EMV transactions in mobile terminals teachings of Ghosh to incorporate the systems and methods for communicating risk using token assurance data teachings of Dill for the benefit of facilitating payment transactions, providing interfaces for various entities (e.g., mobile devices, issuers, merchants, mobile wallet providers, acquirers, etc.) to request payment tokens, and providing for services such as a providing a token assurance level. (See at least Dill: paragraph(s) [0007])
With respect to claim 3:
	Ghosh and Dill teach the method of claim 1, as stated above.
Ghosh further teaches wherein communication keys encrypt communications between the cryptogram lockbox information processing apparatus. (By disclosing, the EMV-proxy module performs a card action analysis and generates a new AC, which is forwarded to the personal trusted device at step 468. At step 470, the personal trusted device computes its own AC using 
With respect to claim 4:
	Ghosh and Dill teach the method of claim 3, as stated above.
Ghosh further teaches wherein the communications keys are rotated. (By disclosing, the Sym-Locker should be able to hold multiple EMV symmetric keys, each key corresponding to a separate integrated chip card issued by one or more financial institutions. Users may not browse the contents of the Sym-Locker keys. The EMV-tickets will provide an indication that the user was received at one or more financial institutions. Finally, the Sym-Locker should provide provisions to delete EMV Symmetric keys stored in the locker. See at least Ghosh: col. 12, lines 12-47)
With respect to claim 5:
	Ghosh and Dill teach the method of claim 1, as stated above.
Ghosh further teaches wherein the cryptogram lockbox is implemented in hardware. (By disclosing, a Sym-Locker may either be implemented in a smart-card based security element (i.e., the SWIM card), a smart-card without a security element, such as a standard SIM card (the SIM card provides symmetric key functionality), or in the card-reader terminal hardware. See at least Ghosh: col. 12, lines 1-9)
With respect to claim 6:
	Ghosh and Dill teach the method of claim 1, as stated above.
 wherein the cryptogram lockbox is implemented in software. (By disclosing, Sym-Locker should provide APIs for secure provisioning of the EMV symmetric key into the locker. The API needs to allow provisioning of the symmetric key post issuance of the smart-card or the personal trusted device, depending on where the Sym-Locker is implemented. See at least Ghosh: col. 12, lines 12-23)
With respect to claim 7:
	Ghosh and Dill teach the method of claim 1, as stated above.
Dill, in the same field of endeavor, further teaches wherein the lockbox metadata comprises at least one of a lockbox identifier, a lockbox location, and a merchant identifier. (By disclosing, a "token assurance code" may be any suitable value that represents a level of assurance that a particular token is authentic and/or can be trusted. See at least Dill: paragraph(s) [0175], [0182] & [0191])
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Ghosh in view of Dill, and in further view of Lin (US 20120124646 A1; already of record in IDS; hereinafter Lin).
With respect to claim 2:
	Ghosh and Dill teach the method of claim 1, as stated above.
	However, Ghosh and Dill do not teach wherein the startup code is provided out- of-band.
Lin, directed to method and apparatus for authenticating online transactions using a browser, teaches wherein the startup code is provided out- of-band. (By disclosing, authentication server 110 generates an activation code, which is transmitted (320) to the service consumer himself using an out-of-band communication channel. Out-of-band activation code transmission substantially reduces the risk of fraud. See at least Lin: paragraph(s) [0036])


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Nolte et al. (US 20160020906 A1) teaches trusted terminal platform, including security-box, cryptogram.
Lee et al. (US 20170244677 A1) teaches operation method based on white-box cryptography and secure terminal for performing the method.
Kauffman et al. (US 20020159588 A1) teaches cryptography with unconditional security for the internet, commercial intranets, and data storage.
Rumble (US 20020138740 A1) teaches locked portal unlocking control apparatus and method, including lock box and cryptogram.
Akella et al. (US 20130219176 A1) teaches secure virtual file management system, including lockbox, encrypting with keys, and metadata.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAY C LEE whose telephone number is (571)272-3309.  The examiner can normally be reached on Monday-Friday 7:30-5pm est.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





                                                                                                                                                                                           /C.C.L./Examiner, Art Unit 3685                                                                                                                                                                                                        
/OLUSEYE IWARERE/Primary Examiner, Art Unit 3687