DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Acknowledgements
This communication is in response to claim amendments and applicant’s remarks filed on 02/22/2021.
Claims 1, 6, 9, 13, 16, and 22 have been amended.
Claims 2, 5, 8, 10, 15, 19-20, 23, and 26 have been cancelled.
Claims 27-29 have been added.
Claims 1, 3-4, 6-7, 9, 11-14, 16-18, 21-22, 24-25, and 27-29 are pending and are presented for examination on the merits.

Claim Objections
Claim 24 is objected to because of the following informalities:  Claim 24 is depend on claim 23.  However, claim 23 is cancelled.  Therefore, claim 24 is incomplete (MPEP 608.01(n)).  For examination purposes, the Examiner has interpret the claim 24 is depend on claim 1. Appropriate correction is required.

Claim 24 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

As per claims 1, 3-4, 6-7, 9, 11-14, 16-18, 21-22, 24-25, and 27-29, the claimed invention is directed to an abstract idea without significantly more because:
•             Claim 1 recites:
               receiving, by the communication device from the access device via the short range communication channel, an anti-collision command;
              receiving, by the communication device from the access device via the short range communication channel, an information request comprising transaction level data, the transaction level data comprising data relating to application selection and/or transaction processing; 
             responsive to receiving the anti-collision command, determining, by the communication device, a UID (unique identifier) or PUPI (pseudo unique PICC identifier);
            generating, by the communication device using a cryptogram generation module in a memory in the communication device, a cryptogram by encrypting at least the transaction level data, and the UID or PUPI; 
             transmitting, by the communication device, the transaction level data, and the UID or PUPI to the access device; and 
             transmitting, by the communication device, the cryptogram to the access device, 
            wherein the access device or a remote server computer in communication with the access device validates the cryptogram before allowing the interaction to proceed, by
           Page 2 of 12 KILPATRICK TOWNSEND 74525703 1Amdt.decrypting the cryptogram to obtain the transaction level data, and the UID or PUPI, 
            comparing, the received transaction level data, and the UID or PUPI received from the communication device with the transaction level data, and the UID or PUPI obtained from the cryptogram to determine if the received cryptogram is valid; and 
             allowing the transaction to proceed if the received cryptogram is valid.
•             Under Step 1 of the Section 101 analysis, the claim(s) is/are directed to a system and method, which are statutory categories of invention.
•             Under Step 2A Prong One of the 2019 Revised Patent Subject Matter Eligiblity Guidance, the claimed invention as drafted includes language (see underlined language above) that recites an abstract idea of authenticating a transaction by using a cryptogram (a certain method of organizing human activity such as a commercial or legal interactions, e.g. sales activities or behaviors) but for the recitation of additional claim elements. Claims 9 and 16 recite similar abstract idea.  That is, other than reciting “communication device”, “access device”, “short range communication channel”, and “cryptogram generation module in a memory”, nothing in the claim precludes the language from being considered as practically being organized by human activity. For example, but for the “by the communication device from the access device via short range communication channel”, “receiving, an information request comprising transaction level data, the transaction level data comprising data relating to transaction processing” encompasses a person manually transmit an information request comprising transaction level data to another person. Similarly, but for the generating, a cryptogram by encrypting at least the transaction level data, and the UID or PUPI” encompasses a person manually compute a cryptogram by writing down a transaction amount and a phone number backwards and add them together. 
•             A similar analysis can be applied to dependent claims 3-4, 6-7, 11-14, 17-18, 21-22, 24-25, and 27-29, which further recite the abstract idea of authenticating a transaction by using a cryptogram.
•             Under Step 2A Prong Two of the 2019 Revised Patent Subject Matter Eligiblity Guidance, the additional claim element(s), considered individually, do not apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception and in a manner that integrates the exception into a practical application of the exception. The additional claim elements(s) merely add the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. For example, the additional elements of “communication device”, “access device”, and “cryptogram generation module in a memory” merely use a generic computer device and generic computer components as a tool to perform an abstract idea. Furthermore, the additional claim elements(s) such as “short range communication channel” generally link the use of the judicial exception to a particular technological environment or field of use of short range transmission.  
•             Under Step 2A Prong Two, the additional claim element(s), considered in combination, do not apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception and in a manner that integrates the exception into a practical application of the exception. The combination of elements is no more than the sum of their parts. Unlike the eligible claims in Diehr and Bascom, in which the elements limiting the exception taken together improve a technical field, the instant claim lacks an improvement to the functioning of a computer or to any other technology or technical field.
•             Under Step 2B, the additional claim element(s), considered individually and in combination, do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself for similar reasons outlined under Step 2A Prong Two. 
            Therefore, claims 1, 3-4, 6-7, 9, 11-14, 16-18, 21-22, 24-25, and 27-29 are rejected under 35 U.S.C. §101.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1, 3, 6-7, 9, 11-14, 16-18, 21, 22, 24, 25 and 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Shastry et al. (US 20160036790), in view of Guglani (US 20180268403).
