Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	
Status of Claims
Claims 1-20, as filed 07/03/2019, are examined herein.

Claim Objections
Claim 2 is objected to because of the following informalities: the syntax of the claim is awkward with respect to “differentiated from other types of transaction messages …. that do not comprise an m-OTP.”  Appropriate correction is required.
Claim 17 is objected to because of the following informalities: a grammar error line 12. “and provide the transaction message to a directory.”  Appropriate correction is required. 


	Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  
[Step 1]


[Step 2A Prong 1]
	Representative Claim 17, is directed to the abstract idea of authorizing financial transactions which is grouped under “organizing human activity… fundamental economic practice”.  Claim 17 recites: receiving, …, a mobile-One Time Password (m-OTP) as input for initiating a transaction, …; generating, …, a transaction message comprising an identifier and the m-OTP, wherein the identifier indicates that the transaction message comprises the m-OTP and is differentiated from other types of transaction messages that do not comprise an m-OTP; providing, …, the transaction message comprising the m-OTP to an acquirer system, wherein the acquirer system includes an authorization request in the transaction message, and provide the transaction message to a directory server for sending the authorization request message to an issuer system for authenticating a cardholder associated with the issuer system and authorizing the transaction message, wherein a response message comprising a result of authorization is generated by the issuer system; and receiving, …., the response message from the directory server via the acquirer system. Accordingly, the claim recites an abstract idea (See 2019 Revised Patent Subject Matter Eligibility Guidance).
The dependent claim(s) 7-8 and 14-15 are directed to the following:
Claim(s) 7 and 14: wherein the response message is generated based on authenticating the m-OTP and authorizing the transaction message.
Claim(s) 8 and 15: wherein the response message is generated based on authenticating the m-OTP.

The dependent claim(s)  2-6, 9, 11-13, 16, and 18-20 include limitations which are not directed to any additional abstract ideas and are also not directed to any additional non-abstract claim elements. Rather, these claim(s) offer further descriptive limitations of elements found in the independent claims and addressed above – such as by describing the nature and content of the data that is received/sent. While these descriptive elements may provide further helpful context for the claimed invention these elements do not serve to confer subject matter eligibility to the invention since their individual and combined significance is still not heavier than the abstract concepts at the core of the claimed invention. Step 2A prong 2 and Step 2B for these limitations therefore are the same as for the independent claims.
Accordingly, the claims recite an abstract idea.

[Step 2A Prong 2] 	
	This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A (See 2019 Revised Patent Subject Matter Eligibility Guidance), the additional elements of the claim such as “directory server comprising: one or more processors; and one or more computer-readable media, communicatively coupled to the one or more processors” represent the use of a computer as a tool to perform an abstract idea and/or does no more than generally link the abstract idea to a particular field of use. Therefore, the additional elements do not integrate the abstract idea into a practical application as they do no more than represent a computer performing functions that correspond to (i.e. automate) [automate or implement] the acts of using rules to authorize a financial transaction.  

[Step 2B]
	When analyzed under step 2B, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception itself. Viewed as a whole, the combination of elements recited in the claims merely describe the concept of  authenticating a financial transaction using computer technology (e.g. financial institution computing system). Therefore, the use of these additional elements does no more than employ a computer as a tool to automate and/or implement the abstract idea, which cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). 
     
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements identified in Step 2A Prong 2 amount to no more than mere instructions to implement the judicial exception on a computer or no more than mere data gathering or data outputting which only adds insignificant extra solution activity to the judicial exception. These element(s) in combination do not add anything that is not already pre-sent when the steps are considered separately. Adding insignificant extra-solution activity cannot provide an inventive concept when the activities are well-understood routine and conventional. The courts have recognized the following computer functions as well-understood, routine, and conventional functions when they are claimed in a merely generic manner: 
(for storing various data) Storing and retrieving information in memory, (See MPEP § 2106.05(d)(II)). 
(sending receiving transaction messages) Receiving or transmitting data over a network, (See MPEP § 2106.05(d)(II)).




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20080154770 (Rutherford) in view of US 10395462 (Ates).

