DETAILED ACTION
Acknowledgements
This office action is in response to the claims filed 09/01/2021.
Claim 1 is amended.
Claims 6-8, 11, and 15-37 are cancelled.
Claims 1-5, 9, 10, and 12-14 are pending.
Claims 1-5, 9, 10, and 12-14 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 09/01/2021 have been fully considered but they are not persuasive. 
112
Due to Applicant’s amendments, the prior 112 rejection is withdrawn. 
103
Applicant argues that “the Examiner takes the position that a SLUK is no different than a LUK… Acar neither teaches the generation of a SLUK nor the receipt of a SLUK generated in the manner claimed.” The limitation recites the intended use of a receiver to “receive a secure limited use key (SLUK) from a financial institution.” First, the description of how the SLUK is generated is neither claimed by nor performed by the claimed scope of the communication device; secondly, the description of a remote device that performs the generation of the SLUK is nonfunctional descriptive language, outside the scope of the claimed functions and not given patentable weight. In Acar, there is a receipt of a secure limited use key as the limitation recites.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-5, 9, 10, and 12-14  are  rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Claim 1 recites “, wherein the second key is received by the communications device and stored by the communications device in the storage unit before receiving the SLUK from the financial institution”. According to the disclosure(¶ 40), “each of the characters in the subset being determined by a predetermined algorithm on the basis of a second key associated with the user of the communications device, the identifier which identifies the user of the communications device and the variable code, the second key being a secret key, wherein the SLUK is generated by wrapping the first LUK using each of the characters in the subset, and receive the variable code from the financial institution, controlling a storage unit of the communications device to store the received SLUK and variable code and to store the second key associated with the user of the communications device”. The disclosure does not support the second key  being received by the communications device or that the second key is stored by the communications device in the storage unit before receiving the SLUK from the financial institution.  Dependent claims 2-5, 9, 10, and 12-14 are also rejected. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Acar et al. (2017/0155513) (“Acar”), in view of Sama (2011/0208964) (“Sama”) and further in view of Ngo et al (20150178724) (“Ngo”).
Regarding claim 1, Acar discloses a receiver unit operable to: receive a secure limited use key (SLUK) from a financial institution (¶19, 20, 34, 45, 72, 79), 
Claim Interpretation- A “secure limited use key (SLUK)” does not appear to be different from a “limited use key (LUK)”, a known term in the art. For the purpose of claim interpretation, the SLUK will be understood to also be a limited use key. 

wherein the SLUK is generated by the financial institution using (A) a first limited use key (LUK) generated using a first key associated with the financial institution, an identifier which identifies a user of the communications device, and a variable code, and on the basis of a second key associated with the user of the communications device, the identifier which identifies the user of the communications device, and the variable code, wherein the second key is a secret key, and wherein the SLUK is generated by wrapping the first LUK using each of the characters in the subset, and (¶16-25, 28-32, 41, 45, 56)
Claim Interpretation- According to the disclosure(¶ 70), “The token PAN and secret key are then stored in the storage unit 208 of the communications device 104 ( the secret key being protected using , for example , a whitebox cryptographic technique ) . This completes the registration process of the communications device , and allows the user to now initiate mobile payments using the communications device .” To register, the financial institution provides the user with a token, the PAN that identifies the user’s device,  and a key. 
According to the disclosure(¶ 73, 74, 82)- “the controller 224 of the payment device 200 first generates a limited use key ( LUK ) . This is a cryptographic key , and is generated via any suitable key derivation function using the token PAN associated with the user of the communications device , a further key associated with the financial institution to which the payment device 200 is related , and a variable code… the LUK generated in step 502 is wrapped using the characters of the partial passcode so as to generated the SLUK … The characters of the partial passcode are then used to wrap the LUK in step 506 using , for example , a PBKDF2 encryption algorithm , as previously explained . The resulting SLUK is then transmitted to the communications device 104” 

a storage unit operable to store the received SLUK, the variable code, the second key associated with the user of the communications device, and the identifier which identifies the user of the communications device, wherein the second key is received by the communications device and stored by the communications device in the storage unit before receiving the SLUK from the financial institution;  (¶16-20, 24, 25-35, 41, 42, 46, 50); 

a controller operable to, in response to an operation by a user to initiate an electronic payment at a point of sale (POS) device, generate the character position in the passcode of each character in the subset, wherein the character position in the passcode of each character in the subset is determined by the predetermined algorithm on the basis of the second key, the identifier of the user of the communications device, and the variable code, as stored in the storage unit (¶16-20, 24, 25, 41, 42, 46, 58); and Page 2 of 12Serial No. 16/313,789 Attorney Docket No. MA0018 Response to Office Action Dated December 28, 2020 
Claim Interpretation- According to the disclosure (¶ 63, 64), “The partial passcode entry screen 300 displayed on a screen of the communications device following a successful exchange of NFC signaling between the communications device 104 and POS device 106 which occurs when the user attempts to pay for a product or service using the communications device 104… the partial passcode has been generated such that the user must enter the 1st , 2nd , 5th and 6th characters of the six character passcode .” The user fills in a partial passcode provided on an interface while at the merchant’s. 

