DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 22 OCT 2020 has been entered.
 
Response to Amendment
The amendment filed 22 OCT 2020 has been entered. Claims 1-20 remain pending in the application. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
Claims 1-13 and 16-20 are drawn to a system which is within the four statutory categories (i.e. a machine). Claims 14-15 are drawn to a method which is within the four statutory categories (i.e., a process).
Since the claims are directed toward statutory categories, it must be determined if the claims are directed towards a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea). Based on consideration of all of the relevant factors with respect to the claim as a whole, claims 1-20 are determined to be directed to an abstract idea. The rationale for this determination is explained below:  
With respect to claims 1, 14, and 15:
Claims 1, 14, and 15 are drawn to an abstract idea without significantly more. The claims recite storing a first cryptographic data comprising single use keys and a long term use key, storing a second cryptographic data, generating an application cryptogram based on the long term use key, embodying a security architecture for an application, causing the second cryptographic data to be deleted on rebooting of the computing 
The limitations of storing a first cryptographic data comprising single use keys and a long term use key, storing a second cryptographic data, generating an application cryptogram based on the long term use key, embodying a security architecture for an application, causing the second cryptographic data to be deleted on rebooting of the computing device, replenishing at least the second cryptographic data, and performing an action using the first and second cryptographic data, as stated, are processes that, under their broadest reasonable interpretation, cover Mental Processes such as concepts performed in the human mind (including an observation, evaluation, judgment, opinion). For example, but for the “computing device”, “cryptographic data”, “security architecture”, “volatile storage”, “non-volatile storage”, and “cryptogram” language, “storing”, “generating”, “embodying”, “replenishing”, and “performing” in the context of this claim encompass the mental processes. The series of steps including storing cryptographic data, generating an application cryptogram, embodying a security architecture, replenishing cryptographic data, and performing an action using cryptographic data belong to a typical performing an observation, evaluation, 
This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements – computing device, cryptographic data, security architecture, volatile storage, non-volatile storage, and cryptogram. The computing device, cryptographic data, security architecture, volatile storage, non-volatile storage, and cryptogram are recited at a high-level of generality (i.e., performing generic functions of an interaction) such that they amount to no more than mere instructions to apply the exception using a generic computer component, merely implementing an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). The (volatile and non-volatile) storages are used for storing, replenishing, or utilizing the (cryptographic) data, which is surely at a high-level of generality and furthermore the added elements are also recited at a high-level of generality, not being related to the other devices and overall functions, and the instant invention is not integrated in any deeper level into their conventional operations, indicating that the limitations are not indicative of integration into a practical application: Generally linking the use of the judicial exception to a particular technological environment or field of use—see MPEP 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception, reaffirming that the limitations are not indicative of integration into a practical application: Generally linking the use of the judicial exception to a particular technological environment or field of use. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements in the process amount to no more than mere instructions to apply the exception using generic computer components. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.
With respect to claims 2-13 and 16-20:
Dependent claims 2-13 and 16-20 include additional limitations, for example, replenishing at least second cryptographic data from a source, using a first or second part of the first cryptographic data, using keystores, using cryptographic keys, performing an action, generating encrypted volatile integers, providing verification of user, using 
	Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Furthermore, looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology, and their collective functions merely provide conventional computer 
Therefore, whether taken individually or as an ordered combination, claims 2-13 and 16-20 are nonetheless rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9, and 12-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bradshaw et al. (US 9,558,080 B2; hereinafter Bradshaw) in view of Collinge et al. (WO 2015/160385 A1; already of record in IDS; hereinafter Collinge), and in .
