DETAILED ACTION
The present application is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to Applicant's communication filed on 2/10/2021.

Claims
Claims 1 and 11 have been amended. 
Claims 1-20 are currently pending in the application. 

Information Disclosure Statement(s)
The Information Disclosure Statement (IDS) that was filed on 12/29/2020 has been considered.

Response to Arguments

101
The applicant argues that the claims are not directed to a judicial exception; however, the examiner respectfully disagrees. Claim 1 recites receiving credential data and then simultaneously performing both local authentication and sending the credential data to an outside source for outside authentication. Then, based on one of the local authentication or outside authentication, it determines whether to grant or deny access. This is an abstract idea that falls
The applicant specifically argues that the claims recite an improvement to the functioning of the computer. However, the examiner respectfully disagrees. The use of simultaneously requesting authentication to an outside service and initiating local authentication does not improve computer technology. Computers are able to perform multiple tasks simultaneously. The claims recite that the determining whether to grant or deny the user access to a resource is based on receiving an authorization response message from the server OR a result of the ODA process. Both the server authentication and the ODA are not used together to determine whether the user is granted access. Since only one or the other authentication process is used, there is not a security improvement or time improvement over a system/process that only does one authentication process (e.g. server authentication or ODA). The use of an access device, processor, computer readable medium, communication device, and server computer is nothing more than merely using a computer as a tool to perform the abstract idea. Further, the use of authenticating based on one or more of public key cryptography, static data authentication, or dynamic data authentication is broadly recited and is generally linking the use of the judicial exception to the particular technological environment or field of use (e.g. computer transaction authentication). For the same reasons, the claims do not provide significantly more than the abstract idea.
103
Applicant’s arguments with respect to claim 1 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.  
112


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
In the instant case, claims 1-10 are directed to a method and claims 11-20 are directed to an access device. Therefore, these claims fall within the four statutory categories of invention. 
Claim 1 recites locally and remotely authenticating an authorization request and then determining whether to grant or deny the user access based on the result of the local and remote authentication. Specifically, the claim recites “receiving… credential data; simultaneously transmitting… the received credential data in an authorization request message… and initiating… an offline data authentication (ODA) process using the received credential data…; transmitting… a challenge request; receiving… a challenge response and identifying information associated with the communication device; authenticating… using the challenge response and the identifying information…; in response to receiving… an authorization response message within a predetermined period of time after transmitting the credential data in the authorization request message… determining whether to grant or deny the user access to a resource based on the received authorization response message or a result of the ODA process”, which is grouped within the “certain methods of organizing human activity” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)). Claim 11 is directed to an access device that performs the same functions as claim 1. Therefore, claim 11 is also directed to the abstract idea of locally and remotely authenticating an authorization request and then determining whether to grant or deny the user access based on the result of the local and remote authentication.
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional element(s) of claims 1 and 11, such as the use of the access device, processor, computer readable medium, communication device, and server computer, merely use(s) a computer as a tool to perform an abstract idea. Specifically, the access device, processor, computer readable medium, communication device perform(s) the steps or functions of locally and remotely authenticating an authorization request and then determining whether to grant or deny the user access based on the result of the local and remote authentication. The use of a processor/computer as a tool to implement the abstract idea does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.  Further, the communication over a network and the 
Claims 1 and 11 do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional element(s) of using an access device, processor, computer readable medium, communication device, and server computer to perform the steps amounts to no more than using a computer or processor to automate and/or implement the abstract idea of locally and remotely authenticating an authorization request and then determining whether to grant or deny the user access based on the result of the local and remote
The dependent claims 2-10 and 12-20 further describe the abstract idea. Claims 2 and 12 describe the time period used for the authorization response message and do not include any additional elements; claims 3 and 13 describe what the resource is used for and do not include any additional elements; claims 4 and 14 further describe the communication device and do not include any additional elements; claims 5 and 15 further describe the credential data and do not include any additional elements; claims 6, 7, 16, and 17 recite the abstract idea of using a blacklist and do not include any additional elements; claims 8 and 18 further describe the credential data and do not include any additional elements; claims 9 and 19 further describe the server computer and do not include any additional elements; claims

Rejections under 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100327056 A1 (“Yoshikawa”) and US 20130227651 A1 (“Schultz”) and EP 2339543 A2 (“Cabezas”) and US 20150312041 A1 (“Choi”).

