DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This communication is in response to the applicant’s response to the Non-Final Rejection filed on 10/22/2021. Claims 10-13 have been cancelled. Claims 1, 14, and 19 have been amended. Claims 1-9 and 14-20 are currently pending and have been examined. 

Claim Interpretation
Examiner interprets the phrase “Fast IDentity Online technique” as any method to improve online identity authentication. The FIDO Alliance has created a series of interoperable technical standards that facilitate the creation of secure and fast login experiences on websites.
	Examiner interprets the phrase ‘shared secret’ to mean: Data known to only the entities involved in a communication so that any party's possession of that data can be provided as proof of identity for authentication. The simplest form of a shared secret is a password. Other examples include private keys, long strings of characters and random numbers.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claims 1-9 are directed to a Method, claims 14-17 are directed to a CRM, and claims 18-20 are directed to a System. Therefore, claims 1-9 and 18-20 are directed to a statutory category of invention under Step 1. 

Step 2A-1: Claim 1 recites: A method of authorizing an electronic transaction, the method comprising
receiving, by a mobile device, a shared secret and a shared secret identifier, wherein 
the mobile device stores an indexed list of shared secrets from a validation platform and corresponding shared secret identifiers, 
the shared secrets including the shared secret and the shared secret identifiers including the shared secret identifier; 
receiving, by the mobile device, transaction data from a transaction terminal; 
calculating, by the mobile device, a one-way hash of data using the shared secret to generate a transaction hash value; 
generating, by the mobile device, authentication data for a transaction using the transaction hash value and the shared secret identifier; 
transmitting, by the mobile device, the authentication data for a transaction to the transaction terminal, 
receiving, by the validation platform, authentication data from the transaction terminal, 
wherein the validation platform is programmed to 
verify whether the shared secret identifier corresponds to a valid shared secret t by analyzing a flag associated with the shared secret identifier,
calculate a verification hash value by calculating a one-way hash of data using the shared secret corresponding to the shared secret identifier 
compare the transaction hash value and the verification hash value to determine if the electronic transaction is valid; and
transmit a message to an issuer computer indicating validity of the electronic transaction; and
receiving, by the mobile device, a status of the electronic transaction based on a determination performed by the validation platform.
The claim limitations under the broadest reasonable interpretation cover steps or functions that can be reasonably grouped under the category of ‘certain methods of organizing human activity’. 
	For example, the disclosure establishes the context of securing standard transaction data using encrypted passwords and secure identification data. Therefore, the claim limitations appear to recite an abstract idea, as highlighted above, which is consistent with the authorizing, receiving, calculating, generating, and transmitting aspects of certain methods of organizing human activity.
If a claim limitation, under its broadest reasonable interpretation, covers performance of
Mathematical concepts, mental processes, or certain methods of organizing human activity (fundamental economic principles, commercial or legal interactions, or managing personal behavior), then it falls within the grouping of abstract ideas. The invention recites a method that allows an entity to conduct a secure transaction using passwords and secrets to protect private information. The user sends transaction data to a merchant who compare hidden data through a third party (authorization server). Accordingly, the claims recite an abstract idea. 
	Independent Claims 14 and 18 recites similar features in system form, and therefore are evaluated under the same rationale. 



Step2A-2
	The judicial exception is not integrated into a practical application. The additional elements in the claims (i.e. mobile device, electronic transaction, programming, terminal, hash) are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer component. Nothing in the specification shows that what is described in claim 1 (method), a claim 18 (system) and claim 14 (CRM) integrates a judicial exception into the practical application or an improvement upon the uses of an electronic device for typical functions. Recitation of the words "apply it" (or an equivalent) are no more than mere instructions to implement an abstract idea or other exception on a computer. As explained by the Supreme Court, in order to transform a judicial exception into a patent-eligible application, the additional element or combination of elements must do "‘more than simply state the [at a computer system] while adding the words ‘apply it’". Thus, for example, claims that amount to nothing more than cite an instruction to apply the abstract idea using a generic computer do not render an abstract idea eligible. The invention does not introduce an improvement on the process but only incorporates a computer to automate the process previously mentioned. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.