Regarding claims 1 and 9, Shastry discloses:
          a data processor (paragraph [0072] of Shastry);
          a non-transitory computer readable medium coupled to the data processor, the non-transitory computer readable medium comprising code, executable by the data processor (paragraph [0079] of Shastry);
           responsive to receiving a command, determining, by the communication device, a UID (unique identifier) or PUPI (pseudo unique PICC identifier) (By disclosing, “Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language …. The software code may be stored as a series of instructions, or commands on a computer readable medium” (paragraph [0079] of Shastry); “the user may be required to authenticate the untrusted mobile application 110 with the payment network cloud service system. To that end, the untrusted mobile application 110 may submit … along with account credentials of the user” (paragraph [0048] of Shastry); and the account credentials include a device identifier (UID) (paragraph [0050] of Shastry)); 
           generating, by the communication device using a cryptogram generation module in a memory in the communication device, a cryptogram by encrypting at least the transaction level data, and the UID or PUPI (By disclosing, “Using the first cryptographic key, the trusted mobile application 108 may create an identity verification cryptogram (step S156 in FIG. 1B). That is, the trusted mobile application 108 may encrypt the ; 
           transmitting, by the communication device, the transaction level data, and the UID or PUPI to the access device (By disclosing, “The trusted mobile application 108 may provide the account credentials (i.e. user data) such as the primary account number (PAN), the expiration date, the name on the account, the billing address, the device identifier and the like to the payment network cloud service system 104” (paragraph [0043] of Shastry))(Note: the Examiner interprets the “payment network cloud service system 104” to be the “access device”); and 
           transmitting, by the communication device, the cryptogram to the access device (By disclosing, “The server computer receives the user data associated with the user and the identity verification cryptogram from a second mobile application” (paragraph [0005] of Shastry)), 
            wherein the access device or a remote server computer in communication with the access device validates the cryptogram before allowing the interaction to proceed, byPage 2 of 12 KILPATRICK TOWNSEND 74525703 1decrypting the cryptogram to obtain the transaction level data, and the UID or PUPI (By disclosing, “The payment network cloud service system 104 may decrypt the identity verification cryptogram to obtain decrypted credentials” (paragraph [0050] of Shastry)), 
            comparing, the received transaction level data, and the UID or PUPI received from the communication device with the transaction level data, and the UID or PUPI obtained from the cryptogram to determine if the received cryptogram is valid (By disclosing, “The payment network cloud service system 104 may decrypt the identity verification cryptogram to obtain decrypted credentials, may compare the decrypted credentials to the user data received from the untrusted mobile application 110” (paragraph [0050] of Shastry); and “the user data may include one or more of primary account number (PAN), expiration date of a payment account, user name, billing address and a device identifier”(paragraph [0018] of Shastry)); and          
            Shastry does not disclose:
            receiving, by the communication device from the access device via the short range communication channel, an anti-collision command;
           receiving, by the communication device from the access device via the short range communication channel, an information request comprising transaction level data, the transaction level data comprising data relating to application selection and/or transaction processing; and
            allowing the transaction to proceed if the received cryptogram is valid.
          However, Guglani teaches:
          receiving, by the communication device from the access device via the short range communication channel, an anti-collision command (By disclosing, the mobile device receives from an access device a unique code (anti-collision command) (paragraph [0062]-[0063] of Guglani); the unique code is transmitted to the mobile device via NFC (paragraph [0062]-[0063] of Guglani); and “a unique code is of sufficient length as to make insignificant the likelihood of independently generating the same unique code multiple times”, thus the command is anti-collision (paragraph [0024] of Guglani)); and 
           receiving, by the communication device from the access device via the short range communication channel, an information request comprising transaction level data, the transaction level data comprising data relating to application selection and/or transaction processing (By disclosing, “the mobile device 104 can receive transaction data for the transaction in accordance with a second transaction protocol” (paragraph [0062] of ; and
            allowing the transaction to proceed if the received cryptogram is valid (By disclosing, “If the cryptograms match, this may indicate that the mobile device and/or the user are authenticated such that the transaction may proceed” (paragraph [0034] of Guglani)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of generating a cryptogram based on transaction data and validating the cryptogram in view of Guglani to include techniques of receiving, by the communication device from the access device via the short range communication channel, an anti-collision command; receiving, by the communication device from the access device via the short range communication channel, an information request comprising transaction level data, the transaction level data comprising data relating to application selection and/or transaction processing; and allowing the transaction to proceed if the received cryptogram is valid.  Doing so would results in an improved invention because this would allow a cryptogram to be generated upon receiving the transaction data and the anti-collision command from the access device of a merchant when the client is present at a merchant 

