Detailed Action
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/25/2021 has been entered.
 
Status of Claims
2.	Claims 2-4, 7-9, 11-20, 22, 25, and 26 are cancelled
3.	Claims 1 and 6 are amended 
4.	Claims 1, 5, 6, 10, 21, 23, 24, and 27-33 are pending

Claim Rejections - 35 USC § 112
5.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


6.	Claims 1, 5, 6, 10, 21, 23, 24, and 27-33  are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out 
7.	Claims 1 and 6 recite “a certain number of uses of the credential, using the credential in a certain geographic location, using the credential at certain times of a day, using the credential at certain days of a week, and using the credential with certain merchants,” which is an intended result of a process step positively recited and is not given any patentable weight. The claims as recite failed to provide clear-cut indication of claim scope because the intended use language as recited is not precise and definite resulting in no boundaries on the claim limitation. Therefore, the terms are indefinite.
(Examiner notes that the fact that these elements are capable of performing or cause to perform specific functions does not mean that they actually perform the functions as recited in the claims. A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentable distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim. See MPEP 2114 and Ex parte Masham, 2 USPQ2d 1647 (Bd. Pat. App. & Inter. 1987).)
8.	In claims 1 and 6, the terms "based least in part risk assignment outcome", is relative terms which, renders the claims indefinite. The terms are not defined by the claim. The specification recites “risk assignment outcome” (Specification Paragraph [0098],[0099]) but does not provide a standard for ascertaining on least in part risk assignment outcome (i.e., quantity, measure of “at least in part” as it relates to the risk assignment outcome), and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
9.	1, 5, 6, 10, 21, 23, 24, and 27-33 are dependent on claims 1 and 6, respectfully.
10.	Appropriate Action is required.

Claim Rejections - 35 USC § 101

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


12.	Claims 1, 5, 6, 10, 21, 23, 24, and 27-33    are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims 1, 5, 6, 10, 21, 23, 24, and 27-33 are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101.
13.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
14.	Therefore, claims 1, 5, 6, 10, 21, 23, 24, and 27-33 were analyzed for U.S.C. 101 as follows:
15.	Claims 1, 5, and 21, 23, 24, 27-33 are directed to a method, claims 6 and 10 are directed to server computer. The claims 6 and 10 are rejected for software (signal) per se.  1, 5, 6, 10, 21, 23, 24, and 27-33 are directed to a non-statutory judicial exception of an abstract idea.
16.	In claim 1, corresponding representative claims 6 and 33, the limitations that define an abstract idea (in bold) are below:
a method, comprising:
receiving, at a server computer, a provisioning request from an application provider computer to provision a credential to a mobile device, wherein the credential is associated with an account of a user; the provisioning request including device information of the mobile device and a risk score generated by the application provider computer, the device information including a unique identifier of the device and a consumer identifier, the application provider computer generating the risk score using the device information and the unique identifier;
generating, by the server computer, a risk assignment outcome for the provisioning request based at least in part on the device information and the risk score;
transmitting, by the server computer, provisioning scripts to be executed by the mobile device to cause the credential to be stored at the mobile device based at least in part on the risk assignment outcome; 
storing, by the server computer, a credential record indicating that the credential stored at the mobile device is associated with a partially activated state, such that the mobile device can utilize the credential for restricted transactions.
the partially activated state being different than a fully activated state where restrictions associated with the restricted transactions are lifted, the restricted transactions comprising a certain number of uses of the credential, using the credential in a certain geographical location, using the credential at certain times of a day, using the credential at certain days of a week, and using the credential with certain merchants,
the method further comprising: receiving, at the server computer, a first authorization request message for a first transaction, the first authorization request message including the credential;
identifying, by the server computer, the credential record based on the credential; determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; 
determining, by the server computer, that the first transaction qualifies as a restricted transaction; forwarding, by the server computer, the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction; receiving, at the server computer, a second authorization request message for a second transaction, the second authorization request message including the credential;  identifying, by the server computer, the credential record based on the credential;
determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; determining, by the server computer, that the second transaction does not qualify as a restricted transaction; and 
declining, by the server computer, the second transaction.
17.	In claim 1, corresponding representative claims 6 and 33, the steps describe receiving, identifying, determining a request to authenticate a user associated with an account on the mobile device. Provisioning a mobile device with account credentials are using concepts relating to certain methods of organizing human activity, more specifically fundamental economic principles or practices (including hedging, insurance, mitigating risk).
18.	The limitations of receiving the first authorization transaction, determining based on the credential record that the credential stored at the mobile device is associated with the partially activated state; determining that the first transaction qualifies as a restricted transaction and forwarding the first authorization request message to an authorizing entity and wherein the authorizing entity authorizes the first transaction. The recitation of “a server computer” does not take the claim out of certain methods of activity. It is mere instructions to implement an abstract ideal on a computer as a tool to perform the abstract idea. The claims are an abstract idea.  

