Acknowledgements
This communication is in response to applicant’s response filed on 09/20/2021.
Claims 9, 13-15, 18, 20-21, and 31 have been amended. Claims 1-8, 17, 22, and 29 have been cancelled. 
Claims 9-16, 18-28, and 30-31 are pending and have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Regarding applicant’s arguments under Claim Rejections - 35 USC § 103 that Davis (US 20090132415) in view of Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) does not disclose teach, or suggest “determining a number of failed log-in attempts for the payment account of the user; based on the number of failed log-in attempts, suspending a validity of the barcode that has the embedded different unique identifier; generating a new barcode that embeds a new unique identifier; and providing the new barcode to the payment account of the user,” in amended claim 9, examiner respectfully argues applicant’s argument is moot in light of the new grounds of rejection necessitated by the claim amendments. 

Applicant argues dependent claims 10-16, 18-19, 23-28, and 30-31 are allowable based on their dependence upon allowable base claims, examiner respectfully argues applicant’s arguments are moot in light of the new rejections necessitated by the claim amendments for claims 9, 20, and 21.

Priority
This application claims the benefit of US Provisional Application No. 62/108,386 filed on 01/27/2015. Applicant’s claim for the benefit of this prior-filed application is acknowledged.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 9-10, 12, 20-21, 28, and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915).