With respect to claim 1:
	Bradshaw teaches a computing device comprising: (See at least Bradshaw: Abstract)
a non-volatile storage device... for storing first ... data, wherein the first ... data comprises [one or more single use keys and a long term use key], ...; (See at least Bradshaw: Abstract; Figs. 1-2 & 4-6; col. 1, lines 6-17; col. 6, lines 5-9)
a volatile storage device for storing second ... data; and...(See at least Bradshaw: Abstract; Figs. 1-2 & 4-6; col. 1, lines 6-17; col. 6, lines 5-9)
wherein the computing device embodying a security architecture for an application, the security architecture being configured to cause the second ... data to be deleted on rebooting of the computing device. (By disclosing, the recovery occurs by identifying pages that were in the volatile memory at the time of the crash. For each of these pages, the recovery determines whether to recover the page into the volatile memory (content of which is deleted on rebooting) from either the intermediate non-volatile memory or the storage, and then performs the recovery. In some embodiments in which the computing system is transaction-enabled, the recovery also 
	However, Bradshaw does not teach explicitly ...cryptographic data, ...comprising two or more proxies for physical payment cards, each of the two or more proxies comprising keystores, ...one or more single use keys and a long term use key, ...each of the keystores to securely store a key while enabling the key stored therein to be utilized, and ...a processor to generate an application cryptogram based at least partially on the long term use key for processing of a transaction.
	Collinge, directed to method and system for generating an advanced storage key in a mobile device without secure elements and thus in the same field of endeavor, teaches
cryptographic data. (By disclosing, the memory 212 may also include a mobile payment application (MPA) 404. The MPA 404 may be an application program configured to perform the functions of the mobile device 104 discussed herein, such as the receipt and storage of payment credentials, validation of RNS messages, and generation of application cryptograms for use in conducting payment transactions. Additional features of the MPA 404 may include traditional features of a digital wallet or other similar application program. See at least Collinge: paragraph(s) [0098], [0068]-[0069], [0008]-[0009], [0039], [0060], [0063], [0065] & [0153])
...a non-volatile storage device comprising two or more proxies for physical payment cards, each of the two or more proxies comprising keystores for storing first cryptographic data (By disclosing, a payment card may be a physical card that may be provided to a merchant, or may be data (proxies) representing the associated transaction account (e.g., as stored in a communication device, such as a smart phone or computer). Payment credentials provisioned to the mobile device 104 may be securely stored in storage in the mobile device 104, such as a card database, which may be data storage on the mobile device 104 that is configured to store data associated with one or more transaction accounts and/or payment cards. See at least Collinge: paragraph(s) [0030], [0039] & [0054])
...one or more single use keys and a long term use key (By disclosing, the term "payment credentials" may refer to any data used by the mobile device 104 and/or transaction management server 02 in the transmission and validation of payment information used in a payment transaction using the methods and systems discussed herein, including, but not limited to, payment details, payment credentials, single use keys, session keys, application cryptograms, card master keys (long term use key), etc. See at least Collinge: paragraph(s) [0036], [0057], [0059] & [0082])
...each of the keystores to securely store a key while enabling the key stored therein to be utilized (By disclosing, the generating of an advanced storage key, as discussed in more detail below, may utilize unique device information, unique MPA information, and randomly generated information in order to identify a secure storage key that can be used to securely store data in the mobile device 104. See at least Collinge: paragraph(s) [0039])
...a processor to generate an application cryptogram based at least partially on the long term use key for processing of a transaction; (By disclosing, the application cryptograms may each be generated by the mobile device 104 using separate session keys and additional data. See at least Collinge: paragraph(s) [0040]-[0041])

However, Bradshaw and Collinge do not teach explicitly ...a non-volatile storage device for storing first cryptographic data and ...a volatile storage device for storing second cryptographic data.
