DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Any citation of the instant specification is as published in US Patent Application Publication 20190392449.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims Status
Claims 1-20 are pending and are currently being examined.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-5 and 7-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Representative Independent Claim 1 involves an authentication for authenticating an user, the authentication comprising: (1) an authentication profile; (2) receive an authentication request message, the authentication request message 
These limitations, as drafted, refers to operations that, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or manually by a human but for the recitation of generic computer components (specifically, “platform” [here platform is interpreted as a computer component, although it might not necessarily be so], “memory device”, “and at least one processor coupled to the memory device, the at least one processor programmed to”). That is, other than reciting the generic computing components and merely applying nothing the limitation to a technical field (more on this below), nothing in the claim element precludes the step from practically being performed in the mind and/or manually by a human. As examples, a human can include an “authentication profile” in a record file, such as a paper folder stored in a filing cabinet. A human can receive a spoken or written authentication request message with authentication data, extract [e.g., visually] the authentication data from the message, then mentally and with pen and paper, generate a risk-based authentication results including a risk score [e.g., based on some pre-established rules]. When completed, the authenticating human can personally route [deliver] the results, based on certain authentication profile information [like routing rules written in the profile]. As is the case here, if a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or manually by a human, except for the recitation of generic computer components, then it falls within the 
This judicial exception is not integrated into a practical application. In particular, the claim only recites the additional elements of “platform”, “a memory device” and “at least one processor coupled to the memory device, the at least one processor programmed to”, which are mere instructions to implement an abstract idea on a computer. Nothing in the specification describes the platform, memory device, or processor as being anything other than generic computing components known in the prior art. 
Also, the additional element of “online” with respect to the user being an online user, amounts to generally linking the use of the judicial exception to a particular technological environment or field of use. Specifically to an “online” (herein interpreted as connected to the internet) environment. 
 Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s), as the additional elements of mere instruction to implement an abstract idea on a computer and/or generally linking the use of the judicial exception to 
All elements of the claim have been addressed above. Therefore, the claims does not include any additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amounts to no more than mere instruction to implement an abstract idea on a computer and/or generally linking the use of the judicial exception to a particular technological environment or field of use are not indicative of integration into a practical application. Mere instructions to implement an abstract idea on a computer and/or generally linking the use of the judicial exception to a particular technological environment or field of use cannot provide a practical application (step 2A Prong 2) and cannot provide an inventive concept in Step 2B. Therefore, the claim is not patent eligible.

	As per independent claims 13 and 19, they have similar limitations to claim 1 and are ineligible for similar reasons given for representative independent claim 1. 

	Dependent claims 3, 5-12, 15-18 and 20 include additional elements that amount to further recitation of the abstract idea(s), as they recite steps, e.g., transmitting, routing, embedding, performing a challenge, determining, comparing, and receiving, which as claimed does not preclude these steps from practically being performed by a human in the mind or manually. And these claims also recite limitations 
	Dependent claims 2, 4 and 14 each merely links the result data in the abstract idea to specific type of data field or to online payment card, issuer processor, and/or merchant technology field(s). 
Therefore, dependent claims 2-5, 7-12, 14-18 and 20 are also ineligible.

Nevertheless, claim 6 is found to be eligible for integrating the abstract idea(s) into a practical application, namely, of providing authentication on behalf of an ACS (access control server) that is determined to be unavailable. This is a purported problem/solution in the prior art, according to the instant specification. 

Furthermore, the applicant should note that for method claims, such as claim 15, the method is not limited by steps that are optional, such as “if the ACS is unavailable, the method further comprises generating, by the processor, an authentication decision based on the RBA result data and the authentication profile”. If rewritten to be positively recited, such as “determining that the ACS is unavailable”, then claim 15 would also be found eligible. Furthermore, if the remaining claims were rewritten to positively incorporate the abovementioned feature(s) of claim 6 (and/or claim 15 , if modified), the remaining claims would also be eligible under 101.

