DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Amendment
The following detailed action acknowledges the amendments of the response filed on 14th of September of 2021. The amendments in the filed response have been entered. 
Claims 113, 115, 118-119, 122-132 have been amended. 
Claims 1-112 are confirmed to have been cancelled. 
Claims 113-132 are pending in the application and the status of the application is currently pending. 

Claim Objections
Claims 113 and 123 are objected to because of the following informalities:  
In the first transmitting line, the claims recite the amended limitation wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service, where the emphasized limitation suggests a missing limitation. Suggest amendment wherein the access control server verifies  the account number.  Appropriate correction is required.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 113-132 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
The rejection is based on the subject matter eligibility test that is detailed in the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) and the October 2019 Patent Eligibility Guidance Update (October 2019 Update). The conclusions of the test support the rejection. 
In Step 1 of the test, the claims were found to be directed to one of the four statutory categories, where the claims are reciting a process. Claims 113-122 recite the method steps of a process of user verification and user authentication as executed by a merchant server. Claims 123-132 recite the merchant server executing the steps of the process to verify a user and receive user authentication. 
Thus, it is concluded in Step 1 that the claims are directed to a statutory category of a process.
In Step 2A(1), the claims were found to recite an abstract idea. The claims 113 and 123 recite 
receiving, by a merchant server, payment information comprising an account number from a user computer; 
transmitting, by the merchant server, a verification request comprising the account number to a gateway computer, wherein the gateway computer forwards the verification request to an access control server, wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service; 
receiving, by the merchant server, from the access control server via the gateway computer, a verification response; 
transmitting, by the merchant server, an authentication request to the gateway computer, wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, receives a second secure datum from the validation entity, and determines if the first secure datum matches the second secure datum; 
receiving by the merchant server, an authentication response in response to transmitting the authentication request; and 
initiating by the merchant server, an authorization process after receiving the authentication response. 
The emphasized limitations describe the transmission of messages, where the sending request messages, receiving response messages and initiating an authorization process is executed by a merchant. The messages sent and received are related to a user authentication, where the merchant is confirming if the user is approved to use the payment method. Additional elements are recited that show functions not performed by the merchant and interpreted as external to the process. The verification token is interpreted as personal identification information of the user that is protected, thus interpreted as data for confirmation that can be verified visually. The secure datum is merely data that is compared for authentication that can be reasonably performed with visual confirmation of a match. These limitations suggest an abstract idea of a merchant confirming if the user is valid and approved to use the payment method, which is part of the security in a transaction between people that falls under certain methods of organizing human activity. 
The claims recite the limitations wherein the gateway computer forwards the verification request to an access control server, wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service, which recite elements that perform the verification on behalf of the merchant and are not positively recited as part of the claimed invention. These limitations of the verification support the abstract idea. The claims further recite the limitations wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, and determines if the first secure datum matches the second secure datum previously provided by the validation entity to the verification token, which further recite the functions of additional elements that perform the authentication on behalf of the merchant. These limitations of the authentication further support the abstract idea. These recited limitations are reciting the functions of a gateway element and an access control element, functions that are separate from the merchant, and are interpreted as recitations of the intended use of the claimed invention. Although claim 123 recites the gateway as part of the system, the recited limitations positively recite the functions of the merchant. The recited transmission and receipt of messages and comparison of data are functions that can be performed between people to confirm approval to use a payment method falls under the abstract idea of certain methods of organizing human activity.
The dependent claims are shown to support the abstract idea. The claims recite:
Claims 114 and 124 recite wherein the first secure datum is generated based on an identity of a merchant with which a user conducts a transaction, and a date or time of the transaction. 
Claims 115 and 125 recite wherein the first secure datum was received by the verification token from the validation entity after the validation entity validates information received from the verification token. 
Claims 116 and 126 recite wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer. 
Claims 117 and 127 recite wherein the access control server is configured to receive the authentication page filled in with the first secure datum, the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations. 
Claims 118 and 128 recite wherein the access control server is configured to transmit the authentication response to the gateway computer, wherein the gateway computer forwards the authentication response to the merchant server. 
Claims 119 and 129 recite wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, wherein the authentication response is transmitted by the gateway computer to the merchant server via the communication frame, the authentication response including a URL of the gateway computer received in the verification response, and wherein the merchant plug-in validates a signature included in the authentication response. 
Claims 120 and 130 recite wherein the communication frame is used to present the authentication page to a user of the user computer. 
