DETAILED ACTION
	This is a non-final office action on the merits.  The U.S. Patent and Trademark Office has received claims 1-18 in application number 17/104,923.  Claims 1-18 are pending and have been examined on the merits.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 U.S.C. 101
	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

	Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception, an abstract idea without significantly more.
	As a threshold inquiry (Step 1) when considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (i.e., Step 1).  If the claim does fall within one of the statutory categories, it must then be determined whether the claim recites a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (i.e., Step 2A.1) and whether the judicial exception is integrated into a practical application (i.e., Step 2A.2), according to the 2019 Revised Patent Subject Matter Guidance.  See 
	In the present application, claims 1-18 are directed to a method (1-6), apparatus (7-12), and a non-transitory computer-readable storage medium (13-18).  Thus, the claims fall within at least one of the statutory categories of 35 U.S.C. 101, Step 1 is complete, and the eligibility analysis proceeds to Step 2A.
	
	Beginning with Step 2A.1, the limitations of independent claims 1, 7, and 13 are presented, numbered by line for reference (e.g. the line numbered “1.1” refers to the first limitation of claim 1; applicant’s claims are quoted in italics).
	Claims 1, 7, and 13, recite the limitations (judicial exception emphasized):
1.1	receiving a request for payment graphic code generation from a mobile terminal device, the request carrying preset risk control features, the risk control features including a payment account feature of an account, a current location feature, and a station entering and exiting feature;
1.2	obtaining pre-stored historical risk control features of the account according to the payment account feature in the request;
1.3	detecting whether there is a transaction risk for the mobile terminal device by comparing the obtained historical risk control features with the risk control features carried in the request, 
1.4	wherein detecting whether there is a transaction risk comprises: determining whether a payment graphic code to be generated is used for station entering or station exiting according to the station entering and exiting feature;
1.5	 if it is determined that the payment graphic code to be generated is used for station entering, determining whether a frequency of the request for payment graphic code generation is higher than a preset threshold, and if so, determining that there is a transaction risk;
1.6	 and if it is determined that the payment graphic code to be generated is used for station exiting, determining whether the current location feature in the request for payment graphic code generation and a corresponding station entering location feature in the historical risk control features meet a preset location relation condition, and if not, determining that there is a transaction risk;
1.7	 and sending a risk control detection result to the mobile terminal device to generate and display the payment graphic code. 
	Claims 1, 7, and 13, under the broadest reasonable interpretation, cover steps or functions that can be reasonably interpreted to constitute a commercial or legal interaction in business relations, part of a defined subject-matter grouping for the judicial exception category of abstract ideas.  See 2019 PEG at 52 (“(b) Certain methods of organizing human activity—fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations.”) (emphasis added).
	The limitations of claims 1, 7, and 13, recite steps for receiving a payment request and performing risk mitigation associated with the completion of that payment request, where the completion is associated with the exchange of a service.  These are abstract steps involved in fundamental economic principles and practices.

	Regarding claim(s) 1, 7, and 13, at Step 2A.2, the abstract idea is not integrated into a practical application.


	Claims 1, 7, and 13, recite the additional limitations (emphasized):
1 (preamble)	A method for payment risk control, comprising
7 (preamble)	An apparatus for payment risk control, comprising: a processor; and a memory storing instructions executable by the processor; wherein the processor is configured to:
13 (preamble)	A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by a processor of an apparatus, cause the apparatus to perform a method for payment risk control, the method comprising:
1.1	receiving a request for payment graphic code generation from a mobile terminal device, the request carrying preset risk control features, the risk control features including a payment account feature of an account, a current location feature, and a station entering and exiting feature;
1.2	obtaining pre-stored historical risk control features of the account according to the payment account feature in the request;
1.3	detecting whether there is a transaction risk for the mobile terminal device by comparing the obtained historical risk control features with the risk control features carried in the request, 
1.4	wherein detecting whether there is a transaction risk comprises: determining whether a payment graphic code to be generated is used for station entering or station exiting according to the station entering and exiting feature;
1.5	 if it is determined that the payment graphic code to be generated is used for station entering, determining whether a frequency of the request for payment graphic code generation is higher than a preset threshold, and if so, determining that there is a transaction risk;
1.6	 and if it is determined that the payment graphic code to be generated is used for station exiting, determining whether the current location feature in the request for payment graphic code generation and a corresponding station entering location feature in the historical risk control features meet a preset location relation condition, and if not, determining that there is a transaction risk;
1.7	 and sending a risk control detection result to the mobile terminal device to generate and display the payment graphic code. 
	Viewed individually and in combination, these additional elements to the identified judicial exceptions of Step 2A.1, amount to no more than mere instructions to be executed on a generic computer.  The additional elements of apparatus, a processor, a memory storing instructions executable by the processor; wherein the processor; the mobile terminal device, the generation of a graphic code from a mobile terminal, and to generate and display the payment graphic code at the mobile terminal device, are all steps for facilitating payment executed by a graphic code, other than facilitating payment for the service received (station entering or exiting).  Therefore, at Step 2A.2, these additional elements do not act in combination to integrate the abstract idea into a practical application.
	At Step 2B, the additional elements, both individually and as an ordered combination, do not amount to significantly more than the judicial exception because the outcome of the considerations at Step 2B will be the same when the considerations from Step 2A.2 are reevaluated.  As discussed under Step 2A.2, the additional elements generally link the abstract idea to a technological environment through "instructions" performed by a generic computer.  Because those instructions embody the abstract idea, the claim itself is merely a recitation of the abstract idea and an instruction to "apply it" on a computer.  This is not sufficient to provide an inventive concept.
	Therefore claim(s) 1, 7, and 13, are found to be directed to a judicial exception under 35 U.S.C. 101, without significantly more.  Claims 2-6, 8-12, and 14-18 are also rendered unpatentable under 35 U.S.C. 101 as dependent on claim(s), 1, 7, and 13, respectively.
	Analysis now proceeds to the dependent claims to identify any further recitations of judicial exceptions and additional elements contained therein.
	Dependent claims 2, 8, and 14, further recite the additional elements (emphasized):
2.1	 a cloud server connected with the mobile terminal device through a wireless network, or the mobile terminal device through a wired link in the mobile terminal device.
cloud server, mobile terminal device, and the wireless network connecting them; and a mobile terminal device with a wired link.  However, none of these additional elements, when viewed individually and in combination with the recited judicial exceptions of independent claims 1, 7, and 13, integrate those recitations beyond that of mere instructions.  Nor do the additional elements add anything more to the mere instructions provided by the limitations.  Therefore the limitation of claims 2, 8, and 14, do not amount to significantly more than the judicial exception itself, when viewed alone and in combination with the limitations of independent claims 1, 7, and 13, and claims 2, 8, and 14, are found ineligible under 35 U.S.C. 101.