Claim Rejections - 35 USC § 112(b) or 112(2nd)
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim(s) 9, 17 and 20 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

	Claims 9, 17 and 20 recite the steps/functions of the authentication platform (and of respective method and storage media, which steps/functions performable by “at least one processor”) which include transmitting a step-up challenge to the online user, receiving a response to the step-up challenge from the online user, and determining an authentication decision based on the response to the step-up challenge and the RBA result data. Here, this is unclear because there is a lack of correspondence between the specification and the claims. The specification teaches that step-up challenge is performed by an ACS (“[0038] The enhanced AReq message is then transmitted from the RBA-enabled directory server [an “authentication platform”] to the ACS. The ACS then analyzes the RBA result data in the enhanced AReq message to make an authentication decision…the ACS may determine to…perform additional authentication (e.g., by issuing a step-up challenge to the cardholder) for the transaction”), and not that the authentication platform itself performs the step-up challenge. A claim, although clear on its face, may also be indefinite when a conflict or inconsistency between the claimed In re Moore, 439 F.2d 1232, 1235-36, 169 USPQ 236, 239 (CCPA 1971); In re Cohn, 438 F.2d 989, 169 USPQ 95 (CCPA 1971); In re Hammack, 427 F.2d 1378, 166 USPQ 204 (CCPA 1970). See MPEP 2173.03. For examination purposes, the examiner interprets that the ACS performs these steps/functions and not the authentication platform (or respective method/media).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 7-8, 11-14, 16 and 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky (US Patent Application Publication 20160078444) in view of Aquino (US Patent Application Publication 20160104163).

	As per claims 1, 13 and 19, Tomasofsky teaches an authentication platform (and respective method and storage media) for authenticating an online user, the authentication platform comprising:
	a memory device including an authentication profile (¶ 107 – “each particular issuing bank may provide its own custom set of rules to be 
	and at least one processor coupled to the memory device, the at least one processor programmed to:
	receive an authentication request message (FIG. 9:910 and “[0116] …TPS 910 transmits a scoring request to a risk-based decisioning (RBD) system 920 for fraud analysis and scoring”), 
the authentication request message including authentication data (“[0116] …the scoring request to RBD system 920 includes infrastructure data such as one or more of transaction data, information about a computing device used to conduct the subject transaction (“device information”, e.g., geo-location data of the device Internet protocol (IP) address), additional payment card information not included in the transaction data (“payment card information”), information about a digital wallet used to conduct the subject transaction (“digital wallet information”, e.g., whether and/or how often this particular device has been used in conjunction with this digital wallet), and cart data associated with the subject transaction (“cart data”).”);
	extract the authentication data from the authentication request message (“[0117] RBD system 920, in the example embodiment, scores the subject transaction for fraud using at least some of the provided data.”, 
	generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data including a risk score (“[0117]…RBD system 920 generates a risk result 922 (e.g., a risk score) for the transaction”, RBA (risk-based authentication) synonymous to RBD (risk-based decisioning) ).
Tomasofsky doesn’t teach/suggest 
route the RBA result data based on the authentication profile and the RBA result data
However, Aquino, in an analogous art of identifying potentially risky transactions (¶ 2), teaches/suggests the concept(s) of:
route the RBA result data based on the authentication profile (risk assessment model) and the RBA result data (¶ 17 – “Based on a risk assessment indicator (e.g., a numeric score) generated using a risk assessment model, transactions may be automatically allowed or blocked, or may be routed to a human reviewer for a final decision regarding whether to allow or block the transaction.” And “[0050]…transaction reviewer computer system 70 may each include user display 22 and 72, respectively, which may include any suitable device operable to visually present information to a user…GUI 74, for example, may present a user with suitable displays for reviewing transactions for potential risk, subsequent to receiving a risk 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of route the RBA result data based on the authentication profile and the RBA result data, as taught/suggested by Aquino, to modify (or “further modify”) the authentication profile and any interrelated element(s) of the platform/method/media of Tomasofsky, because this would lead to the predictable results of a more efficient platform/method/media, e.g., which is capable of routing to authentication entities that are more appropriate capabilities for the transaction’s risk level, e.g., less/more experienced (Aquino ¶¶ 61 and 62).

	As per claims 2 and 14, Tomasofsky, as modified, teaches the authentication platform of Claim 1 and the method of Claim 13, wherein the RBA result data further include at least one reason code (e.g., sub-scores or individual risk-based data elements) that indicates at least one factor that influenced the generated risk score (¶ 31 – “the RBD system may score the payment card transaction and provide an overall score and/or an overall recommendation to the issuer's ACS…The RBD system may 

	As per claim 3, Tomasofsky, as modified, teaches the authentication platform of Claim 1, wherein to route the RBA result data, the at least one processor is programmed to transmit the RBA result data to a source of the authentication request message (Tomasofsky FIG. 12:1206 and ¶ 144 – “transmitting 1206 an indication of acceptable risk to the merchant if the risk score satisfies a first pre-defined threshold.”). 