Claims 121 and 131 recite wherein the authorization process is initiated with an acquirer for a transaction based at least in part on the authentication response. 
Claims 122 and 132 recite wherein the account number includes a PAN and wherein the verification request includes the PAN. 
The emphasized limitations support the process of verification and authentication performed between people. Therefore, Step 2A(1) concludes the claims recite an abstract idea.
In Step 2A(2), the claims that recite the abstract idea do not integrate the abstract idea into a practical application. The non-emphasized limitations in the claims are the additional elements that further describe the process of sending and receiving messages to entities that validate and authenticate the user on behalf of the merchant. These elements support the interpretation that a computer is used as a tool to execute the abstract idea. 
The non-emphasized limitations in the dependent claims point to the additional elements that describe the technical elements executing the abstract idea. 
Claims 116 and 126 recite limitations that describe the verification token as a device outside of the merchant server, read by a data processor that is not part of the merchant server, and describing the action of receiving data from a user of the user computer. Interpreting the data processor as a card reader and the verification token as a card, these limitations describe the use of a card in a card reader that receives entry information of the card owner, all part of the abstract idea but not implementing the abstract idea in a practical application.
Claims 119, 120, 129 and 130 recite additional elements that describe a means of communication between the merchant and the customer that further supports the functions of the computer executing the abstract idea but not implementing the abstract idea in a practical application.
The additional elements are not recited to be part of the merchant server or positively recited to execute instructions from the merchant server. 
However, the elements recited with the additional elements in the dependent claims in points G and K-O further describe functions of the merchant server, concluding the limitations are generally linking the use of the abstract idea to a particular technological environment or field of use. 
Therefore, it is concluded in Step 2A(2) that the claims are directed to the abstract idea. 
In Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claims recite the actions of a merchant server interacting with an access control server, a verification token and a user computer, reciting the sending and receiving of messages during an authentication process, supporting the use of a computer to perform the abstract idea. The recitation of a merchant plug-in from the merchant server opens a communication frame on the user computer gives insight to how the data was transferred for authentication, but the plug-in still allows for a user of the user computer to enter the information for authentication. Thus, while this and the other additional elements limit the abstract idea to a specific technical field, there is no improvement to the process of performing the abstract idea, nor is there an improvement to another technology or technical field. Considering the additional elements individually, the claims do not include elements that are sufficient to amount to significantly more than the judicial exception. Considering the additional elements in combination, the steps do not add any meaningful limits on practicing the abstract idea more than the elements analyzed individually and thus do not add significantly more to the claimed invention. 
Therefore, it is concluded in Step 2B that the claims contain additional elements that are not “significantly more” than the abstract idea. The test concludes the claims are patent ineligible.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
Determining the scope and contents of the prior art.
Ascertaining the differences between the prior art and the claims at issue.
Resolving the level of ordinary skill in the pertinent art.
Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).
Claims 113, 114, 117, 118, 121, 123, 124, 127, 128, and 131 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer (CA 2,604,348, hereinafter “Stemer”), in view of Weller (US 2010/0332393, hereinafter “Weller”), in view of Nyberg (CA 2,449,748, hereinafter “Nyberg”).