20.	There specification only cited components under broadest reasonable interpretation, the components are described generic. The interpretation of the computing components are consistent with applicant's specification which describes the components in broad terms:
a.	  A "server computer" may be a powerful computer or combination of two or more computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit such as a cluster. In one example, the server computer may be a database server coupled to a web server. Server computers often execute server applications that act as a server in client-server interactions, including but not limited to database server applications, web server applications, application server applications, etc. (Specification: Paragraph [0042]
b.	A "mobile device" may include any suitable device that is moveable. In some embodiments, a mobile device may be any suitable electronic device that may be transported and operated by a user, which may also provide remote communication capabilities to a network. Examples of remote communication capabilities include using a mobile phone (wireless) network, wireless data network (e.g. 3G, 4G or similar networks), Wi-Fi, Wi-Max, or any other 
c.	In other embodiments, the functions, processes, operations or method steps may be implemented by firmware or a dedicated processor, integrated circuit, etc. [0176]. Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer-readable medium, such as a random access memory (RAM), a read-only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer-readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network (Specification: [0175], [0176])

22.	Finally, taken together, the additional elements and components of claim 1, corresponding representative claims 6 and 33, have been considered and are not ordered combinations as defined by the courts.
23.	Dependent claims 5, 10, and 31 further recite limitations of causing an authentication process to be performed with the user, responsive to authenticating the user, updating the credential record to indicate that the credential stored at the mobile device is associated with a fully activated state, receives the credential in the first authorization request message and detokenizes the payment token to obtain a primary account number, and includes the primary account number in the authorization request message that is forwarded to the authorizing entity, these limitations do not transform the abstract idea (i.e. steps to describe updating and authenticating a user for a payment transaction including access device status) but merely elaborates on how the abstract idea in the independent claims may be implemented and the technological environment upon which the abstract idea may be carried out. The “server computer” and the recitation of the additional element using “detokenizes the payment token to obtain a primary account number”, it is recited at a high level of generality and do not amount to anything more than instructions to perform the abstract idea using a generic computer. The claims are directed to an abstract idea. Simply suggesting a technological environment upon which the abstract idea may be implemented does not alter or transform the abstract idea.
claims 5, 10, and 31 are directed to an ineligible judicial exception without any significant more.
25.	Dependent claims 21, 23,  24, 27-30, and 32 further recite limitations of wherein the mobile device is a mobile phone, wherein the first transaction and the second transaction are payment transactions, wherein the credential is a payment token, and the authorizing entity is a bank, wherein the first authorization request message is received from an access device after the mobile device provides the credential to the access device, wherein the second authorization request message is received from an access device or another access device after the mobile device provides the credential to the access device or the another access device, wherein the access device is a point of sale terminal, wherein the credential is a payment token, and  wherein the authorizing entity is a bank that issued the primary account number, these limitations do not transform the abstract idea (i.e. steps to determine the restriction status for a payment transactions using a payment token  where the mobile phone is the access badge) but merely elaborates on how the abstract idea in the independent claims may be implemented and the technological environment upon which the abstract idea may be carried out. The “mobile device” and the recitation of the additional element using “mobile device is a mobile phone”, “mobile device is an access badge”, “ the restricted transaction”, and “credential is a payment token”, it is recited at a high level of generality and do not amount to 
26.	The additional components of "access device", "mobile device'', are recited at a high level of generality and does not amount to anything more than instructions to perform the abstract idea using a generic computer. The additional component and additional elements amount to no more than a generic computing component and elements that does not contribute anything significant or meaningful to the claim other than, in combination, suggesting a technological environment in which to implement or apply the abstract idea. The claims do not recite any improvements to the generic computing component. The claim does not recites additional elements that integrate the exception into a practical application of that exception Therefore, similar to the independent claim, dependent claims 21, 23, 24, 27-30, and 32  are directed to an ineligible judicial exception without any significant more
27.	Claim 6 recite to "a computer readable medium' and “code”. The broadest reasonable interpretation of a claim drawn to one or more computer readable tangible storage media typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customer meaning of computer readable medium. The specification does not discloses clarification on if the signal is transitory or non-transitory media.
28.	The interpretation of the terms are consistent with applicant's specification which describes it below: 