Regarding Claims 9, 20, and 21, Davis teaches receiving a request for a credit check for the user, the request including a unique identifier associated with the user (Paragraphs 0024 and 0067 teach the system can include a mobile identification component that receives a unique ID of an mobile communication device (MCD), where the unique ID can be affiliated with a user of the MCD and identify both the MCD as well as the user; the mobile identification component can provide the unique ID to a mobile credit interface component that associates a credit account with the unique ID of the MCD, and a credit history associated with the user can be obtained utilizing the identifier (e.g., by way of a credit check with a commercial credit reporting agency) upon receipt of the unique ID, or upon pairing the identifier with the unique ID); mapping the unique identifier to a social security number of the user associated with the payment account (Paragraphs 0024 and 0067 teach consumer credit information (i.e., social security number) can be associated with the unique ID, where the identifier (i.e., social security number) associated with the owner can be included within the unique ID of the MCD); retrieving a credit history of the user from a credit reporting service using the social security number (Paragraphs 0024 
However, Davis does not explicitly teach receiving from a merchant device a request for a credit check in relation to a user, the request including a type of merchant associated with the merchant device; performing a web presence analysis of the user based on user-inputted text in one or more published posts of an online social media account associated with the payment account of the user; generating a risk score report based on the credit history and the user-inputted text in the one or more published posts of the online social media account associated with the payment account, wherein, based on the type of merchant associated with the merchant device, the credit history is weighted more than the user-inputted text in the one or more published posts of the online social media account in generating the risk score report; and communicating the risk score report to the merchant device.
Baird from same or similar field of endeavor teaches receiving from a merchant device a request for a credit check in relation to a user, the request including a type of merchant associated with the merchant device performing a web presence analysis of the user based on user-inputted text in one or more published posts of an online social media account associated with the payment account of the user (Paragraphs 0051, 0058-0059, 0071, and 0074 teach the subscriber may request that an identity agent (i.e., part of the Provider) create an mIdentity for the subscriber; the identity agent may retrieve this personal data from the sources and may attempt to correlate information found in the different sources (e.g., each of the subscriber's social networks/online presence); the more the different sources of information can be validated and/or generating a risk score report based on the credit history, wherein, based on the type of merchant associated with the merchant device, the credit history is weighted more than the user-inputted text in the one or more published posts of the online social media account in generating the risk score report (Paragraphs 0075, 0079, 0081, and 0083 teach when profiles from multiple sites (e.g., Facebook, LinkedIn, Twitter, and eBay) are triangulated against each other and analyzed for accuracy and consistency a “Verifiable Social Identity Score” (VSIS) may be generated; the VSIS may represent a “fingerprint” for the user that corresponds to, for example, a mathematical representation of the user's social networking site identifying information, correlated across multiple social networking sites; once all relevant social networking sites have been consulted, processing may and communicating the risk score report to the merchant device (Paragraph 0062 teaches the identity agent may provide the mIdentity to the requesting beneficiary, which may result in a new transaction taking place).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in Davis, which teaches requesting a credit check of a user, to incorporate the teachings of Baird to receive from a merchant device a request for a credit check in relation to a user, the request including a type of merchant associated with 
There is motivation to combine Baird into Davis because the use of mobile devices and social networks to conduct commerce and interact with others on the Internet provides unique opportunities in such fields as authentication and the evaluation of creditworthiness. Currently, online services and banks currently do not take advantage of these opportunities (Baird Paragraph 0004). The base invention is improved because a user of these services may establish an identity with the provider of the service in order to protect the integrity of such personally-identifiable services. To reduce the possibility of fraud in identifying the user before any such service is consummated, the provider of the service (or the provider of the system that enables the service) may rely on certain information related to that service to establish the identity of the user. Numerous services require the establishment of some sort of identity for a user before the user can consummate a transaction with the service. A careful, secure, and legal amalgamation of these various sources of identity, across different service providers, yet all relating to the same user, may result in an identity that is far more accurate than any of them 
However, the combination of Davis and Baird does not explicitly teach based on the web presence analysis, determining that the user-inputted text in the one or more published posts of the online social media account indicates that the user has paid off a loan; and generating a risk score report based on the user-inputted text in the one or more published posts of the online social media account associated with the payment account that indicates that the user has paid off the loan.
Klein from same or similar field of endeavor teaches based on the web presence analysis, determining that the user-inputted text in the one or more published posts of the online social media account indicates that the user has paid off a loan (Paragraphs 0050, 0020, 0028 teaches the lending service uses social networking to communicate information about the lender the borrower and the listing (i.e., borrower profile) to other potential lenders; social media can be used to spread information about the borrower or loan subscriptions associated with the borrower; the borrower can create and upload posts (i.e., posts 112) to the borrower’s social network about the repayment of a formal loan agreement, and the lending service can use this information to update and provide badges for the borrower); and generating a risk score report based on the user-inputted text in the one or more published posts of the online social media account associated with the payment account that indicates that the user has paid off the loan (Paragraphs 0028, 0111, 0041, and 0071 teaches a 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the base invention in the combination of Davis and Baird, which teaches generating a risk score report based on credit history, wherein the credit history is weighted more 
There is motivation to combine Klein into the combination of Davis and Baird because social networking can assist lenders since lenders often know other lenders who could be interested in lending opportunities recommended by colleagues, even if those lending opportunities fall outside of the normal preferences of a particular lender. Because social networks allow user-inputted posts (i.e., posts 112) to be quickly disseminated to other members of the social networks borrower’s and lender’s social networks, opportunities for borrowing capital and lending capital can go viral and provide additional matches between borrowers and lenders, thereby potentially speeding up the subscription of borrower requests for capital by lenders (Klein Paragraph 0062). The badge can be particularly advantageous for borrower's who have bad credit, no credit, or have had a bankruptcy in their past (Klein Paragraph 0071).
However, the combination of Davis, Baird, and Klein does not explicitly teach receiving, from a merchant device, a request, the request including a scan of a barcode that embeds a unique identifier associated with the user; and replacing the barcode that embeds the unique identifier associated with the user with another barcode that embeds a different unique identifier.