Regarding claims 3 and 11, Shastry also discloses:
         the access device validates the cryptogram (By disclosing, The payment network cloud service system 104 may decrypt the identity verification cryptogram to obtain decrypted credentials, may compare the decrypted credentials to the user data received from the untrusted mobile application 110 (step S168 in FIG. 1B). If the decrypted credentials match the user data received from the untrusted mobile application 110, the payment network cloud service system 104 may validate that the identity verification cryptogram is generated using the account credentials received from the untrusted mobile application 110” (paragraph [0050] of Shastry)).
         Shastry does not expressly disclose:
         the access device is programmed to reject the interaction if it cannot validate the cryptogram.
          However, Guglani teaches:
         the access device is programmed to reject the interaction if it cannot validate the cryptogram (By disclosing, “the access device may decrypt the cryptogram using the unique code or a separate decryption key related to the unique code (e.g., a private key in a key pair) at 710. …, if the information has been improperly encrypted or decrypted, the payment information identified may . 
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in view of Guglani to include techniques of rejecting the transaction if it cannot validate the cryptogram as disclosed by Guglani.  Doing so would result in an improved invention because this would allow the transaction being rejected before sending the decrypted information to the issuer for further processing, thus saving the energy consumption of data transmission and data processing. 

Regarding claims 6 and 13, Shastry also discloses:
          generating the cryptogram comprises encrypting the transaction level data and the UID or PUPI using an authorizing entity cryptographic key (By disclosing, “Upon verification, the payment network cloud service system 104 may send a first payment token and a first cryptographic key to the trusted mobile application 108” (paragraph [0043] of Shastry); and “Using the first cryptographic key, the trusted mobile application 108 may create an identity verification cryptogram” (paragraph [0044] of Shastry)), and 
          wherein the access device or the remote server computer uses a corresponding authorizing entity cryptographic key to validate the cryptogram (By disclosing, “The server computer validates that the identity verification . 

Regarding claims 7 and 14, Shastry also discloses:
         the authorizing entity cryptographic key and the corresponding authorizing entity cryptographic key are symmetric keys (By disclosing, “the application encryption key may include a symmetric encryption key” (paragraph [0036] of Shastry)).

Regarding claim 12, Shastry also discloses:
         the communication device is a phone (See at least paragraph [0020] and Fig. 1A of Shastry)).