a user interface operable to indicate to the user of the communications device the character position in the passcode of each character in the subset as generated by the controller and to receive an input from the user indicative of each character in the subset (¶ 46), 

wherein the controller is operable to perform an unwrapping process on the SLUK stored in the storage unit using each character indicated by the input from the user, wherein the unwrapping process generates a second LUK, and wherein the communications device comprises a transmitter unit operable to transmit the generated second LUK to the financial institution for authentication of the electronic payment (¶ 35, 46, 74).  
Claim Interpretation- According to the disclosure (¶ 88), “The unwrapping of the SLUK generates a further LUK (which may be referred to as a second LUK) which should match the LUK originally generated by the payment device 200 (which may be referred to as a first LUK — see step 502 of FIG 5. 5 ) in the case that the user has entered the correct characters of the partial passcode .”

Acar does not disclose B) a subset of the characters of a passcode associated with the user of the communications device, wherein each character in the subset is identified by its character position in the passcode, wherein the character position in the passcode of each of the characters in the subset is determined by a predetermined algorithm, receive the variable code from the financial institution.

Sama teaches (B) a subset of the characters of a passcode associated with the user of the communications device, wherein each character in the subset is identified by its character position in the passcode, wherein the character position in the passcode of each of the characters in the subset is determined by a predetermined algorithm (Abstract; ¶ 3, 8, 24, 26, 28-32, 35-37 ;claim 1)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Acar (¶ 2), which “provides some cryptographic and other security functionality”, and Sama (¶ 3), which teaches that the “technique may be employed to protect a user password from key loggers and/or from direct observation”, in order to provide further protection for user credentials in a transaction (Sama; ¶ 2-4).