Priebatsch from same or similar field of endeavor teaches receiving, from a merchant device, a request, the request including a scan of a barcode that embeds a unique identifier associated with the user (Paragraphs 0028 and and replacing the barcode that embeds the unique identifier associated with the user with another barcode that embeds a different unique identifier (Paragraph 0029 teaches the app on the mobile device may also be programmed to wait for a triggering event to replace the QR code; for example, this triggering event may be in the form of the user opening the app, the user clicking a button to refresh his token, or other triggers as determined by the app's programming; when the new token is received, the app causes the old one to be invalidated (so that the consumer uses only the newest token)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, and Klein, which teaches generating a risk score report based on credit history by weighting social media posts, to incorporate the teachings of Priebatsch to receive, a request, the request including a scan of a barcode that embeds a unique identifier associated with the user; and replace the barcode that embeds the unique identifier associated with the user with another barcode that embeds a different unique identifier.
There is motivation to combine Priebatsch into the combination of Davis, Baird, and Klein because the process of networked code rotation is far more secure than simple static tokens (Priebatsch Paragraph 0029). The security for the base 
However, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund does not explicitly teach determining a failed log-in attempt for the payment account of the user; based on the failed log-in attempt, suspending a validity of the barcode that has the embedded different unique identifier; generating a new barcode that embeds a new unique identifier; and providing the new barcode to the payment account of the user.
Specogna from same or similar field of endeavor teaches determining a failed log-in attempt for the payment account of the user (Paragraphs 0102-0108 teach an automated fraud detection/mitigation processing may have detected potentially fraudulent activity; identifying information such as a name of the cardholder or a user ID along with one or more of a password, certificate, or other security token may be received; next, a comparison is performed of at least a portion of the received identifying information to at least a portion of the stored cardholder identifying information retrieved from the datastore(s) and a determination may be made as to whether the purported cardholder can be authenticated based on the comparison performed at block; if the identifying information received from the purported cardholder does not match the stored cardholder identifying information based on an appropriate matching algorithm, a determination may be made that the purported cardholder cannot be based on the failed log-in attempt, suspending a validity of the barcode that has the embedded different unique identifier (Paragraphs 0112-0113 and 0066 teach a new card account identifier (i.e., barcode) may be automatically triggered responsive to an automated determination that an existing card account identifier has been potentially compromised; the service provider system may automatically apply a block (i.e., suspend) to the existing card account identifier); generating a new barcode that embeds a new unique identifier (Paragraph 0112 teaches the block (i.e., suspension) may be a permanent block that triggers, that occurs at least partially concurrently with, or that occurs subsequent to the initiation of processing to generate a new card account identifier (i.e., new barcode)); and providing the new barcode to the payment account of the user (Paragraph 0120 teaches the service provider system may communicate an indication of the newly generated permanent card account identifier to the card issuer system for association with the appropriate financial account of the cardholder).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund, which teaches generating a risk score report based on credit history by weighting social media posts based on receiving a request that includes a scan of a barcode that embeds a new different unique identifier associated with the user, to incorporate the teachings of Specogna to determine a failed log-in attempt for the payment account of the user; based on the failed log-in attempt, suspend a validity of the barcode that has the embedded different unique identifier; generate a new barcode 
There is motivation to combine Specogna into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because a cardholder may determine an existing card account identifier has been potentially compromised due to loss or theft of a payment card or funds access card that encodes the card account identifier or due to other forms of potential misappropriation of the card account identifier that may not involve loss or theft of a card. The base invention is improved because it provides an automated system hosted by or on behalf of an issuer of the card account identifier that may determine that the card account identifier has potentially been compromised based on one or more fraud detection/mitigation rules, and may initiate communication with the cardholder, responsive to which the cardholder may indicate a desire to have a card account identifier for temporary use established (Specogna Paragraphs 0025-0026).
However, the combination of Davis, Baird, Klein, and Specogna does not explicitly teach determining a number of failed log-in attempts; and based on the number of failed log-in attempts, suspending a validity of the barcode that has the embedded different unique identifier.
Haulund from same or similar field of endeavor teaches determining a number of failed log-in attempts (Paragraph 0031 teaches if a certain number of failed login attempts are attempted such as 1, 3, 10 or other reasonable number of failed login attempts); and based on the number of failed log-in attempts, suspending a validity of the barcode that has the embedded different unique identifier (Paragraph 0031 teaches the profile can be set to lock out all 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, and Specogna which teaches generating a risk score report based on credit history by weighting social media posts based on receiving a request that includes a scan of a barcode that embeds a new different unique identifier associated with the user, then generating a new barcode after a failed login attempt, to incorporate the teachings of Haulund to determining a number of failed log-in attempts; and based on the number of failed log-in attempts, suspending a validity of the barcode that has the embedded different unique identifier.
There is motivation to combine Haulund into the combination of Davis, Baird, Klein, Priebatsch, and Specogna because the invention provides a reasonable level of security and a reasonable method (i.e., allows for multiple failed log-in attempts) for mitigating compromised login in formation (Haulund Paragraph 0004). The system helps mitigate compromised credentials. If a user loses or misplaces the smartphone used with the system, the user may contact a single server to temporarily or permanently halt access based upon possession of the smartphone (Haulund Paragraph 0010).
Regarding Claim 9, Davis teaches a system (Paragraph 0078 teaches an exemplary computer system) comprising: a non-transitory memory storing a payment account of a user (Paragraphs 0081 and 0025 teach computer storage media can include in any suitable method or technology for storing information such and one or more hardware processors coupled to the non-transitory memory and configured to read instructions to cause the system to perform operations(Paragraph 0083 teaches the processing unit can be any of various commercially available processors and the system bus couples components of system including, but not limited to, the system memory to the processing unit).
Regarding Claim 20, Davis teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations (Paragraphs 0099 and 0031 teach embodiments include a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods; an “article of manufacture” as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media, for example, computer-readable media can represent one or more devices and/or other machine-readable media for storing, containing, and/or carrying instruction(s) and/or data).
Regarding Claim 21, Davis teaches a method (Paragraph 0066 teaches a flowchart of a sample methodology for facilitating credit transactions for an MCD credit account).