Claim 1:  Rutherford teaches: A computer-implemented method comprising: 
receiving, by a directory server, a transaction message comprising transaction information for authorization, from an acquirer system, wherein the transaction message comprises at least a mobile-One Time Password (m-OTP), wherein the m-OTP was generated by an issuer mobile application configured in a cardholder's device and was submitted into a merchant system, wherein the merchant system provided the transaction message to the acquirer system for completing the transaction; (See at least Rutherford FIG. 8 and [0089] teaching (emphasis added) “The secure code Authentication Application (SCAA) may reside on a multi-application  “one-time passcode” and the creation of a “proof of transaction acceptance” code.” See also [0086] “The cardholder's Personal Computing Device may be any computer platform or access device on which the cardholder performs the activity that requires them to be authenticated. The computer platform may be a PC platform, which may be connected to a PCR. Alternatively, the computer platform may be any device that is capable of accessing the Internet, including, for example, PDAs or other mobile Wi-Fi devices.” See also [0030] “The cardholder may use the ICC in conjunction with a Personal Card Reader (PCR) to generate a dynamic “secure code” or authentication token for one-time use. A Cardholder Authentication Page may be generated and displayed at the cardholder's Internet access device for this purpose (e.g., to receive the secure code).”)
receiving, by the directory server, a response message comprising a result of authorization of the transaction message, from the issuer system, based on outcome of the authentication of the m-OTP; and providing, by the directory server, the response message to the merchant system via the acquirer system. (See at least Rutherford FIG. 8  showing authorization request message, authorization response message, and VEReq and VERes messages to and from a merchant system to a directory server. See also [0150] –[0202] teaching the message flow for a transaction. The one time passcode is taught at [0089].)
Rutherford teaches [0079] the use of an UCAF. However, Ates teaches this concept in more detail:

sending, by the directory server, the transaction message to an issuer system for authorization, wherein the transaction message is authorized after the m-OTP is retrieved from the transaction message by the issuer system for authenticating a cardholder associated with the issuer system; (See at least Ates Col. 10 lines 6-20 “The UCAF (Universal Cardholder Authentication Field) data field is a multipurpose data transport area in a digital message to allow communication of authentication data to an Issuer from an Acquirer over any form of telecommunications network. For example, the UCAF can be a 32-character field (24 bytes—1 control byte and 23 data bytes—that are base-64 encoded to become 32 characters) with a flexible data structure that can be tailored to support the needs of a variety of Issuer security and authentication requirements. For example, ISO 8583 Data Element 48, sub-element 43 may be designated to contain the UCAF. The term UCAF also extends to referring to the interface defined to pass data between the Merchant and the MCD and back again, i.e. the field names in the specification for any given channel.”)
One of ordinary skill in the art is motivated, as of the filing date of the instant application, to modify the transaction system of Rutherford with the multipurpose data transport area of Ates because Ates explicitly teaches (Col. 3 lines 21-34)  the motivation of highly secure, yet not complicated financial transactions. 

Claim 10, teaching a server having processors and computer-readable media [see Rutherford [0004] is rejected for similar reasons.

Claim 2:  Rutherford in view of Ates teaches: The method as claimed in claim 1, 
Rutherford further teaches:
wherein the transaction message comprises an identifier, wherein the identifier indicates that the transaction message comprises an m-OTP and is differentiated from other types of transaction messages using the identifier by the directory server that do not comprise an m-OTP. (See at least Rutherford [0030] teaching a “dynamic “secure code” or authentication token for one-time use”. See also [0079] “the UCAF (Universal Cardholder Authentication Field) data field is a multipurpose data transport area in a digital message to allow communication of authentication data to an Issuer from an Acquirer over any form of telecommunications network. For example, the UCAF can be a 32-character field (24 bytes-1 control byte and 23 data bytes—that are base-64 encoded to become 32 characters) with a flexible data structure that can be tailored to support the needs of a variety of Issuer security and authentication requirements. For example, ISO 8583 Data Element 48, sub-element 43 may be designated to contain the UCAF. The term UCAF also extends to referring to the interface defined to pass data between the Merchant and the MCD and back again, i.e. the field names in the specification for any given channel. The UCAF can contain a 24-byte user authentication token. These 24 bytes are preferably encoded, e.g. Base64 encoded, by the Cardholder IA to give 32 ASCII characters of data that are returned to the Merchant. The Merchant passes the UCAF data, in their proprietary communications with the Acquirer who can then populate the UCAF in the Authorization Request message sent to the Issuer. See also [0166-0173] teaching a directory server.”

