DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Status of Claims
This action is in reply to the amended claims filed on 12/16/2020, wherein:
Claims 1-20 have been amended; and 
Claims 1-20 are currently pending and have been examined.
Claim Objections
Amendments of claims 2, 7-9, 11, 13, and 14 resolves the previous objections to the claims due to informalities and the previous objections are withdrawn.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 12-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 12-13 recites the limitation “the electronic device”.  There is insufficient antecedent basis for this limitation in the claims because the limitation in independent claim 12 was amended to “a user electronic device”.  For purposes of examination, the limitation “the electronic device” is interpreted as “the user electronic device” in claims 12-14.     
The rejections that follow are interpreted in light of the 35 USC 112 rejections discussed above. 
Amendment of claim 9 resolves the previous rejection of the claim in the non-final rejection under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention; and the previous rejection is withdrawn.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  The claims recite a system and method for generating a dynamic security code for a card transaction which is considered a judicial exception because it falls under Certain Methods of Organizing Human Activity such as fundamental economic principles or practices, including mitigating risk.  This judicial exception is not integrated into a practical application as discussed below and the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception as discussed below.
This rejection follows the 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed Reg 4, January 7, 2019, pp. 50-57 (“2019 PEG”).  
Analysis
Step 1 – 2019 PEG pg. 53
Claims 1-20 are directed to the statutory category of a process.  

Step 2A, Prong 1 – 2019 PEG pg. 54
For independent claim 1, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: receiving a user request to generate the dynamic security code; upon receiving the user request, sending a time request to a time source; receiving, in response to the time request, a message comprising a time from the time source, determining an authenticity of the message containing the time; computing a dynamic security code based on the time received in the message and a key; and causing the dynamic security code to be displayed, when considered collectively as an ordered combination recites the oral abstract idea of generating a dynamic security code for a card transaction.       
For independent claim 12, the claim recites an abstract idea of generating a dynamic security code for a card transaction.  The steps of: receive, via the user, a request to generate the dynamic security code; upon receiving the user request, send a time request to a time source; receive, in response to the time request, a message comprising a time, determine an authenticity of the message containing the time; compute the dynamic security code based on the time received in the message and a key; and cause the dynamic security code to be displayed, when considered collectively as an ordered combination recites the oral abstract idea of generating a dynamic security code for a card transaction.   
Independent claims 1 and 12, as drafted, are a process that, under the broadest reasonable interpretation, covers Certain Methods of Organizing Human Activity, since they recite fundamental economic principles or practices including mitigating risk.  The steps of receiving a user request to generate the dynamic security code; upon receiving the user request, sending a time request to a time source; receiving, in response to the time request, a message comprising a time from the time source, determining an authenticity of the message containing the time; computing a dynamic security code based on the time received in the message and a key; and causing the dynamic security code to be displayed, considered collectively as an ordered combination, are fundamental economic principles or practices of mitigating risk.  Hence all the steps of the claim, considered collectively as an ordered combination, fall under the abstract idea of certain methods of organizing human activity.  If the claim limitations, under the broadest reasonable interpretation, covers methods of organizing human activity but for the recitation of generic computer components, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  Other than reciting the abstract idea, the independent claims recite generic computer components such as “a user electronic device separate from the card, a user input device of the user electronic device, a time source external to the user electronic device, a key stored at the user electronic device; a display of the user electronic device, the user electronic device comprising at least one processor, storage, a display, and a user input device”, and nothing in the claims precludes the steps from being performed as a method of organizing human activity.  Accordingly, the claims recite an abstract idea.  
Dependent claims 2-11, and 13-20 recite similar limitations as claims 1, and 12; and when analyzed as a whole are held to be patent ineligible under 35 U.S.C 101 because the additional recited limitations only refine the abstract idea further.  For instance in claims 2-5, 13, and 16-19, the additional abstract ideas of: computing the dynamic security code; and causing the dynamic security code to be displayed; are only performed if the message comprising the time is determined to be authentic; wherein the message comprising the time comprises a Message Authentication Code, MAC and determining an authenticity of the message comprises computing a Message Authentication Code using a key; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message; sending a time request to the time source, the time request including the identifier; and determining an authenticity of the message uses a public key of the time source, under the broadest reasonable interpretation, are further refinements of methods of organizing human activity because these describe the intermediate steps of the underlying process for mitigating risk of the transaction.
In claims 6, 7, 10, and 20 the limitations of computing a dynamic security code for a plurality of different cards, displaying an invitation for user input to select one of the plurality of cards; sending a request to generate a dynamic security code for the selected card; and computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key, are further refinements of methods of organizing human activity such as fundamental economic principles or practices including mitigating risk because they describe a variation in the method for mitigating risk for a transaction using multiple cards.
In claims 8 and 9, the limitations of an enrollment process of sending the identifier to an authorization entity, wherein the identifier can be used to associate the selected card to the key used to compute the security code; the enrollment process comprising partial data about cards issued to a user from an authorization entity; receiving user input selecting at least one of the cards; and sending the identifier to the authorization entity, wherein the identifier can be used to associate the selected card to the key used to compute the security code, are further refinements of methods of organizing human activity such as fundamental economic principles or practices including mitigating risk because they describe the steps of enrolling in the system for mitigating risk during transactions and are contingencies that are taken into consideration when applying the abstract idea and the environment in which the abstract idea is applied.  
Other than reciting the abstract idea, the dependent claims recite similar generic computer components as the independent claims, such as “a Message Authentication Code, MAC, a key stored at the electronic device, the electronic device stores an identifier ID, the message comprising the time comprises a digital signature, the electronic device stores a master key, a secure element on the electronic device, a secure partition of a general purpose process of the electronic device”.  If a claim limitation, under its broadest reasonable interpretation, covers commercial or legal interactions, but for the recitation of generic computer components, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.