Momchilov, directed to shared secret vault for applications with single sign on and thus in the same field of endeavor, teaches 
...a non-volatile storage device for storing first cryptographic data and ...a volatile storage device for storing second cryptographic data. (By disclosing, the vault database 220 and the passcode-encrypted vault key 214 may be stored in persistent storage while the unlock-key-encrypted vault key 216 and the unlock key storage 241a-c may be stored in volatile memory. As a result, on loss of power or reboot the unlock keys stored by the applications will be lost and each application may 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw and Collinge to incorporate the shared secret vault for applications with single sign on teachings of Momchilov for the benefit of providing more flexibility, security, and functionality for managed computing devices and/or computer software, particularly in instances in which one or more mobile applications are provided for accessing enterprise resources. (See at least Momchilov: paragraph(s) [0006])
Examiner’s Note: 
(1)  The limitations “for storing first cryptographic data” in claim 1, line 3, “enabling the key stored therein to be utilized” in lines 5-6, “to generate an application cryptogram” in line 8, “for processing of a transaction” in line 9, and “to cause the second cryptographic data material to be deleted lost on rebooting of the computing device” in lines 12-13 are an intended use. No patentable weight is given. The recitation of the intended use of the claimed invention does not serve to differentiate the claim from the prior art. MPEP § 2103 I C states that language that suggests or makes optional but does 
With respect to claim 14:
	Bradshaw teaches a method of preparing and performing an application on a computing device having non-volatile storage and volatile storage, the method comprising: (See at least Bradshaw: Abstract)
storing first ... data in the non-volatile storage, ..., and storing second ... data in the volatile storage, wherein the second ... data is deleted on rebooting of the computing device,...; (By disclosing, the recovery occurs by identifying pages that were in the volatile memory at the time of the crash. For each of these pages, the recovery determines whether to recover the page into the volatile memory from either the intermediate non-volatile memory or the storage, and then performs the recovery. In some embodiments in which the computing system is transaction-enabled, the recovery also identifies transactions that were active at the time of the crash, and undoes the actions of each of those transactions. The principles described herein build on top of ARIES and reduce recovery time by restoring pages into the volatile memory 201 from the non-volatile memory 202, as well as from the storage 
replenishing at least the second ... data from a source external to the computing device but accessible by a computing network;... (By disclosing, for each of these pages, the recovery determines whether to recover the page into the volatile memory from either the intermediate non-volatile memory or the storage (external source), and then performs the recovery. See at least Bradshaw: Abstract; col. 4, lines 37-51) 
the application performing an action using the first ... data and, if available, the second ... data, wherein an output of the action indicates whether the second ... data was available. (By disclosing, if normal forward processing is further modified to include snapshots (also referred to as "checkpoints") into non-volatile memory 202, the recovery time may be further reduced especially if the snapshots to non-volatile memory 202 are frequent, and more frequent than the snapshots to storage 203. This checkpointing is an optimization that reduces the size of the log. The checkpointing thus reduces the number of redo and undo actions that have to be performed during crash recovery. See at least Bradshaw: col. 6, lines 39-48)
	Collinge, directed to method and system for generating an advanced storage key in a mobile device without secure elements and thus in the same field of endeavor, teaches 
...cryptographic data. (By disclosing, the memory 212 may also include a mobile payment application (MPA) 404. The MPA 404 may be an application program configured to perform the functions of the mobile device 104 discussed herein, such as the receipt and storage of payment credentials, validation of RNS messages, and generation of application cryptograms for use in conducting payment transactions. Additional features of the MPA 404 may include traditional features of a digital wallet or other similar application program. See at least Collinge: paragraph(s) [0098], [0068]-[0069], [0008]-[0009], [0039], [0060], [0063], [0065] & [0153])
...the non-volatile storage comprising two or more proxies for physical payment cards, each of the two or more proxies comprising keystores (By disclosing, a payment card may be a physical card that may be provided to a merchant, or may be data (proxies) representing the associated transaction account (e.g., as stored in a communication device, such as a smart phone or computer). Payment credentials provisioned to the mobile device 104 may be securely stored in storage in the mobile device 104, such as a card database, which may be data storage on the mobile device 104 that is configured to store data associated with one or more transaction accounts and/or payment cards. See at least Collinge: paragraph(s) [0030], [0039] & [0054])