	Dependent claims 3, 9, and 15, further recite the additional elements (emphasized):
3.1	 receiving, by the cloud server, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that current network signal reaches the preset strength
3.2	 and receiving, by an application locally installed on the mobile terminal device, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that the current network signal does not reach the preset strength.
	The additional elements recited at claims 3, 9, and 15, are a cloud server, an application locally installed on the mobile terminal device; the graphic code generation from the mobile terminal device, and the network connecting them.  However, none of these additional elements, when viewed individually and in combination with the recited judicial exceptions of independent claims 1, 7, and 13, integrate those recitations beyond that of mere instructions.  Nor do the 

	Dependent claims 4, 10, and 16, further recite the judicial exception (emphasized):
4.1	updating the historical risk control features of the account with the risk control features carried in the request for payment graphic code generation, for subsequent detection of transaction risk according to the updated historical risk control features.
	Updating the historical risk data of an account with the historical risk data associated with the payment request such that any subsequent transaction can be evaluated against updated historical data falls under a “fundamental economic principles or practices” as described in the 2019 PEG.  The recited additional element to the judicial exception is the graphic code generation by the mobile terminal device, as invoked at independent claims 1, 7, and 13.  However, none of these additional elements, when viewed individually and in combination, integrate the recitations to updating historical risk data beyond that of mere instructions.  Nor do the additional elements add anything more to the mere instructions provided by the limitation.  Therefore the limitation of claims of claims 4, 10, and 16, do not amount to significantly more than the judicial exception itself and the claim is found ineligible under 35 U.S.C. 101.

	Dependent claims 5, 11, and 17, further recite the judicial exception (emphasized):
5.1	 obtaining a pre-stored blacklist;
5.2	and determining whether objects with transaction risks recorded in the blacklist comprise an object corresponding to the request for payment graphic code generation, according to the risk control features in the request for payment graphic code generation, wherein the object comprises at least one of: a payment account, user information bound to the payment account, or device information of the mobile terminal device.
	Obtaining a list of objects and comparing that list to historical transaction data to determine whether to authorize a transaction falls under a “fundamental economic principles or practices” as described in the 2019 PEG.  The recited additional element to the judicial exception is the graphic code generation by the mobile terminal device, and the mobile terminal device, as invoked at independent claims 1, 7, and 13.  However, none of these additional elements, when viewed individually and in combination, integrate the recitations to obtaining a pre-existing list and making a determination on authorizing payments, based on the pre-existing list and historical data, beyond that of mere instructions.  Nor do the additional elements add anything more to the mere instructions provided by the limitation.  Therefore the limitation of claims of claims 5, 11, and 17, do not amount to significantly more than the judicial exception itself and the claim is found ineligible under 35 U.S.C. 101.

	Dependent claims 6, 12, and 18, further recite the judicial exception (emphasized):
6.1	 receiving trigger of a station entering and exiting payment operation on the mobile terminal device, to generate the request for payment graphic code generation
6.2	 and after receiving the risk control detection result indicating no transaction risk, generating and displaying the payment graphic code on the mobile terminal device.
graphic code generation by the mobile terminal device, and generating [a] graphic code on the mobile terminal device, as invoked at independent claims 1, 7, and 13.  However, none of these additional elements, when viewed individually and in combination, integrate the recitations to generating a payment request in response (trigger) to the provisioning of a service or behavior (station entering and exiting), beyond that of mere instructions.  Nor do the additional elements add anything more to the mere instructions provided by the limitation.  Therefore the limitation of claims of claims 6, 12, and 18, do not amount to significantly more than the judicial exception itself and the claim is found ineligible under 35 U.S.C. 101.

