DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Preliminary Amendment
The following detailed action acknowledges the preliminary amendments of the response filed on 29th of June of 2018. The amendments in the filed response have been entered. 
Claims 113-132 have been added. 
Claims 1-112 have been cancelled. 
Claims 113-132 are pending in the application and the status of the application is currently pending. 

Claim Objections
Claims 115 and 125 are objected to because of the minor informality of grammar. The claims recite received form the verification token, where the limitation should recite received from the verification token. Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 113-118 and 123-128 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Observing claims 113 and 123, the claims recite the limitation: wherein the gateway is configured to send the authentication request to the access control server, receive an authentication page, forward the authentication page to the user computer, receive the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, and determine if the first secure datum matches a second secure datum previously provided by the validation entity to the verification token
In view of claims 113 and 123, the claims 115-117 and 125-127 recite elements that do not describe functions of the claimed invention. Claims 115 and 125 recite: wherein the first secure datum was received by the verification token from a validation entity after the validation entity validates information received form the verification token, where the actions of the verification token are not clearly further limiting the functions of the merchant server; claims 116 and 126 recite: wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer, where the elements of the verification token and the portable consumer device are not clearly further limiting the merchant server; and claims 117 and 127 recite: wherein the access control server is configured to receive the authentication page filled in with the first secure datum, the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations, where the elements and the functions of the access control server do not clearly further limit the merchant server. 
Considering the recitations of claims 115-117 and 125-127, the limitations of the claims do not further limit the functions of the merchant server, and it is not clear if the claims would be infringed by being in possession of the merchant server sending and receiving authentication messages, or by possession of a verification token, a portable 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 113-132 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The rejection is based on the subject matter eligibility test that is detailed in the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) and the October 2019 Patent Eligibility Guidance Update (October 2019 Update). The conclusions of the test support the rejection. 
In Step 1 of the test, the claims were found to be directed to one of the four statutory categories. Claims 113-122 are directed to a method of authentication as executed by a merchant server. Claims 123-132 are directed to the merchant server that is implementing a method of authentication. Thus, it is concluded in Step 1 that the claims recite executing a process.
In Step 2A(1), the claims were found to recite an abstract idea. The claims 113 and 123 recite 
receiving, by a merchant server, payment information from a user computer; 
transmitting, by the merchant server, a verification request to a gateway, wherein the gateway forwards the verification request to an access control server; 
receiving, by the merchant server, from the access control server via the gateway, a verification response; 
transmitting, by the merchant server, an authentication request to the gateway, […]; 
receiving by the merchant server, an authentication response in response to transmitting the authentication request; and 
initiating by the merchant server, an authorization process after receiving the authentication response. 
The emphasized limitations describe the transmission of messages, receiving response messages and initiating an authorization process by a merchant server. The messages sent and received are related to a payment transaction, where the merchant server is exchanging messages with an access control server, which is related to the issuer. These limitations suggest an abstract idea of a merchant confirming approval to use a payment method, which is a transaction between people that falls under certain methods of organizing human activity. 
The extracted limitations recite as follows: wherein the gateway is configured to send the authentication request to the access control server, receive an authentication page, forward the authentication page to the user computer, receive the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, and determine if the first secure datum matches a second secure datum previously provided by the validation entity to the verification token. The limitations are reciting the functions of the access control server in a manner that is separate from the merchant server, and is considered as recitations of the intended use of the claimed invention. Even though they are the intended use of the claimed invention, the limitations recite the method steps: send the authentication request; forward the authentication page; receive the authentication page filled in with a first secure datum obtained with a verification token; and determine if the first secure datum matches a second secure datum previously provided. The recited transmission of messages and comparison of data are functions that can be performed by hand as part of the process to confirm approval to use a payment method, which falls under the abstract idea of certain methods of organizing human activity.
The dependent claims further support the interpretation of the abstract idea. The claims recite:
Claims 114 and 124 recite wherein the first secure datum is generated based on an identity of a merchant with which a user conducts a transaction, and a date or time of the transaction. These limitations describe elements of the first datum that the merchant has available at the time of the transaction, part of the payment transaction and supporting the abstract idea.
Claims 115 and 125 recite wherein the first secure datum was received by the verification token from a validation entity after the validation entity validates information received form the verification token. These limitations describe a function of the verification token, which is defined in claims 116 and 126 as another device outside of the merchant server, which is not executing functions that further 
Claims 116 and 126 recite wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer. These limitations describe the verification token as a device outside of the merchant server, read by a data processor that is not part of the merchant server, and describing the action of receiving data from a user of the user computer. Interpreting the data processor as a card reader and the verification token is the card, these limitations describe the use of a card in a card reader that receives entry information of the card owner, all part of the abstract idea. 