	As per claim 4, Tomasofsky, as modified, teaches the authentication platform of Claim 3, 
wherein the authentication request message is associated with an online payment card transaction (“[0026] One risk-based decisioning (RBD) system described herein evaluates payment card transactions involving digital wallets. During a payment card transaction, such as an online transaction on a merchant web site”), 
wherein the authentication profile is associated with an issuer processor (¶ 107 – “each particular issuing bank may provide its own custom set of rules to be applied by RBD module 750 to generate risk result 752”), and 


	As per claim 7, Tomasofsky, as modified, teaches the authentication platform of Claim 1, wherein to route the RBA result data, the at least one processor is programmed to determine a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”).
 
As per claim 8, Tomasofsky, as modified, teaches the authentication platform of Claim 7, wherein the at least one processor is programmed to transmit an authentication approval if the risk level is low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue through to authorization without additional authentication of the suspect consumer”). 
	
	As per claim 11, Tomasofsky, as modified, teaches the authentication platform of Claim 7. 
Tomasofsky, as modified, doesn’t directly teach: 
wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high.
However, Tomasofsky, suggests the concept(s) of:
wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high (¶ 81 – payment cards data 620 may indicate blacklisted cards, ¶ 52 – “the RBD module generates a risk score for the payment card transaction using payment card data” and “[0145]…method 1300 is performed by a computing system such as…RBD system 920 (shown in FIG. 9)…Method 1300 also includes transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during authentication of the payment card transaction.” And Table 3 in Page 12. Table 3 shows that a risk level may be “Negative”. And given that cards data 620 might indicate that a card is blacklisted, it would be understood by a person having ordinary skill in the art that the risk level that would be calculated and communicated by the RBD system, in the cases of blacklisted cards would be “Negative”, reflective of a “denied” authentication)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the at least one processor is programmed to transmit an authentication denied Tomasofsky, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more secure and efficient platform that may take into consideration of cards on a blacklist (too risky) to reject transactions involving these cards, without the need for further considerations/authentication steps.

	As per claim 12, Tomasofsky, as modified, teaches the authentication platform of Claim 1, 
wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one of one or more long term variables and one or more short term variables (Tomasofsky ¶ 27 – “Digital wallet information may include information about the digital wallet used during the transaction, such as how the suspect consumer was authenticated into the digital wallet, whether the digital wallet has historically been used with the current computing device, or whether the shipping address of the current transaction is a shipping address previously used with the digital wallet”, where current [short –term] variables, like current computing device and current shipping address, has been used in the past [long-term variable] comparison), 
wherein the one or more long term variables include historical authentication data and historical authorization data (Tomasofsky ¶ 96 – “RBD module 750 examines historical data 760 involving past authentication results…RBD module 750 may raise or lower the access Tomasofsky ¶ 78 – “device data 610 may include a fraudulent device status (e.g., whether the device has been involved in past fraudulent transactions)” and Tomasofsky ¶ 80 - “Similarly, if there are fraudulent transactions and/or transactions that result in a chargeback, then the subsequent transaction with that payment card/digital wallet may be scored in such a way indicating that the subsequent transaction is risker from a fraud perspective. Such data may be tied to a particular payment card, a particular digital wallet, and/or a particular device.” Also see Tomasofsky ¶ 27). 