...wherein the first cryptographic data comprises one or more single use keys and a long term use key, each of the keystores to securely store a key while enabling the key stored therein to be utilized; (By disclosing, the term "payment credentials" may refer to any data used by the mobile device 104 and/or transaction management server 02 in the transmission and validation of payment information used in a payment transaction using the methods and systems discussed herein, including, but not limited to, payment details, payment credentials, single use keys, session keys, application cryptograms, card master keys (long term use key), etc. In addition, the generating of an advanced storage key, as discussed in more detail below, may 
...generating an application cryptogram based at least partially on the long term use key for processing of a transaction; and (By disclosing, the application cryptograms may each be generated by the mobile device 104 using separate session keys and additional data. See at least Collinge: paragraph(s) [0040]-[0041])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the crash recovery using non-volatile memory of Bradshaw to incorporate the generating an advanced storage key in a mobile device without secure elements teachings of Collinge for the benefit of using multiple values to build an advanced storage key in a mobile device without a secure element for use in the secure storage of data in the mobile device. (See at least Collinge: paragraph(s) [0002]-[0009])
However, Bradshaw and Collinge do not teach explicitly ... storing first cryptographic data in the non-volatile storage and ... storing second cryptographic data in the volatile storage.
Momchilov, directed to shared secret vault for applications with single sign on and thus in the same field of endeavor, teaches
...storing first cryptographic data in the non-volatile storage and ... storing second cryptographic data in the volatile storage. (By disclosing, the vault database 220 and the passcode-encrypted vault key 214 may be stored in persistent storage while the unlock-key-encrypted vault key 216 and the unlock key storage 241a-c may be stored in volatile memory. As a result, on loss of power or reboot the unlock keys stored by the applications will be lost and each application may need to prompt the user to enter his passcode to re-register the application with the shared vault 210 and acquire the unlock key 222. See at least Momchilov: paragraph(s) [0069]-[0070])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw and Collinge to incorporate the shared secret vault for applications with single sign on teachings of Momchilov for the benefit of providing more flexibility, security, and functionality for managed computing devices and/or computer software, particularly in instances in which one or more mobile applications are provided for accessing enterprise resources. (See at least Momchilov: paragraph(s) [0006])
Examiner’s Note: 
The limitations “wherein the second cryptographic data is deleted on rebooting of the computing device” in claim 14, lines 6-7, “enabling the key stored therein to be utilized” in lines 8-9, “for processing of a transaction” in lines 12-13 are an intended use. No patentable weight is given. The recitation of the intended use of the claimed invention does not serve to differentiate the claim from the prior art. MPEP § 2103 I C states that language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claim limitation. An example of such language includes statements of intended use or field of use (MPEP §2103 I C).
With respect to claim 15:
	Bradshaw teaches a method of preparing and performing an application on a computing device having non-volatile storage and volatile storage, the method comprising: (See at least Bradshaw: Abstract)
storing first cryptographic data in the non-volatile storage, ..., and storing second ... data in the volatile storage, wherein the second ... data is deleted on rebooting of the computing device, and wherein the first ... data comprises a first and a second part, ...; ... (By disclosing, the recovery  
the application performing an action using the first ... data, wherein the first part of the ... data is used to perform the action and the second part of the ... data is also used to perform the action if a use condition is met, wherein an output of the action indicates which parts of the first ... data were used. (By disclosing, the system constructs a mapping (act 413) that identifies a location of a recovery version of each page (first or second part) within the intermediate non-volatile memory for each page that has a recovery version within the intermediate non-volatile memory. In a transactional system, the 
However, Bradshaw does not teach ...cryptographic data, ...the non-volatile storage comprising two or more proxies for physical payment cards, each of the two or more proxies comprising keystores, ...the first cryptographic data comprising one or more single use keys and a long term use key, each of the keystores to securely store a key while enabling the key stored therein to be utilized, and ...generating an application cryptogram based at least partially on the long term use key for processing of a transaction.