Claim Rejections - 35 USC § 112(b)
	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

	Claims 3, 9, and 15, are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  A claim is indefinite when it contains words or phrases whose meaning is unclear.
	Regarding claims 3, 9, and 15, the recited phrase, receiving, by an application locally installed on the mobile terminal device, the request for payment graphic code generation from the mobile terminal device, is found indefinite because it is unclear how the request is received by an application locally installed on the device when the request is received from the device itself.   In other words, it is unclear how the how the mobile terminal device can both send and receive the request to itself.  Even if the intent of the limitation is to describe a communication between the operating system or background API and an application, there are no sufficient limiting elements present to render this limitation definite.  Therefore claims 3, 9, and 15, are rendered indefinite under 35 U.S.C. 112(b).
	Moreover, claims 2, 8, and 14 from which claims 3, 9, and 15 depend, are presented in the disjunctive form: a cloud server connected with the mobile terminal device through a wireless network, or the mobile terminal device through a wired link in the mobile terminal device.  This states that the method of the independent claims can be performed either via a cloud server or via a wired link in the mobile terminal.  However, claims 3, 9, and 15 contain two limitations in the conjunctive: receiving by the cloud sever [. . . ]; and receiving by an application locally installed.  According to claims 2, 8, and 14, from which claims 3, 9, and 15, both receiving by the cloud server and receiving by the application locally installed would contradict the either one or the other occurring, as in the claims they depend from.  Therefore claims 3, 9, and 15, are further rendered indefinite under 35 U.S.C. 112(b).
	Claim(s} 6, 12, and 18 recite the phrase: receiving trigger of a station entering and exiting payment operation [. . .].  While the term receiving trigger can be interpreted to be receiving a trigger of a station entering and exiting payment operation, or simply, receiving a trigger to perform a function, this is not the only claim interpretation and the recited phrase has no modifying grammar to give it the necessary metes and bounds for definiteness.  Therefore claims 6, 12, and 18, are found indefinite and rejected under 35 U.S.C. 112.

Claim Rejections 35 U.S.C. 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Claims 1-4, 6-10, 12-16, and 18, are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. US 10163105 B1 (hereinafter “ZIRAKNEJAD”) in view of U.S. Patent No. US 10853787 B1 (hereinafter “MANGO”).  Throughout this section, claim limitations are numbered by decimal and all quotations of prior art are cited to with the applicable paragraph number in brackets; bold-type is used to emphasize disclosure.  U.S. Patents are quoted by column and row number [col:row]; U.S. Pre-Grant Publications with the paragraph number in brackets.