Step 2B
The claimed invention is directed to an abstract idea without significantly more. This judicial exception is not integrated into a practical application because: 
The claims 1, 18 and 14 do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the ‘authorizing, receiving, calculating, generating, and transmitting’ steps amounts to 

Dependent claim analysis:
Dependent claims 2 and 15 recite “the mobile device receives a plurality of shared secrets and a plurality of shared secret identifiers, each shared secret identifier corresponding to a respective shared secret, and wherein the authentication data comprises the shared secret identifier corresponding to the shared secret used in the calculation of the hash value.” 
This limitation specifies the informational content of a message used to complete a payment (for example: multiple passwords and user data in order to verify identity) and thereby simply elaborates on the abstract idea identified in the claims above. There are no new additional elements in claims 2 or 15 for further consideration under Step 2A.2 or Step 2B. Therefore, claims 2 and 15 are patent ineligible.
Dependent claim 3 further recites “the mobile device receives the shared secret and the shared secret identifier via a first communication link, and wherein the mobile device transmits the authentication data via a second communication link different from the first communication link.” 
This limitation specifies how the information is to be shared and thereby simply elaborates on the abstract idea identified in the claims above. Concerning the first and second communications link, a communications link is a wireless communications link simply states the ways and means that information is shared on the network. There are no new additional 
Dependent claims 4 and 19 further recite “the first communication link communicates data using the Internet Protocol.” 
This limitation specifies how the information is to be shared and thereby simply elaborates on the abstract idea identified in the claims above. Concerning internet protocol, Internet Protocol being the ways and means that information is shared on the internet. There are no new additional elements in claims 4 or 19 for further consideration under Step 2A.2 or Step 2B. Therefore, claims 4 and 19 are patent ineligible.
	Dependent claims 5 and 20 further recite “wherein the second communication link is a wireless communication link.” This limitation specifies how the information is to be shared and thereby simply elaborates on the abstract idea identified in the claims above. Concerning a second communications link, a communications link is a wireless communications link simply states the ways and means that information is shared on the network. There are no new additional elements in claims 5 or 20 for further consideration under Step 2A.2 or Step 2B. Therefore, claims 5 and 20 are patent ineligible.
Dependent claim 6 further recites “the second communication link communicates data using a Near Field Communication protocol.” 
This limitation specifies how the information is to be shared and thereby simply elaborates on the abstract idea identified in the claims above. Concerning a second communications link, a communications link uses a near-field communications protocol simply states the ways and means that information is shared on the network. There are no new additional elements in claim 6 for further consideration under Step 2A.2 or Step 2B. Therefore, claim 6 is patent ineligible.

This limitation specifies how the user’s identity is to be verified and thereby simply elaborates on the abstract idea identified in the claims above. There are no new additional elements in claims 7 or 16 for further consideration under Step 2A.2 or Step 2B. Therefore, claims 7 and 16 are patent ineligible.
Dependent claims 8 and 17 further recite “verifying of the identity of the user comprises using a Fast Identity Online technique.” 
This limitation specifies how the user’s identity is to be verified and thereby simply elaborates on the abstract idea identified in the claims above. Fast Identity Online technique has been defined as any method to improve online identity authentication. There are no new additional elements in claims 8 or 17 for further consideration under Step 2A.2 or Step 2B. Therefore, claims 8 and 17 are patent ineligible.
Dependent claim 9 further recites “the transaction comprises a contactless payment transaction, the payment terminal comprises a contactless payment terminal and the mobile device comprises a contactless payment device.” 
This limitation specifies how the information is to be shared and thereby simply elaborates on the abstract idea identified in the claims above. Concerning a contactless payment transaction or terminal, a communications link is a wireless communications link simply states the ways and means that information is shared on the network. There are no new additional elements in claim 9 for further consideration under Step 2A.2 or Step 2B. Therefore, claim 9 is patent ineligible.
Further, viewing the claim limitations as an ordered combination does not add anything further than looking at the claim limitations individually. When viewed, either individually or as an ordered combination, the additional claim limitations do not amount to a claim that, as a 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4-7, 9 and 14-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schibuk (US20120191615) and Pinkas et al (US20040058952) “Pinkas”.