	Collinge, directed to method and system for generating an advanced storage key in a mobile device without secure elements and thus in the same field of endeavor, teaches 
...cryptographic data. (By disclosing, the memory 212 may also include a mobile payment application (MPA) 404. The MPA 404 may be an application program configured to perform the functions of the mobile device 104 discussed herein, such as the 
...the non-volatile storage comprising two or more proxies for physical payment cards, each of the two or more proxies comprising keystores (By disclosing, a payment card may be a physical card that may be provided to a merchant, or may be data (proxies) representing the associated transaction account (e.g., as stored in a communication device, such as a smart phone or computer). Payment credentials provisioned to the mobile device 104 may be securely stored in storage in the mobile device 104, such as a card database, which may be data storage on the mobile device 104 that is configured to store data associated with one or more transaction accounts and/or payment cards. See at least Collinge: paragraph(s) [0030], [0039] & [0054])
...the first cryptographic data comprising one or more single use keys and a long term use key, each of the keystores to securely store a key while enabling the key stored therein to be utilized (By disclosing, the term "payment credentials" may refer to any data used by the mobile device 104 and/or 
...generating an application cryptogram based at least partially on the long term use key for processing of a transaction; and (By disclosing, the application cryptograms may each be generated by the mobile device 104 using separate session keys and additional data. See at least Collinge: paragraph(s) [0040]-[0041])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the crash recovery using non-volatile memory of Bradshaw to incorporate the generating an advanced storage key in a mobile device without secure elements teachings of Collinge for the benefit of using multiple values to build an advanced 
However, Bradshaw and Collinge do not teach explicitly ... storing first cryptographic data in the non-volatile storage and ... storing second cryptographic data in the volatile storage.
Momchilov, directed to shared secret vault for applications with single sign on and thus in the same field of endeavor, teaches 
...storing first cryptographic data in the non-volatile storage and ... storing second cryptographic data in the volatile storage. (By disclosing, the vault database 220 and the passcode-encrypted vault key 214 may be stored in persistent storage while the unlock-key-encrypted vault key 216 and the unlock key storage 241a-c may be stored in volatile memory. As a result, on loss of power or reboot the unlock keys stored by the applications will be lost and each application may need to prompt the user to enter his passcode to re-register the application with the shared vault 210 and acquire the unlock key 222. See at least Momchilov: paragraph(s) [0069]-[0070])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw and Collinge to incorporate the shared secret vault for applications with single 
Examiner’s Note: 
(1)	The limitations “wherein the second cryptographic data is deleted on rebooting of the computing device” in claim 15, lines 6-7, “enabling the key stored therein to be utilized” in lines 9-10, “to perform the action” in lines 14 and 15 are an intended use. No patentable weight is given. The recitation of the intended use of the claimed invention does not serve to differentiate the claim from the prior art. MPEP § 2103 I C states that language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claim limitation. An example of such language includes statements of intended use or field of use (MPEP §2103 I C).
(2)	The limitations “if a use condition is met” in claim 15, line 15 are optional language. Claim scope is not limited by claim language that suggests or makes optional but does not require steps to be performed, or by claim 
With respect to claim 2:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 1, as stated above.
Bradshaw further teaches wherein the security architecture is adapted such that at least the second [cryptographic] data is replenished from a source external to the computing device but accessible by a computing network, wherein the application is adapted to perform an action using the first [cryptographic] data and, if available, the second [cryptographic] data, wherein an output of the action indicates whether the second [cryptographic] data was available. (By disclosing, for each of these pages, the recovery determines whether to recover the page into the volatile memory from either the intermediate non-volatile memory or the storage (external source), and then performs the recovery. See at least Bradshaw: Abstract; col. 4, lines 37-51)
	Furthermore, Collinge, in the same field of endeavor, further teaches ...cryptographic data, as stated above, and actions performed based on data. (See at least Collinge: paragraph(s) [0102], [0098], [0068]-[0069], [0008]-[0009], [0039], [0060], [0063], [0065] & [0153])
With respect to claim 3:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 1, as stated above.
