DETAILED ACTION

Status of Application
This action is in reply to the Amendment filed on 02 November 2021. 
In the Amendment, claim 1, 4, 9, 11, 14, 21 and 22 were amended, claims 8 was cancelled, and claims 23-27 were added. 
Accordingly, claims 1-7, 9-14 and 21-27 are currently pending and have been allowed.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Allowable Subject Matter
Claims 1-7, 9-14 and 21-27 are allowed.
	Note: although the subject matter indicated in the Final Office Action issued on 02 September 2021 (pp. 4-5, "Applicant's 
 
Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
The closest prior art of record is as follows:  
Powell et al. (U.S. Patent Application Publication No. 2015/0310439 A1) teaches: 
receiving a request from an issuer to generate a new CVC2 value for a payment card (0028-0029); 
generating the CVC2 value, using an algorithm, based on the card number, the expiration date, the service code, and encryption keys (0023, 0035-0039); 
adding two new service code fields to the payment card file/table for implementing the generation and use of new CVC2 values (0035-0043); 
updating the service codes upon generation of the new CVC2 values (0035-0043, 0072-0073); and 
during a card-not-present (CNP) transaction, receiving a CVC2 value (authentication code) from the user, generating a CVC2 value using the applicable (new or original) service code, comparing the received CVC2 value with the generated CVC2 
Powell et al. does not teach, inter alia: 
a user-selected CVC2 value; 
that a request to change a CVC2 value is received from a user; 
that the user-selected CVC2 value, account number, expiration date, and service code are transmitted by a server to a hardware security module that substitutes the user-selected CVC2 value for a calculated CVC2 value, determines a second service code, using an algorithm, based on the account number, expiration date, the user-selected CVC2 value, and cryptographic keys, and transmits the determined second service code back to the server; and 
that the aforementioned substitution may be performed in response to determining that the received CVC2 value matches the generated CVC2 value.
Vaish et al. (U.S. Patent Application Publication No. 2014/0122331 A1) teaches: 
receiving a request from a user to generate a security code (CVC2 value) for a payment card (0025, 0033-0034); 
generating the security code, based on the card number, the expiration date, and the service code; and (0036, 0043-0044); and
comparing a received security code with a recalculated security code, authorizing a payment transaction if they match, and sending a notification if they do not match (0045-0049).
Vaish et al. do not teach, inter alia: 
a user-selected CVC2 value; and
that the request to generate the security code is a request to change the security code to a new security code. 
Hawkins (U.S. Patent Application Publication No. 2013/0268775 A1) teaches: 
a user selecting input related to an image, which is used in generating a security code.
Hawkins does not teach, inter alia: 
a request to change a CVC2 value on a payment card to a new CVC2 value. 
Muscato (U.S. Patent Application Publication No. 2009/0173782 A1) teaches (in further detail): 
generating the CVC2 value, using an algorithm, based on the card number, the expiration date, the service code, and encryption keys; and (0068-0075)
comparing the received CVC2 value with the generated CVC2 value, authorizing the transaction if the received CVC2 value matches the generated CVC2 value, and declining the transaction if the received CVC2 value does not match the generated CVC2 value (0076-0086).
Kuang (U.S. Patent Application Publication No. 2009/0031407 A1) teaches: 
retrieving a payment card record from a payment card table (0055); and 
a security check/user verification server (hardware security module) that receives verification information from a website hosting server (server), performing verification using the verification information, and transmitting a verification result to the website hosting server (claim 1).
As for closest non-patent literature, Gehringer teaches a user choosing a password, but not a CVC2/security code for a credit card, while Ansari teaches that a CVC2 is generated by an algorithm known only to the bank and not for any person/ organization, i.e., the algorithm must be kept secret from those other than the card issuer. 
Accordingly, the prior art teaches away from the key claimed feature of a user-selected CVC2 value. 
The prior art of record alone or in combination does not teach the combination of the following elements:
Claim 1
a database having a payment card table therein, the payment card table including a payment card record associated with a payment card, the payment card record comprising a primary account number, a payment card expiry date, and a first service code; 
a hardware security module comprising one or more cryptographic keys associated with the payment card, the hardware security module operable to receive a user- selected CVC2 value, the primary account number, the payment card expiry date, and the first service code, and to transmit a second service code that is based upon the user-selected CVC2 value;
a memory device; and 
a sever coupled to the database and the hardware security module, the server comprising a processor coupled to said memory device, said memory device storing first computer-executable instructions that when executed by said processor, cause said processor to perform operations to: 
receive a request to change a first CVC2 value associated with the payment card to a user-selected CVC2 value, the request including the user-selected CVC2 value; 
based upon the request, retrieve from the payment card table the payment card record associated with the payment card;
transmit the user-selected CVC2 value, the primary account number, the payment card expiry date, and the first service code to the hardware security module; 
receive from the hardware security module the second service code, the second service code based on the user-selected CVC2 value, the primary account number, and the payment card expiry date; and 
update the first service code in the payment card record to the second service code.
Claim 9
receiving, by a server, a request to change a first CVC2 value associated with a payment card to a user-selected CVC2 value, the request including the user-selected CVC2 value; 