29.	Claim 10 is depending on claim 6. Therefore, claims 6 and 10 are rejected as covering a software (signal) per se, which is not directed towards statutory subject matter. See MPEP 2111.01.
30.	In summary, the independent and dependent claims, both individually and in combination with the ordered claims, do not provide meaningful limitations to transform the abstract idea into a patent eligible application of the abstract idea such that the claims amount to significantly more than the abstract idea itself. The claims do not recite an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment. Therefore, the claims 1, 5, 6, 10, 21, 23, 24, and 27-33     are rejected under 35 U.S.C. § 101 as being directed to unpatentable subject matter.

Claim Rejections - 35 USC § 103
31.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


32.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
33.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
34.	Claims 1, 5, 6, 10, 21, 23, 24, and 27-33 are rejected under 35 U.S.C. 103 as being unpatentable over Khan et al. (US Patent Application Publication No.: 2015/0058191; hereafter is known as Khan) in view of Schibuk et al (US Patent Application Publication No.: 2009/0132813; hereafter known as Schibuk)

35.	In claim 1: Khan discloses,
A method, comprising: 


 transmitting, by the server computer, provisioning scripts(Khan: Paragraph: [0056], [0057]) to be executed by the mobile device (i.e., a secure mobile platform) (Khan: Paragraph:  [0022],[0056]) to cause the credential to be stored at the mobile device; and  (i.e., may define and store a virtual-linking table 352 (e.g., as shown in FIG. 1) that may create associations between the actual credential and a virtual credential, such that anytime a virtual credential is utilized by device) (Khan: Paragraph: [0054], [0055], [0057])
storing, by the server computer, a credential record indicating that the credential stored at the mobile device is associated with a partially activated state (i.e., toggling the credential from disabled/pending activation) (Khan: Paragraph [0054],[0056],[0057]), such that the mobile device can utilize the credential for restricted transactions, (i.e., Such security features also may include a secure storage area that may have restricted access.) (Khan:  Paragraph [0023], [0057], [0058], [0063], [0088], [0090], [0091]) 
the partially activated state (i.e. Such a check cards response may include, for each credential associated with the authenticated user account, a description of the credential, a commercial entity fraud score for the credential, and/or a commercial entity fraud determination for the credential, which may be utilized by SMP broker 410 to determine whether or not the credential ought to be provisioned on device 100. Such a check cards response generated by fraud system component 450 may be transmitted by fraud system component 450 to SMP broker component 410 as data 665 via communications path 495 of FIG. 4 using any suitable 
Khan does not disclose,
based at least in part on the risk assignment outcome;
the restricted transactions comprising a certain number of uses of the credential, using the credential in a certain geographical location, using the credential at certain times of a day, using the credential at certain days of a week, and using the credential with certain merchants,
receiving, at the server computer, a first authorization request message for a first transaction, the first authorization request message including the credential; 
identifying, by the server computer, the credential record based on the credential;
determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; 
determining, by the server computer, that the first transaction qualifies as a restricted transaction; 
forwarding, by the server computer, the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction; 
receiving, at the server computer, a second authorization request message for a second transaction, the second authorization request message including the credential; 
identifying, by the server computer, the credential record based on the credential;
determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; 