Regarding Claims 113 and 123, Stemer teaches 
receiving, by a merchant server, payment information comprising an account number from a user computer; (“Referring now briefly to Fig. 2, after the required information has been gathered at the merchant's (POS, ATM, online, telephone, etc.), an authorization request or charge request 10 is sent to the financial processing facility 6. There, the request is processed in a conventional manner as indicated by the boxes 11 and 12. At the same time, the customer profile 25 associated with the account number is checked at 13.” See Stemer in pagemark 7, lines 20-25)
transmitting, by the merchant server, a verification request comprising the account number to a gateway computer, (“…an authorization request or charge request 10 is sent to the financial processing facility 6. … At the same time, the customer profile 25 associated with the account number is checked at 13.” See Stemer in pagemark 7, lines 21-25)
receiving, by the merchant server, from the access control server via the gateway computer, a verification response; (“If the profile is set to Notify Only, the query 14 returns a corresponding response and the customer's wireless device (e.g., cell phone or beeper) is notified at 15. The message may be an SMS message or it may be a voice announcement, depending on the customer profile. Once the notification has been sent at 15, a flag is set at 16.” See Stemer in pagemark 7, lines 27 – pagemark 8, Line 3)
transmitting, by the merchant server, an authentication request to the gateway, (same process for the verification, See Stemer in pagemark 7, lines 21-25)
receiving, by the merchant server, an authentication response in response to transmitting the authentication request; (“The confirmation may be a simple reply to an SMS message, it may consist of any key depressed (during a live call), or it may be a full-fledged PIN or password. In a further modification, which adds yet another level of security, the customer may be prompted for a voice reply and the reply may then be subjected to "voice recognition" by comparing a frequency hysteresis chart associated with the customer to the voice reply. If the customer (or the person in the possession of the wireless device) returns the proper response, the query 18 directs the process flow to the box 16, where the confirm flag is once more set to "l".” See Stemer in pagemark 8, lines 6-14) and
initiating by the merchant server, an authorization process after receiving the authentication response (Stemer provides the process of authentication and of authorization of payment, based on the customer profile: “It will be understood that the foregoing scenario is merely exemplary and is in no way limiting with regard to the application of the instant invention (nor is it intended to be disparaging to the restaurant industry). Indeed, there exist numerous situations where proper customer notification and customer authorization may prevent fraudulent transactions and even wrongful transactions that are based on honest mistakes.” See Stemer in pagemark 6, lines 23-28; “Referring now briefly to Fig. 2, after the required information has been gathered at the merchant's (POS, ATM, online, telephone, etc.), an authorization request or charge request 10 is sent to the financial processing facility 6. There, the request is processed in a conventional manner as indicated by the boxes 11 and 12.” See Stemer in pagemark 7, lines 21-25).
The limitations describing the functions between the gateway and the access control server are not directly tied to the functions of the merchant server, and they are not recited as receiving instructions from the merchant server. These limitations are interpreted as the intended use of the claimed invention. 
Stemer does not expressly teach wherein the gateway computer forwards the verification request to an access control server, wherein the gateway computer forwards the verification request to an access control server, wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service. The limitations are not reciting instructions from the merchant server or a connection to the merchant server, and the functions recited are interpreted to define the access control server.
However, Weller does teach verification of the account number and determine the account number is enrolled in an authentication service (“After the merchant plug-in software 114 conducts the search, the VerifyEnrollmentReq message is transmitted to the access control server 114 either directly, as shown by line 1b, or after first passing through the directory server 128, as shown by line 1a. When the VerifyEnrollmentReq message is transmitted to the access control server 114 via the directory server 128, the directory server 128 searches for a record corresponding to the cardholder PAN contained in the VerifyEnrollmentReq message. On unsuccessful match, the directory server 128 will format a VerifyEnrollmentRes message with no URL value(s) and set the value of Status of PAN Enrollment or VerifyEnfollmentRes-Status to "N." The VerifyEnrollmentRes message is then returned to the merchant plug-in software. On the other hand, upon successful match, the directory server 128 will, if not already established, establish a secure connection with and authenticate itself to the access control server URL.” See Weller in [0072]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer a “verification service”, as taught by Weller, because it would be a service to protect the customer’s payment information to determine the customer is registered.
Stemer does not expressly teach wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives a second secure datum from the validation entity, and determines if the first secure datum matches the second secure datum. 
However, Weller does teach determining the match of a received secure datum against stored secure datum (interpreting the first secure datum is created at user registration, and the second secure datum is provided for authentication: “The cardholder client device software returns secret #2, the cryptogram, and the supporting data to the ACS for the ACS to validate the cryptogram. The ACS accepts the cardholder client device software's input and validates it against the Account Holder Database. If there is more than one Account Holder Database entry (secret #2) for a Primary Account Number (PAN), the cardholder is validated if any of the entries (secret #2) match the secret #2 sent to the ACS by the cardholder client device software.” See Weller in [0177]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer an “authorization service”, as taught by Weller, because it would be a service to protect the customer’s payment information to determine the customer is approved for payment.
Stemer, in view of Weller, does not explicitly teach the gateway computer is configured to send the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in.