Claim 3.  Rutherford in view of Ates teaches: The method as claimed in claim 2, 
Rutherford further teaches:
wherein the identifier is inserted in one of a Message Type Identifier (MTI), a bitmap or data elements of the transaction message. (See at least Rutherford FIG. 3 and [0103] “ICC 170 may include a data object or mask (e.g., an Issuer Internet Proprietary Bitmap (IIPB) with a tag of ‘0x9F56’) that is used by the PCR to determine which portions (i.e. bits) of the ICC's response must be used for generating authentication data or cryptograms. The number of bits that are 
Claims 13 and 19 are rejected for similar reasons.

Claim 4. Rutherford in view of Ates teaches: The method as claimed in claim 1,
Rutherford further teaches:
wherein the m-OTP is a time- based password. (See at least Rutherford FIG. 11 and [0204] “At step 224, if a positive verification result is not received within a predetermined wait time, the MPI may proceed to step 2270 to submit an unauthenticated authorization request. Further at step 224, if a positive verification result is received within the predetermined wait time, the MPI may proceed to step 2250 to generate a message to the issuer to requesting cardholder authentication.”)
Claim 20 is rejected for similar reasons.

Claims 5. Rutherford in view of Ates teaches: The method as claimed in claim 1, 
Rutherford further teaches:
wherein the transaction message is formatted according to IS0 8583 standard. (See at least Rutherford [0079] teaching an ISO 8583 data element.)
Claim 12 is rejected for similar reasons.

Claim 6: Rutherford in view of Ates teaches: The method as claimed in claim 1, 

wherein the transaction information comprises at least one of, a primary account number of the cardholder, a processing code, a transaction amount, a transaction date and time, an acquirer system identification code, a currency code, an issuer system identification code, and mode of authentication comprising m-OTP, One Time Password (OTP) generated by the issuer system, a static password and biometric pattern information. (See at least Rutherford FIG. 1 and [0091-0094] “In process 100, the request for the authentication (150) may be required to include or otherwise supply the following information or data: Personal Account Number (PAN)—The PAN of the card to be used in the authentication process; Cardholder's Personal Assurance Message (PAM)—Cardholders enrolled into the CAP programs may be required to supply an optional Personal Assurance Message that will be displayed when asked to authenticate; Transaction Details—Details of the transaction for which authentication is being requested must be displayed to the cardholder, whether payment for goods from a website or to obtain access to a bank account.”)

Claim 7: Rutherford in view of Ates teaches: The method as claimed in claim 1,
Rutherford further teaches: 
wherein the response message is generated based on authenticating the m-OTP and authorizing the transaction message. (See at least Rutherford FIG. 8 and [0166-0202 teaching response messages.)
Claim 14 is rejected for similar reasons.

Claim 8: Rutherford in view of Ates teaches: The method as claimed in claim 1, 
Rutherford further teaches:
wherein the response message is generated based on authenticating the m-OTP. (See at least Rutherford FIG. 8 and [0166-0202 teaching response messages.)
Claim 15 is rejected for similar reasons.

Claim 9:  Rutherford in view of Ates teaches: The method as claimed in claim 8, 
Rutherford further teaches:
wherein the transaction message includes payer authentication request (PAReq) message. (See at least Rutherford FIG. 8 and [0180] teaching step 7 “PAReq: Cardholder to ACS (HIT/POST)”.)
Claims 16 and 18 are rejected for similar reasons.