based upon the request, retrieving, by the server from a payment card table stored on a database, a payment card record associated with the payment card, the payment card record comprising a primary account number, a payment card expiry date, and a first service code; 
transmitting, by the server, the user-selected CVC2 value, the primary account number, the payment card expiry date, and the first service code to a hardware security module, 
the hardware security module comprising a storage device and a cryptographic processor coupled to the storage device, 
the storage device having one or more cryptographic keys associated with the payment card and a code generation algorithm stored thereon, 
said method further comprising: 
determining, by the hardware security module using the code generation algorithm, a calculated CVC2 value based upon the primary account number, the payment card expiry date, the first service code, and the one or more cryptographic keys associated with the payment card; 
substituting, by the hardware security module, the user-selected CVC2 value for the calculated CVC2 value; 
determining the second service code, by the hardware security module using the code generation algorithm, based upon the primary account number, the payment card expiry date, the user-selected CVC2 value, and the one or more cryptographic keys associated with the payment card; 
transmitting, by the hardware security module, the second service code to the server; 
receiving, by the server from the hardware security module, the second service code, the second service code being different than the first service code and being based on the user-selected CVC2 value, the primary account number, and the payment card expiry date; and 
updating, by the server, the first service code in the payment card record to the second service code.
Claim 11
receiving, by a server, a request to change a first CVC2 value associated with a payment card to a user-selected CVC2 value, the request including the user-selected CVC2 value; 
based upon the request, retrieving, by the server from a payment card table stored on a database, a payment card record associated with the payment card, the payment card record comprising a primary account number, a payment card expiry date, and a first service code; 
transmitting, by the server, the user-selected CVC2 value, the primary account number, the payment card expiry date, and the first service code to a hardware security module, 
the request further includes the first CVC2 value, 
the hardware security module comprising a storage device and a cryptographic processor coupled to the storage device, 
the storage device having one or more cryptographic keys associated with the payment card and a code generation algorithm stored thereon, 
said method further comprising: 
determining, by the hardware security module using the code generation algorithm, a calculated CVC2 value based upon the primary account number, the payment card expiry date, the first service code, and the one or more cryptographic keys associated with the payment card; 
comparing, by the hardware security module, the received first CVC2 value to the calculated CVC2 value; 
determining, by the hardware security module, that the first CVC2 value does not match the calculated CVC2 value;
transmitting, by the hardware security module, a CVC mismatch message to the server; 
receiving, by the server from the hardware security module, the second service code, the second service code being different than the first service code and being based on the user-selected CVC2 value, the primary account number, and the payment card expiry date; and 
updating, by the server, the first service code in the payment card record to the second service code.
Claim 22
receiving, by a server, a request to change a first CVC2 value associated with a payment card to a user-selected CVC2 value, the request including the user-selected CVC2 value; 
based upon the request, retrieving, by the server from a payment card table stored on a database, a payment card record associated with the payment card, the payment card record comprising a primary account number, a payment card expiry date, and a first service code; 
transmitting, by the server, the user-selected CVC2 value, the primary account number, the payment card expiry date, and the first service code to a hardware security module,
the request further including the first CVC2 value, 
the hardware security module comprising a storage device and a cryptographic processor coupled to the storage device, 
the storage device having one or more cryptographic keys associated with the payment card and a code generation algorithm stored thereon,
said method further comprising: 
determining, by the hardware security module using the code generation algorithm, a calculated CVC2 value based upon the primary account number, the payment card expiry date, the first service code, and the one or more cryptographic keys associated with the payment card;
comparing, by the hardware security module, the received first CVC2 value to the calculated CVC2 value; 
determining, by the hardware security module, that the first CVC2 value matches the calculated CVC2 value; 
substituting, by the hardware security module, the user-selected CVC2 value for the calculated first CVC2 value; 
determining, by the hardware security module, the second service code, using the code generation algorithm, based upon the primary account number, the payment card expiry date, the user-selected CVC2 value, and the one or more cryptographic keys associated with the payment card; 
transmitting, by the hardware security module, the second service code to the server
receiving, by the server from the hardware security module, the second service code, the second service code being different than the first service code and being based on the user-selected CVC2 value, the primary account number, and the payment card expiry date; and 
updating, by the server, the first service code in the payment card record to the second service code.
Regarding the claim objections and the rejections under 35 U.S.C. 101 and 112, all of these have been overcome by the claim amendments made in the Amendment filed 11/02/2021. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS W PINSKY whose telephone number is (571)272-4131.  The examiner can normally be reached on 8:30 am - 5:30 pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin Hewitt II, can be reached on 571-272-6709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DWP/
Examiner, Art Unit 3692

/ERIC T WONG/Primary Examiner, Art Unit 3692