However, Nyberg does teach 
the gateway computer is configured to send the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, (interpreting the gateway as the form of communication between the access control server [first device] and the user computer [second device]: “In connection with the paging stage the communication devices 2, 3 can transmit the address of their own to the other party involved in the data transmission connection to be set up, wherein these addresses individualizing the communication device 2, 3 are used in the communication thereafter. After the paging stage both communication devices 2, 3 perform an interactive key exchange stage (arrow 102 in Fig. 1) to generate the same secret key K in both devices.” See Nyberg in pagemark 8 line 37 – pagemark 9 line 7)
receive the authentication page filled in […] associated with the user computer from a validation entity, (“In this preferred embodiment of the invention the first communication device 2 selects a unique random string P (block 103 in Fig. 1), which is relatively short, for example 6 characters long. This selection can be conducted in a manner known as such, for example by generating it using a random string generator provided in the application software of the control block. Besides selecting a random string P, the first communication device 2 calculates a first check string c1 (block 104) on the basis of the random string P it has generated and the shared encryption key K. The length of this check string is preferably the same as the length of the random string, i.e. in this example situation 6 characters. The first communication device 2 displays the random string P it has selected and the first check string c1 it has calculated on the display 7a (block 105) and the random string P and the check string c1 are reported to the user of the second communication device 3 (arrow 106).” See Nyberg in pagemark 10 lines 10-25).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “system of communication devices”, as taught by Nyberg, because the specific devices with the specific functions improve on securing the information in order to perform the authentication service.  
Regarding Claims 114 and 124, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Weller, in view of Nyberg, further teaches the first secure datum is generated based on an identity of a merchant with which a user conducts a transaction, and a date or time of the transaction (interpreting the datum as a dynamic value, where the merchant identity is a static value [secret key] and the date and time is constantly changing [random number]: “After the paging stage both communication devices 2, 3 perform an interactive key exchange stage (arrow 102 in Fig. 1) to generate the same secret key K in both devices. … In this preferred embodiment of the invention the first communication device 2 selects a unique random string P (block 103 in Fig. 1), which is relatively short, for example 6 characters long. This selection can be conducted in a manner known as such, for example by generating it using a random string generator provided in the application software of the control block. Besides selecting a random string P, the first communication device 2 calculates a first check string c1 (block 104) on the basis of the random string P it has generated and the shared encryption key K.” See Nyberg in Figure 1 and paragraphs with references 102, 103 and 104).
Regarding Claims 117 and 127, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Weller, in view of Nyberg, further teaches wherein the access control server is configured to receive the authentication page filled in with the first secure datum, (See Nyberg in pagemark 10 lines 10-25) the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations (See Nyberg in pagemark 10 lines 28-37).
Regarding Claims 118 and 128, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 117 and 127. Stemer further teaches wherein the access control server is configured to transmit the authentication response to the gateway, wherein the gateway forwards the authentication response to the merchant server (See Stemer in pagemark 7, lines 27 – pagemark 8, Line 3).
Regarding Claims 121 and 131, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer further teaches wherein the authorization process is initiated with an acquirer for a transaction based at least in part on the authentication response (“Immediately upon receiving the authorization request, the credit card authorization system (e.g., the acquirer 6) sends an SMS message to the customer's cell phone. The customer receives the message telling him that the restaurant has requested authorization for a charge of $40.00. This happens well before the server returns with the transaction slip requesting the customer's signature.” See Stemmer in pagemark 6, lines 1-6).

Claims 115-116, 122, 125-126 and 132 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer, in view of Weller, in view of Nyberg, and further in view of Mennes (US 2009/0235339, hereinafter “Mennes”).
Regarding Claims 115 and 125, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Weller, in view of Nyberg, does not expressly teach wherein the first secure datum was received by the verification token from a validation entity after the validation entity validates information received form the verification token. 
However, Mennes does teach 
   a first secure datum (One Time Password, ‘OTP’) is received by the verification token from a validation entity (Authentication Server): (“First, the Authentication Server generates the Master Server OTP (713). The Master Server OTP (713) is a time and challenge-based one-time password… Subsequently, the 8-digit Server OTP (718) is sent to the token (100).” See Mennes within [0136]-[0147], in reference to Figure 7); 
after the validation entity validates information received from the verification token (“ A Server OTP (718) is correct if: [0156] It was generated with the same SAK (716) as the SAK (722) that is stored in the token (100), and [0157] it was generated using a Business Unit Index (BUI) (715) that is known to token (100), and [0158] it was generated inside the time acceptance window that is used by token (100), and [0159] it is not older than the last received correct Server OTP.” See Mennes in [0155]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “process to verify and generate the secure datum”, as taught by Mennes, to improve the authentication process by securing the comparison of data.  
Regarding Claims 116 and 126, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Weller, in view of Nyberg, does not expressly teach wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer. 