However Schibuk discloses,
based at least in part on the risk assignment outcome; (communications gateway may also handle data other than trusted data communications gateway may be integrated into a trusted system allowing the communications gateway to offer trusted data storage as an additional service i.e. gateway could determine to proceed in process 1950 only with transactions that have a low risk profile) (Schibuk: Paragraph [0249] [0254])
the restricted transactions comprising a certain number of uses of the credential (i.e., an organization may have a standing policy to issue day pass cards to visitors, and revoke them at the end of each business day) (Schibuk: Paragraph [0168], [0175], [0262]) , using the credential in a certain geographical location (i.e., limiting the geographic location of the other party) (Schibuk: Paragraph {0218], [0301]), using the credential at certain times of a day (i.e., where the offer is good until a certain date, or for a number of days after the first use of the memory device, or until a retail version is purchased) (Schibuk: Paragraph [0168], [0175], [0262]), using the credential at certain days of a week (i.e., an organization may have a standing policy to issue day pass cards to visitors, and revoke them at the end of each business day) (Schibuk: Paragraph [0129], [0221], [0334]) , and using the credential with certain merchants (i.e., limiting the geographic location of the other party) (Schibuk: Paragraph [0218],0301])
receiving (i.e., receives data for trusted storage), at the server computer, a first authorization request message (i.e., data storage request originates from the trusted source) for a first transaction, the first authorization request message including the credential (i.e., credentials, and storing data, associated with the transaction and the digitally signed document,); (Schibuk: Paragraph [0013], [0232], [0235])  
identifying, by the server computer, the credential record based on the credential; (i.e., determine whether any given data storage request originates from the trusted source. This 
determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; (i.e., The data service provider may also allocate a URL to the storage area. Additionally in process 1620, a data service provider may receive business rules governing data to be stored in the allocated, trusted storage space. These rules may be similar to the business policies) (Schibuk: Paragraph [0234],[0239]) 
determining, by the server computer, that the first transaction qualifies as a restricted transaction; (i.e., they could instruct the data service provider to forward or not forward data based on a number of criteria) (Schibuk: Paragraph [0234]) 
forwarding, by the server computer, the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction; (i.e., for example, the rules may instruct to only forward data once per day as a daily digest. This rule is appropriate where a trusted source generates many informational data messages. Or, the rules may instruct to deliver each message as it is received by the data service provider.) (Schibuk: Paragraph [0234])
receiving, at the server computer, a second (i.e., since the last time it was requested or similar method) authorization request message for a second transaction (i.e. the transaction may be requested), the second authorization request message including the credential (i.e., business data); (Schibuk: Paragraph [0261],Fig. 21) 
identifying (i.e., has been initialized with business data in the process), by the server computer, the credential record based on the credential (i.e. business data); (i.e., Process 2150 applies instructions or rules to determine whether to proceed with the transaction.) (Schibuk: Paragraph [0261]) 

determining, by the server computer, that the second transaction does not qualify as a restricted transaction; i.e., then determines in process whether to perform the transaction by consulting the business using a communications network (not shown), or by consulting business rules stored in the memory device. Process 2150 applies instructions or rules to determine whether to proceed with the transaction) (Schibuk: Paragraph [0261]); and 
declining, by the server computer, the second transaction. (i.e., If the transaction should not proceed, transactional device updates the memory device to disable business data in process 2152.) (Schibuk: Paragraph [0261]) 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine Khan and Schibuk so that method can authenticate user and the data on a real-time basis by updating the credit record so it can decline or authorized the transaction based on a risk score including identification information and a verification response for a risk assessment. These embodiments of the invention thus enhance both security and privacy, while making secure and trusted transactions easier. (Schibuk: Paragraph [0312]) The process further includes entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data, and also includes causing the device to communicate the set of credential data to a system of the relying party, for purposes of authenticating the individual to participate in the transaction. (Schibuk: Paragraph [0007])
37.	In claim 5: Khan and Schibuk disclose the method of supra, including Khan discloses further comprising: 