Regarding claim(s) 1, 7, and 13, ZIRAKNEJAD discloses::
1.1	 receiving a request for payment graphic code generation from a mobile terminal device, the request carrying preset risk control features, the risk control features including a payment account feature of an account, a current location feature, and a station entering and exiting feature;
[11:61]    The client device 110 may then provide the transaction request to the authentication server 150 (220). For example, the client device 110 may determine that the user "JANE DOE" is currently logged in on the client device 110 and has credentials to open the secured door, and may then provide a transaction request to the authentication server 150 that the user "JANE DOE" wishes to unlock the secured door. The transaction request may include risk profile information that describes the motion of the client device 110 during the past minute, which includes motion while scanning the QR code.
[12:59]    The authentication server 150 may receive a transaction request (310). The transaction request may be received from a client device 110 that scans a QR code generated by a transaction provider 130 that wishes to confirm that the user of the transaction provider 130 is authorized to complete a requested transaction. The transaction request may identify a user, a transaction provider, and a transaction, and may include risk profile information identifying motion and orientation of the client device 110.
1.2	obtaining pre-stored historical risk control features of the account according to the payment account feature in the request;
[13:1]    The authentication server 150 may identify a risk level based on the request (320). The authentication server 150 determine a risk level based on determining how closely the risk profile information matches information stored regarding the user. The more different the risk profile information received from the client device 110 is from information stored regarding the user, the higher the determined risk level. For example, the authentication server 150 may determine the client device 110 received an indication of the transaction request by scanning a QR code, based on determining that the QR code was scanned, determine how client device 110 was moved to scan the QR code was slightly different than how the user typically scans a QR code, and based on determining that the client device 110 was moved to scan the QR code slightly differently, determine that the risk level is low.
1.3	detecting whether there is a transaction risk for the mobile terminal device by comparing the obtained historical risk control features with the risk control features carried in the request, 
[12:4]    The authentication server 150 may identify a risk level for the transaction based on the transaction request (230). For example, the authentication server 150 may determine that the motion of the client device 110 as the QR code was scanned and prior motion of the client device 110, e.g., which may indicate a speed and gait of the user's walk or a path the user takes, is very different from the typical motion of the client device 110 associated by the user 120, and determine that there is a high risk level that the individual using the client device 110 is not the user 120. 
[13:17]    The authentication server 150 may determine a biometric authentication requirement associated with the risk level (330). For example, the authentication server 150 may determine that a low risk level is associated with a biometric authentication requirement of voice authentication.
1.4	 wherein detecting whether there is a transaction risk comprises: determining whether a payment graphic code to be generated is used for station entering or station exiting according to the station entering and exiting feature;
1.5	if it is determined that the payment graphic code to be generated is used for station entering, determining whether a frequency of the request for payment graphic code generation is higher than a preset threshold, and if so, determining that there is a transaction risk;
[7:51]    In some implementations, the authentication server 150 may additionally or alternatively determine a risk level for the transaction request based on the risk profile information that is not related to similarity between risk profile information received and risk profile information stored. . . . In another example, the authentication server 150 may determine a risk level for a transaction based on determining that a client device 110 has transmitted six transaction requests to open a secured door in the past minute but there is no reason for a user to request to open a secured door six times in a minute. Accordingly, the authentication server 150 may determine that the request may be being spoofed and determine a high risk level for the transaction request.
1.6	 and if it is determined that the payment graphic code to be generated is used for station exiting, determining whether the current location feature in the request for payment graphic code generation and a corresponding station entering location feature in the historical risk control features meet a preset location relation condition, and if not, determining that there is a transaction risk;
[6:56]    The authentication server 150 may additionally or alternatively store information regarding a risk profile for the user 120. . . . In an additional example, the authentication server 150 may store information that indicates the historical times, dates, locations, transaction provider, and types of transaction for previous transactions.
[13:42]    In response to receiving the indication of a transaction, the client device 110 may determine risk profile information and a credential for the transaction (420). For example, the client device 110 may determine motion and location information for the past minute that are measured by sensors in the client device 110 and a credential stored on the client device 110 that matches a credential necessary to perform the transaction.
1.7	 and sending a risk control detection result to the mobile terminal device to generate and display the payment graphic code.
[13:59]    In response to determining risk profile information and a credential for the transaction, the client device 110 may determine to prompt for biometric input (430). For example, the client device 110 may generate a transaction request representing the transaction and the risk profile information, and transmit the transaction request to an authentication server 150.
	ZIRAKNEJAD does not explicitly disclose (1.4) wherein detecting whether there is a transaction risk comprises: determining whether a payment graphic code to be generated is used for station entering or station exiting according to the station entering and exiting feature; (1.5) if it is determined that the payment graphic code to be generated is used for station entering; (1.6) and if it is determined that the payment graphic code to be generated is used for station exiting . . . and a corresponding station entering location; (1.7) to generate and display the payment graphic code.
	However, MANGO discloses:
1.4	 wherein detecting whether there is a transaction risk comprises: determining whether a payment graphic code to be generated is used for station entering or station exiting according to the station entering and exiting feature;
[8:7-19]    Even further details of FIG. 3 will now be described. At 321, the app is running and a user is logged in. At 323 geolocation is enabled in the app and at 325 latitude/longitude updates are executed. At 314, a PTA [public transit authority] leg is accessed via a schedule. At 327 a PTA Authorization method is determined. . . . At 324 an access type is determined. . . . At 343, an HTTP API Purchase or QR code is generated and used to direct a user at 345 to a purchase ticket API. The purchase ticket API information may be processed at 347 and sent to DB1 at 349. At 351, deep integration to a PTA API is executed, and at 353 a QR code is sent to the mobile application. At 322 a QR code scanner scans the QR code and at 326 a ticket is accepted.
1.5	if it is determined that the payment graphic code to be generated is used for station entering, [. . . ];
[14:8]    In addition, the universal fare payment and collection system mobile application can utilize ApplePay, Android Pay, or EMV in an automated fashion depending on the reader utilized by the trolley operator. In cases where QR code tickets are utilized, then the application will direct the user to purchase the trolley ticket through the mobile app. When available, the universal fare payment and collection system mobile application may utilize distance-based pricing. The mobile application may require entry and exit readers at each stop, within the transportation system configuration, to accommodate distance-based pricing for travel by a trolley.
1.6	 and if it is determined that the payment graphic code to be generated is used for station exiting, . . .  in the request for payment graphic code generation and a corresponding station entering location [. . . ];
[10:33]    A first step to choosing a correct technology that is needed at a PTA may include determining a location of a user in real time. As a non-limiting example, the disclosed system may make use of native geolocation abilities from an Android device utilizing Google Maps to obtain a "last known location". Upon obtaining the longitude and latitude of the user when accessing the mobile app, those coordinates will be sent up to a server. Based on a lookup table, the server will send down information related to a particular PTA and what type of communication protocol is required at a given location. 
[10:44]    As an example, if a user enters a PTA that requires communication via BLE from the mobile app, a request sent to the server will return to the mobile app all security keys and handshakes required to initiate a bridge to the PTA reader. The reader could also be a contactless reader subsystem reader as described above, in which case the mobile app would utilize a contactless reader mobile SDK for the mobile app to communicate to the reader. The disclosed mobile app may be configured to seamlessly communicate with numerous contactless reader technology readers. As such, a core feature of the system is that it determines which transportation payment technology is to be used at a user's location, and configure the user's device to communicate with a detected payment technology.
1.7	and sending a risk control detection result to the mobile terminal device to generate and display the payment graphic code.
[5:59]    At 343, an HTTP API Purchase or QR code is generated and used to direct a user at 345 to a purchase ticket API. The purchase ticket API information may be processed at 347 and sent to DB1 at 349. At 351, deep integration to a PTA API is executed, and at 353 a QR code is sent to the mobile application. At 322 a QR code scanner scans the QR code and at 326 a ticket is accepted.
	ZIRAKNEJAD discloses the steps of the independent claims as they recite limitations for executing a payment transaction, via a payment graphic code (QR-code), where the QR code is generated by an authorization server in response to a client request with an associated a risk control profile, such that a risk determination is made on whether the transaction is approved.  ZIRAKNEJAD discloses that the risk profile features may involve the frequency in which a client device is used as a credential as well as the location of the device, when attempting the transaction.  Thus, ZIRAKNEJAD discloses the independent claims in full but for a recitation to station entering and exiting as the elements involved in the risk assessment and completion of the transaction.
	MANGO discloses the station entering and exiting elements with respect to a payment system involving a client device (“application side”) and an authorization server (“risk” or “station side”), where a QR code is generated to complete the station entering and exiting, as a payment transaction.  In particular, MANGO discloses that the QR code is generated by the authorization server and provided to the client device as a result of completing an “authorization method,” which may involve the location of the user in relation to the station entering and exit points.  Once authorization is completed with the station-side server (“PTA” or “public transit authority” server), the server generates the QR code on the client device for scanning by a station-side device.
	Where ZIRAKNEJAD discloses an authorization server determining whether to authorize a transaction based on a client request and associated risk profile, and MANGO discloses an authorization server providing a QR code to a client device for station entering and exiting based on location features, it would have been obvious to a person having ordinary skill in the art before the effective filing data of the claimed invention to modify the authorization server of ZIRAKNEJAD to specifically include the generation of the QR code for station entering and exiting of MANGO, to arrive at the invention of the instant claims.  Therefore independent claims 1, 7, and 13, are rendered obvious by ZIRAKNEJAD in view of MANGO.  Discussion proceeds to the dependent claims.