However, Mennes does teach a verification token comprising a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer (interpreting the portable consumer device has the means to connect with the verification token: “This application discloses a low-cost strong authentication token for creating one-time passwords and/or transaction signatures, hereafter collectively referred to as security values, for use in client-server transactions, comprising trustworthy output means to present information to the user, and data input means capable of receiving input data, whereby the input data is efficiently encoded so as to allow transfer of the input data into the token in a reasonable time frame and requiring only low-cost hardware, and whereby said token generates a security value upon verification of a server credential. Said security value is generated using a secret shared between token and server, and said server credential is generated and verified using another (optionally, the same) secret shared between token and server. … In a preferred embodiment of the invention the token includes means such as a microprocessor to perform cryptographic operations as RAM, ROM or EEPROM memory to store one or more secret values such as one or more PIN values or cryptographic secret keys.” See Mennes in [0022] and [0026]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “device for user verification”, as taught by Mennes, because the device will secure the datum prior to use for authentication.
Regarding Claims 122 and 132, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Weller, in view of Nyberg, does not explicitly teach wherein the account number includes a PAN and wherein the verification request includes the PAN.
However, Menned further teaches wherein payment information includes a PAN and verification request includes the PAN (“Instead of containing only literal texts or values, the message can also contain references to texts or values known to or stored in the token. For example, the message can contain a tag value that refers to the text "Amount=", rather than containing the full literal "Amount=" text itself. The message can also contain a reference to a stored value of the user's default account number, rather than containing the literal user's account number itself. Formatted numerical data such as money amounts or account numbers are represented as raw non-formatted numerical data whereby the formatting is added during the expansion based on explicit formatting indicators or implicit context information that implies a certain format.” See Mennes in [0034]-[0035]). 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “default account value”, as taught by Mennes, because the device will secure the datum prior to use for authentication.

Claims 119-120 and 129-130 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer, in view of Weller, in view of Nyberg, and further in view of Wankmueller (US 2005/0289052, hereinafter “Wankmueller”).
Regarding Claims 119 and 129, Stemer, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer further teaches wherein the authentication response is transmitted by the gateway to the merchant server via the communication frame, the authentication response including a URL of the gateway received in the verification response (See Stemer in pagemark 7, lines 21-25).  
Stemer, in view of Weller, in view of Nyberg, does not expressly teach wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response. 
However, Wankmueller teaches the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response (“either: A) charges the financial instrument in the amount received, using account information stored in account database 248 corresponding to the merchant identifier and generates or receives an authorization identifier indicating the transaction was authorized, and provides a redirect command to browser 264 that will cause browser 264 to transmit a request to merchant web application 274, or B) requests authorization to charge that amount and issues or receives the authorization identifier and optionally stores the transaction amount, the authorization number and the merchant identifier in account database 248 and then redirects browser 264 to merchant web application 274.” See Wankmueller in pagemark 37, 3rd paragraph).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “merchant plug-in”, as taught by Wankmueller, because the plug-in would facilitate the communication of the secure data and reduce the attempts of theft.
Regarding Claims 120 and 130, Stemer, in view of Weller, in view of Nyberg, in view of Wankmueller, teaches the limitations of claims 119 and 129. Stemer, in view of Weller, in view of Nyberg, in view of Wanlmueller, further teaches wherein the communication frame is used to present the authentication page to a user of the user computer (“Figures 3D and 3E are a flowchart illustrating a method of allowing a user to optionally authenticate one or more communications from a computer system and a computer system to optionally authenticate a user and displaying information according to one embodiment of the present invention.” See Wankmueller in pagemark 5, lines 16-19).

Response to Arguments
Applicant’s arguments, filed 14th of September of 2021, with respect to the rejections under 35 USC 101, 35 USC 112 and 35 USC 103 have been fully considered.  
Regarding the rejection under 35 USC 101, the Applicant argues: Claims 113-132 are rejected under 35 U.S.C. § 101 for allegedly being directed to non-statutory subject matter. This rejection is traversed.
At page 5 of the Office Action, claims 113-132 are rejected under 35 U.S.C. § 101. The Office's 2019 Revised Guidance on Patent Subject Matter Eligibility (2019 PEG) dated January 4, 2019 provides a framework for the patent eligibility analysis including Steps 1, 2A-Prong 1, 2A-Prong 2, and 2B. Independent claim 113 is argued as a representative claim. The arguments thereto also apply to independent claim 123 and any claims dependent upon the independent claims.