responsive to authenticating the user, updating, by the server computer, the credential record to indicate that the credential stored at the mobile device is associated with a fully activated state. (i.e., the state of the secure element on device 100 (e.g., whether the credential's PAN is enabled for use) may be updated at step 548 asynchronously with (e.g., later than) the status of the credential as it may visually appear available to a user) (Khan: Paragraph [0023], [0054], [0057], [0058], [0063], [0091])
36.	In claim 6: Khan discloses,
A server computer comprising:
a processor; and 
a computer readable medium, the computer readable medium comprising code, executable by the processor, for implementing a method comprising: (Khan: Paragraph [0082],  [0099])
receiving a provisioning request from an application provider to provision a credential to a mobile device, wherein the credential is associated with an account of a user, (Khan: Paragraph [0053],[0054], [0057]) the provisioning request including device information of the mobile device and a risk score generated by the application provider computer, the device information including a unique identifier of the device and a consumer identifier, the application provider computer generating the risk score using the device information and the unique identifier; (Khan: Paragraph [0037], [0038], [0043])
generating, by the server computer, a risk assignment outcome for the provisioning request based at least in part on the device information and the risk score; (Khan: Paragraph [0052], [0055], [0058], [0063])

storing a credential record indicating that the credential stored at the mobile device is associated with a partially activated state(Khan: Paragraph [0054],[0056],[0057]), such that the mobile device can utilize the credential for restricted transactions. (Khan:  Paragraph [0023],[0057], [0058], [0063], [0088], [0090], [0091])
the partially activated state (i.e. Such a check cards response may include, for each credential associated with the authenticated user account, a description of the credential, a commercial entity fraud score for the credential, and/or a commercial entity fraud determination for the credential, which may be utilized by SMP broker 410 to determine whether or not the credential ought to be provisioned on device 100. Such a check cards response generated by fraud system component 450 may be transmitted by fraud system component 450 to SMP broker component 410 as data 665 via communications path 495 of FIG. 4 using any suitable communications protocol over any suitable communications path type. (Khan: Paragraph [0043]))  being different than a fully activated state (i.e. may also include a ranking for each identified credential, where one credential may be ranked higher than another credential for provisioning purposes (Khan: Paragraph [0040])) where restrictions associated with the restricted transactions are lifted (i.e. “ok to provision” indicator for each identified credentials (Khan: Paragraph [0040]))  (Khan: Paragraph [0040], [0043],[0050],[0052], [0058] [0066], [0071],[0091]), the method further comprising: 
Khan does not discloses,
based at least in part on the risk assignment outcome;
the restricted transactions comprising a certain number of uses of the credential, using the credential in a certain geographical location, using the credential at certain times of a day, using the credential at certain days of a week, and using the credential with certain merchants

identifying the credential record based on the credential; 
determining, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; 
determining the server computer, that the first transaction qualifies as a restricted transaction; 
forwarding the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction; 
receiving a second authorization request message for a second transaction, the second authorization request message including the credential; 
identifying the credential record based on the credential; 
determining based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; 
determining that the second transaction does not qualify as a restricted transaction; and declining the second transaction.
However Schibuk disclose, 
based at least in part on the risk assignment outcome; (Schibuk: Paragraph [0249] [0254])
the restricted transactions comprising a certain number of uses of the credential (Schibuk: Paragraph [0168], [0175], [0262]), using the credential in a certain geographical location (Schibuk: Paragraph [0218],0301]), using the credential at certain times of a day (Schibuk: Paragraph [0168], [0175], [0262]), using the credential at certain days of a week, and using the credential with certain merchants,(Schibuk: Paragraph [0218],0301])