Step 2A, Prong 2 – 2019 PEG pg. 54
This judicial exception is not integrated into a practical application.  In particular, independent claims 1, and 12 only recite the additional elements of “a user electronic device separate from the card, a user input device of the user electronic device, a time source external to the user electronic device, a key stored at the user electronic device; a display of the user electronic device, the user electronic device comprising at least one processor, storage, a display, and a user input device”.  A plain reading of Figures 1, 2, 12 and 13, and associated descriptions in at least pages 3, 4, 7, 16 and 17 of the specification stating “examples of the host devices are a smart phone, a table, a personal computer or any other suitable computing device” reveals that generic processors may be used to execute the claimed steps.  The additional elements of “an electronic device separate from the card, a time source external to the electronic device, a key stored at the electronic device; and an electronic device being separate from the card comprising at least one processor, storage, display, and a user input device” are recited at a high level of generality (i.e., as a generic processor performing generic computer functions) such that it amounts to no more than mere instructions to apply the exception using generic computer components.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  Hence, independent claims 1, and 12 are directed to an abstract idea. 
In dependent claims 2-11, and 13-20, the judicial exception is not integrated into a practical application.  The dependent claims only recite the additional elements of “a Message Authentication Code, MAC, a key stored at the electronic device, the electronic device stores an identifier ID, the message comprising the time comprises a digital signature, the electronic device stores a master key, a secure element on the electronic device, a secure partition of a general purpose process of the electronic device”.  The additional limitations are recited at a high-level of generality such that it amounts to more no more than mere instructions to apply the exception using generic computer components.  Also the claims do not affect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.   

Step 2B – 2019 PEG pg. 56
Independent claims 1, and 12 do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of “a user electronic device separate from the card, a user input device of the user electronic device, a time source external to the user electronic device, a key stored at the user electronic device; a display of the user electronic device, the user electronic device comprising at least one processor, storage, a display, and a user input device” to perform the steps of: receiving a user request to generate the dynamic security code; upon receiving the user request, sending a time request to a time source; receiving, in response to the time request, a message comprising a time from the time source, determining an authenticity of the message containing the time; computing a dynamic security code based on the time received in the message and a key; and causing the dynamic security code to be displayed, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(h)).  The additional elements of the instant underlying process, when taken in combination, together do not offer substantially more than the sum of the function of the elements when each is taken alone.  Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.  Further, the displaying step falls to transform the claims into patent eligible material, as this is part of the field of use and technical environment in which the abstract idea is being implement and does not result in an improvement to additional elements (see MPEP 2106.05(h) Electric Power Group court decision). Therefore, independent claims 1 and 12 are not patent eligible.  
In addition, the dependent claims 2-11, and 13-20 do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  The additional elements of the instant underlying process, when taken in combination, together do not offer substantially more than the sum of the functions of the elements when each is taken alone.  The claims as a whole, do not amount to significantly more than the abstract idea itself.  For these reasons, the dependent claims also are not patent eligible.

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7, and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2011/0225089 to Hammad (hereinafter referred to as Hammad), in view of WO 2014022778 to Teixeron et al. (hereinafter referred to as Teixeron), and further in view of US 2016/0148194 to Guillaud et al. (hereinafter referred to as Guillaud).