As per claim 16, Tomasofsky, as modified, teaches the method of Claim 13, wherein routing the RBA result data further comprises:
	determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”); and 
transmitting an authentication approval if the risk level is low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue 

	As per claim 18, Tomasofsky, as modified, teaches the method of Claim 13, wherein routing the RBA result data further comprises:
	determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
[…].
	Tomasofsky, as modified, doesn’t directly teach: 
transmitting an authentication denied message if the risk level is high
However, Tomasofsky, suggests the concept(s) of:
transmitting an authentication denied message if the risk level is high (¶ 81 – payment cards data 620 may indicate blacklisted cards, ¶ 52 – “the RBD module generates a risk score for the payment card transaction using payment card data” and “[0145]…method 1300 is performed by a computing system such as…RBD system 920 (shown in FIG. 9)…Method 1300 also includes transmitting 1308 the message with the first risk score included within the at least one extension field to a party associated with the payment card transaction for use during 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the at least one processor is programmed to transmit an authentication denied message if the risk level is high, as suggested by Tomasofsky, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more secure and efficient platform that may take into consideration of cards on a blacklist (too risky) to reject transactions involving these cards, without the need for further considerations/authentication steps.

Claim(s) 5-6 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky (US Patent Application Publication 20160078444) in view of Aquino (US Patent Application Publication 20160104163) as applied to claim 1 above, and further in view of Stieglitz (US Patent 7614078) and Epelman (US Patent Application Publication 20160210633).

As per claim 5, Tomasofsky, as modified, teaches the authentication platform of Claim 1, wherein to route the RBA result data, the at least one processor is programmed to:
	[…]
to enable the ACS to make an authentication decision based on the RBA result data (Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”). 
Tomasofsky, as modified, doesn’t teach/suggest 
determine whether an access control server (ACS) is available;
transmitting information to ACS “if the ACS is available” 
“embed the RBA result data into the authentication request message to generate an enhanced authentication request message” and 
“transmit the enhanced authentication request message to the ACS”
However, Stieglitz, in an analogous art of a “providing threshold network access to requesters of network resources” (Col 1:8-9), teaches/suggests the concept(s) of:
determine whether an access control server (ACS) is available (FIG. 3 and Col 9:44-49 – “In step 350,…threshold access control server 110 is periodically queried to determine the status of…threshold access control server 110, i.e., whether…threshold access control server 110 
transmitting information to ACS “if the ACS is available” (Col 1:35-38 – “in processing an access request, an access control server authenticates the access request. Authentication is the validation of credentials presented by the access requester.” And Col 4: 65-57 – “assist threshold access control server 110 by verifying that an access request originates from a legitimate client 120.”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of “determine whether an access control server (ACS) is available” and transmitting information to ACS “if the ACS is available”, as taught/suggested by Stieglitz, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more convenient platform, that “avoid the undesirable implications of denying access to legitimate access requesters” when ACS is unavailable (Stieglitz Col 3:4-5).
Tomasofsky, as modified, doesn’t teach/suggest 
“embed the RBA result data into the authentication request message to generate an enhanced authentication request message” and 
“transmit the enhanced authentication request message to the ACS”
However, Epelman
“embed the RBA result data into the authentication request message to generate an enhanced authentication request message” (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”) and 
“transmit the enhanced authentication request message to the ACS” (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”, it is understood by a person having ordinary skill in the art that the ACS is of or operates on behalf of the issuer)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of “embed the RBA result data into the authentication request message to generate an enhanced authentication request message” and “transmit the enhanced authentication request message to the ACS”, as taught/suggested by Epelman, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more practical platform, providing a feasible way to forward risk data to the issuer known transactions data field formats.

As per claim 6, Tomasofsky, as modified, teaches the authentication platform of Claim 5, wherein the at least one processor is programmed to generate an authentication decision based on the RBA result data and the authentication profile if the ACS is unavailable (Stieglitz Col 5:29-34 – “In step 206, a session profile is selected for the access requester based on the threshold access level. The session profile indicates one or more actions the access requester is authorized to perform in the network. The session profile may be stored in any appropriate repository with other profiles”; Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”).