Regarding claim 16, Shastry discloses:
          responsive to a command, the communication device determines a UID (unique identifier) or PUPI (pseudo unique PICC identifier) (By disclosing, “Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language …. The software code may be stored as a series of instructions, or commands on a computer readable medium” (paragraph [0079] of Shastry); “the user may be required to authenticate the untrusted mobile application 110 with the ; 
           generates, using a cryptogram generation module in a memory in the communication device, a cryptogram by encrypting the transaction level data, and the UID or PUPI (By disclosing, “Using the first cryptographic key, the trusted mobile application 108 may create an identity verification cryptogram (step S156 in FIG. 1B). That is, the trusted mobile application 108 may encrypt the user data (i.e. account credentials) using the first cryptographic key” (paragraph [0044] of Shastry); and “The trusted mobile application 108 may provide the account credentials (i.e. user data) such as the primary account number (PAN), the expiration date, the name on the account, the billing address, the device identifier and the like to the payment network cloud service system 104” (paragraph [0043] of Shastry))(Note: the Examiner interpret the “primary account number (PAN), expiration date of a payment account, user name, billing address” in the prior art to be the “transaction level data” and the “device ID” in the prior art to be the “unique identifier”); 
           receiving, by the assess device from the communication device, the transaction level data, the UID or PUPI, and the cryptogram that was generated by encrypting the transaction level data, and the UID or PUPI ; and 
            Shastry does not disclose:
            providing, by the access device to the communication device via the short range communication channel, an anti-collision command;
           providing, by the access device to the communication device via the short range communication channel, an information request comprising transaction level data comprising data relating to application selection and/or transaction processing;
          generating an authorization request message comprising the transaction level data; and 
         transmitting the authorization request message to an authorizing entity computer, wherein the authorizing entity computer approves or declines the authorization request message.
          However, Guglani teaches:
providing, by the access device to the communication device via the short range communication channel, an anti-collision command (By disclosing, the mobile device receives from an access device a unique code (anti-collision command) (paragraph [0062]-[0063] of Guglani); the unique code is transmitted to the mobile device via NFC (paragraph [0062]-[0063] of Guglani); and “a unique code is of sufficient length as to make insignificant the likelihood of independently generating the same unique code multiple times”, thus the command is anti-collision (paragraph [0024] of Guglani));
           providing, by the access device to the communication device via the short range communication channel, an information request comprising transaction level data comprising data relating to application selection and/or transaction processing (By disclosing, “the mobile device 104 can receive transaction data for the transaction in accordance with a second transaction protocol” (paragraph [0062] of Guglani); the transaction data is transmitted from the access device to the mobile device via NFC (paragraph [0062]-[0063] of Guglani); and the transaction data is used for generating a cryptogram for transaction processing (paragraph [0082] of Guglani));
          generating an authorization request message comprising the transaction level data (See at least paragraph [0025] of Guglani); and 
         transmitting the authorization request message to an authorizing entity computer, wherein the authorizing entity computer approves or declines the authorization request message (See at least paragraph [0033]-[0034] and [0026] of Guglani). 
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in view of Guglani to include techniques of providing, by the access device to the communication device via the short range communication channel, an anti-collision command; providing, by the access device to the communication device via the short range communication channel, an information request comprising transaction level data comprising data relating to application selection and/or transaction processing; generating an authorization request message comprising the transaction level data; and transmitting the authorization request message to an authorizing entity computer, wherein the authorizing entity computer approves or declines the authorization request message. 
Regarding claim 17,  Shastry does not disclose:
          wherein transmitting the authorization request message to the authorizing entity computer comprises transmitting the authorization request message to the authorizing entity computer via a processing network and a transport computer. 
          However, Guglani teaches:
          wherein transmitting the authorization request message to the authorizing entity computer comprises transmitting the authorization request message to the authorizing entity computer via a processing network and a transport computer (By disclosing, “The reader of the merchant's access device can scan the new two-dimensional barcode including the encoded cryptogram, and can generate an authorization request message for the transaction. The authorization request message can then be routed to the issuer of the account used to conduct the transaction via a payment processing network (See at least paragraph [0033] and Fig. 5 of Guglani)). 
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in to include transmitting the authorization request message to the authorizing entity computer via a processing network and a transport computer as disclosed by Guglani.  Doing so would result in an improved invention because this allow the processing network perform various processing steps before routing the authorization request message to the authorizing entity.