	Regarding claim(s) 2, 8, and 14, MANGO discloses:
The method according to claim 1, being performed by one of: 
2.1	a cloud server connected with the mobile terminal device through a wireless network, or the mobile terminal device through a wired link in the mobile terminal device.
[5:66-6-5]    Turning back, at 355 in FIG. 3 the system determines if a card is configured for host card emulation (HCE). If the card is determined to be HCE configured, then at 357 a ticket is purchased via an android HCE code. If the card is determined as not being HCE, at 359 a credit card HCE registration flow is executed
[6:60]    It is to be understood that a Secure Element may or may not be included in the disclosed system. Host-based Card Emulation (HCE) may be implemented to move a secure storage and execution environment to a cloud instead of the Secure Element.
[8:7-19]    The disclosed solution may include variations. The core technology may be a mobile application running on a specially configured hardware device, which provides a variety of wireless signals through a cellular phone (mobile device) to connect with readers. By utilizing geolocation (GPS) with a mobile device, the mobile application will be able to determine the user's location in relation to nearby public transportation card readers.
	MANGO discloses that the client device is connected to a wireless network and via that network to servers, as discussed at the independent claims above, and as described here at ¶[8:7-19].  Moreover, MANGO discloses a distinction between payment methods involving communication with the cloud server, host card emulation (HCE), and payment methods that do not, those involving the secure element on the client device.
	Therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the authorization server of ZIRAKNEJAD in view of MANGO at the independent claims, to further include the client device as connected to a cloud server, as in MANGO.  Therefore claims 2, 8, and 14, are rendered obvious by ZIRAKNEJAD in view of MANGO.

	Regarding claim(s) 3, 9, and 15, ZIRAKNEJAD discloses:
3.1	 receiving, by the cloud server, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that current network signal reaches the preset strength;
3.2	 and receiving, by an application locally installed on the mobile terminal device, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that the current network signal does not reach the preset strength.
[12:59]    The authentication server 150 may receive a transaction request (310). The transaction request may be received from a client device 110 that scans a QR code generated by a transaction provider 130 that wishes to confirm that the user of the transaction provider 130 is authorized to complete a requested transaction. The transaction request may identify a user, a transaction provider, and a transaction, and may include risk profile information identifying motion and orientation of the client device 110.
	ZIRAKNEJAD does not explicitly disclose: [receiving] by the cloud server . . . when the mobile terminal device determines that current network signal reaches the preset strength; and [receiving] . . . when the mobile terminal device determines that the current network signal does not reach the preset strength.  
	However, MANGO discloses:
3.1	 receiving, by the cloud server, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that current network signal reaches the preset strength;
[6:60]    It is to be understood that a Secure Element may or may not be included in the disclosed system. Host-based Card Emulation (HCE) may be implemented to move a secure storage and execution environment to a cloud instead of the Secure Element.
3.2	 and receiving, by an application locally installed on the mobile terminal device, the request for payment graphic code generation from the mobile terminal device when the mobile terminal device determines that the current network signal does not reach the preset strength.
[6:50]    The Secure Element emulates a contactless card. The secure element may perform a handshake with a terminal, sends correct responses to correct or appropriate queries, generates dynamic cryptograms, and authenticates a stored card. In some examples, the Secure Element may not emulate the contactless card. Software that emulates a contactless card may be one that is stored inside the secure element in the form of payment applications or applets. The Secure Element provides secure storage and execution environment for the payment applications to do their job.
	ZIRAKNEJAD discloses the request from the client device to the authorization server for the generation of a QR code.  	MANGO discloses the client device as requesting authentication via a host-based card emulation executed on a cloud storage environment, as well as the request executing from software stored on a secure element within the client device.  While ZIRAKNEJAD discloses the risk-side terminal as providing the QR code for scanning by the client device, MANGO discloses that the client device performs the scanning as result of authentication.  It would be obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention that the authentication request of ZIRAKNEJAD from the client device to the risk-side terminal, as discussed at independent claim 1, can involve the cloud server and secure element of MANGO, because each authentication step involves a client to server communication where the only distinction is which device scans the QR code.
	Neither ZIRAKNEJAD or MANGO explicitly disclose when the mobile terminal device determines that current network signal reaches the preset strength; or when the mobile terminal device determines that the current network signal does not reach the preset strength.
	However, it would be obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention that where MANGO discloses at ¶ [6:60] that both a secure element and cloud server maybe be used to implement authorization and generation of the 
	Therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the authorization server of ZIRAKNEJAD in view of MANGO at independent claims 1, 7, and 13, and claims 2, 8, and 14, from which the present claims depend, such the authentication request of ZIRAKNEJAD from the client device to the risk-side terminal, as discussed at independent claim 1, can involve the cloud server and secure element of MANGO, where the decision on whether the cloud or secure element is used is conditional on the network signal strength.  Therefore claims 3, 9, and 15, are rendered obvious by ZIRAKNEJAD in view of MANGO.