The first step, Step 1, asks if the claim(s) are directed to a process, machine, manufacture, or composition of matter. Here, the claims are directed to methods (i.e., process) and machines. 
In response: The rejection under 101 is a subject matter eligibility rejection, where the claims would be confirmed to be directed to a statutory category. Thus, the rejection is not for alleging to a non-statutory subject matter. As is clearly recited in the rejection, the claims recite a statutory category, being directed to a process. Although the claims recite machines, the broadness of the recited machines are defined by the process steps. The step 1 of the subject matter eligibility test concludes the claims are directed to the process.
The Applicant further argues: Next, Step 2A- Prong 1, asks if the claims are directed to a judicial exception such as an abstract idea. As explained previously, the claims are not directed to an abstract idea. As explained in the 2019 PEG, in order to satisfy Step 2A, Prong 1, the Examiner must identify specific limitation(s) in the claims that the Examiner believes falls under an abstract idea, and then determine if the limitations fall within the subject matter groupings of the abstract ideas enumerated in Section I of the 2019 PEG (i.e., "mathematical concept," "mental process," or "method of organizing human activity"). The Examiner states that the steps relate to the abstract idea of a "merchant confirming approval to use a payment method, which is a transaction between people that falls under certain methods or organizing human activity." Applicant initially notes that there is no "merchant confirming approval to use a payment method" in the claims, and the alleged abstract idea is not even part of the claims. As such, the claims are patent eligible under Step 2A - Prong 1.
In response: in view of the amendments, the claims are further clearly reciting the steps executed by the merchant server to verify and authenticate a customer before beginning the authorization of payment process. As recited, the merchant server only sends and receives messages regarding the customer’s registration to the authentication service and the authentication of the customer’s identity. However, the additional elements recited are not defined to be performed by the merchant server nor receiving instructions from the merchant server. The claims are interpreted to describe a process of verification and authentication, which are considered possible to be done by a merchant interacting with the customer and the respective third party company that issued the payment method of the customer. Therefore, the abstract idea is the concept of the interaction between people, a concept within certain methods of organizing human activity.
The Applicant further argues: Under Step 2A- Prong 2, the 2019 Guidelines state, at page 54:
A claim that integrates a judicial exception into a practical application will apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception. When the exception is so integrated, then the claim is not directed to a judicial exception (Step 2A: NO) and is eligible. This concludes the eligibility analysis.
1. 	The claims are not abstract, since any of the alleged abstract features are used in the context of a "particular machine."
The claims are not abstract, since any of the alleged abstract features are used in the context of a "particular machine." The 2019 Guidance states that an exemplary consideration as to whether the abstract idea has been integrated into a "practical application" is whether "an additional element implements a judicial exception with, or uses a judicial exception in conjunction with, a particular machine or manufacture that is integral to the claim." Further, the MPEP states: "When determining whether a claim integrates a judicial exception, into a practical application ... examiners should consider whether the judicial exception is applied with, or by use of, a particular machine. 'The machine-or-transformation test is a useful and important clue, and investigative tool' for determining whether a claim is patent eligible under§ 101." (MPEP 2106.05(b), quoting Bilski v. Kappas, 561 U.S. 593, 604, 95 USPQ2d 1001, 1007 (2010)). The amended claims clearly recite the use of a specially programmed system that can improve the security of transactions by preventing man-in-the-middle attacks. The claims thus recite specialized hardware and software for providing data security, and not just generic computing components. As such, the claims should be deemed not abstract and patent eligible for this reason alone.
In response: the claims describe the functions of the merchant server, broadly described to be any computer server. Since the merchant server is not particularly described neither by the steps nor by the disclosure, the test concludes the machine is not particular and can be defined as “generic”. The concepts discussed in the case of Bilski vs Kappas are not the guidance used to test the claims for subject matter eligibility. The concepts as discussed in the case of Alice vs CLS are the basis of the subject matter eligibility test and the PEG2019.
The Applicant further argues:
2. 	The claims are not abstract, since the claims as a whole provide for improved computer security, which has been held to be "non-abstract computer functionality."