identifying the credential record based on the credential; (Schibuk: Paragraph [0234])
determining, based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; (Schibuk: Paragraph [0234],[0239])
determining the server computer, that the first transaction qualifies as a restricted transaction; (Schibuk: Paragraph [0234])
forwarding the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction; (Schibuk: Paragraph [0234])
receiving a second authorization request message for a second transaction, the second authorization request message including the credential; (Schibuk: Paragraph [0261],Fig. 21)
identifying the credential record based on the credential; (Schibuk: Paragraph [0261])
determining based on the credential record, that the credential stored at the mobile device is associated with the partially activated state; (Schibuk: Paragraph [0261])
determining that the second transaction does not qualify as a restricted transaction; and declining the second transaction. (Schibuk: Paragraph [0261]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine Khan and Schibuk so that method can authenticate user and the data on a real-time basis by updating the credit record so it can decline or authorized the transaction based on a risk score including identification information and a verification response for a risk assessment. These embodiments of the invention thus enhance both security and privacy, while making secure and trusted transactions easier. (Schibuk: Paragraph [0312]) The process further includes entering the authentication data into the device to authenticate the individual to the device, so that the individual can use the stored set of credential data, and also includes causing the device to communicate the set of credential 
37.	In claim 10: Khan and Schibuk disclose the method of supra, including Khan discloses further comprises: 
causing an authentication process to be performed with the user; and  (Khan: Paragraph [008], [0032])
responsive to authenticating the user, updating, by the server computer, the credential record to indicate that the credential stored at the mobile device is associated with a fully activated state. (Khan:  Paragraph [0023], [0057], [0058], [0063], [0088], [0090], [0091])
38.	In claim 21: Khan and Schibuk disclose the method of supra, including wherein the mobile device is a mobile phone. (Schibuk: Paragraph [0130])
39.	In claim 23: Khan and Schibuk disclose the method of supra, including wherein the first transaction and the second transaction are payment transactions (i.e., the transaction includes: a purchase; receiving an extension of credit; obtaining access to money stored in a financial account, credentials may include a physical credential credit card). (Schibuk: Paragraph [0008], [0023], [0028])
40.	In claim 24: Khan and Schibuk disclose the method of supra, including wherein the credential is a payment token (i.e., for example, a driver's license or a credit card (which are also tokens), (Schibuk: Paragraph [0125]) and the authorizing entity is a bank (i.e., Trusted data producers include banks, hospitals, credit card companies). (Schibuk: Paragraph [0116], [0226], [0234], [0249])
41.	In claim 27: Khan and Schibuk disclose the method of supra, including wherein the first authorization request message is received (i.e., user initiates a request) from an access device after the mobile device (i.e., user accesses the phone, computer, or other electronic device) provides the credential to the access device. (i.e., the electronic device may contain a credential 
42.	In claim 28: Khan and Schibuk disclose the method of supra, including wherein the second authorization request message is received from an access device or another access device after the mobile device (i.e., transactional device is depicted as a phone) provides the credential to the access device or another access device. (i.e., consistent with consumer needs and a relevant business environment, memory device) (Schibuk: Paragraph [0261]) 
43.	In claim 29: Khan and Schibuk disclose the method of supra, including wherein the access device is a point of sale terminal. (i.e., Process 2520 may include, for example, activating point-of-sale devices (e.g. credit card readers), physical access systems and head ends, web servers, and other devices and processes. (Schibuk: Paragraph [0280]
44.	In claim 30: Khan and Schibuk disclose the method of supra, including wherein the credential is a payment token. (i.e., a virtual smartcard can represent the data contained in the physical smartcard or other physical credential or token) [Schibuk: Paragraph [0182])
45.	In claim 31: Khan and Schibuk disclose the method of supra, wherein the server computer receives the credential in the first authorization request message and detokenizes the payment token (i.e., decrypt the number) to obtain a primary account number (i.e., credit card number), and includes the primary account number in the authorization request message that is forwarded to the authorizing entity (i.e., forward a message with the encrypted data). (Schibuk: Paragraph [0305], [0306]) 
46.	In claim 32: Khan and Schibuk disclose the method of supra, including wherein the authorizing entity (i.e., credential issuers) is a bank that issued the primary account number (i.e., credit card accounts). (Schibuk: Paragraph [0095], [0116], [0125]) 
claim 33: Khan and Schibuk disclose the method of claim of supra, including wherein the method further comprises: 
receiving, at the server computer, a third authorization request message for a third transaction, the third authorization request message including the credential;  (Schibuk: Paragraph [0261], [0329], Fig. 21]) 
identifying, by the server computer, the credential record based on the credential; (Schibuk: Paragraph [0261]) 
determining, by the server computer, based on the credential record, that the credential stored at the mobile device is associated with the fully activated state; (Schibuk: Paragraph [0261])
determining, by the server computer, that the third transaction does not qualify as a restricted transaction; and (Schibuk: Paragraph [0261])
forwarding, by the server computer, the third authorization request message to an authorizing entity, wherein the authorizing entity authorizes the third transaction (i.e., transaction should proceed). (Schibuk: Paragraph [0261])