Bradshaw further teaches wherein the security architecture is adapted such that the first [cryptographic] data comprises a first and a second part, wherein the application is adapted to perform an action using the first [cryptographic] data, wherein the second part of the first [cryptographic] data is only used if a use condition is met, wherein if the use condition is not met, only the first part of the [cryptographic] data is used, wherein an output of the action indicates which parts of the first [cryptographic] data were used. (By disclosing, as stated above with respect to claim 15, the system constructs a mapping (act 413) that identifies a location of a recovery version of each page (first or second part) within the intermediate non-volatile memory for each page that has a recovery version within the intermediate non-volatile memory. In a transactional system, the system determines which transactions were prepared at the time of the crash (act 511). Referring to FIG. 3, the identification of the pending transactions may be performed during the analysis phase 311 in the example below. The system then prepares each of the transactions that were prepared at crash time (act 512) prior to loading the pages from the recovery source into the volatile memory (act 412). See at least Bradshaw: col. 7, lines 3-5, 13-24 & 56-60; col. 8, lines 11-20)
...cryptographic data, as stated above, and actions performed based on data. (See at least Collinge: paragraph(s) [0102], [0098], [0068]-[0069], [0008]-[0009], [0039], [0060], [0063], [0065] & [0153])
With respect to claims 4 and 16:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 1 and the method of claim 15, as stated above.
Collinge, in the same field of endeavor, further teaches wherein the non-volatile storage comprises keystores provided by an operating system of the computing device, and the first cryptographic data comprises cryptographic keys. (By disclosing, payment credentials provisioned to the mobile device 104 may be securely stored in storage in the mobile device 104, such as a card database, discussed in more detail below. In some embodiments, the mobile device 104 may be configured to generate an advanced storage key for use in securely storing data, such as the payment credentials, in a database or memory in the mobile device 104. The first session key 308 and second session key 310 may be additional keys that are used by the processing unit 204 in the generation of the application cryptograms transmitted to the point of sale 110 as part of the conducting of a payment transaction using the mobile device 104. See at 
With respect to claims 5 and 17:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 4 and the method of claim 16, as stated above.
Collinge, in the same field of endeavor, further teaches wherein the cryptographic keys comprise one or more of one or more single use keys and a long term use key. (By disclosing, the term "payment credentials" may refer to any data used by the mobile device 104 and/or transaction management server 102 in the transmission and validation of payment information used in a payment transaction using the methods and systems discussed herein, including, but not limited to, payment details, payment credentials, single use keys, session keys, application cryptograms, card master keys, etc. See at least Collinge: paragraph(s) [0036], [0057], [0059] & [0082])
With respect to claims 6 and 18:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 5 and the method of claim 17, as stated above.
	Bradshaw teaches wherein when performing an action using first [cryptographic] data, the application uses one of [the single use keys], if available, and [the long term use key] if no [single use key] is available, and wherein when the [long term use key] is used in performance of the action, the output of the action indicates that [the long term use key] was used. (By disclosing, as stated above with respect to claim 14, if normal forward processing is further modified to include snapshots (also referred to as "checkpoints") into non-volatile memory 202, the recovery time may be further reduced especially if the snapshots to non-volatile memory 202 are frequent, and more frequent than the snapshots to storage 203. This checkpointing is an optimization that reduces the size of the log. The checkpointing thus reduces the number of redo and undo actions that have to be performed during crash recovery. See at least Bradshaw: col. 6, lines 39-48; col. 7, lines 56-60)
Collinge, in the same field of endeavor, further teaches ...first cryptographic data, ...the single use keys, ...the long term use key. (By disclosing, a card master key may be used in place of the PIN, such as the first card master key 612. In such an embodiment, the processing unit 504 of the transaction management server 102 may be configured to generate a second session key 608 based on the second card master key 614 that corresponds to the second session key 310 generated by the mobile device 104 using the single use key 306 and the PIN 314. In some instances, the second session key 608 may also be based on the corresponding single use key 604. See at least Collinge: paragraph(s) [0036], [0057], [0059] & [0082])
With respect to claims 7 and 19:
the computing device of claim 4 and the method of claim 16, as stated above.