Further, the recited steps provide a specific improvement to computer security, which the Federal Circuit has held to be a "non-abstract computer functionality improvement if done by a specific technique if done by a specific technique that departs from earlier approaches to solve a specific computer problem." (Ancora Techs. Inc. v. HTC America, Inc., 908 F.3d 1343, 1348 (Fed. Cir. 2018)). See also Tecsec, Inc. v. Adobe Inc., 978 F.3d. 1278 (Fed. Cir. 2020). The claim at issue an Ancora addressed "vulnerability of license-authorization software to hacking." In Ancora, the CAFC up-held claims requiring use of a modifiable portion of particular computer capacity to prevent running software on an unauthorized computer. Similarly here, the claims recite use of a secure datum from a validation entity and in an authentication request message to validate a transaction. The secure datum can be dynamically generated so that a man-in-the-middle that skims the secure datum could not use it for subsequent transactions. The advantages of embodiments of the invention are articulated in at least paragraph [0161] of the specification. Thus, the computer security provided by the claims is analogous to the computer security invention aspects in Ancora as well as Tecsec. As such, the claims should be viewed as "non-abstract" or at a minimum the claims should be viewed as having a "practical application" sufficient to satisfy 35 U.S.C. 101. For the reasons provided above, the claims are patent eligible under Step 2A.
In response: the claims do not recite the improvement to computer security as part of the merchant server. The computer security is executed by other elements outside of the system components, and there is no clear tie to the merchant server to these additional elements that secure the customer’s account information and the transaction information. Thus, the merchant server is executing functions that support interactions between people. 
Observing the elements as a whole, the merchant server is managing the messages between the customer and the gateway computer, where the computer security is executed by the gateway computer to verify and authenticate the customer. Thus, the conclusion of Step 2A is the claims are directed to the abstract idea.
The Applicant further argues: Step 2B asks the Examiner to determine if any element, or combination of elements, in the claim is sufficient to ensure that the claim amounts to significantly more than the judicial exception. The following bullet points identify characteristics that can qualify as "significantly more." The claims clearly meet those characteristics. 
As a first example, the claim elements clearly "apply[] the judicial exception with, or by use of, a particular machine," as the claims recite computer components.
As a second example, the claim elements clearly "add[] a specific limitation other than what is well-understood, routine and conventional in the field" or "add[] unconventional steps that confine the claim to a particular useful application." As explained in Berkheimer v. HP Inc. (Appeal No. 2017-1437) (Fed. Cir. 2018).
Here, the claims involve more than performance of "well understood, routine, [and] conventional activities previously known to the industry." For example, at least the following limitations in independent claim 1 are not conventional: "transmitting, by the merchant server, an authentication request to the gateway computer, wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, receives a second secure datum from the validation entity, and determines if the first secure datum matches the second secure datum previously provided by the validation entity to the verification token." Clearly, at least this combination of limitations is "unconventional" and "other than what is well-understood, routine and conventional in the field." The Examiner has provided no evidence showing that the combination of steps is conventional. Further, as explained above, these features provide for a number of advantages over the conventional systems. Accordingly, Applicant submits that at least this combination of limitations forms an "inventive concept" and hence constitute "significantly more" under Step 2B.
For at least these reasons, the Applicant respectfully requests withdrawal of the § 101 rejection of the pending claims.
In response: the analysis of the additional elements individually would clearly define the use of the computers to verify and authenticate the customer. However, when considered as a whole, the merchant server does not combine with the other additional elements as part of a system and the merchant server is not recited providing instructions to the gateway to authenticate the customer. If there is an improvement to the technology, which step 2A concluded there was not an improvement, it is not positively recited as part of the merchant server because the merchant server only requires the verification result and authentication result to begin the process of authorization, which is interpreted as authorization for payment.
Step 2B concluded the additional elements do not amount to significantly more than the abstract idea, and the claims remain patent ineligible. 

Regarding the rejection under 35 USC 112, the Applicant argues: At page 3 of the Office Action, claims 113-118 and 123-128 are rejected as being indefinite. This rejection is traversed. This indefiniteness rejection was discussed during the interview, and as indicated in the USPTO's Interview Summary mailed on August 31, 2021, the Examiner agreed with withdraw the indefiniteness rejection.
In response: the Examiner confirms the amendments have overcome the indefiniteness issue, and the rejection under 112, second paragraph, has been withdrawn. 

Regarding the rejection under 35 USC 103, the Applicant argues: Claims 113-114, 117-118, 121, 123-124, 127-128, and 131 are rejected under 35 U.S.C. § 103(a) as being unpatentable over CA Patent No. 2,604,348 to Sterner ("Sterner") in view of CA Patent No. 2,449,748 to Nyberg et al. ("Nyberg"). This rejection is traversed.