Regarding claim 18, Shastry also discloses:
          the access device, the transport computer, the processing network, or the authorizing entity computer validates the cryptogram (By disclosing, The payment network cloud service system 104 may decrypt the identity verification cryptogram to obtain decrypted credentials, may compare the decrypted credentials to the user data received from the untrusted mobile application 110 (step S168 in FIG. 1B). If the decrypted credentials match the user data received from the untrusted mobile application 110, the payment network cloud service system 104 may validate that the identity verification cryptogram is generated using the account credentials received from the untrusted mobile application 110” (paragraph [0050] of Shastry)). 
          Shastry does not expressly discloses:
          validates the cryptogram before allowing the interaction to proceed.
          However, Guglani teaches:
          validates the cryptogram before allowing the interaction to proceed (By disclosing, “If the cryptograms match, this may indicate that the mobile device and/or the user are authenticated such that the transaction may proceed” (paragraph [0034] of Guglani)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in view of Guglani to include techniques of validating the cryptogram before allowing the interaction to proceed.  Doing so would results in an improved 

Regarding claim 21, Shastry also discloses:
          the transaction level data is not needed for the communication device and the access device to communicate (By disclosing, “The server computer sends a cryptographic key to the mobile application after authenticating the user” which infers that the communication device and the access device can communicate other data except the transaction level data (paragraph [0005] of Shastry)); and 
         wherein the transaction level data allows the communication device and the access device to complete the interaction (paragraph [0050] and Fig. 1B of Shastry).

Regarding claim 22, Shastry also discloses:
          the transaction level data, the interoperability level data, and the cryptogram are transmitted in a single message from the communication device to the access device (By disclosing, “The untrusted mobile application 110 may provide the retrieved identity verification cryptogram along with account credentials such as PAN, the expiration date, the name on the account, the billing address, the device identifier and the like to the payment network cloud 

Regarding claim 24, Shastry also discloses:
          the transaction level data comprise at least one of primary account number, a token, and/or an unpredictable number (By disclosing, “The trusted mobile application 108 may provide the account credentials (i.e. user data) such as the primary account number (PAN), the expiration date, the name on the account, the billing address, the device identifier and the like to the payment network cloud service system 104” (paragraph [0043] of Shastry)).

Regarding claim 25, Shastry does not disclose:
          the short range communication channel comprises an NFC channel.
          However, Guglani teaches:
          the short range communication channel comprises an NFC channel (By disclosing, “This unique code can be transmitted by the access device to the user's mobile device using, for example, a near field communication (NFC) protocol” (paragraph [0033] of Guglani)). 
     Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in view of Guglani to include a NFC channel as the short range communication 

Regarding claims 27-29, Shastry also discloses:
          the UID is determined by the communication device and the cryptogram is generated by encrypting at least the transaction level data and the UID (By disclosing, “At a first level, a first mobile application on a user device may provide user data (e.g. credentials) including, but not limited to, primary account number (PAN), expiration date of a payment account, user name, billing address and a device identifier to a server computer” (paragraph [0017] of Shastry); and “A "cryptogram" may refer to an encrypted representation of some information” (paragraph [0026]-[0027] of Shastry)).

Claims 4 is rejected under 35 U.S.C. 103 as being unpatentable over Shastry et al. (US 20160036790), in view of Guglani (US 20180268403), and further in view of Antunovic et al. (US 20170200149).
Regarding claim 4, Shastry does not disclose;
          the communication device is a card.
          However, Antunovic teaches:
         the communication device is a card (By disclosing, “system 100 can also be designed to work with a contactless device such as card 112” paragraph [0021] 
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Shastry in view of Antunovic to include techniques of using a card as the communication device.  Doing so would result in an improved invention because this would allow a user initiate a transaction with a contactless card when a mobile phone is not at hand, thus improving the functionality of the claimed invention.

                                        Response to Arguments
Applicant’s arguments with regard to the respect to the 35 U.S.C. § 103 rejection have been considered but are moot in view of new grounds of rejection initiated by applicant’s amendment to the claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUAN ZHANG whose telephone number is (571)272-4642.  The examiner can normally be reached on Mon - Fri 10 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 5712701492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information 





/DUAN ZHANG/Examiner, Art Unit 3685      


/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685