Claims 117 and 127 recite wherein the access control server is configured to receive the authentication page filled in with the first secure datum, the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations. The limitations describe the access control server, which is not part of the merchant server, and describes the comparison of datum interpreted as a one to one 
Claims 118 and 128 recite wherein the access control server is configured to transmit the authentication response to the gateway, wherein the gateway forwards the authentication response to the merchant server. The limitations describe the transmission of the response message that is received by the merchant server, related to the response to the request to authorize the use of payment, part of the abstract idea.
Claims 119 and 129 recite wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, wherein the authentication response is transmitted by the gateway to the merchant server via the communication frame, the authentication response including a URL of the gateway received in the verification response, and wherein the merchant plug-in validates a signature included in the authentication response. The limitations describe the process of connecting the merchant with the customer through the communication frame to receive the authentication response, which is supporting the authentication process that is part of the abstract idea. 
Claims 120 and 130 recite wherein the communication frame is used to present the authentication page to a user of the user computer. The limitations describe the technology used to simplify the communication between the merchant and the customer, which are considered a method of organizing human activity as part of the abstract idea.
Claims 121 and 131 recite wherein the authorization process is initiated with an acquirer for a transaction based at least in part on the authentication response. The limitations describe the initiation of authorization, suggesting it has not been done and may not be done. Interpreting the process will be executed, the limitations are describing the initiation of authentication which would be part of the abstract idea.
Claims 122 and 132 recite wherein payment information includes a PAN and wherein the verification request includes the PAN. The limitations describe elements used as part of an authorization process and are part of the abstract idea.
As shown in points G-O, the claims support the process of authentication that is part of the transaction between people. Therefore, it is concluded in Step 2A(1) that the claims recite an abstract idea.
In Step 2A(2), the claims that recite the judicial exception do not integrate the judicial exception into a practical application. The additional elements in points A – F are describing a merchant server sending and receiving messages, where other servers are recited to perform the authentication and return it to the merchant server. These elements show using a computer as a tool to perform the abstract idea. 
The additional elements in the dependent claims in points H – J were determined to be outside of the merchant server and are not properly reciting elements as part of the claimed invention. However, the elements recited with the additional elements in the dependent claims in points G and K-O further describe functions of the merchant server, concluding the limitations are generally linking the use of the abstract idea to a particular Therefore, it is concluded in Step 2A(2) that the claims are directed to the abstract idea. 
In Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claims recite the actions of a merchant server interacting with an access control server, a verification token and a user computer, reciting the sending and receiving of messages during an authentication process, supporting the use of a computer to perform the abstract idea. In point L, the recitation of a merchant plug-in from the merchant server opens a communication frame on the user computer gives insight to how the data was transferred for authentication, but the plug-in still allows for a user of the user computer to enter the information for authentication. Thus, while this and the other additional elements limit the abstract idea to a specific technical field, there is no improvement to the process of performing the abstract idea, nor is there an improvement to another technology or technical field. Considering the additional elements individually, the claims do not include elements that are sufficient to amount to significantly more than the judicial exception. Considering the additional elements in combination, the steps do not add any meaningful limits on practicing the abstract idea more than the elements analyzed individually and thus do not add significantly more to the claimed invention. Therefore, it is concluded in Step 2B that the claims do not have additional elements that mean significantly more, and the test concludes the claims are patent ineligible.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).
Claims 113, 114, 117, 118, 121, 123, 124, 127, 128, and 131 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer (CA 2,604,348, hereinafter “Stemer”), in view of Nyberg (CA 2,449,748, hereinafter “Nyberg”).