Regarding claim 1, Schibuk teaches: A method of authorizing an electronic transaction, the method comprising:
	receiving, by a mobile device (e.g. authentication device), a shared secret (e.g. encryption seeds) and a shared secret identifier (e.g. sequence number) [ ], wherein (Fig. 7B, [0079] FIG. 7B is a schematic block diagram showing the server-facing processes of the exemplary merchant transaction of FIG. 7A. Processes 742 and 744 are shown, as in FIG. 7A. As before, the merchant transmits a message to the authentication service (credit issuer) in process 742. Recall that the message contains a cipher (and sequence number), a purchase amount, a purchaser identifier other than the credit or debit account number, and merchant identification data (e.g. a merchant account number).
	the mobile device stores an indexed list of shared secrets (e.g. encryption seeds) and corresponding shared secret identifiers (e.g. sequence numbers), the shared secrets including the shared secret and the shared secret identifiers including the shared secret identifier; (Fig. 7A, [0044] The authentication device may store a pool or cache of encryption seeds to reduce the number of initialization requests that must be made. The authentication device may request a number of seeds in response to user input, or it may do so automatically. [0076] To complete process 732, the authentication device creates a message containing the cipher generated by the token facility and the sequence number, if any, and transmits the message to the merchant.)
	receiving, by the mobile device, transaction data (e.g. transaction parameters) from a transaction terminal (e.g. merchant terminal); ([0071] In process 722, the merchant device establishes transaction parameters, such as a cost and a stock keeping unit (SKU) of an item or service for sale. The merchant terminal transmits this transaction-specific information to the authentication device using the secure local link). 
	calculating, by the mobile device (e.g. authentication device), a one-way hash (e.g. mathematical function) of data using the shared secret to generate a transaction hash value (e.g. transaction cipher); (Fig. 7A, [0074] Once the shared secret is unlocked, the token facility applies a mathematical function to the shared secret in order to create a transaction cipher.
	generating, by the mobile device, authentication data (e.g. message) for a transaction using the transaction hash value (e.g. cipher) and the shared secret identifier (e.g. sequence number); ([0076] To complete process 732, the authentication device creates a message containing the cipher generated by the token facility and the sequence number, if any, and transmits the message to the merchant.)
	transmitting, by the mobile device, the authentication data (e.g. message) to the transaction terminal (e.g. merchant), ([0076] To complete process 732, the authentication device creates a message containing the cipher generated by the token facility and the sequence number, if any, and transmits the message to the merchant. [0077] The merchant terminal receives the message in process 740. In process 742, the merchant forwards the message to the authentication service as a transaction request, along with data identifying the merchant to the authentication service).
	receiving, by the mobile device, a status of the electronic transaction based on a determination performed by the validation platform (e.g. authentication service such as the issuer),  (Fig. 5, [0061] In process 540, the issuer stores a database record including the ticket, the identifying data, and the pre-authorization data. At this point, the issuer may return a status code to the authentication device, indicating whether the transaction was successfully pre-authorized. [0068] To verify the individual's identity, the merchant requests that the authentication device create an encrypted message that only that particular individual and device can generate. The merchant then verifies the identity of the individual by sending the message to a trusted authentication service, such as that of the issuer.)


	Schibuk does not explicitly teach: 
	receiving, by the validation platform, authentication data from the transaction terminal,
wherein the validation platform is programmed to 
	verify whether the shared secret identifier corresponds to a valid shared secret by analyzing a flag associated with the shared secret identifier,	
	the validation platform being programmed to verify whether the shared secret identifier corresponds to a valid shared secret,
	calculate a verification hash value by calculating a one-way hash of data using the shared secret corresponding to the shared secret identifier, and
	compare the transaction hash value and the verification hash value to determine if the transaction is valid; and