	As per claim 15, Tomasofsky, as modified, teaches the method of Claim 13.
Tomasofsky, as modified, doesn’t teach/suggest 
wherein routing the RBA result data further comprises: determining whether an access control server (ACS) is available;
transmitting information to ACS “if the ACS is available” 
the method further comprises: embedding the RBA result data into the authentication request message to generate an enhanced authentication request message; and 
transmitting the enhanced authentication request message to the ACS to enable the ACS to make an authentication decision based on the RBA result data; and 
if the ACS is unavailable, the method further comprises generating, by the processor, an authentication decision based on the RBA result data and the authentication profile..
However, Epelman, in an analogous art of implementing fraud detection techniques (Abstract), teaches/suggests the concept(s) of:
embedding the RBA result data into the authentication request message to generate an enhanced authentication request message (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”); and 
transmitting the enhanced authentication request message to the ACS to enable the ACS to make an authentication decision based on the RBA result data (FIG. 7:750 and ¶ 98 – “at block 750, the risk score may be sent/transmitted within a second transaction data (e.g., by modifying and forwarding the authorization request message) to an issuer of the user account, to provide the issuer with the detailed analysis of the risk of the transaction”, it is understood by a person having ordinary skill in the art that the ACS is of or operates on behalf of the issuer)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of Epelman, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of a more practical platform, providing a feasible way to forward risk data to the issuer known transactions data field formats.
Tomasofsky, as modified, doesn’t teach/suggest 
determining whether an access control server (ACS) is available;
transmitting information to ACS “if the ACS is available” 
if the ACS is unavailable, the method further comprises generating, by the processor, an authentication decision based on the RBA result data and the authentication profile.
However, Stieglitz, in an analogous art of a “providing threshold network access to requesters of network resources” (Col 1:8-9), teaches/suggests the concept(s) of:
determining whether an access control server (ACS) is available (FIG. 3 and Col 9:44-49 – “In step 350,…threshold access control server 110 is periodically queried to determine the status of…threshold access control server 110, i.e., whether…threshold access control server 110 is able or unable to process an access request from an access requester.”);
transmitting information to ACS “if the ACS is available” (Col 1:35-38 – “in processing an access request, an access control server authenticates the access request. Authentication is the validation of 
if the ACS is unavailable, the method further comprises generating, by the processor, an authentication decision based on the RBA result data and the authentication profile (Col 5:29-34 – “In step 206, a session profile is selected for the access requester based on the threshold access level. The session profile indicates one or more actions the access requester is authorized to perform in the network. The session profile may be stored in any appropriate repository with other profiles”. Also take note of Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of “determining whether an access control server (ACS) is available”, transmitting information to ACS "if the ACS is available", and “if the ACS is unavailable, the method further comprises generating, by the processor, an authentication decision based on the RBA result data and the authentication profile”, as taught/suggested by Stieglitz, to modify (or “further modify”) the method of Tomasofsky, as modified, because this would lead to the predictable results of a more convenient method, that “avoid the undesirable Stieglitz Col 3:4-5).

Claim(s) 9-10, 17 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tomasofsky (US Patent Application Publication 20160078444) in view of Aquino (US Patent Application Publication 20160104163) as applied to claims 7, 13 and 19 above, and further in view of Powell (US Patent Application Publication 20210090074).

	As per claim 9, Tomasofsky, as modified, teaches the authentication platform of Claim 7, wherein the at least one processor is programmed to:
	transmit a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, direct authentication of the suspect consumer (e.g., a 3DS “step-up” challenge).” And Tomasofsky ¶ 25 – “During some known 3-D Secure transactions, the suspect consumer (i.e., the consumer attempting to perform the payment card transaction with the merchant) is presented with an authentication challenge, sometimes called a “step-up challenge.” This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed” and Tomasofsky ¶ 119 – “may 
	receive a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”);
	and determine an authentication decision based on the response to the step-up challenge and the RBA result data (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).
	 Tomasofsky, as modified, doesn’t teach/suggest 
that the “step-up” challenge steps are performed by the ACS (note that, as noted in the 112(b) section above, the examiner interprets that these step-up operations are performed by an ACS separate from the claimed authentication platform that performs the RBD steps.)
However, Powell
that the “step-up” challenge steps are performed by the ACS (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of that the “step-up” challenge steps are performed by the ACS, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 

	As per claim 10, Tomasofsky, as modified, teaches the authentication platform of Claim 7, 
wherein the at least one processor is programmed to transmit the RBA result data to an access control server (ACS) if the risk level is 
[…].
	 Tomasofsky, as modified, doesn’t teach/suggest 
wherein the ACS is configured to perform a step-up challenge
However, Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, 
Further concerning claim 10, claim analysis is highly fact-dependent. A claim is only limited by positively recited elements. See MPEP § 2115. Also see MPEP § 2111.04.I. Here, the "Wherein" clause(s) of “wherein the ACS is configured to perform a step-up challenge” raises questions as to the limiting effect of the clause’s language upon the claim. This “wherein” clause(s) includes an attempt to further limit the ACS, which isn’t even a positively recited subcomponents of the claimed authentication platform. Therefore, the "wherein" clause(s) is/are not found to limit the claim because the clauses do not give "meaning and purpose to the manipulative steps” of the claimed invention. See MPEP § 2111.04.I and/or Griffin v. Bertina, 283 F.3d 1029, 1034, 62 USPQ2d 1431 (Fed. Cir. 2002).