Regarding Claims 113 and 123, Stemer teaches 
receiving, by a merchant server, payment information from a user computer; (“Referring now briefly to Fig. 2, after the required information has been gathered at the merchant's (POS, ATM, online, telephone, etc.), an authorization request or charge request 10 is sent to the financial processing facility 6.” See Stemer in pagemark 7, lines 20-23)
transmitting, by the merchant server, a verification request to a gateway, wherein the gateway forwards the verification request to an access control server; (“…an authorization request or charge request 10 is sent to the financial processing facility 6. … At the same time, the customer profile 25 associated with the account number is checked at 13.” See Stemer in pagemark 7, lines 21-25)
receiving, by the merchant server, from the access control server via the gateway, a verification response; (“If the profile is set to Notify Only, the query 14 returns a corresponding response and the customer's wireless device (e.g., cell phone or beeper) is notified at 15. The message may be an SMS message or it may be a voice announcement, depending on the customer profile. Once the notification has been sent at 15, a flag is set at 16.” See Stemer in pagemark 7, lines 27 – pagemark 8, Line 3)
transmitting, by the merchant server, an authentication request to the gateway, (same process for the verification, See Stemer in pagemark 7, lines 21-25)
wherein the gateway is configured to send the authentication request to the access control server, receive an authentication page, forward the authentication page to the user computer, […] (concluded as the access control server sends the authentication request to the user computer: “If the customer profile is set to Notify & Confirm, the message to the customer's wireless device contains a message as above and a prompt for confirmation at 17.” See Stemer in pagemark 8, lines 4-6) 
receiving, by the merchant server, an authentication response in response to transmitting the authentication request; (“The confirmation may be a simple reply to an SMS message, it may consist of any key depressed (during a live call), or it may be a full-fledged PIN or password. In a further modification, which adds yet another level of security, the customer may be prompted for a voice reply and the reply may then be subjected to "voice recognition" by comparing a frequency hysteresis chart associated with the customer to the voice reply. If the customer (or the person in the possession of the wireless device) returns the proper response, the query 18 directs the process flow to the box 16, where the confirm flag is once more set to "l".” See Stemer in pagemark 8, lines 6-14) and
initiating by the merchant server, an authorization process after receiving the authentication response (Stemer provides the process of authentication and of authorization of payment, based on the customer profile: “It will be understood that the foregoing scenario is merely exemplary and is in no way limiting with regard to the application of the instant invention (nor is it intended to be disparaging to the restaurant industry). Indeed, there exist numerous situations where proper customer notification and customer authorization may prevent fraudulent 
Stemer does not expressly teach receive the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, and determine if the first secure datum matches a second secure datum previously provided by the validation entity to the verification token.  
However, Nyberg does teach 
the gateway is configured to send the authentication request to the access control server, receive an authentication page, forward the authentication page to the user computer
receive the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, (“In this preferred embodiment of the invention the first communication device 2 selects a unique random string P (block 103 in Fig. 1), which is relatively short, for example 6 characters long. This selection can be conducted in a manner known as such, for example by generating it using a random string generator provided in the application software of the control block. Besides selecting a random string P, the first communication device 2 calculates a first check string c1 (block 104) on the basis of the random string P it has generated and the shared encryption key K. The length of this check string is preferably the same as the length of the random string, i.e. in this example situation 6 characters. The first communication device 2 displays the random string P it has selected and the first check string c1 it has calculated on the display 7a (block 105) and the random string P and the check string c1 are reported to the user of the second communication device 3 (arrow 106).” See Nyberg in pagemark 10 lines 10-25) and 
determine if the first secure datum matches a second secure datum previously provided by the validation entity to the verification token. (“Thereafter a checking stage is conducted in the second communication device 3. Thus, the second communication device calculates a second check string c2 (block 108) on the basis of the random string P and the shared encryption key K entered by the user. Thereafter the second communication device 3 compares the string c1 entered by the user to the calculated second check string c2 (block 109). The second communication device 3 indicates the result of the check for example with a signal 
The requirements for comparing and confirming the match of the created values, as shown in Nyberg, are to authorize a transaction between one device and a second device. (See Nyberg in Figure 1).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer a “process of authentication by comparison”, as taught by Nyberg, to improve the authentication process by securing the comparison of data.  
Regarding Claims 114 and 124, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, further teaches the first secure datum is generated based on an identity of a merchant with which a user conducts a transaction, and a date or time of the transaction (interpreting the datum as a dynamic value, where the merchant identity is a static value [secret key] and the date and time is constantly changing [random number]: “After the paging stage both communication devices 2, 3 perform an interactive key exchange stage (arrow 102 in Fig. 1) to generate the same secret key K in both devices. … In this preferred embodiment of the invention the first communication device 2 selects a unique random string P (block 103 in Fig. 1), which is relatively short, for example 6 characters long. This selection can be conducted in a manner known as such, for example by generating it using a random string generator provided in the application software of the control block. Besides selecting a random string P, the first communication device 2 calculates a first check string c1 (block 104) on the basis of the random string P it 
Regarding Claims 117 and 127, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, further teaches wherein the access control server is configured to receive the authentication page filled in with the first secure datum, (See Nyberg in pagemark 10 lines 10-25) the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations (See Nyberg in pagemark 10 lines 28-37).
Regarding Claims 118 and 128, Stemer, in view of Nyberg, teaches the limitations of claims 117 and 127. Stemer further teaches wherein the access control server is configured to transmit the authentication response to the gateway, wherein the gateway forwards the authentication response to the merchant server (See Stemer in pagemark 7, lines 27 – pagemark 8, Line 3).