However, Pinkas teaches at least: 
	receiving, by the validation platform (e.g. escrow server), authentication data from the transaction terminal, ([0076] Thus, in other preferred embodiments, a verification method is used that does not require the escrow server to store data about the content files. This verification method is based on the escrow server comparing hash values of a certified copy of the encoded blocks with the values it receives from a receiver.)
wherein the validation platform is programmed to 
	verify whether the shared secret identifier (e.g. .alpha.) corresponds to a valid shared secret (e.g. encrypted content) by analyzing a flag (e.g. value) associated with the shared secret identifier, ([0030] Assume now that the values [.alpha., .beta.] that escrow server 104 holds do not correspond to the encrypted content 105 and to the corresponding decryption key (for purposes of discussion, assume that the content is defined in the "setting 
	the validation platform (e.g. escrow server) being programmed to verify whether the shared secret identifier (e.g. .alpha.) corresponds to a valid shared secret (e.g. encrypted content), (Fig. 1, [0029]-[0030] Assume that the values [.alpha., .beta.] that are held by the escrow server 104 correspond to the hash of the encrypted content and to the decryption key 106. If the receiver 102 receives E.sub.K(C) from sender 100, then the protocol ensures that the receiver 102 receives the key 106 from the escrow server 104 which enables it to decrypt the content.)
	calculate a verification hash value by calculating a one-way hash of data using the shared secret corresponding to the shared secret identifier, and ([0030] Assume now that the values [.alpha., .beta.] that escrow server 104 holds do not correspond to the encrypted content 105 and to the corresponding decryption key (for purposes of discussion, assume that the content is defined in the "setting terms" stage). If the receiver 102 receives a value that is not hashed to alpha, then receiver 102 is not required to pay, as described above. However, it might be the case that the receiver 102 receives a value which does hash to alpha, and later, after paying and receiving key 106, receiver 102 finds out that the decryption of this value with the key 106 is not content 105.)
	compare the transaction hash value and the verification hash value to determine if the electronic transaction is valid; and (Fig. 1, [0029]-[0030] Assume that the values [.alpha., .beta.] that are held by the escrow server 104 correspond to the hash of the encrypted content and to the decryption key 106. If the receiver 102 receives E.sub.K(C) from sender 100, then the protocol ensures that the receiver 102 receives the key 106 from the escrow server 104 which enables it to decrypt the content.)
	transmit a message to an issuer computer indicating validity of the electronic transaction; and ([0023] Receiver 102 then sends the required payment 110 to 
	It would be obvious to one skilled in the art before the effective filing date of the claimed invention to modify Schibuk with the reverse verification of Pinkas specifically in the communication between the mobile device and the validation platform. Pinkas’ use of multiple accuracy checks with various devices means more options and the higher probability of fast and secure transactions for the buyer and seller. As Pinkas states:
“[Abstract] Systems and methods are provided for performing transactions and managing communications using a trusted third party. In one embodiment, a sender transfers an encrypted version of a file (such as a digitally encoded audio track, movie, document, or the like) to someone who wishes to receive it. The receiver computes a first hash of at least a portion of the encrypted data content, and sends the first hash to a third party configured to compare at least a portion of the first hash to at least a portion of a second hash. The receiver receives a file decryption key from the third party, and decrypts at least the portion of the received encrypted data content with the decryption key. In some cases, multiple hashes of the encrypted data content may be computed, each using a different portion of the encrypted data content.”

 	In regards to claims 14 and 18, CRM claim 14 and System claim 18, correspond generally to claim 1 and recites similar features in method form, and therefore is rejected under the same rationale.

Regarding claim 2, Schibuk further in view of Pinkas teaches: The method according to claim 1, wherein 
	the mobile device receives the shared secrets and the shared secret identifiers, each shared secret identifier corresponding to a respective shared secret, and wherein ([0075] For additional security, the shared secret may be a list of transaction ciphers, such as a one-time pad. A one-time pad may be created by repeatedly executing a PRNG, by sampling a non-deterministic physical noise source, or by any other method. In embodiments that use a one-time pad, process 732 indexes the list according to the sequence number to select the cipher).


Regarding claim 4, Schibuk further in view of Pinkas teaches: The method according to claim 3, wherein 
	the first communication link communicates data using an Internet Protocol ([0076] However, if the improved Internet embodiment is used to facility a CNP transaction, a digitally signed MAC address or an Internet Protocol (IP) address may be included to ensure security of the message through the data communication network).
In regards to claim 19, System claim 19 corresponds generally to Method claim 4 and recites similar features in method form, and therefore is rejected under the same rationale.

Regarding claim 5, Schibuk further in view of Pinkas teaches: The method according to claim 3, wherein 
	the second communication link is a wireless communication link ([0036] FIG. 1 is a block diagram showing functional components of a system in accordance with an embodiment of the invention that processes card present (CP) credit or debit transactions. [0031] A "card present transaction" (CP transaction) is a credit or debit transaction in which a purchaser must present a physical credit or debit card to a seller at a point of sale, such as a retail store, to complete the transaction. A transaction acquiring device typically is used to scan a magnetic strip or a chip on the presented card to automate the process of inputting the PAN into a merchant transactional system. While magnetic scanners are commonplace, other systems known in the art, such as RFID or near field communications, may be used to read the PAN).
In regards to claim 20, System claim 20 corresponds generally to Method claim 5 and recites similar features in method form, and therefore is rejected under the same rationale.
Regarding claim 6, Schibuk further in view of Pinkas teaches: The method according to claim 5, wherein 
the second communication link communicates data using a Near Field Communication protocol (Fig. 7, [0070] In process 720, the merchant terminal establishes secure two-way data communication with the authentication device. Communication may be by way of Bluetooth, near-field communication, cellular communication, physical contact, radio-frequency communication, or a wired connection (for example).