	Regarding claim(s) 4, 10, and 16, ZIRAKNEJAD discloses:
4.1	 updating the historical risk control features of the account with the risk control features carried in the request for payment graphic code generation, for subsequent detection of transaction risk according to the updated historical risk control features.  
[5:18]    The transaction request that the client device 110 provides to the authentication server 150 may also include risk profile information. Risk profile information may describe the client device 110 or the individual using the client device 110. . . . The risk profile information may additionally or alternatively include information regarding the transaction. For example, the risk profile information may indicate the current time, the current date, the current location of the client device 110, a type of transaction, and an amount for the transaction.
authentication server 150 may store information that indicates the historical times, dates, locations, transaction provider, and types of transaction for previous transactions.
	ZIRAKNEJAD discloses the transaction request as carrying risk control features, where those risk control features or “risk profile information” are subsequently stored as historical data so those “previous transactions” may be used to build the risk profile associated with subsequent client device requests to the server.  Therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the authorization server of ZIRAKNEJAD in view of MANGO at the independent claims, such that risk control features specifically include updating and storing historical data for use in subsequent requests, as disclosed by ZIRAKNEJAD.  Therefore claims 4, 10, and 16, are rendered obvious by ZIRAKNEJAD in view of MANGO.

	Regarding claim(s) 6, 12, and 18, ZIRAKNEJAD discloses:
6.1	receiving trigger of a station entering and exiting payment operation on the mobile terminal device, to generate the request for payment graphic code generation;
[2:56]    The transaction provider 130 may be one or more computing devices that may perform transactions. Transactions may include financial transactions, such as withdrawing money from a user's bank account, and also non-financial transactions, such as verifying that the user 120 is at a certain place at a certain time. The transaction provider 130 may perform a transaction in response to a request from the user.
[13:42]    In response to receiving the indication of a transaction, the client device 110 may determine risk profile information and a credential for the transaction (420). For example, the client device 110 may determine motion and location information for the past minute that are measured by sensors in the client device 110 and a credential stored on the client device 110 that matches a credential necessary to perform the transaction.
6.2	and after receiving the risk control detection result indicating no transaction risk, generating and displaying the payment graphic code on the mobile terminal device.  
[13:59]    In response to determining risk profile information and a credential for the transaction, the client device 110 may determine to prompt for biometric input (430). For example, the client device 110 may generate a transaction request representing the transaction and the risk profile information, and transmit the transaction request to an authentication server 150. The client device 110 may then receive a request to prompt for fingerprint scanning input based on the server determining that there is a medium risk level based on the risk profile information, and based on receiving the request, the client device 110 may determine to prompt for biometric input.
	Thus, ZIRAKNEJAD discloses receiving trigger of a [. . .] payment operation; and after receiving the risk control detection result indicating no transaction risk [authorizing and completing the payment operation].
	However, ZIRAKNEJAD does not disclose: station entering and exiting [. . .] to generate the request for payment graphic code generation; and generating and displaying the payment graphic code on the mobile terminal device.
	MANGO discloses these elements not disclosed by ZIRAKNEJAD:
6.1	receiving trigger of a station entering and exiting payment operation on the mobile terminal device, to generate the request for payment graphic code generation;
6.2	and after receiving the risk control detection result indicating no transaction risk, generating and displaying the payment graphic code on the mobile terminal device.
[5:59]    Even further details of FIG. 3 will now be described. At 321, the app is running and a user is logged in. At 323 geolocation is enabled in the app and at 325 latitude/longitude updates are executed. At 314, a PTA [public transit authority] leg is accessed via a schedule. At 327 a PTA Authorization method is determined. . . . At 324 an access type is determined. . . . At 343, an HTTP API Purchase or QR code is generated and used to direct a user at 345 to a purchase ticket API. The purchase ticket API information may be processed at 347 and sent to DB1 at 349. At 351, deep integration to a PTA API is executed, and at 353 a QR code is sent to the mobile application. At 322 a QR code scanner scans the QR code and at 326 a ticket is accepted.
[14:8]    In addition, the universal fare payment and collection system mobile application can utilize ApplePay, Android Pay, or EMV in an automated fashion depending on the reader utilized by the trolley operator. In cases where QR code tickets are utilized, then the application will direct the user to purchase the trolley ticket through the mobile app. When available, the universal fare payment and collection system mobile application may utilize distance-based pricing. The mobile application may require entry and exit readers at each stop, within the transportation system configuration, to accommodate distance-based pricing for travel by a trolley.
	ZIRAKNEJAD discloses the authorization steps for a client device, where a risk assessment result is determined, as triggering the performance of a transaction.  MANGO discloses that the authorization of a client device, triggers the performance of a transaction, where that transaction is the generation of the QR code on the payment terminal.  Where MANGO and ZIRAKNEJAD each disclose triggering payment operations based on a risk assessment in authorization, it would be obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the authorization server of ZIRAKNEJAD in view of MANGO at the independent claims, such that the payment operation specifically involves station entering and exiting.  Therefore claims 6, 12, and 18, are rendered obvious by ZIRAKNEJAD in view of MANGO.

	Claims 5, 11, and 17, are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent ZIRAKNEJAD in view of U.S. Patent  MANGO and further in view of U.S. Pre-Grant Publication US 2017/0091754 A1 (hereinafter “SILBERNAGL”).

	Regarding claim(s) 5, 11, and 17, ZIRAKNEJAD in view of MANGO discloses, as at independent claims 1, 7, and 13: detecting whether there is a transaction risk.