In regards to claim 1, Hammad discloses a method of securing a card transaction by generating a dynamic security code for the card transaction (systems and methods for generating dynamic verification values for use in electronic payment transactions, para. 0006) the method being performed at a user electronic device (portable consumer device 112 may include a cellular phone associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) separate from a card (portable consumer device 112 may include a contactless element 114 including a processor and one or more applications stored on computer readable media that allow the portable consumer device to wirelessly send its stored card data to a wireless reader, para. 0037), the card transaction using card details of the card (card data associated with the portable consumer device 112 are received by the verification token 122 from the contactless element 114 of the portable consumer device 112, para. 0063), the card details comprising the dynamic security code (the dynamic verification value is received by the user communication device and the user may manually enter the dynamic verification value in a payment page of a website, para. 0054), the method comprising: receiving, via a user input device of the user electronic device (the dynamic verification value may be generated in response to a request from a user communication device before conducting a payment transaction, para. 0054), a user request to generate the dynamic the security code (server computer receives a request for a dynamic verification value from a user communication device and the generated dynamic verification value is sent to verification token 122 of user communication device, para. 0054); upon receiving the user request (the dynamic verification value may be generated in response to a request from a user communication device before conducting a payment transaction, para. 0054), sending a time request to a time source (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3) external to the user electronic device (server computer generates the dynamic verification value using security values as inputs in response to a request from a user communication device, para. 0054); computing a dynamic security code (a dynamic verification value is generated by using a function-based algorithm that uses a selected set of security values as inputs, para. 0025, fig. 3) based on (security values shown in fig. 3 include a primary account number PAN 301, a refresh window 302, a request date 303, a request sequence number 304, a request type 305 and an issuer secret phrase, para. 0068, fig. 3) the time (request date 303, fig. 3) received in the message and a key (primary account number PAN 301, fig. 3; PAN 301 may be embossed on the portable consumer device 112, para. 0072; for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3); and causing the dynamic security code to be displayed on a display of the user electronic device (dynamic verification value may be received by a user communication device such as a mobile device and the user 110 may manually enter the dynamic verification value in a payment page of a website, para. 0054).  However, Hammad fails to disclose, receiving, in response to the time request, a message comprising a time from the time source; determining an authenticity of the message containing the time; computing a dynamic security code based on the time and a key stored at the user electronic device.
Teixeron, in the related field of securing remote transactions, teaches receiving a message comprising a time from the time source (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); determining an authenticity of the message containing the time (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054) and computing a dynamic security code based on the time and a key (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide receiving a message comprising a time from the time source; determining an authenticity of the message containing the time and computing a dynamic security code based on the time and a key.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).  However, the combination of Hammad, and Teixeron fails to teach receiving, in response to the time request, a message comprising a time; computing a dynamic security code based on the time and a key stored at the user electronic device.  
Guillaud, in the related field of enhanced security features for smart, debit, and credit cards, teaches receiving, in response to the time request (time based methodology for generation of security codes requires the card to have wireless access to a time keeping system to synchronize the generation of the security codes, paras. 0064-0067), a message comprising a time (time based methodology for the generation of security codes requires the card to connect to the payment processor or 3rd party who maintains a clock for synchronization timing solutions, para. 0065); and computing a dynamic security code based on the time and a key stored at the user electronic device (the security code sent to a payment processor for authentication may be automatically generated by algorithms running on a microprocessor located in the card and generated for each of the time period windows Period 1, Period 2, and Period 3 with the payment processor’s computer system comparing the card’s security code 111 corresponding to Period 1 to the payment processor’s security authorization system 816 security code 111 for Period 1 to see if they match, paras. 0067-0068).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Guillaud to teach receiving, in response to the time request, a message comprising a time; and computing a dynamic security code based on the time and a key stored at the user electronic device.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to enable the user of a dynamically generated security code using a time based implementation methodology for added protection (Guillaud, paras. 0064-0068).

In regards to claim 2, modified Hammad discloses the method according to claim 1, but fails to disclose wherein at least one of: computing the dynamic security code, and causing the dynamic security code to be displayed are only performed if the message comprising the time is determined to be authentic.
Teixeron, in the related field of securing remote transactions, teaches wherein at least one of: computing the dynamic security code (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017), and causing the dynamic security code to be displayed are only performed if the message comprising the time (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00227) is determined to be authentic (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054).   It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein at least one of: computing the dynamic security code, and causing the dynamic security code to be displayed are only performed if the message comprising the time is determined to be authentic.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).

In regards to claim 3, modified Hammad discloses the method according to claim 1, but fails to disclose wherein the message comprising the time comprises a Message Authentication Code, MAC, and determining an authenticity of the message comprises: computing a Message Authentication Code at the user electronic device using a key (time-key lD) stored at the user electronic device; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message.
Teixeron, in the related field of securing remote transactions, teaches wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) comprises a Message Authentication Code, MAC (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120), and determining an authenticity of the message (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054) comprises: computing a Message Authentication Code at the user electronic device (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120) using a key stored at the user electronic device (In some embodiments the verification of the server credential is done using a symmetric cryptographic algorithm that uses a secret key shared with the server, para. 0027); and comparing the computed Message Authentication Code with the Message Authentication Code in the received message (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00228).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein the message comprising the time comprises a Message Authentication Code, MAC, and determining an authenticity of the message comprises: computing a Message Authentication Code at the user electronic device using a key (time-key lD) stored at the user electronic device; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).  