Response to Amendment
48.	Applicant’s arguments with respect to the rejections under U.S.C. § 112(b) for the limitation of “the device information including a unique identifier of the device”, Applicant’s amendments and remarks have been fully considered, the rejection was resolve with the amendments, and are  persuasive, rejection is withdrawn.
49.	Applicant’s arguments with respect to the rejection of claims under U.S.C. § 112(b) for limitations “a certain number of uses of the credential, using the credential in a certain geographic location, using the credential at certain times of a day, using the credential at certain 
	In regard to the terms “based least in part risk assignment outcome", the terms are not defined by the claim and do not provide a standard for ascertaining on least in part risk assignment outcome (i.e., quantity, measure of “at least in part” as it relates to the risk assignment outcome), and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Therefore the claim is indefinite. 
	In regards to the terms “a certain number of uses of the credential, using the credential in a certain geographic location, using the credential at certain times of a day, using the credential at certain days of a week, and using the credential with certain merchants,” which is an intended result of a process step positively recited and is not given any patentable weight. The claims as recite failed to provide clear-cut indication of claim scope because the intended use language as recited is not precise and definite resulting in no boundaries on the claim limitation. Therefore, the terms are indefinite.
50.	Applicant’s arguments with respect to the rejection of claims 1, 5, 6, 10, 21, 23, 24, and 27-33 under U.S.C. § 101, Applicant’s remarks have been fully considered but they are not persuasive. 
	In regards to Step 2A Prong One, the Applicants argument recite that the claims do not include a "method of organizing human activity." While the Examiner infers that the claims are directed to a "fundamental economic activity," the Examiner has provided no evidence that the claims are in fact a "fundamental economic activity." The Examiner cannot simply allege that something is "fundamental" without providing any evidence to support the assertion. Further, the claims are not directed to a "fundamental economic activity," because the claims recite improved methods and machines that provide for more convenient and secure transaction 
	The Examiner respectfully disagree. The term "fundamental" is used in the sense of being foundational or basic. All of these concepts relate to practices used in economic transactions involving or anticipating some kind of monetary exchange. The concept described in amended claim 1 is not meaningfully different from the concepts above because it recites “ a provisioning request to provision a credential to a mobile device”, “a credential record indicating that the credential stored at the mobile device is associated with a partially activated state, such that the mobile device can utilize the credential for restricted transactions.”,” a risk score generated”,  “a first authorization request message for a first transaction”, “wherein the authorizing entity authorizes the first transaction;”, “that the second transaction does not qualify as a restricted transaction”, “generating the risk score using the device information and the unique identifier”, and “declining the second transaction”. This type of process is foundation or basic to the economy, as financial transaction that uses available [financial] data for completing/implementing a financial transaction. U.S.C 101 rejection above, recites the abstract elements above (in bold). The Examiner would like to point out the amended claims cite: “the first authorization request message to an authorizing entity, wherein the authorizing entity authorizes the first transaction”, “determining, by the server computer, that the second transaction does not qualify as a restricted transaction”, and “declining the second transaction” (i.e. mitigating risk by restricting the transaction based on the credential record and declining the second transaction ) The interpretation above is consistent with the Application specification where it cites " Security risks are still controlled, as any potential fraudulent use is limited by the restricted set of transactions” (Specification: Paragraph [0024]), “Once authenticated, the credentials can be provisioned through a number of back-and-forth messages between the user's mobile device, a provisioning service, and potential other intermediary entities” (Specification: Paragraph [0004]), and “a risk score can include an arbitrary designation or 
	In regards to Step 2A Prong 2, the Applicants argument recites that the alleged abstract idea is clearly integrated into a "practical application. As explained at paragraphs [0023]-[0024] of the specification, embodiments of the invention allow for tokens to be used in a partially activated state, without authentication of a user. This allows the user to use the token in a mobile device immediately, without waiting for an authentication process to be completed. This improves upon conventional systems that would otherwise require authentication prior to the use of any token. Since the methods and systems according to embodiments of the invention improve upon conventional systems, embodiments of the invention provide for an application that is "practical." As such, pursuant to the 2019 Guidelines, the alleged abstract idea is clearly "integrated into a practical application" and the claims should also be patent eligible under Step 2A - Prong 2.