Regarding Claim 10, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; and Davis further teaches wherein the unique identifier is encoded with the social security number of the user (Paragraphs 0066-0067 teach an identifier associated with the owner can be included within the unique ID of the MCD, wherein the identifier can be a social security number; the unique ID can also be encrypted (i.e., encoded) by an encryption formula, as described herein or as known in the art).

Regarding Claim 12, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; and Davis further teaches wherein the unique identifier is encoded with one or more of personal information of the user or financial information of the user (Paragraphs 0066-0067 teach an identifier associated with the owner can be included within the unique ID of the MCD, wherein the identifier can be a PIN number (i.e., financial information) or social security number, etc., that can uniquely identify the owner of the MCD; the unique ID can also be encrypted (i.e., encoded) by an encryption formula, as described herein or as known in the art).

Regarding Claims 28 and 30, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claims 21 and 20 above; however the combination does not explicitly teach analyzing online transactions associated with the payment account of the user, and wherein the risk score report is generated further based on the analyzed online transactions.
Baird further teaches analyzing online transactions associated with the payment account of the user, and wherein the risk score report is generated further based on the analyzed online transactions (Paragraph 0063 teaches in addition to providing the requestor with the subscriber's mIdentity, the identity agent may use the mIdentity to calculate the subscriber's “creditworthiness;” the information in the mIdentity may include information about the subscriber's purchase and payment history, employment, risk factors, etc., and hence may provide a great deal of information relevant to the calculation of a credit score; this calculated score may be a numerical quantity, a logical value, or a recommended action based on the Subscriber's mIdentity).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the further teachings of Baird to analyze online transactions associated with the payment account of the user, and wherein the risk score report is generated further based on the analyzed online transactions.
.

Claims 11, 15, and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Gaddam (US 20150106239).

Regarding Claims 11 and 31, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claims 9 and 20 above; however the combination does not explicitly teach wherein the unique identifier has an expiration after which the unique identifier is invalidated.
Gaddam from same or similar field of endeavor teaches wherein the unique identifier has an expiration after which the unique identifier is invalidated (Paragraph 0068 teaches status code of token (i.e., unique identifier) may indicate the token is expired).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Gaddam for the unique identifier to have an expiration after which the unique identifier is invalidated.


Regarding Claim 15, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; however the combination does not explicitly teach determining whether the new unique identifier has expired due to a time limit or a usage limit; and communicating an error message to the user or a credit check requester when the new unique identifier has expired.
Gaddam from same or similar field of endeavor teaches determining whether the new unique identifier has expired due to a time limit or a usage limit (Paragraphs 0068, 0063 teach status code of token (i.e., unique identifier) may indicate the token is expired and a TRL computer system may generate and send a token validation response message, or TRL response, to an entity device; the token validation response message may comprise a response and communicating an error message to the user or a credit check requester when the new unique identifier has expired (Paragraphs 0021 and 0068 teach the token validation response may comprise a response status indicating whether or not the token validation request was accepted and a token revocation list (TRL) status code, wherein the TRL status code may inform the merchant as to whether or not the payment token is valid or not valid, for example, the status code“4” may indicate that the token is expired).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Gaddam for the new unique identifier to have a time limit after which the new unique identifier is invalidated and to communicate an error message to the credit check requester.
There is motivation to combine Gaddam into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because of the same reasons listed above for claim 11.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Hazel (US 20090048953).