Regarding claim 7, Schibuk further in view of Pinkas teaches: The method according to claim 1, further comprising 
	verifying an identity of a user of the mobile device, wherein ([0070] During this process, the merchant terminal may request the identity or contact information of the credit issuer--it is not necessary for the merchant to request the individual's credit card number or bank account number).
	the data used to calculate the transaction hash value further comprises information relating to the identity verification ([0072] In process 730, the authentication device receives this message, and requires the individual to provide information unique to the individual, such as a password or biometric information in order to confirm the transaction. For example, a message box may appear on the individual's smartphone, asking whether to proceed and providing YES and NO choices. If the individual is not already logged into the phone, the phone must first be unlocked using information unique to the individual. In this way, the system guarantees that only the correct individual (that is, the one who is able to unlock the phone) may generate a proper cipher. [0073] In process 732, once the individual has entered this information and agreed to the transaction, the shared secret is unlocked).
In regards to claim 16, System claim 16 corresponds generally to Method claim 7 and recites similar features in method form, and therefore is rejected under the same rationale.
Regarding claim 9, Schibuk further in view of Pinkas teaches: The method according to claim 1, wherein 
	the transaction comprises a contactless payment transaction, the transaction terminal comprises a contactless payment terminal and the mobile device comprises a contactless payment device (Fig. 1, Item 110 and Item 130).

Claims 3, 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Schibuk (US20120191615) and Pinkas et al (US20040058952) “Pinkas”, and further in view of Le Saint (US20160065370).

Regarding claim 3, Schibuk further in view of Pinkas does not explicitly teach ‘two separate communication links’, however, Le Saint teaches at least ‘two separate communication links’: The method according to claim 1, wherein 
	the mobile device receives the shared secret and the shared secret identifier via a first communication link, and wherein ([0177] The server computer may use the ephemeral mobile public key (ePubM) and a server private key (PrivS) to generate a shared secret) (Z.degree, using an elliptic curve Diffie-Hellman function (ECDH). The shared secret may be known by both the user device and the server computer at both ends of the secure channel. The shared secret can be based on server negotiated parameters, algorithm, and/or server certificate choices. In some embodiments, the shared secret (Z.sup.o) can include the second (response) shared secret discussed herein).
	the mobile device transmits the authentication data via a second communication link different from the first communication link ([0181] The SUK may be used to determine a cryptogram key (CK) that is used to encrypt registration data (e.g., one-time password (OTP)) generated by the server computer 1004 and transmitted to user device 1002 over a secondary channel. The secondary channel may be separate from the secure 
	It would be obvious to one skilled in the art before the effective filing date of the claimed invention to modify Schibuk, the reverse verification of Pinkas with the communication systems of Le Saint. Le Saints use of multiple communications channels for a mobile device to perform transactions is a benefit as most mobile phones are already equipped with multiple ways of communicating with various devices. More channels means more options and the higher probability of fast and successful transactions.

Regarding claim 8, Schibuk further in view of Pinkas does not explicitly teach the ‘Fast Identify Online Technique’, Le Saint teaches at least ‘Fast Identify Online Technique’: The method according to claim 7, wherein 
	the verifying of the identity of the user comprises using a Fast Identity Online technique ([0131-0136] The user device identifier may include any data suitable to identify user device. Identification data may include any data or information associated with a user or user device. Examples of identification data may include a name of a user associated with user device, an organization associated with user device, payment information such as a primary account number (PAN) or token associated with user device, an expiration date associated with the PAN or token, a certificate associated with user device, an IMEI or serial number of user device, etc.).	
(e.g., OTP) using the cryptogram key to verify the validity of the registration cryptogram).
	It would be obvious to one skilled in the art before the effective filing date of the claimed invention to modify Schibuk, the reverse verification of Pinkas with the communication systems of Le Saint. Le Saints use of multiple communications channels for a mobile device to perform 
	In regards to claim 17, System claim 17 corresponds generally to Method claim 8 and recites similar features in method form, and therefore is rejected under the same rationale.

Response to Arguments
	Applicant argues on pages 8 and 9 of the response that the Examiner has not correctly applied the 2019 PEG guidance concerning step 2A-prong 1. 
	Examiner acknowledges applicant’s arguments but respectfully disagrees. The claims, with the computer automation removed [two entities using a cipher to verify the validity of transmitted data (i.e. authenticate) and transmit a response] fall reasonably within the grouping of ‘certain methods of organizing human activity’. The method of validating a transaction using shared secret data is clearly a business practice and one that can be performed by a group of individuals.