In regards to claim 4, modified Hammad discloses a method according to claim 1, and further disclose wherein the user electronic device (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) stores an identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063) and the method comprises: sending a time request to the time source (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3), the time request (server computer generates the dynamic verification value using security values as inputs in response to a request from a user communication device, para. 0054) including the identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063).

In regards to claim 5, modified Hammad discloses the method according to claim 1, but fails to disclose wherein the message comprising the time comprises a digital signature and determining an authenticity of the message uses a public key of the time source.
Teixeron, in the related field of securing remote transactions, teaches wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); comprises a digital signature (data elements comprised in the contents of the Authentication Initiating Message may comprise a digital signature or MAC and signature of the server credential is verified by the user authentication device using a corresponding public key stored in the user authentication device, paras. 0102 and 00118) and determining an authenticity of the message uses a public key of the time source (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value and the authentication device may use a symmetric cryptographic algorithm with a secret key that is shared with the application server to verify the server credential, para. 0054).

In regards to claim 6, modified Hammad discloses the method according to claim 1, but fails to disclose wherein the user electronic device is capable of computing a dynamic security code for a plurality of different cards, the user electronic device stores a master key, and computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key.
Teixeron, in the related field of securing remote transactions, teaches wherein the user electronic device is capable of computing a dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) for a plurality of different cards (the user authentication device can be used for an inherently unlimited number of applications, para. 00267; applications include internet banking application and e-commerce sites, para. 0094), the user electronic device stores a master key (user authentication device may cryptographically combine the PIN or password value with a master key to derive another key, para. 0137), and computing the dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) comprises deriving a key for a selected one of the cards using the master key (user authentication device may cryptographically combine the PIN or password value with a master key to derive another key, para. 0137).  ).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein the user electronic device is capable of computing a dynamic security code for a plurality of different cards, the user electronic device stores a master key, and computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).

In regards to claim 7, modified Hammad discloses the method according to claim 6, but fails to disclose wherein computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key and an additional per-card data element received from an authorization entity.
Teixeron, in the related field of securing remote transactions, teaches wherein computing the dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) comprises deriving a key for the selected one of the cards (the user authentication device can be used for an inherently unlimited number of applications, para. 00267; applications include internet banking application and e-commerce sites, para. 0094), using the master key (user authentication device may cryptographically combine the PIN or password value with a master key to derive another key, para. 0137), and an additional per-card data element received from an authorization entity (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key and an additional per-card data element received from an authorization entity.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).

In regards to claim 11, modified Hammad discloses the method according to claim 1, wherein at least the step of computing the dynamic security code based on the time (a dynamic verification value is generated by using a function-based algorithm that uses a selected set of security values as inputs, para. 0025, fig. 3) is performed (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3), but fails to disclose performed by one of: a secure element on the user electronic device; and a secure partition of a general purpose processor of the user electronic device.
Teixeron, in the related field of securing remote transactions, teaches performed (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017) by one of: a secure element on the user electronic device (user authentication device may comprise a removable security device adapted to securely store and handle secret keys and perform certain cryptographic calculations, para. 0148).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide performed by one of: a secure element on the user electronic device.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).