Per claims 1 and 11, Yoshikawa discloses:
receiving, by an access device (e.g. IC terminal) and from a communication device (e.g. card) operated by a user, credential data (e.g. card information) (Section [0090]-[0091]);
initiating an online authorization request by transmitting, by the access device (e.g. IC terminal), the received credential data (e.g. card information) in an authorization request message (e.g. authorization data) to a server computer (e.g. host computer) and initiating, by the access device, an offline data authentication (ODA) process (e.g. offline approval) using the received credential data from the communication device… (Section [0088]-[0101]);
in response to receiving, by the access device (e.g. IC terminal) and from the server computer (e.g. host computer), an authorization response message (e.g. approval result) [within a predetermined period of time] after transmitting the credential data (e.g. card information) in the authorization request message (e.g. authorization data) to the server computer (e.g. host computer): determining whether to grant or deny the user access to a resource based on the received authorization response message (e.g. approval result), or a result of the ODA process (e.g. offline approval) (Section [0088]-[0101]).

Although Yoshikawa discloses an access device that receives credential data and can perform both online and offline authorization, Yoshikawa does not specifically disclose simultaneously initiating an online authorization request and offline data authentication (ODA) process; the ODA process comprising: transmitting, by the access device, a challenge message; receiving, by the access device and from the communication device, a challenge response and identifying information associated with the communication device; authenticating, by the access device, of the communication device using the challenge response and the identifying information based on one or more of public key cryptography, static data authentication, or dynamic data authentication. However, Schultz, in analogous art of user authentication, discloses:
simultaneously (e.g. concurrent) initiating an online authorization request (e.g. online) and offline data authentication (ODA) process (e.g. offline) (Section [0063]); 
the ODA process comprising: transmitting, by the access device (e.g. biometric authenticator), a challenge message (e.g. message) (Section [0070]); 
receiving, by the access device and from the communication device (e.g. mobile device), a challenge response (e.g. response) and identifying information (e.g. mobile device identifier) associated with the communication device (Section [0070]-[0072]); 
authenticating, by the access device, of the communication device using the challenge response (e.g. determines a user authentication confidence score that may be used to authorize a transaction, authorize access to resources, access to a facility) and the identifying information (e.g. determines whether the context information matches one or more criteria associated with the multi-factor authentication procedure) (Section [0070]-[0072]).
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention to modify the user authentication process/system of Yoshikawa to simultaneously initiate the offline and online authentication, as taught by Schultz, in order to provide a more confident authorization decision (See Schultz Section [0034]).
Further, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself, that is, in the substitution of the offline authentication process of Schultz for the offline authentication process of Yoshikawa. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious.



Although Yoshikawa/Schultz discloses an access device that simultaneously initiates online and offline authentication and uses a challenge message/response for the offline authentication, Yoshikawa/Schultz does not specifically disclose the predetermined period of time for receiving the authorization response message from the server computer. However, Cabezas, in analogous art of user authorization, discloses “in relation to the case in which said condition is said maximum time without response, the method comprises the local system notifying said remote system of the online operation having been canceled due to said maximum time without response having been exceeded…” and “after cancelling said on-line operation, declaring as valid the transaction which was being performed when said cancellation occurred, only by means of the previously performed offline operations” (Sections [0017]-[0018]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Yoshikawa/Schultz the concept of authorizing based on receiving a response from the server within a predetermined period of time as taught by Cabezas since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Section [0001]-[0002] of Cabezas discloses that both offline and online authorization are used to maintain the fluidity of users to pass through the toll system.  One of ordinary skill in the art would use a predetermined period of time to receive a response as taught by Cabezas in the authorization system of Yoshikawa/Schultz so that it maintains the fluidity of users to perform the transactions and reduce the risk of long lines.    

authenticating… based on one or more of public key cryptography, static data authentication, or dynamic data authentication. However, Choi, in analogous art of user authentication, discloses:
authenticating… based on one or more of public key cryptography (e.g. public key certificate), static data authentication, or dynamic data authentication (Section [0080]).  
It would have been obvious to one of ordinary skill in the art as of the effective filing date of the claimed invention to modify the user authentication process/system of Yoshikawa/Schultz/Cabezas to use public key cryptography for authenticating, as taught by Choi, in order to increase the security of the system.

Per claims 2 and 12, Yoshikawa/Schultz/Cabezas/Choi discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the predetermined period of time (e.g. maximum time) is 500 milliseconds (ms) (Section [0015]-[0018]). Note: Cabezas discloses in Section [0015]-[0018] that a maximum time condition without a response is used to determine whether or not to perform the offline authorization. The amount of time is a design choice and it would be obvious to make the period of time any amount.

Per claims 3 and 13, Yoshikawa/Schultz/Cabezas discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the resource is at least one of a transit system (e.g. toll road), event venue, or building (Section [0009]).  