	The Examiner respectfully disagree. This is not a technical solution to a technical problem but a business solution to a business problem (i.e., receiving, identifying, and determining a request to authenticate a user associated with an account on the mobile device). This judicial exception is not integrated into a practical application. In particular, the amended claims 1, corresponding representative 6, recite a server computer, computer readable medium, processor, and mobile device.  The computer hardware is recited at a high-level of generality 
	In the Applicants remarks argues that the amended claims, under Step 2B is significantly more. The examiner respectfully disagrees. Under the Step 2B analysis, the Examiner is to "evaluate the additional elements individually and in combination under Step 2B to determine whether they provide an inventive concept (i.e., whether the additional elements amount to significantly more than the exception itself)." Id. At 22-23. Thus, even non-practical additional elements can provide inventive concepts if the additional element "adds a specific limitation or combination of limitations that are not well- understood, routine, conventional activity in the field, which is indicative that an inventive concept may be present" Id. at 23. As stated in the Office Action, the claims recites the additional components of a server computer, computer readable medium, processor, and mobile device. Then the examiner pointed out evidence from applicant's specification how stated computer component are describe: “"server computer" may be a powerful computer or combination of two or more computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit such as a cluster. In one example, the server computer may be a database server coupled to a web server. Server computers often execute server applications that act as a server in client-server interactions, including but not limited to database server applications, web server applications, application server applications, etc.” (Specification: Paragraph [0042]) and “In some embodiments, the functions, processes, operations or method steps may be implemented as a result of the execution of a set of instructions or software code by a suitably-programmed computing device, microprocessor, data processor, or the like. The set of 
	In regards to the Applicants argument which recites that the Examiner has provided no evidence that the amended claims are well-understood, routine and conventional”. The Examiner would like to point out that the Examiner did not recite in the Detail Action on record that the claims were “well-understood, routine and conventional”.
51.	Applicant’s arguments with respect to the rejection of claims 1, 5, 6, 10, 21, 23, 24, and 27-33 under U.S.C. § 103 rejection, Applicant’s remarks and amendments have been fully considered and are not persuasive. 
	The Applicants argument recite that the cited references fail to disclose, teach, or suggest all the features of amended independent claim 1, and corresponding claim 6. For example, amended independent claim 1, and corresponding representative claim 6, recites among other things, "receiving, at a server computer, a provisioning request from an application provider computer to provision a credential to a mobile device, wherein the credential is associated with an account of a user, the provisioning request including device information of the mobile device and a risk score generated by the application provider computer, the device information including a unique identifier of the device and a consumer identifier, the application provider computer generating the risk score using the device information and the unique identifier." The Applicants argument further recite that Schibuk is silent as to utilizing "a risk score" that is included in the "provisioning request," let alone a risk score "generated by the application provider computer ... using the device information and the unique identifier," as recited by amended independent claim 1, and corresponding representative claim 6.
	The Examiner respectfully disagree. The rejection is improper. The amended claims and rejections have been updated with the new amendments and amended claims.  Khan discloses the provision request from an application provider computer to provision a credential to a mobile device (Khan: Paragraph [0025], [0053], [0054], [0057]). In addition, Khan discloses the risk 

Conclusion
52.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERNADINE LOTHERY whose telephone number is (571)272-7985.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shahid Merchant can be reached on 5712701360.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/B.L./Examiner, Art Unit 3693                                                                                                                                                                                                        

/Shahid Merchant/Supervisory Patent Examiner, Art Unit 3693