In regards to claim 12, Hammad discloses a user electronic device (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module), configured for securing a card transaction (portable consumer device 112 may include a cellular phone associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053); the card transaction using card details of a card (card data associated with the portable consumer device 112 are received by the verification token 122 from the contactless element 114 of the portable consumer device 112, para. 0063), the card details comprising the dynamic security code (the dynamic verification value is received by the user communication device and the user may manually enter the dynamic verification value in a payment page of a website, para. 0054), the user electronic device (portable consumer device 112 may include a cellular phone associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) being separate from the card (portable consumer device 112 may include a contactless element 114 including a processor and one or more applications store on computer readable media that allow the portable consumer device to wirelessly send its stored card data to a wireless reader, para. 0037), and the user electronic device comprising: at least one processor; storage; a display; and a user input device (portable consumer device 112 may include a contactless element 114 including a processor and one or more applications stored on computer readable media that allow the portable consumer device to wirelessly send its stored card data to a wireless reader, para. 0037); wherein the at least one processor is configured to: receive (the dynamic verification value may be generated in response to a request from a user communication device before conducting a payment transaction, para. 0054), via the user input device (the dynamic verification value may be generated in response to a request from a user communication device before conducting a payment transaction, para. 0054), a request to generate the dynamic security code (server computer receives a request for a dynamic verification value from a user communication device and the generated dynamic verification value is sent to verification token 122 of user communication device, para. 0054); upon receiving the user request (the dynamic verification value may be generated in response to a request from a user communication device before conducting a payment transaction, para. 0054), send a time request to a time source (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3) external to the electronic device (see 112b rejection, interpreted as the user electronic device)(server computer generates the dynamic verification value using security values as inputs in response to a request from a user communication device, para. 0054); compute the dynamic security code (a dynamic verification value is generated by using a function-based algorithm that uses a selected set of security values as inputs, para. 0025, fig. 3) based on (security values shown in fig. 3 include a primary account number PAN 301, a refresh window 302, a request date 303, a request sequence number 304, a request type 305 and an issuer secret phrase, para. 0068, fig. 3) the time (request date 303, fig. 3) received in the message and a key (primary account number PAN 301, fig. 3; PAN 301 may be embossed on the portable consumer device 112, para. 0072; for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3); and cause the dynamic security code to be displayed on a display of the electronic device (see 112b rejection, interpreted as the user electronic device)(dynamic verification value may be received by a user communication device such as a mobile device and the user 110 may manually enter the dynamic verification value in a payment page of a website, para. 0054).  However, Hammad fails to disclose a user electronic device configured to generate a dynamic security code for securing a card transaction; receive, in response to the time request, a message comprising a time from the time source; determine an authenticity of the message containing the time; and compute the dynamic security code based on the time and a key stored at the electronic device (see 112b rejection, interpreted as the user electronic device).
Teixeron, in the related field of securing remote transactions, teaches a user electronic device (the user authentication device comprises a smartphone equipped with an authentication software application, para. 0015) configured to generate a dynamic security code for securing a card transaction (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017); receive a message comprising a time from the time source (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); determine an authenticity of the message containing the time (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054), and compute the dynamic security code based on the time and a key (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide a user electronic device configured to generate a dynamic security code for securing a card transaction; receive a message comprising a time from the time source; determine an authenticity of the message containing the time, and compute the dynamic security code based on the time and a key.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).  However, the combination of Hammad, and Teixeron fails to teach receive, in response to the time request, a message comprising a time; and compute the dynamic security code based on the time and a key stored at the user electronic device.  
Guillaud, in the related field of enhanced security features for smart, debit, and credit cards, teaches receive, in response to the time request (time based methodology for generation of security codes requires the card to have wireless access to a time keeping system to synchronize the generation of the security codes, paras. 0064-0067), a message comprising a time (time based methodology for the generation of security codes requires the card to connect to the payment processor or 3rd party who maintains a clock for synchronization timing solutions, para. 0065); and compute the dynamic security code based on the time and a key stored at the user electronic device (the security code sent to a payment processor for authentication may be automatically generated by algorithms running on a microprocessor located in the card and generated for each of the time period windows Period 1, Period 2, and Period 3 with the payment processor’s computer system comparing the card’s security code 111 corresponding to Period 1 to the payment processor’s security authorization system 816 security code 111 for Period 1 to see if they match, paras. 0067-0068).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Guillaud to teach receive, in response to the time request, a message comprising a time; and compute a dynamic security code based on the time and a key stored at the user electronic device.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to enable the user of a dynamically generated security code using a time based implementation methodology for added protection (Guillaud, paras. 0064-0068).

In regards to claim 13, modified Hammad discloses the electronic device (see 112b rejection, interpreted as the user electronic device) according to claim 12, but fails to disclose wherein the at least one processor is configured to only perform at least one of: computing the dynamic security code, and causing the dynamic security code to be displayed if the message comprising the time is determined to be authentic.
Teixeron, in the related field of securing remote transactions, teaches wherein at least one of: computing the dynamic security code (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017), and causing the dynamic security code to be displayed if the message comprising the time (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00227) is determined to be authentic (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein the at least one processor is configured to only perform at least one of: computing the dynamic security code, and causing the dynamic security code to be displayed if the message comprising the time is determined to be authentic.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).    

In regards to claim 14, modified Hammad discloses the electronic device (see 112b rejection, interpreted as the user electronic device) according to claim 12, but fails to disclose further comprising one of: a secure element on the electronic device which is configured to compute the dynamic security code; and a secure partition of a general purpose processor of the electronic device which is configured to compute the dynamic security code.
Teixeron, in the related field of securing remote transactions, teaches comprising a secure element on the electronic device (user authentication device may comprise a removable security device adapted to securely store and handle secret keys and perform certain cryptographic calculations, para. 0148) which is configured to compute the dynamic security code (dynamic security value generated by the authentication device may be generated by cryptographically combining at least one secret value such as a cryptographic key with at least one dynamic variable such as a time value, para. 0017).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide a secure element on the electronic device which is configured to compute the dynamic security code.  The motivation for doing so would have been to provide a high security level for remote applications by generating dynamic security values by cryptographically combining a shared secret with a dynamic value such as a time value (Teixeron, para. 0005).