Per claims 4 and 14, Yoshikawa/Schultz/Cabezas discloses all of the limitations of claims 1 and 11 above.  Cabezas further discloses:
wherein the communication device comprises at least one of a mobile device or a payment card (e.g. magnetic card or chip card) or an EMV card) (Section [0009]).  

Claims 5-7, 9, 10, 15-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yoshikawa/Schultz/Cabezas, as applied to claims 1 and 11 above, in further view of US 20080183589 A1 (“Dixon”).

Per claims 5 and 15, Yoshikawa/Schultz/Cabezas do not specifically disclose wherein the credential data comprises a primary account number associated with the communication device, and wherein the primary account number is used to initiate transactions at other access devices.  However Dixon, in analogous art of user authorization, discloses:
wherein the credential data comprises a primary account number (e.g. PAN) associated with the communication device, and wherein the primary account number is used to initiate transactions at other access devices (Section [0048]).
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself that is in the substitution  

Per claims 6 and 16, Yoshikawa/Schultz/Cabezas do not specifically disclose further comprising updating a blacklist based on at least one of the received authorization response message or the result of the ODA process.  However Dixon, in analogous art of user authorization, discloses:
further comprising updating a blacklist (e.g. black list) based on at least one of the received authorization response message (e.g. notification from issuer) or the result of the ODA process (Section [0055]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Yoshikawa/Schultz/Cabezas the concept of updating a blacklist based on the authorization response as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Cabezas discloses the use of a blacklist in section [0022] to authorize a user.  By updating the blacklist of Cabezas based on the authorization response message (as taught by Dixon), it allows the system to be more secure and faster for future transactions.  

Per claims 7 and 17, Yoshikawa/Schultz/Cabezas do not specifically disclose in response to receiving, by the access device and from the server computer, the authorization response message following the predetermined period of time after transmitting the credential data in the authorization request message to the server computer, updating a blacklist based on the received authorization response message.  However Dixon, in analogous art of user authorization, discloses:
in response to receiving, by the access device and from the server computer, the authorization response message following the predetermined period of time after transmitting the credential data in the authorization request message (e.g. notification from issuer) to the server computer, updating a blacklist (e.g. black list) based on the received authorization response message (Section [0055]).
The motivation to combine Dixon with Yoshikawa/Schultz/Cabezas was disclosed above in the examination of claims 6 and 16.  

Per claims 9 and 19, Yoshikawa/Schultz/Cabezas do not specifically disclose wherein the server computer is a part of a payment processing network.  However Dixon, in analogous art of user authorization, discloses:
wherein the server computer (e.g. issuer) is a part of a payment processing network (Section [0035]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Yoshikawa/Schultz/Cabezas the use of a payment processing network server as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  One of ordinary skill in the art would know that any type of 

Per claims 10 and 20, Yoshikawa/Schultz/Cabezas do not specifically disclose wherein the credential data is received via a contactless communication protocol.  However Dixon, in analogous art of user authorization, discloses:
wherein the credential data is received via a contactless communication protocol (e.g. wireless/contactless) (Section [0038]-[0041]).
It would have been obvious to one of ordinary skill in the art to include in the authorization system of Yoshikawa/Schultz/Cabezas the use of a contactless communication protocol as taught by Dixon since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.  Since both Yoshikawa and Dixon disclose transmitting payment card information to an access device, one of ordinary skill in the art would know that sending the payment card information of Yoshikawa using a contactless communication protocol (as disclosed by Dixon) would produce predictable results.  

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yoshikawa/Schultz/Cabezas, as applied to claims 1 and 11 above, in further view of US 20170200149 A1 (“Antunovie”).

Per claims 8 and 18, Yoshikawa/Schultz/Cabezas do not specifically disclose wherein the credential data comprises a cryptogram, and wherein the result of the ODA process is indicative of whether the cryptogram is valid.  However Antunovie, in analogous art of authorization, discloses:
wherein the credential data comprises a cryptogram (e.g. cryptogram), and wherein the result of the ODA process is indicative of whether the cryptogram is valid (e.g. validated offline) (Section [0085]).
Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself that is in the substitution of the cryptogram of Dixon for the card information of Yoshikawa.  Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory 
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from the Examiner should be directed to TIMOTHY SAX whose telephone number is 571-272-0821.  The Examiner can normally be reached on M-F 9-5:30.  If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Patrick McAtee can be reached at (571) 272-7575.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal/pair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free).

/TS/
Examiner, Art Unit 3685

/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685