Regarding Claim 13, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; however the combination does not explicitly teach determining whether to validate the new unique identifier based on a predetermined format or convention; and communicating an error message to the user or a credit check requester when the new unique identifier is not validated.
Hazel from same or similar field of endeavor teaches determining whether to validate the new unique identifier based on a predetermined format or convention (Paragraphs 0123 and 0011 teach a data capture device can be configured to package the encrypted token data in the same form and format as conventional non-encrypting systems such that the transaction package can be sent to the terminal in a form and format anticipated by the terminal; the terminal can then check the encrypted data (for example, with parity, LRC and a mod 10 check), which should be correct as it was regenerated by the encryption module to maintain the same format); and communicating an error message to the user or a credit check requester when the new unique identifier is not validated (Paragraph 0123 teaches if the token fails, a bad read status can be output).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Gaddam to validate the new unique identifier based on a predetermined format or convention; and communicate an error message to the user or a credit check requester when the new unique identifier is not validated.
.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Binder (US 20170161743).

Regarding Claim 14, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; and Davis further teaches determining whether the new unique identifier can be decrypted with a private key associated with the user (Paragraphs 0062 and 0060 teach a decryption database can be used to convert encrypted data back to an un-encrypted form, specifically, a public key/private key pair can be used to encrypt and decrypt data upon transmission and receipt, respectively, by the MCD or financial account server; encryption can essentially enable remote communication between the MCD and a financial account server, including affecting a credit transaction thereby, to be protected).
communicating an error message to the user or a credit check requester when the new unique identifier is not able to be decrypted by the private key.
Binder from same or similar field of endeavor teaches communicating an error message to the user or a credit check requester when the new unique identifier is not able to be decrypted by the private key (Paragraphs 0064 and 0067 teach authorization processing device may receive the new credit card number (i.e., encrypted data) from a first merchant while the new credit card number was encrypted with a public key or an identifier associated with a second merchant that differs from the first merchant; as such, authorization processing device will apply the private key associated with the second merchant and will be unable to access the actual credit card number; the authorization processing device may generate a signal reporting the attempted fraud and/or transmit a signal to the merchant device (i.e., credit check requester) indicating that the use is an attempt at fraud).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Gaddam to communicate an error message to the user or a credit check requester when the new unique identifier is not able to be decrypted by the private key.
There is motivation to combine Binder into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because the signal may be transmitted to .

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Stransky-Heilkron (US 20160048700).

Regarding Claim 15, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; however the combination does not explicitly teach determining whether the unique identifier has expired due to a time limit or a usage limit; and communicating an error message to the user or a credit check requester when the new unique identifier has expired.
Stransky-Heilkron from same or similar field of endeavor teaches determining whether the unique identifier has expired due to a time limit or a usage limit (Paragraphs 0022 and 0040 teach the managed database may and communicating an error message to the user or a credit check requester when the new unique identifier has expired (Paragraph 0040 teaches one rule may specify that when a credit check is made more than 10 times (i.e., usage limit) in a day, then an alarm should be issued to the user and a financial institution).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Stransky-Heilkron for the unique identifier to have a usage limit after which the new unique identifier is invalidated and to communicate an error message to the credit check requester.
There is motivation to combine Stransky-Heilkron into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because to prevent successive queries to “guess” confidential information, the user and/or the creator of a particular personal information record and/or an authority such as the smartcard issuer may be able to specify an alarm condition such as a threshold that .

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Oliai (US 8694420 B1).

Regarding Claim 16, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; however the combination does not explicitly teach retrieving a transaction history of the user; and analyzing the transaction history, and the one or more published posts of the online social media account.
Baird further teaches retrieving a transaction history of the user (Paragraph 0063 teaches in addition to providing the requestor with the subscriber's mIdentity, the identity agent may use the mIdentity to calculate the subscriber's “creditworthiness;” the information in the mIdentity may include information about the subscriber's purchase and payment history, employment, risk factors, etc., and hence may provide a great deal of information relevant to the calculation of a credit score; this calculated score may be a numerical quantity, a logical value, or a recommended action based on the Subscriber's mIdentity); and analyzing the transaction history, and the one or more published posts of the online social media account (Paragraphs 0075 and 0079 teach when profiles 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the further teachings of Baird to retrieve a transaction history of the user; retrieve the one or more published posts of the online social media account; and analyze the transaction history, and the one or more published posts of the online social media account.
There is motivation to further combine Baird into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because of the same reasons listed above for claim 9.
However, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund does not explicitly teach and analyzing the credit history.
analyzing the credit history (Col. 1, lines 43-49, and Col. 15, lines 15-19, teach conventional credit risk analysis utilizes a risk model, or a scorecard to give a relative weight to each instance in the credit history to provide a credit-worthiness score, wherein these models vary from provider to provider depending on the needs of the institution requesting the credit score; in the preferred embodiment, the credit-only scorecard includes a set of coefficients for trade-line records, a set of coefficients for public record records, and a set of coefficients for credit inquiry records).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Oliai to retrieve credit reports of the user, analyzing the credit reports, and generating a risk score report.
There is motivation to combine Oliai into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because credit providers use credit worthiness scores and reports to evaluate the general level of risk a credit-provider would incur when offering the consumer a line of credit (Oliai Col. 5, lines 22-25). The higher the credit-worthiness score, the lower the risk associated with that consumer (Oliai Col. 15, lines 45-46).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of .