In regards to claim 15, modified Hammad discloses a method according to claim 1, and further discloses wherein the user electronic device is one of: a smart phone (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036), a tablet, and a personal computer.

In regards to claim 16, modified Hammond discloses the method according to claim 2, but fails to disclose wherein the message comprising the time comprises a Message Authentication Code, MAC, and determining an authenticity of the message comprises: computing a Message Authentication Code at the electronic device using a key stored at the user electronic device; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message.
Teixeron, in the related field of securing remote transactions, teaches wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054) comprises a Message Authentication Code, MAC (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120), and determining an authenticity of the message (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value, para. 0054) comprises: computing a Message Authentication Code at the user electronic device (in some embodiments the server credential comprises a MAC (message authentication code) and the user authentication device may compute a reference value for the MAC and compare the reference value with the received server credential, para. 00120) using a key stored at the user electronic device (In some embodiments the verification of the server credential is done using a symmetric cryptographic algorithm that uses a secret key shared with the server, para. 0027); and comparing the computed Message Authentication Code with the Message Authentication Code in the received message (the application identifier is cryptographically linked by a server credential such as a MAC to other data elements such as a challenge or a session identifier in the Authentication Initiating Message which after successful verification of the server credential, the user authentication device uses as input in the cryptographic algorithm for the generation of the dynamic security value, para. 00228).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Teixeron to provide wherein the message comprising the time comprises a Message Authentication Code, MAC, and determining an authenticity of the message comprises: computing a Message Authentication Code at the electronic device using a key stored at the electronic device; and comparing the computed Message Authentication Code with the Message Authentication Code in the received message.  

In regards to claim 17, modified Hammad discloses the method according to claim 2, and further disclose wherein the user electronic device (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) stores an identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063) and the method comprises: sending a time request to the time source (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3), the time request (server computer generates the dynamic verification value using security values as inputs in response to a request from a user communication device, para. 0054) including the identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063).

In regards to claim 18, modified Hammad discloses a method according to claim 3, and further discloses wherein the user electronic device (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) stores an identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063) and the method comprises: sending a time request to the time source (for example the dynamic verification value may be generated from the primary account number PAN and the request date on which the request for dynamic verification was made, para. 0068, fig. 3), the time request (server computer generates the dynamic verification value using security values as inputs in response to a request from a user communication device, para. 0054) including the identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063).

In regards to claim 19, modified Hammad discloses the method according to claim 2, but fails to disclose wherein the message comprising the time comprises a digital signature and determining an authenticity of the message uses a public key of the time source.
Teixeron, in the related field of securing remote transactions, teaches wherein the message comprising the time (dynamic variable may comprise a time related value and may be a data element comprised in the Authentication Initiating Message received from the server-based application, para. 0054); comprises a digital signature (data elements comprised in the contents of the Authentication Initiating Message may comprise a digital signature or MAC and signature of the server credential is verified by the user authentication device using a corresponding public key stored in the user authentication device, paras. 0102 and 00118) and determining an authenticity of the message uses a public key of the time source (50) (the input data may comprise a server credential and the authentication device verifies the server credential prior to generating the dynamic security value and the authentication device may use a symmetric cryptographic algorithm with a secret key that is share with the application server to verify the server credential, para. 0054).  

In regards to claim 20, modified Hammad discloses the method according to claim 2, but fails to disclose wherein the user electronic device is capable of computing a dynamic security code for a plurality of different cards, the user electronic device stores a master key, and computing the dynamic security code comprises deriving a key for a selected one of the cards using the master key.
Teixeron, in the related field of securing remote transactions, teaches wherein the user electronic device is capable of computing a dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) for a plurality of different cards (the user authentication device can be used for an inherently unlimited number of applications, para. 00267; applications include internet banking application and e-commerce sites, para. 0094), the user electronic device stores a master key (user authentication device may cryptographically combine the PIN or password value with a master key to derive another key, para. 0137), and computing the dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) comprises deriving a key for a selected one of the cards using the master key (user authentication device may cryptographically combine the PIN or password value with a master key to derive another key, para. 0137).

Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Hammad, in view of Teixeron, in view of Guillaud, and further in view of US 9,947,001 to Smith et al. (hereinafter Smith).