Applicant submits that the previously presented or currently amended claims are not obvious in view of the cited art.
First, the cited prior art does not teach a "verification request" that includes an account number as in independent claim 113. Independent claim 123 recites a similar limitation.
The main reference, Sterner describes a cardholder alert, where a cardholder is alerted when a transaction is conducted.
The Office Action page 13 states that the "verification request" is taught at page 7, lines 21-25 of Sterner. However, this is a "charge request" and not a "verification request" to determine if an account number is enrolled in an authentication service.
In response: The art of Stemer teaches a request to verify the customer and authenticate the customer. The process steps are taught by Stemer to be requested in the same message, where the end result received is the response message, as recited. A new grounds of rejection is presented in the prior art of Weller (shown in the rejection above) and is shown to teach an authorization service that verifies the registration of the customer and authenticates the customer information. Weller teaches the verification and authentication steps are shown as separate functions, as recited. However, the claims do not recite the verification process as different from the authentication process, where both processes determine the customer’s authenticity. The verification process compares received information against stored information to confirm the customer is “enrolled in the authentication service”, and the authentication process compares previously received information (interpreted as enrollment information that is stored) against the received information for a current transaction (these would be the first and second secure datum) to confirm the customer. Further, the process of verification and the process of authentication are not executed by the merchant server and the claims lack the piece of information that ties the merchant server to these processes. These processes are recited as the intended use of the claimed invention, where it is clear the functions are not executed by the merchant server, and the other elements in the claim are not positively recited as part of the method steps or the system. 
The art of Stemer, in view of Weller, also teaches that the merchant server is not connected to the authorization service nor does the merchant server send instructions to the authorization service to perform the verification and authorization. The claims remain rejected with regards to the amendments argued.
The Applicant further argues: Further, the cited art does not teach or suggest a method comprising, inter alia, "transmitting, by the merchant server, an authentication request to the gateway computer, wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in with a first secure datum obtained with a verification token associated with the user computer from a validation entity, receives a second secure datum from the validation entity, and determines if the first secure datum matches the second secure datum" as in independent claim 113. Independent claim 123 recites a similar limitation. 
At page 22 of the Office Action, the Examiner alleges that this limitation is taught by Nyberg at page 15 of the Office Action. The Examiner cites the key exchange step 102 in Nyberg as disclosing the above limitation directed to the "gateway". The Examiner alleges that the "gateway" is the "form of communication between the access control server [first device] and the user computer [second device]."
Applicant does not entirely understand the mapping to Nyberg. However, the "form of communication" does not equate to the "gateway" in the claims as the "gateway" is receiving and transmitting messages and is processing data. To clarify the claims and to distinguish the Examiner's interpretation, the claims are amended to state that the "gateway" is a "gateway computer." Further, there is no disclosure of the functions in the limitation above in the prior art. For example, there is no "validation entity" that provides a secure datum to a verification token, and then also provides it to a gateway for verification in the cited art. As such, independent claims 113 and 123, and any claims dependent thereon are clearly patentable over the cited art.
In response: The Examiner confirms the “gateway” is not just a communication server in view of the amendments. However, the gateway computer is also not positively recited as performing instructions from the claimed invention, in this case the merchant server. The term “gateway computer” is interpreted as a generic term that is too broad to define and thus requires the functions recited in the claim to further describe it. As recited, the gateway computer executes the transmission of messages to the access control server for the verification of the customer, and further executes the transmission of messages to follow with the comparison of datum to confirm the authorized customer. None of the messages transmitted were instructed by the merchant server to verify or authorize, and none of the elements created for the verification and the authorization are created by the merchant server. The interpretation of the claims concludes the alleged system is not clearly defined. 
The prior art of Stemmer, in view of Weller, teaches the functions of the access control server to verify the customer, and the functions of the gateway computer to compare and match the datum received against the datum stored to authenticate the customer. The prior art of Nyberg is combined to Stemer and Weller to further teach the gateway computer and the access control server as defined by the process steps taught by Stemer in view of Weller. The claims are shown in the rejection above to be taught by the prior art, and thus the claims remain rejected. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR R MARTINEZ-HERNANDEZ whose telephone number is (571)270-0658.  The examiner can normally be reached on M-F from 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOHN W. HAYES can be reached on (571) 272-6708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ERM/Examiner, Art Unit 3685


/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685