Regarding Claim 18, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 9 above; however the combination does not explicitly teach retrieving personal information of the user; determining particular digits of the new unique identifier based on the personal information; and inserting random alphanumeric characters into the new unique identifier.
Fiske from same or similar field of endeavor teaches retrieving personal information of the user (Paragraph 0093 teaches when the user wants to access the secure entity, the user enters at least some identifying information (e.g., a social security number) into passcode device, and if passcode device is able to match the identifying information with identifying information stored in passcode device (i.e., retrieves personal information of the user), then passcode device generates a passcode, wherein the identifying information may be stored in passcode device in association with a user ID); determining particular digits of the new unique identifier based on the personal information (Paragraphs 0097 and 0111 teach the item used to generate the passcodes is any item that is unique (i.e., social security number), and a first item (e.g., unique information) maybe used to “generate” a second item (e.g., a passcode) by using the first item to “directly” generate the second item; a method may be used for generating a registration code from the identification information, wherein the method (which may be referred to as a generating method) may be a “one-way” method such as a and inserting random alphanumeric characters into the new unique identifier(Paragraph 0113 teaches the one-way function involves computations that cause a loss of information or a discarding of selected pieces of information, wherein some of the input information is lost in this class of one-way functions; for example, a one-way function may be constructed by first performing a randomizing operation such as discarding random bits of information from the input, and adding random bits of information to the input).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Fiske to receive a request from the user to generate a new unique identifier; retrieve personal information of the user; determine particular digits of the new unique identifier based on the personal information; and insert random alphanumeric characters into the new unique identifier.
There is motivation to combine Fiske into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because using passcode generators enables the identification of a person without having to access the user's identifying data (e.g., social security number). For example, some citizens and organizations are concerned about the government and other institutions storing a person's biometric data. By using a passcode generator, an institution can identify a person with a unique registration or passcode, which is derived from authentication data (Fiske Paragraph 0118).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Fiske (US 20140201536) in further view of Ury (US 20150248525).

Regarding Claim 19, the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund, and Fiske teaches all the limitations of claim 18 above; however the combination does not explicitly teach generating a private key and a public key associated with the user; and communicating the public key to a user device of the user that enables the new unique identifier generated at the user device to be encrypted.
Ury from same or similar field of endeavor teaches generating a private key and a public key associated with the user (Paragraph 0117 teaches the browser on the user's computer, in certain cases in response to certain user inputs, and, in other cases, in response to internal events, generates a new public/private key pair ke/kd and then requests a public-key certificate from the certificate authority via a request message); and communicating the public key to a user device of the user that enables the new unique identifier generated at the user device to be encrypted (Paragraphs 0117 and 0113 teach upon verification, a certificate authority returns a public-key certificate, such as the X.509 certificate discussed above, wherein the public-key certificate is used in secure communications for verifiably binding a public key to a name or identifier, such as a business entity name or a business or personal email address).

There is motivation to combine Ury into the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund, and Fiske because public-key certificates essentially act as data records that contain a sequence of standard fields that contain information needed to employ the certificate for verifying the association of a user identifier or system identifier with a public key (Ury Paragraph 0113).

Claims 23 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Brudnicki (US 20140040139).

Regarding Claim 23, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 21 above; however the combination does not explicitly teach wherein the different unique identifier is generated to have 32 digits.
Brudnicki from same or similar field of endeavor teaches wherein the different unique identifier is generated to have 32 digits (Paragraphs 0057 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Brudnicki for the new unique identifier to be generated to have 32 digits.
There is motivation to combine Brudnicki into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because creating a data block formed with some or all of the following fields (32 digits): Account # (9 digits); IMEI (device identifier—11 digits); Expiry date (4 digits); Random number (6); and Sequence counter (2) improves security by incorporating multiple pieces of user information to create the different unique identifier there is less likelihood of fraud (Brudnicki Paragraph 0085).