Collinge, in the same field of endeavor, further teaches wherein the security architecture is adapted to use cryptographic keys only when injection into the keystores was completed within a predetermined time. (By disclosing, the payment credentials 304 (cryptographic keys) may include, for example, a transaction account number, security code, expiration date (within a predetermined time), cardholder name, authorized user name, tracking data, card layout description data, digit counts, bitmaps, etc. See at least Collinge: paragraph(s) [0058])
With respect to claim 9:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 1, as stated above.
Bradshaw further teaches wherein the computing device is a mobile computing device. (See at least Bradshaw: col. 4, lines 37-45)
With respect to claim 12:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 1, as stated above.
Collinge, in the same field of endeavor, further teaches wherein the application for execution on the mobile computing device is a payment application. (By disclosing, the mobile 
With respect to claim 13:
	Bradshaw, Collinge, and Momchilov teach the computing device of claim 12, as stated above.
Collinge, in the same field of endeavor, further teaches wherein the action comprises generation of a cryptogram in performance of a transaction. (By disclosing, the conveyance of payment credentials to the point of sale 110 may include the transmission of two or more application cryptograms. See at least Collinge: paragraph(s) [0040]-[0041])
Claims 8 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bradshaw in view of Collinge and in further view of Momchilov, as applied to claims 1 and 15, and in still further view of Thanos et al. (US 2016/0204935 A1; hereinafter Thanos).
With respect to claims 8 and 20:
Bradshaw, Collinge, and Momchilov teach the computing device of claim 1 and the method of claim 15, as stated above.
However, Bradshaw, Collinge, and Momchilov do not teach wherein the second cryptographic data comprises encrypted volatile integers generated for one time use, and wherein the 
Thanos, directed to systems and methods with cryptography and tamper resistance software security and thus in the same field of endeavor, teaches wherein the second cryptographic data comprises encrypted volatile integers generated for one time use, and wherein the computing device is adapted to request one or more volatile integers on reboot of the device. (By disclosing, initialization can include sequences involving booting, rebooting, starting and restarting of an application. In addition, the password authentication device produces the one-time password based upon at least one of (i) a random number generator, and (ii) current time combined with a random value. See at least Thanos: paragraph(s) [0043] & [0046]; page 6, col. Right, lines 10-13)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw, Collinge, and Momchilov to incorporate the systems and methods with cryptography and tamper resistance software security teachings of Thanos for the benefit of providing security techniques that uses, databases, or other data or file management mechanisms to store application user information, authenticating and authorizing access by a 
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Bradshaw in view of Collinge, as applied to claims 1 and 3, and in further view of Ylonen (US 2015/0222604 A1; hereinafter Ylonen).
With respect to claim 10:
Bradshaw, Collinge, and Momchilov teach the computing device of claim 3, as stated above.
However, Bradshaw, Collinge, and Momchilov do not teach wherein the security architecture provides for verification of a user at a mobile computing device, and wherein the first cryptographic data comprises completed verification data and uncompleted verification data, and wherein the action uses the completed verification data if the user was verified at the mobile computing device and uses the uncompleted verification data if the user was not verified at the mobile computing device.