Ngo teaches receive the variable code from the financial institution (¶ 10)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Acar (¶ 2), which “provides some cryptographic and other security functionality”, Sama (¶ 3), which teaches that the “technique may be employed to protect a user password from key loggers and/or from direct observation”, and Ngo (¶ 6), which “address the problem of security concerns with conducting payment transactions with a mobile communication device that does not have or does not rely on a secure element”, in order to protect the account information from malware or viruses during transactions with POS systems and financial institutions (Ngo; ¶ 3-6).
Regarding claim 2, Acar discloses wherein the receiver unit is operable to receive a message indicative of a successful electronic payment when the second LUK transmitted to the financial institution matches the first LUK generated by the financial institution and to receive a message indicative of a non-successful electronic payment when the second LUK transmitted to the financial institution does not match the first LUK generated by the financial institution (¶16-25, 28-32, 41, 45, 56).  
Regarding claim 5, Ngo teaches  wherein the first key associated with the financial institution is an Issuer Master Key (IMK), wherein the second key associated with the user of the communications device is an Advanced Standards Encryption (AES) 128 bit secret key, wherein the variable code has the format DDDNN, wherein DDD represents the number of days since a predetermined first day of the year and NN is a key sequence number ranging from 00 to 99, and wherein the identifier which identifies the user of the communications device is a Primary Account Number (PAN) associated with the user of the communications device (¶ 42, 45, 64, 73, 175, 180, 181, 193, 198)
Regarding claim 13, Acar teaches wherein following the operation by the user of the communications device to initiate an electronic payment at the POS device, the receiver unit is operable to receive a message from the POS device indicative of the payment value, and the controller is operable to determine whether or not the payment value exceeds a predetermined threshold, wherein the controller performs the unwrapping process on the SLUK using each character indicated by the input from the user to generate the second LUK, and wherein the transmitter unit transmits the generated second LUK to the financial institution only when the payment value exceeds the predetermined threshold (¶ 17, 20, 35, 45, 46, 48, 73, 75, 80, 96).  Sama teaches wherein the controller generates the character position in the passcode of each character in the subset, wherein the user interface indicates to the user of the communications device the character position in the passcode of each character in the subset and is operable to receive the input from the user indicative of each character in the subset (Abstract; ¶ 3, 8, 24, 26, 28-32, 35-37 ;claim 1).
Regarding claim 14, Acar discloses wherein the receiver unit and transmitter unit are operable to exchange signaling with the POS device using a Near Field Communication (NFC) interface and to exchange signaling with the financial institution using a longer range wireless access network (WAN) interface (¶ 35).
Claims 4, 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Acar et al. (2017/0155513) (“Acar”), in view of Sama (2011/0208964) (“Sama”), in view of Ngo et al (20150178724) (“Ngo”) and further in view of Scarisbrick et al (2014/0169554) (“Scarisbrick”).
Regarding claim 4, Acar teaches wherein the SLUK is generated by wrapping the first LUK using each of the characters in the subset of characters of the passcode, and wherein the second LUK is using each character indicated by the input from the user of the communications device (¶16-25, 28-32, 41, 45, 56). Neither Acar, Sama nor Ngo teach using a Password-Based Key Derivation Function 2 (PBKDF2) algorithm and generated using a corresponding PBKDF2 algorithm.  Scarisbrick teaches using a Password-Based Key Derivation Function 2 (PBKDF2) algorithm and generated using a corresponding PBKDF2 algorithm (¶ 59-65, 81, 82).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Acar, Sama, Ngo and Scarisbrick in order to keep track of and manage cryptographic keys (Scarisbrick; ¶ 4-6).
Regarding claim 10, Acar discloses wherein the second LUK is transmitted to the financial institution as a cryptogram, wherein the controller is operable using the second LUK, together with the second LUK, and wherein the transmitter is operable to transmit the second LUK to the financial institution via the POS device (¶ 35, 47). Scarisbrick teaches to generate a Key Check Value (KCV) wherein the transmitter unit is operable to transmit the generated KCV to the financial institution (¶ 64-84, 95, 99, 101).
Regarding claim 12, Acar discloses the second LUK (¶ 16-25).  Scarisbrick teaches wherein the KCV is generated by an algorithm comprising the following steps: (i) providing and eight zero bytes as inputs to an encryption function; and (ii) obtaining the first three bytes of the output to the encryption function, wherein the obtained first three bytes form the KCV (¶ 64-85).  
Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Acar et al. (2017/0155513) (“Acar”), in view of Sama (2011/0208964) (“Sama”), in view of Ngo et al (20150178724) (“Ngo”) and further in view of Hall (2016/0080381) (“Hall”).
Regarding claim 3, Acar teaches i) generating a cryptographic random number (CRN) by providing the second key, the identifier of the user of the communications device, and variable code(¶ 18, 25, 50).  Sama teaches wherein the predetermined algorithm for generating the character position in the passcode of each character in the subset comprises the steps of:  (i) generating a random number (ii) determining whether the generated CRN has a number of characters greater than or equal to the number of characters of the passcode associated with the user of the communications device, wherein if the generated CRN has a number of characters greater than or equal to the number of characters of the passcode, then the algorithm proceeds to step (iii), and wherein if the generated CRN does not have a number of characters greater than or equal to the number of characters of the passcode, then the algorithm repeats step (ii); 
 (iii) determining whether the generated RN has at least a predetermined number of unique characters, each of which is less than or equal to the number of characters of the passcode, wherein the predetermined number is the number of characters to be included in the subset of characters of the passcode, wherein if the number of unique characters, each of which is less than or equal to the number of characters of the passcode, is greater than or equal to the predetermined number, then the algorithm proceeds to step (iv), and wherein if the number of unique characters, each of which is less than or equal to the number of characters of the passcode, is less than the predetermined number, then the algorithm repeats step (ii) ; and (iv) determining a set of the identified unique characters, each of which is less than or equal to the number of characters of the passcode, wherein the set comprises a number of the identified unique characters equal to the predetermined number, and wherein the identified unique characters in the set indicate the character position in the passcode of each character of the passcode to be included in the subset of characters of the passcode (Abstract; ¶ 3, 8, 24, 26, 28-32, 35-37 ;claim 1). Neither Acar, Sama nor Ngo teach as inputs to a Format Preserving Encryption (FPE) function. Hall teaches as inputs to a Format Preserving Encryption (FPE) function (¶ 87, 101, 103). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Acar, Sama, Ngo and Hall in order to mitigate the risk of and verify the identity of a party to a transaction (Hall; ¶ 3-5).
Regarding claim 9, Ngo teaches wherein the second key associated with the user of the communications device is an Advanced Standards Encryption (AES) 128 bit secret key, wherein the identifier which identifies the user of the communications device is a 16 character Primary Account Number (PAN) associated with the user of the communications device, wherein the variable code has the format DDDNN, wherein DDD represents the number of days since a predetermined first day of the year and NN is a key sequence number ranging from 00 to 99, and the sum of the 16 character PAN and variable code DDDNN (¶ 42, 45, 64, 73, 175, 180, 181, 193, 198). Hall teaches wherein inputs to the FPE function that generate the CRN are the second key, and wherein the inputs to the FPE function are the AES 128 bit secret second key (¶ 87, 101, 103). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Acar, Sama, Ngo and Hall in order to mitigate the risk of and verify the identity of a party to a transaction (Hall; ¶ 3-5).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Wong et al., (US 10402814) teaches the generated LUK by a financial institution based on the PAN and a key index.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ILSE I IMMANUEL whose telephone number is (469)295-9094.  The examiner can normally be reached on Monday-Friday 9:00 am to 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEHA PATEL can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ILSE I IMMANUEL/Primary Examiner, Art Unit 3685