In regards to claim 8, modified Hammad discloses the method according to claim 1, wherein the user electronic device (portable consumer device 112 may include a cellular phones associated with an account of the user 110 such as a bank account, para. 0036; consumer device may include a verification token 122 installed as a module, para. 0053) stores an identifier (verification token 122 encrypts the card data when submitting payment information and the authenticity of the information is validated by validating the account number associated with the portable consumer device 112, para. 0063), but fails to disclose wherein the method further comprises an enrolment process of: sending the identifier (ID) to an authorization entity, wherein the identifier (ID) can be used to associate the selected card to the key used to compute the security code.
Smith, in the related field of transmitting multiple payment accounts for use by a payment device, teaches wherein the method further comprises an enrolment process (in step 301a a software application and corresponding data may be loaded on the payment device 106, para. 0032) of: sending the identifier (ID) to an authorization entity (in step 404, one or more DPANs 214 to the processing server 102 wherein each DPAN is associated with a payment account associated with the cardholder 108, para. 0039), wherein the identifier (ID) (in step 406 the processing device may generate a repersonalization script 218 for each DPAN 214 with associated set of data of the payment account and the repersonalization script 218 is transmitted to the payment device 106 in step 408 for storage in secure storage, paras. 0034-0035) can be used to associate the selected card to the key (in step 402, at least one cryptographic master key set 212 is transmitted for storage in the payment device 106 with the cryptographic master key set 212 corresponding to a master cryptographic personal account number (CPAN), para. 0038) used to compute the security code (payment device is configured to use the key set relating to the CPAN for selected cryptographic calculations and the DPAN and associated set of data for all other aspects of a financial transaction, para. 0009).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Smith to provide wherein the method further comprises an enrolment process of: sending the identifier (ID) to an authorization entity, wherein the identifier (ID) can be used to associate the selected card to the key used to compute the security code.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to enable a payment device to conduct financial transactions using multiple payment accounts (Smith, para. 0006).

In regards to claim 9, modified Hammad discloses the method according to claim 8, but fails to disclose wherein the enrolment process comprises: receiving partial data about cards issued to a user from an authorization entity; receiving user input selecting at least one of the cards; and sending the identifier (ID) to the authorization entity, wherein the identifier (ID) can be used to associate the selected card to the key used to compute the security code.
Smith, in the related field of transmitting multiple payment accounts for use by a payment device, teaches wherein the enrolment process (in step 301a a software application and corresponding data may be loaded on the payment device 106, para. 0032) comprises: receiving partial data about cards issued to a user from an authorization entity (in step 404, one or more DPANs 214 are sent to the processing server 102 wherein each DPAN is associated with a payment account associated with the cardholder 108, para. 0039), receiving user input selecting at least one of the cards (in step 303, the cardholder may request activation of a payment account, para. 0033); and sending the identifier (ID) to the authorization entity (in step 404, one or more DPANs 214 are sent to the processing server 102 wherein each DPAN is associated with a payment account associated with the cardholder 108, para. 0039), wherein the identifier entity (in step 406 the processing device may generate a repersonalization script 218 for each DPAN 214 with associated set of data of the payment account and the repersonalization script 218 is transmitted to the payment device 106 in step 408 for storage in secure storage, paras. 0034-0035) can be used to associate the selected card to the key (in step 402, at least one cryptographic master key set 212 is transmitted for storage in the payment device 106 with the cryptographic master key set 212 corresponding to a master cryptographic personal account number (CPAN), para. 0038) used to compute the security code (payment device is configured to use the key set relating to the CPAN for selected cryptographic calculations and the DPAN and associated set of data for all other aspects of a financial transaction, para. 0009).  

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Hammad, in view of Teixeron, in view of Guillaud, and further in view of US 8,577,803 to Chatterjee et al. (hereinafter Chatterjee).

In regards to claim 10, modified Hammad discloses the method according to claim 1, but fails to disclose wherein the user electronic device is capable of computing a dynamic security code for a plurality of different cards and the method comprises: causing the user electronic device to display an invitation for user input to select one of the plurality of cards; and sending a request to generate a dynamic security code for the selected card.
Teixeron, in the related field of securing remote transactions, teaches wherein the user electronic device is capable of computing a dynamic security code (the authentication device generates the dynamic security value on condition that verification of the server credential was successful, para. 0054) for a plurality of different cards (the user authentication device can be used for an inherently unlimited number of applications, para. 00267; applications include internet banking application and e-commerce sites, para. 0094), and the method comprises sending a request to generate a dynamic security code for the selected card (user authentication device comprises an electronic device adapted to generate a Response message comprising a dynamic security value in response to an Authentication Initiating Message, para. 00108, para. 0137).  However, the combination of Hammad and Teixeron fails to teach wherein the method comprises: causing the user electronic device to display an invitation for user input to select one of the plurality of cards.
Chatterjee, in the related field of virtual wallet card selection apparatus, teaches causing the user electronic device to display an invitation for user input to select one of the plurality of cards (users device may display the virtual wallet card selection options via the app to the user, col. 8, line 1-28, figs. 1B-2).  It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Hammad with the method of Chatterjee, to provide causing the user electronic device to display an invitation for user input to select one of the plurality of cards.  Since, the claimed elements were known in the past, the claimed innovation is merely a combination of old elements, each element would have performed the same function in the combination as they did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  The motivation for doing so would have been to enable a user to provide a card selection input in response to the virtual wallet card selection options to complete a purchase transaction (Chatterjee, col. 6, lines 52-67).