	As per claim 17, Tomasofsky, as modified, teaches the method of Claim 13, wherein routing the RBA result data further comprises:
determining a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
transmitting a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, 
receiving a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”); and 
determining an authentication decision based on the response to the step-up challenge and the RBA result data (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).
Tomasofsky, as modified, doesn’t teach/suggest 
wherein the ACS is configured to perform a step-up challenge
However, Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 
 
As per claim 20, Tomasofsky, as modified, teaches the computer-readable storage media of Claim 19, wherein to route the RBA result data, the computer-executable instructions cause the at least one processor to:
determine a risk level based on the RBA result data and the authentication profile (Tomasofsky ¶ 28 – “The RBD system also generates a payment card score from the payment card information and combines the payment card score with the session trust level to generate an overall transaction risk level for the payment card transaction.”);
transmit an authentication approval if the risk level is low (Tomasofsky ¶ 35 – “the RBD system scores the subject transaction based at least in part on the transaction data and the infrastructure data. If the score is below the pre-defined threshold (i.e., “less risky”), then the transaction will be approved at this stage and subsequently will continue through to authorization without additional authentication of the suspect consumer” and ¶ 31 – “the RBD system sends risk-based decisioning data to the issuer's ACS via an extension message to the 3DS protocol”);
if the risk level is medium, the computer-executable instructions cause the at least one processor to:
transmit a step-up challenge to the online user if the risk level is medium (Tomasofsky ¶ 35 – “If the score is above a pre-defined threshold (i.e., “more risky”) [“medium”], then the transaction will undergo additional, direct authentication of the suspect consumer (e.g., a 3DS “step-up” challenge).” And Tomasofsky ¶ 25 – “During some known 3-D Secure 
receive a response to the step-up challenge from the online user (Tomasofsky ¶ 25 – “This step-up challenge generally requires the suspect consumer to provide a password, or a passcode from a second factor user device, before the transaction will be processed”);
and determine an authentication decision based on the response to the step-up challenge and the RBA result data- and transmit an authentication denied message if the risk level is high (Tomasofsky ¶ 36 – “having to answer an additional authentication challenge during a transaction” and Tomasofsky “[0030] In some embodiments, the RBD system may be provided as a service to issuing banks. In other words, the RBD system may provide scores to an issuer's access control system (ACS), and the ACS may make decisions based at least in part on the risk scores or risk data available from the RBD system.”, the authentication decision is based on information provided by the RBD and additional authentication challenge, when required).
Tomasofsky
wherein the ACS is configured to perform a step-up challenge
However, Powell, in an analogous art of tokenization concepts used in payment transactions (¶¶ 25-26), teaches/suggests the concept(s) of:
wherein the ACS is configured to perform a step-up challenge (“[0064] An “agent” may be an entity appointed by the issuer to perform specific functions on behalf of the issuer. Exemplary functions may include card processing, cardholder verification using the 3-D Secure protocol, and token service. For example, an Access Control Server (ACS) may be an agent of the issuer that provides a 3D-Secure service for identification and verification (ID&V).”)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to apply the known concept(s) of wherein the ACS is configured to perform a step-up challenge, as taught/suggested by Powell, to modify (or “further modify”) the platform of Tomasofsky, as modified, because this would lead to the predictable results of more versatile system capable of fulfilling various system configurations. Furthermore, it was well within the capabilities of a person having ordinary skill in the art to have realized that the expected results of a step-up authentication (such as offered through SD Secure protocol) would be the same regardless of whether the ACS or other entity performs step-up challenge. Namely, further security would be achieved either way by requiring further authentication from the user. 

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to GABRIEL S MERCADO whose telephone number is (408)918-7537.  The examiner can normally be reached on Mon-Fri 8am-5pm (Eastern Time).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Gabriel Mercado/Examiner, Art Unit 3685      

/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3685