5.1	obtaining a pre-stored blacklist;
5.2	 and determining whether objects with transaction risks recorded in the blacklist comprise an object corresponding to the request for payment graphic code generation, according to the risk control features in the request for payment graphic code generation, wherein the object comprises at least one of: a payment account, user information bound to the payment account, or device information of the mobile terminal device.
[14:1]    In some implementations, credentials of a user that are stored on a client device 110 may be revoked. The authentication server 150 may revoke credentials based on a risk level of a transaction and a failure of the individual to provide biometric input that satisfies biometric authentication for the risk level. For example, the authentication server 150 may determine that there is a high risk level and that the authentication server 150 does not receive biometric information from the client device 110 that matches biometric information the authentication server 150 has stored for the user. Based on the determination, the authentication server 150 may then revoke or suspend the user's credential. The user's credential may be unsuspended or unrevoked if the user 120 later verifies the user's identity. For example, the user 120 may need to take the client device 110 to a location that provides proctored authentication to undergo proctored authentication to unsuspend or unrevoke the user's credentials.
	Where ZIRAKNEJAD in view of MANGO disclose detecting whether there is a transaction risk as recited at independent claims 1, 7, and 13, it would be obvious to a person having ordinary skill in the art before the effective filing data of the claimed invention to modify the authorization server of ZIRAKNEJAD in view of MANGO to further include the detection of high risk objects and the subsequent suspension of client devices based on requests associated with such high risk objects.
	However, ZIRAKNEJAD in view of MANGO does not explicitly disclose: obtaining a pre-stored blacklist; or a blacklist.

5.1	obtaining a pre-stored blacklist;
5.2	and determining whether objects with transaction risks recorded in the blacklist [. . . ].
[0032] Pre-registration forces an additional step, which inhibits the consumers in making a purchase. To maintain consumer convenience, a black list system may further include heuristic checks to assist in preventing severe fraud. Heuristic checks are particularly suited to contactless credit cards. Such a heuristic security scheme may measure and score a large number of secondary indicia. Such indicia could include: (1) any card identifiers, such as Card Holder Name, Account Identifier, Chip Model, Chip Serial Number, Chip Manufacturer Identifier; (2) make and version of the Card Operating System of the Smart Card if any (e.g., Open Platform or MULTOS); (3) transaction flow, including overall transaction time (e.g., whether or not prolonged pauses are experienced in a particular step of the transaction, or whether or not any step performs slower or faster than expected); and/or (4) CVC1/CVC3 checking (note that even though the card verification code might not be verified in an off-line environment, it may be stored for later validation, leading to the black listing of a card if it does not clear; also note that for a CVC1 or if the CVC3 is determined to be static, it may be used in future validations).
	SILBERNAGL is analogous art to ZIRAKNEJAD, MANGO, and the present application, as the invention of SILBERNAGL is directed to a system of fraud prevention at the payment terminal of a public transit system, where the risk control method is implemented at the server- or station-side of the entry/exit access points.  SILBERNAGL explicitly discloses the use of a “black system” that not only employs a pre-stored list that can be accessed for obtaining the blacklist, as recited at claims 5, 11, and 17, it further discloses doing so with the use of “heuristic checks to assist in preventing severe fraud.”  ZIRAKNEJAD discloses identifying objects with a high transaction risk level, and revoking or suspending the credentials of the associated user based on the request sent from the client device.
	Where ZIRAKNEJAD in view of MANGO discloses detecting whether there is a transaction risk as recited at independent claims 1, 7, and 13; in view of risk detection involving 