Regarding Claims 121 and 131, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer further teaches wherein the authorization process is initiated with an acquirer for a transaction based at least in part on the authentication response (“Immediately upon receiving the authorization request, the credit card authorization system (e.g., the acquirer 6) sends an SMS message to the customer's cell phone. The customer receives the message telling him that the restaurant has requested authorization .

Claims 115-116, 122, 125-126 and 132 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer, in view of Nyberg, and further in view of Mennes (US 2009/0235339, hereinafter “Mennes”).
Regarding Claims 115 and 125, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, does not expressly teach wherein the first secure datum was received by the verification token from a validation entity after the validation entity validates information received form the verification token. 
However, Mennes does teach 
   a first secure datum (One Time Password, ‘OTP’) is received by the verification token from a validation entity (Authentication Server): (“First, the Authentication Server generates the Master Server OTP (713). The Master Server OTP (713) is a time and challenge-based one-time password… Subsequently, the 8-digit Server OTP (718) is sent to the token (100).” See Mennes within [0136]-[0147], in reference to Figure 7); 
after the validation entity validates information received from the verification token (“ A Server OTP (718) is correct if: [0156] It was generated with the same SAK (716) as the SAK (722) that is stored in the token (100), and [0157] it was generated using a Business Unit Index (BUI) (715) that is known to token (100), and [0158] it was generated inside the time acceptance window that is used by token 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Nyberg, a “process to verify and generate the secure datum”, as taught by Mennes, to improve the authentication process by securing the comparison of data.  
Regarding Claims 116 and 126, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, does not expressly teach wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer. 
However, Mennes does teach a verification token comprising a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer (interpreting the portable consumer device has the means to connect with the verification token: “This application discloses a low-cost strong authentication token for creating one-time passwords and/or transaction signatures, hereafter collectively referred to as security values, for use in client-server transactions, comprising trustworthy output means to present information to the user, and data input means capable of receiving input data, whereby the input data is efficiently encoded so as to allow transfer of the input data into the token in a reasonable time frame and requiring only low-cost hardware, and 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Nyberg, a “device for user verification”, as taught by Mennes, because the device will secure the datum prior to use for authentication.
Regarding Claims 122 and 132, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, does not explicitly teach wherein payment information includes a PAN and wherein the verification request includes the PAN.
However, Menned further teaches wherein payment information includes a PAN and verification request includes the PAN (“Instead of containing only literal texts or values, the message can also contain references to texts or values known to or stored in the token. For example, the message can contain a tag value that refers to the text "Amount=", rather than containing the full literal "Amount=" text itself. The message can also contain a reference to a stored value of the user's default account number, rather than containing the literal user's account number itself. Formatted numerical data such as money amounts or account numbers are represented as raw non-formatted numerical data whereby the formatting is 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Nyberg, a “default account value”, as taught by Mennes, because the device will secure the datum prior to use for authentication.

Claims 119-120 and 129-130 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer, in view of Nyberg, and further in view of Wankmueller (US 2005/0289052, hereinafter “Wankmueller”).
Regarding Claims 119 and 129, Stemer, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, further teaches wherein the authentication response is transmitted by the gateway to the merchant server via the communication frame, the authentication response including a URL of the gateway received in the verification response (See Stemer in pagemark 7, lines 21-25).  
Stemer, in view of Nyberg, does not expressly teach wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response. 
However, Wankmueller teaches the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response (“either: A) charges the financial instrument in the amount received, using account rd paragraph).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Nyberg, a “merchant plug-in”, as taught by Wankmueller, because the plug-in would facilitate the communication of the secure data and reduce the attempts of theft.
Regarding Claims 120 and 130, Stemer, in view of Nyberg, in view of Wankmueller, teaches the limitations of claims 119 and 129. Stemer, in view of Nyberg, in view of Wanlmueller, further teaches wherein the communication frame is used to present the authentication page to a user of the user computer (“Figures 3D and 3E are a flowchart illustrating a method of allowing a user to optionally authenticate one or more communications from a computer system and a computer system to optionally authenticate a user and displaying information according to one embodiment of the present invention.” See Wankmueller in pagemark 5, lines 16-19).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR R MARTINEZ-HERNANDEZ whose telephone number is (571)270-0658.  The examiner can normally be reached on M-F from 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOHN W. HAYES can be reached on (571) 272-6708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/ERM/Examiner, Art Unit 3685

/STEVEN S KIM/Primary Examiner, Art Unit 3685