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been fully considered by the Examiner. Applicant’s arguments and amended claims have been considered with respect to objections of claims 2, 7-9, 11, 12, and 14, and the previous objections are withdrawn.
Applicant’s arguments with respect to the rejection of claims 1-20 under 35 USC 101 have been fully considered by the Examiner. However, the Examiner does not find the Applicant’s arguments persuasive, and therefore the rejections of claims 1-20 under 35 USC 101 is maintained.
The Applicant argues that under Step 2A of the 2019 PEG, the claims do not recite an abstract idea because the claims are not directed to a method of organizing human activity.  Applicant argues that the amended independent claims recite a method and a system for securing a card transaction which constitutes patent eligible subject matter because the claims are directed to a technical solution of securing an electronic solution.  Examiner respectfully disagrees with Applicant’s arguments that the claims do not recite subject matter which falls within the groupings of abstract ideas defined by the 2019 PEG.  As stated in the previous office action and in the final rejection above, under Step 1 of the 2019 PEG, the claims are directed to the statutory category of a process; and under Prong 1 of Step 2A, under the broadest reasonable interpretation, the claims do fall under the “Certain Method of Organizing Human Activity” category since they recite fundamental economic principles or practices, including mitigating risk.  Under the broadest reasonable interpretation, the steps of claim 1 for: receiving a user request to generate the dynamic security code; upon receiving the user request, sending a time request to a time source; receiving, in response to the time request, a message comprising a time from the time source, determining an authenticity of the message containing the time; computing a dynamic security code based on the time received in the message and a key; and causing the dynamic security code to be displayed, are fundamental economic principles or practices.  Other than reciting the abstract idea, independent claims 1 and 12 recited generic computer components such as “a user electronic device separate from the card, a user input device of the user electronic device, a time source external to the user electronic device, a key stored at the user electronic device; a display of the user electronic device, the user electronic device comprising at least one processor, storage, a display, and a user input device”.  If a claim limitation, under its broadest reasonable interpretation, covers fundamental economic principles or practices, but for the recitation of generic computer components, then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas.  The claims recite a method of securing a card transaction and the specification further indicates that dynamically generating the security code is used in Card not Present transactions to prevent the fraudulent use of credit and debit cards.  Under the broadest reasonable interpretation the claims cover mitigating risk which falls under the grouping of “Certain Methods of Organizing Human Activity”.  Therefore the rejections of the claims pursuant to 35 USC 101 are maintained.
With respect to the Applicant’s arguments regarding the previous rejection of independent claims 1, and 12 under 35 USC 103, the Applicant argues that the prior art fails to disclose the limitations of the amended independent claims.  On pages 15-19 of their Remarks, Applicant argues that none of the references applied by the office action teach wherein the computation of the dynamic code is performed by the user electronic device after reception of a request from a user.  Applicant further states that only the requested time is sent from an external device to the user device, and that the prior art of Hammad and Teixeron fail to all of the claimed steps performed at the user electronic device including: the dynamic security code associated with a payment card and receiving via a user input device of the user electronic device a user request to generate the dynamic security code.  Applicant further argues that the prior art fails to disclose the following amended claim limitations of independent claims 1, and 12: “the method being performed at a user electronic device separate from a card, the card transaction using card details of the card, the card details comprising the dynamic security code”,  and “receiving via a user input device of the user electronic device, a user request to generate the dynamic security code”.  However, Applicant’s arguments are moot in view of new grounds of rejection required by the Applicant’s amendments. As referenced above in the examiner’s art rejections pursuant to 35 USC § 103, the combination of Hammad, Teixeron, and Guillaud, teach all of the limitations of amended claims 1 and 12.  Furthermore, the Applicant’s argument is moot that the dependent claims should be allowed based on their dependability on independent claims 1, and 12.  Therefore, the rejections for claims 2-11, and 13-20 are maintained. 	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
 Karpenko et al. (US 9,646,303) teaches using a mobile device comprising secure and sensitive payment credentials during a remote payments transaction.
Bacastow (US 9,530,125) teaches a method and system for secure mobile payment transactions.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul Schwarzenberg whose telephone number is (313) 446-6611.  The examiner can normally be reached on Monday-Thursday (7:30-6:30).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ryan Donlon, can be reached on (571) 270-3602.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/P. S./
Examiner, Art Unit 3695 
3/22/2021
	
/NARAYANSWAMY SUBRAMANIAN/Primary Examiner, Art Unit 3695                                                                                                                                                                                                        
March 23, 2021