Claims 24 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Mohajeri (US 20140059343) in further view of Palanisamy (20150312038).	

Regarding Claim 24, the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund and Mohajeri teaches all the limitations of claim 23 above; however the combination does not explicitly teach wherein the unique identifier previously had 16 digits prior to being replaced with the different unique identifier having 32 digits.
Palanisamy from same or similar field of endeavor teaches wherein the different identifier previously had 16 digits prior to being replaced with the new unique identifier having 32 digits (Paragraph 0022 teaches a “token” may be a substitute for sensitive information; for example, a token can be a substitute for sensitive information such as a real account identifier, and the token may be used in place of the real account identifier to conduct access the account; this reference teaches the unique identifier is 16 digits).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund and Mohajeri to incorporate the further of Palanisamy for the unique identifier to previously have had 16 digits prior to being replaced with the new unique identifier having 32 digits.
.

Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Salama (US 20150100477) in further view of Narayan (US 20140282923).

Regarding Claim 25, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 21 above; however the combination does not explicitly teach wherein the replacing the unique identifier associated with the user with another unique identifier is performed in response to a determination that a user device associated with the user is currently located in a new location, and wherein the new location is a location that the user device has not previously been located.
Salama from same or similar field of endeavor teaches wherein the replacing the unique identifier associated with the user with another unique identifier is performed in response to a determination that a user device associated with the user is currently located in a new location, and wherein the new location is a location that the user device has not previously been located (Paragraphs 0041, 0083-0084, 0088, and 0093 teach a vault may be configured to update, replace, refresh, modify, and delete tokens generated by a user, for instance, the user-generated tokens may provide another individual with temporary access to portions of the user's stored data; based on one or more conditions or rules, the disclosed embodiments may intelligently determine whether a tokenized transaction account has been compromised, or is in risk of being compromised, and automatically refresh or replace the tokenized account with an updated tokenized transaction account that is stored on client device to improve the security of transaction accounts through the dynamic update, replacement, or elimination of tokens; vault may be configured to generate one or more token update conditions for a transaction account associated with user, for example, the vault may generate and store conditions controlling whether and/or how the user's token for a tokenized transaction account needs to be refreshed, replaced, or otherwise modified, wherein the conditions dictating whether to update the token may be based on one or more characteristics, such as, for example, location data reflecting where a transaction occurs relating to the transaction account (e.g., high-risk or low-risk designated geographical locations); Condition 3 may be associated with the risk level relating to the location involved with a current transaction that is being analyzed by vault, for example, vault may collect geographic information relating to the location of client device that is involved with the transaction, and that provided the transaction account to the merchant for the transaction; if vault determines that the current transaction is taking place in a 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Salama for the replacing the unique identifier associated with the user with another unique identifier to be performed in response to a determination that a user device associated with the user is currently located in a new location, and wherein the new location is a location that the user device has not previously been located.
There is motivation to combine Salama into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because the vault may have access to a stored relationship map between identity or account theft locations and certain geographic locations to identify high, medium and/or low risk geographic locations regarding account transactions which may be based on one or more conditions that control how the new token is generated. Vault may determine, based on one or more conditions assessed by vault relating to the transaction account signal, that the transaction account may be at risk and replace the token accordingly (Salama Paragraphs 0088 and 0093).
However, the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund, and Salama does not explicitly teach wherein the replacing the barcode that embeds the unique identifier associated with the user with another barcode that embeds a different unique identifier is performed in response to a determination that a user device associated with the user is currently located in a new location.
Narayan from same or similar field of endeavor teaches wherein the replacing the barcode that embeds the unique identifier associated with the user with another barcode that embeds a different unique identifier is performed in response to a determination that a user device associated with the user is currently located in a new location (Paragraph 0018 teaches the at least one QR code validity parameter comprises at least one of (1) a time window having an end time and (2) a defined location within which an authentication QR code remains valid, and outside of which the authentication QR code is invalid; a new authentication QR code is automatically generated when the first device moves outside of the defined location and a new defined location is established for the new authentication QR code).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund, and Salama to incorporate the teachings of Narayan for the replacing the unique identifier associated with the user with another unique identifier to be performed in response to a determination that a user device associated with the user is currently located in a new location, and wherein the new location is a location that the user device has not previously been located.
There is motivation to combine Narayan into the combination of Davis, Baird, Klein, Priebatsch, Specogna, Haulund, and Salama because restricting the barcode .