Relevant Prior Art Not Relied Upon
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
INTERNATIONAL SEARCH REPORT PCT/CN2019/092491. Date of mailing 24 September 2019.
FINKE US 20200175496 A1 [0139] The visual graphical barcode can be a one-dimensional barcode, two-dimensional barcode or three-dimensional barcode. The visual graphical barcode can be, for example, one-dimensional barcode that includes linear patterns such as lines and spaces. The lines and spaces may be black-and-white. The lines and spaces can comprise more than one color. The color may be visible to human eyes. The color of the barcode may be distinguishable by special tools. For instance, the barcode may include print carbon lines which are detectable using an infrared scanner. The visual graphical barcode can be a two-dimensional barcode including various shapes. The visual graphical barcode may be static or dynamic. The visual graphical barcode may be changed or updated at a certain frequency. The frequency may vary widely in range, such as from 100 Hz to 0.001 Hz. Any description herein of a QR code can be applicable to any visual graphical barcode, and vice versa. [0140] The merchant 506 can send 520 a QR code request to the fund transfer server 504. The QR code request can include information such as transaction details, a transaction identification number (ID) or any other information related to one or more transactions to be included in the invoice. For example, the QR code request can include at least all information that is printed on or included on the face of the invoice. Upon receipt of the QR code request from the merchant, the fund transfer server can generate 522 a QR code. 
Muller US 20180300961 A1 [0031] The various embodiments of the invention aim to implement a contactless ticket validation, such as a Bluetooth Low Energy (BLE) detector unit, acting as a remote validator for a user medium (such as a smartphone or otherwise scannable or electronically identifiable) based ticketing solutions. These implementations of Bluetooth Low Energy (BLE) based automated fare collection solutions which use mobile devices as the user media is an upcoming trend in public transit systems, however, data communication is usually routed from the user medium directly to the background system utilizing public wireless communication systems, such as public land mobile network (PLMN). This design bears weaknesses such as impeded operation in areas with poor or no reception of public wireless communication systems, 
Simanek US 20170278325 A1 [0043] Some examples of transaction contextual information include the duration of time for which the local card analysis system has been unable to communicate with the central system, e.g., for which the local card analysis system has been offline, the time of day, the day of week, a type of transaction, a current physical location of the local card analysis system, contextual information specific an access card, e.g., whether the card was printed by an end user printer or a system kiosk, or a combination of two or more of these. For instance, a type of transaction may include a type of transit, such as a bus, a subway, or a train. The local card analysis system may access rules that define different logic for different types of transactions that would allow a transaction for a particular card accessing one type of transit and deny a transaction for the particular card accessing a different type of transit using the same account information for the particular card, e.g., when the different type of transit, on average, has a higher transit cost, an entity has a different risk for different types of transit, or both. 
Kutsch US 20150227923 A1 [0099] FIG. 5 shows an exemplary system in the context of a railroad station area 502, it being understood that one or more embodiments are applicable to control access to a variety of different locations, such as bus terminals, subway terminals, stadiums, festivals, pubs, night clubs, corporate or educational campus environments, theme parks, hotels, shopping malls, and holiday parks. The station area 502 includes at least one Wi-Fi transceiver 504, as well as a "fast" access gate 522 using aspects of one or more embodiments of the disclosure. Optional components include a 
Sinai US 20170213205 A1 [0051] FIG. 3 shows a flow chart for a method of executing payment of fares in a transportation system, such as the transportation system 4. In step 
PAN US 20170243262 A1 [0060] Next, at block 330, a request may be sent to the merchant to determine a charge based on the token having the associated first and second locations, or first and second times, e.g., by payment module 214 via communication 
NATHANEL US 20140244409 A1 [0131-133] In accordance with the present invention, the system (a remote server, or the PoS terminal of the merchant, or the mobile device of the consumer) may generate a unique time-sensitive per-consumer code, which may be generated uniquely for the particular mobile device of the particular consumer located in the particular establishment location. The unique code may be generated based on, for example, data indicating the geo-spatial location of the consumer's smartphone, and/or data indicating the current date and/or time, and/or current time-and-date stamp, and/or data identifying the merchant whose establishment or restaurant or store the consumer is now visiting. The unique code may automatically expire or "burn out", or may be otherwise terminated or canceled or written-off, upon entry of the unique code to the PoS terminal; in order to prevent re-use or duplicate-use of the unique code. In some embodiments, the unique code may be a four-digit number which may be time-based, location-based, and user-based in order to ensure uniqueness; and that the consumer may easily show to the merchant, or convey to the merchant verbally, and which the merchant may rapidly type or enter into the PoS terminal in order to finalize the association process. In other embodiments, the unique code may be a Quick Response (QR) code representing a number which may be a function of time-based data, location-based data, 
Ellis US 8924292 B1 (73)   The merchant computer system 140 includes code scanner 1704, location indicator logic 1706, fund requesting logic 1708, and fund receiving logic 1710. In one embodiment, the network interface logic 1702 is configured to allow the merchant computer system 140 to communicate with network 140. The network interface logic 1702 sends and receives data from mobile device 110 and bank computer system 120. (74)    The code scanner 1704 may be configured to scan codes, such as but not limited to, optically scanned or non-optically scanned codes. Examples of optically scanned codes include bar codes, two dimensional codes (e.g. QR code and other similar codes), three dimensional codes (e.g. QR code with color and others characteristics), and four dimensional codes (e.g. QR code with color and timestamp information). Examples of non-optical codes include, near field communication (NFC), RFID, HID or other RF 
Rosenblatt US 20130085941 A1 [0074] FIG. 9E illustrates a flow chart 170 that generally shows the authentication process based upon location of the device 10. The flow chart 170 begins by determining the device location as indicated at block 172. As discussed above, a variety of modes are provided to determine the location of the device. In some embodiments, one or more location identifying modes may be implemented. Once the device location has been determined, the device location information may be communicated to a transaction terminal, such as the ATM 160, as indicated in block 174. A decision is made, as indicated at block 176, as to whether or not the location of the device 10 corresponds with the location of the ATM 160. If not, the transaction may be terminated, as indicated at block 178. Alternatively, if the locations correspond, the 
Van de Velde US 20100252624 A1 [0066] As noted, techniques of the invention may be used to control entrance to and/or exit from a controlled access system. . . .Thus, the steps described could be executed in connection with entrance of the holder to a controlled access system, and in such case, the e-merchandise related information in steps 308 and 318 could include the initial entry point information. Thus, the first terminal, such as terminal 206 in FIG. 2, can in this case be thought of as an entrance terminal. In this case, additional steps can include step 320, namely, facilitating interrogation of the electronic payment device by an exit terminal upon exit of the holder from the system, to obtain system entry point information (the exit terminal in essence already "knows" its own location, i.e., the system exit location). The exit terminal could be, for example, terminal 208 of FIG. 2. Step 322 can include facilitating one or more of providing a ticket to the holder and charging a fee to the holder, via the exit terminal payment module, based upon the controlled access system entry point information and controlled access system exit point information (e.g., location of the exit terminal). It will be appreciated that the ticket provided in step 322 (or elsewhere herein) could be an electronic ticket, a physical ticket, an optical ticket, and the like. [0079] In general terms, in a normal EMV transaction flow, the right application is selected on the card or other device, data is read from the card or other device, terminal risk analysis and terminal action analysis are performed, the card is asked for a cryptogram of a type determined by the above analysis, and the card then does its risk analysis and responds to the terminal in an appropriate fashion. In the modified 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFREY L LICITRA whose telephone number is (571)272-5340.  The examiner can normally be reached on 9:00AM-5:00PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/J.L.L./Examiner, Art Unit 3685                                                                                                                                                                                                        



/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3685