Claim 11:  Rutherford in view of Ates teaches: The directory server as claimed in claim 10,
Rutherford further teaches:
wherein the one or more processors are configured to differentiate the transaction message comprising the m-OTP from other types of transaction messages that do not comprise an m-OTP, using an identifier in the transaction message, wherein the m-OTP is a time-based password and wherein the transaction message is according to IS08583 standard. (See at least [0176] “The ACS returns a unique Account Identifier, which must not be the PAN, that is used by the ACS when contacted by the cardholder with a PAReq to identify the payment card in question. This Account Identifier must match the PAN of the actual card used on a one-to-one basis in order that the key may be correctly generated so that the secure code can be verified.” See also [0079] teaching ISO 8583. See further [0204] “At step 224, if a positive verification result is not received within a predetermined wait time, the MPI may proceed to step 2270 to submit an unauthenticated authorization request. Further at step 224, if a positive verification 

Claim 17: Rutherford teaches: A computer-implemented method of authorizing transactions, comprising: 
receiving, by a merchant system, a mobile-One Time Password (m-OTP) as input for initiating a transaction, wherein the m-OTP was generated by an issuer mobile application configured in a cardholder's device; (See at least Rutherford FIG.8 and [0089] teaching (emphasis added) “The secure code Authentication Application (SCAA) may reside on a multi-application credit, debit or other card (e.g., ICC) alongside a standard payment application. The SCAA may be a separate instance of the payment application, in which case the issuer has the option of using separate security environments for payments and remote authentications. The application may support both the generation of a “one-time passcode” and the creation of a “proof of transaction acceptance” code.” See also [0086] “The cardholder's Personal Computing Device may be any computer platform or access device on which the cardholder performs the activity that requires them to be authenticated. The computer platform may be a PC platform, which may be connected to a PCR. Alternatively, the computer platform may be any device that is capable of accessing the Internet, including, for example, PDAs or other mobile Wi-Fi devices.” See also [0030] “The cardholder may use the ICC in conjunction with a Personal Card Reader (PCR) to generate a dynamic “secure code” or authentication token for one-time use. A Cardholder Authentication Page may be generated and displayed at the cardholder's Internet access device for this purpose (e.g., to receive the secure code).”)
providing, by the merchant system, the transaction message comprising the m-OTP  to an acquirer system, wherein the acquirer system includes an authorization request in the transaction message, and provide the transaction message to a directory server for sending the authorization request message to an issuer system for authenticating a cardholder associated with the issuer system and authorizing the transaction message, wherein a response message comprising a result of authorization is generated by the issuer system; receiving, by the merchant system, the response message from the directory server via the acquirer system. (See at least Rutherford FIG. 8  showing authorization request message, authorization response message, and VEReq and VERes messages to and from a merchant system to a directory server. See also [0150] –[0202] teaching the message flow for a transaction. The one time passcode is taught at [0089].)

Rutherford teaches [0079] the use of an UCAF. However, Ates teaches this concept in more detail:
generating, by the merchant system, a transaction message comprising an identifier and the m-OTP, wherein the identifier indicates that the transaction message comprises the m-OTP and is differentiated from other types of transaction messages that do not comprise an m-OTP; (See at least Ates Col. 10 lines 6-20 “The UCAF (Universal Cardholder Authentication Field) data field is a multipurpose data transport area in a digital message to allow communication of authentication data to an Issuer from an Acquirer over any form of telecommunications network. For example, the UCAF can be a 32-character field (24 bytes—1 control byte and 23 data bytes—that are base-64 encoded to become 32 characters) with a flexible data structure that can be tailored to support the needs of a variety of Issuer security and authentication requirements. For example, ISO 8583 Data Element 48, sub-element 43 may be designated to contain the UCAF. The term UCAF also extends to referring to the interface defined to pass data between the Merchant and the MCD and back again, i.e. the field names in the specification for any given channel.”)
. 




Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US  20160034889 (Downs) [0049] (emphasis added) “The acquirer 2006 will present transactions from many different merchants 2004 to the payment card network operator 2008 via the PNIP interface 2012. The connection between the merchants 2004 and the acquirer 2006 is typically a TCP/IP interface 2016. The format that the transaction is in when the card is swiped at the merchant 2004 may differ from the format that the transaction is in when actually received by the payment card network operator. The acquirer may convert the transaction into the ISO 8583 format or into a format that is a specific implementation of the ISO 8583 format (e.g., the MASTERCARD CIS (customer interface specification) format. The authorization request message can be an ISO 8583 message type identifier (MTI) 0100 message, for example, sent over the communications interface 2016 between the merchant 2004 and the acquirer 2006.”
US 20160034900 (Nelson) [0043] (emphasis added)  “An “International Organization for Standardization (ISO) 8583 messaging standard” may define how messages are formatted and transmitted by systems exchanging transaction requests and responses. The ISO 8583 messaging standard is a standard for systems that exchange electronic transaction information associated with a payment made by a consumer using a payment device or a payment account. The ISO 8583 messaging standard may define a message format including a message type identifier (MTI), bitmaps, and data elements. The MTI may be 4 digits that describe the message type including the relevant ISO 8583 version, message class, message function, and message origin. Within ISO 8583 standards, a bitmap may indicate which data elements or data element subfields (e.g., amongst fields 1 through 128) may be present elsewhere in an ISO 8583 message. The data elements may be the fields carrying the actual transaction information The standard may define permitted content, attributes, and field length of certain data fields.”
US 20120284187  (Hammad) [0079] “For use with VisaNet, BASE I, and SMS, those messages may be variations of the International Organization for Standardization (ISO) 8583 message, which is the international standard for the format of financial messages. Each message may contain a bit map that specifies the data fields that appear in the message, a message type identifier, and those fields that are needed for the specific function intended. The message header contains basic message identifiers and routing information, along with message processing control codes and flags. The message type identifier specifies the message class and the category of the function that is to be implemented. For instance, 0100 may indicate a transaction authorization request. As noted, a bit map specifies which data fields are in a message. In addition to a primary bit map, messages can include secondary (and other) bit maps. Each map typically contains 64-bit fields, corresponding to the number of possible fields in a message. The data fields contain the information needed to process a message.
US 6687700 (Cornelius) (71) (emphasis added) “The transaction manager 26 references the security database 30 in preparation for the transmission of the data message from the intermediary communications node 14 to the destination communications device 42. The transaction manager 26 may reference a message type identifier, a source identifier, or a destination identifier of the data message to determine the applicable submittal password and submittal log-in identifier to be retrieved from the security database 30.”
US 20140281506 (Redburg) teaches a “mobile device of a user of a secure network resource receives and installs a soft token application. A unique device ID of the mobile device is programmatically obtained by the soft token application. A seed for generating a soft token for accessing the secure network resource is requested by the soft token application. Responsive to 
US 8646062 (Bouz) Claim 1. (emphasis added) A method for authenticating users by presenting a previously acquired signed digital signature, the method comprising: ….and in response to receiving from the server, in reply to the session establishment message, a challenge message comprising the unique username, a challenge message type identifier that is different from the establishment message type identifier, and a unique secure facilitator session identification indicia, replying to the server with a request message comprising service type identifier indicating a service requested by the user for execution by the server and that is different from the challenge message type identifier and the establishment message type identifier, and the unique session identification indicia, …..”
US 20180007172 (Wang) teaches [0064] a PIN dialogue message including PIN dialogue parameters.
US 20180026715 (Zhao) [0090] (emphasis added) “The generated first message includes at least the following fields: a first message type identifier (Message type ID) field, used to identify a type of the first message, where for the type of the first message, refer to 19 downlink PLOAM messages and nine uplink PLOAM messages that are specified in the existing GPON standard protocol ITU-T G.984.3 and respectively used for ONU registration, ONU-ID allocation, ranging, data encryption, status monitoring, password authentication, bit error rate monitoring, and the like; a message length field, used to identify a length of a fragment carried in the first message; an action indication field, used to identify whether the fragment carried in the first message is the last fragment; a first fragment sequence number (Fragment SeqNo) field, used to identify a 

	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAIRE A RUTISER whose telephone number is (571)272-1969.  The examiner can normally be reached on 8:00 AM to 5:00 PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin L Hewitt can be reached on 571-272-6709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

CLAIRE A. RUTISER
Examiner
Art Unit 3692

/C.A.R./Examiner, Art Unit 3692                                                                                                                                                                                                        
/ERIC T WONG/Primary Examiner, Art Unit 3692