Claims 26 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US 20130018777) in further view of Priebatsch (US 20140279554) in further view of Specogna (US 20160189123) in further view of Haulund (US 20130173915) in further view of Kumnick (US 20150199689).

Regarding Claim 26, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 21 above; however the combination does not explicitly teach determining, based on predefined rules of the payment account of the user, that the unique identifier is permitted for use with a merchant associated with the merchant device.
Kumnick from same or similar field of endeavor teaches determining, based on predefined rules of the payment account of the user, that the unique identifier is permitted for use with a merchant associated with the merchant device (Paragraphs 0034 and 0043 teach an "identification and verification (ID&V) method" may be used to evaluate whether the person conducting the transaction is the legitimate account holder; examples of ID&V methods may include, but are not limited to, an account verification message, a risk score based on assessment of the primary account number (PAN) and use of one time password by the issuer or its agent to verify the account holder; a “token domain” may indicate the factors that can be established at the time of token 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund to incorporate the teachings of Kumnick to determine, based on predefined rules of the payment account of the user, that the unique identifier is permitted for use with a merchant associated with the merchant device.
There is motivation to combine Kumnick into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because a consumer may only want merchants the consumer conducts transaction with to have access to the consumer’s credit report. The non-transactable payment account identifier enables entities such as merchants and acquirers to identify accountholders when using transactable payment tokens for various applications. Such applications include, but are not limited to: fraud and risk checks on transaction authorization requests, fraud and risk reviews after transactions are completed, performance of value added services (e.g., loyalty, backend applications, reporting), and transaction feeds for third party value added applications (Kumnick Paragraph 0019).

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Davis (US 20090132415) in view of Baird (US 20140279544) in further view of Klein (US .

Regarding Claim 27, the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund teaches all the limitations of claim 21 above; however the combination does not explicitly teach determining that a portion of the unique identifier that corresponds to a portion of a social security number matches a portion of the social security number of the user to authenticate the unique identifier.
Radhakrishnan from same or similar field of endeavor teaches determining that a portion of the unique identifier that corresponds to a portion of a social security number matches a portion of the social security number of the user to authenticate the unique identifier (Paragraphs 0114 and 0118 teach private token provider may generate the password (i.e., unique identifier) by appending the birth year of the user to the last three digits of the social security number of the user; the TBAC module may receive the re-authentication token, wherein the re-authentication token may include a password generated using personal information of user; the TBAC module may request a second password by including instructions on how to form the second password; TBAC module may determine if the password and the second password match; if the password and the second password do match, TBAC module may continue to re-authenticate the user).

There is motivation to combine Radhakrishnan into the combination of Davis, Baird, Klein, Priebatsch, Specogna, and Haulund because the apparatus may detect at least one token indicating a change associated with at least one of the device, the network, or the resource. The apparatus may then determine to re-authenticate the user in response to the change to make sure the device, network, or resource has not been compromised (Radhakrishnan Paragraph 0003).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Kemshall (US 20140189831) teaches time-based authentication apparatus deploys a seed record to user equipment such as a mobile telephone pre-equipped with an app. When a user initiates login access to a protected product or service, using a computing device, they run the app on their mobile equipment which delivers an output such as a QR code (or other local communication such as NFC) containing two time-based codes. The login process on the computing device accepts the output and sends the time-based codes to the authentication 
Moore et al. (US 20140033292) teaches system includes a memory and a processor communicatively coupled to the memory. The processor is operable to receive a first notification and determine whether the first device is associated with the user account. The processor is also operable to communicate a token to the first device in response to determining that the first device is associated with the user account. Additionally, the processor is operable to receive a second notification comprising a request to authenticate the user. The processor may also determine if the second notification comprises the token. The processor is operable to authenticate the user if the second notification comprises the token. The processor is also operable to authenticate the user if the second device is not associated with the user account and the second notification comprises user credentials associated with the user account.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY JONES whose telephone number is (469)295-9137.  The examiner can normally be reached on 7:30 am - 5:00 pm CST (M-F).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571) 270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 



/C.P.J./Examiner, Art Unit 3685              

/JAY HUANG/Primary Examiner, Art Unit 3685