	Applicant argues on pages 9-11 of the response that the Examiner has not correctly
applied the 2019 PEG guidance concerning step 2A-prong 2 by claiming the additional elements
amount to significantly more than the judicial exception.
	Examiner acknowledges applicant’s arguments but respectfully disagrees. Applicant has not shown additional elements or a combination of elements that apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception. 
	The claim as a whole merely describes how to generally “apply” the concept of two entities using a cipher to verify the validity of transmitted data. The claimed computer 
	Applicant argues specifically:
The claims are not abstract, since the claims as a whole provide for improved computer security, which has been held to be "non-abstract computer functionality." The recited steps provide a specific improvement to computer security, which the Federal Circuit has held to be a "non-abstract computer functionality improvement if done by a specific technique that departs from earlier approaches to solve a specific computer problem." (Ancora Techs. Inc. v. HTCAmerica, Inc., 908 F.3d 1343, 1348 (Fed. Cir. 2018)). See also Tecsec, Inc. v. Adobe Inc., 978 F.3d. 1278 (Fed. Cir. 2020). The claim at issue an Ancora addressed "vulnerability of license-authorization software to hacking." In Ancora, the CAFC up-held claims requiring use of a modifiable portion of particular computer capacity to prevent running software on an unauthorized computer. Similarly here, the claims recite a "validation platform" i.e., an entity that generates shared secrets, and is separate and independent from the issuer computer.”

	Examiner acknowledges applicant’s arguments but respectfully disagrees. Applicant has not shown an improvement in computer technology only the application of a computer program to validate transmitted data. Further Ancora Techs Inc. V. AHT America deals with computer hardware and is therefore not analogous to the instant application.

	Applicant argues on pages 11-13 of the response that the Examiner has not correctly applied the 2019 PEG guidance concerning step 2B.
	Examiner acknowledges applicant’s arguments but respectfully disagrees. Example 21 is not factually analogous to the present claim 1. Applicant argues that the claimed features of the present application are similar to the claimed features of Example 21. Example 21 is related to an improvement in communication technology and is not analogous to using computer automation to automate an abstract idea.  DDR Holdings is also not analogous to the present 

	Applicant argues on pages 13-15 of the response that the ‘validation platform’ and the ‘issuer computer’ must be separate entities. 
	Examiner acknowledges applicant’s arguments and based on the filed amendments finds the arguments persuasive. Examiner has searched the prior art and has found sections of the prior art that more closely align with the instant application. 
	Applicant argues on pages 15-16 of the response that ‘the combination of Schibuk/Pinkas does not teach or suggest the amended feature “wherein each shared secret is used in at most one electronic transaction”.’
	Examiner acknowledges applicant’s arguments but respectfully disagrees. ‘wherein each shared secret is used in at most one electronic transaction’ is not an amended feature. Therefore the argument is moot.
	Applicant further argues on page 16 of the response that: 
	In contrast, in the current independent claims, a validity of a shared secret is determined by analyzing a value of a flag associated with an identifier associated with the shared secret. Applicant respectfully submits that the feature of analyzing a flag associated with an identifier does not correspond to the feature of matching hashed content as described by Pinkas.
	
	Examiner acknowledges applicant’s arguments but respectfully disagrees. Matching hashed content is merely comparing ordinal values to each other in order find similarities. Examiner maintains that the comparison is reasonable as according to BRI only two values are being compared. Further Pinkas is explicit in showing that Hash values are being compared: Fig. 1, [0029]-[0030] Assume that the values [.alpha., .beta.] that are held by the escrow server 104 correspond to the hash of the encrypted content and to the decryption key 106. If the receiver 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Each of the prior art listed in the PTO-892 and not directly recited in this office action, disclose anticipation and/or obviousness to combine concerning the applicant’s claims and are therefore included [Kirsch, Steven (US-20120324242) - Method for fully encrypted repository; Sweet, Carson (US-20130042115) - Implementing Security in a Cloud Environment; Cowen, Michael (US-20140279309) - History Driven Counterfeit Fraud Risk Management; Patel, Paresh (US-20150170145) - Method for Transmitting Interrupted Transactions; Marien, Dirk (US-9124433) - Remote Authentication and Transaction Signatures; Mehta, Gaurang Pankaj (US-9344427) - Facilitating multiple authentication ; Carrer, Marco (US-20160285628) - Trusted Provisioning and Authentication].
	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.N.M./Examiner, Art Unit 3685                                                                                                                                                                                                        
/PATRICK MCATEE/Supervisory Patent Examiner, Art Unit 3685