wherein the security architecture provides for verification of a user at a mobile computing device, and wherein the first cryptographic data comprises completed verification data and uncompleted verification data, and wherein the action uses the completed verification data if the user was verified at the mobile computing device and uses the uncompleted verification data if the user was not verified at the mobile computing device. (By disclosing, the last successfully used private key is looked up from a database saved across client invocations using the hash (2002) (generally, using the hash here is optional, and with some databases the same could equivalently be achieved using the host and user directly as keys in a query). It is tested whether such key (completed verification data) was found (2003), and if so, authentication to the server is attempted using the found key (2004). If successful (2005), authentication succeeds (2010). If no key was found or authentication failed, then all available private keys (uncompleted verification data) are tried until one succeeds or there are no more keys (2006), if they all failed (2007), authentication using public key fails 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw, Collinge, and Momchilov to incorporate the automated access, key, certificate, and credential management teachings of Ylonen for the benefit of completing any outstanding operations for such decommissioned systems in order to not leave related higher-level operations incomplete. (See at least Ylonen: paragraph(s) [0105])
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Bradshaw in view of Collinge and in further view of Momchilov and Ylonen, as applied to claim 10, and in still further view of Zimmermann (US 2018/0027006 A1; hereinafter Zimmermann).
With respect to claim 11:
Bradshaw, Collinge, Momchilov, and Ylonen teach the computing device of claim 10, as stated above.
However, Bradshaw, Collinge, Momchilov, and Ylonen do not teach wherein the completed verification data is cryptographically generated by a keystore provided by an operating system of the computing device, and wherein the 
Zimmermann, directed to system and method for securing an enterprise computing environment and thus in the same field of endeavor, teaches wherein the completed verification data is cryptographically generated by a keystore provided by an operating system of the computing device, and wherein the keystore is configured to only perform cryptographic operations after successful user verification. (By disclosing, the keystore API 3610 may operate within the selective encryption module 102 or the CSF 100 to generate keys and manage (e.g. control access to) keys. The keystore API 3610 may act as an integration point with key stores and key management capabilities of third parties and customers. Also, the keyserver/keystore API can interact with customer-managed keystores (such as through a gateway, proxy or the like), such as ones deployed in public cloud, private cloud, or on premises keystores of the customer. See at least Zimmermann: paragraph(s) [0479]-[0480])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Bradshaw, Collinge, Momchilov, and Ylonen to incorporate the system 

Response to Arguments
In response to applicant’s argument that the present claims cannot be seen to even remotely correspond to the examples of Mental Processes subject matter groupings and that the present claims are clearly directed to a practical application under Prong Two, at least because the claims are directed to a technical improvement, it is noted that storing data, generating data, and embodying a security architecture can be performed manually and mentally, especially when the additional elements including computing device, non-volatile storage device, proxies, keystores, volatile storage device, and security architecture are recited at a high-level of generality without any technical details and just used as tools to automate the abstract idea. The storing devices, proxies, or keystores are supposed to store data and the computing device is supposed to generate a piece of data (cryptogram), and therefore the claims are not directed to a technical improvement including "an improvement in the functioning of a computer, or an 
In response to applicant’s argument that Collinge does not appear to show that the cryptographic data is stored in proxy for a physical card, such as within keystores, it is noted that Collinge teaches that a payment card may be data (proxies) representing the associated transaction account, as stored in a smart phone or computer (keystores in the computing device). As recited in the claims, the proxies or keystores are recited at a high-level of generality without any technical details. In addition, a smart phone includes a non-volatile or volatile storage device. Proxies for physical payment cards are not defined in the original disclosure, and any type of storage storing a key may be a keystore. (See at least Collinge: paragraph(s) [0030], [0036], [0039] & [0054])

In response to applicant’s argument that neither Bradshaw nor Collinge, whether considered alone and/or in combination, show a processor to generate an application cryptogram based at least partially on the long term use key for processing of a transaction, it is noted that Collinge teaches that the application cryptograms may each be generated by the mobile device 104 using separate session keys and additional data. (See at least Collinge: paragraph(s) [0041])

Conclusion 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAY C LEE whose telephone number is (571)272-3309.  The examiner can normally be reached on Monday-Friday 7:30-5pm est.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571)270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the 






/C.C.L./Examiner, Art Unit 3685

/OLUSEYE IWARERE/Primary Examiner, Art Unit 3687