DETAILED ACTION
Acknowledgements
This Office Action is in reply to Applicant’s original application filed 05 Sept. 2019.  
Claims 1–20 are currently pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 U.S.C. § 101
35 U.S.C. § 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1–20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to an abstract idea without significantly more.  
Exemplary claim 11 is directed to an abstract idea of authenticating a user, participating in a transaction with a merchant, via a third party using a secret known to the user and third party, which is a fundamental economic practice, mental process, and/or certain methods of organizing human activity (e.g., mitigating risk). 
The abstract idea is set forth or described by the following limitations: 
(1) receiving, from a merchant [ ], an authentication request, the authentication request comprising at least a payment card identifier,
(2) generating an authentication code associated with the [ ] transaction for authenticating the customer,

(4) transmitting [or sending], the authentication code for transmission to the customer and an indication of the payment card to an issuer [ ];
(5) receiving, from the merchant [ ], a customer entered authentication code which was entered by the customer [ ];
(6) determining if the customer entered authentication code matches the stored authentication code; and 
(7) if the customer entered authentication code matches the stored authentication code: 
(a) generating an authentication indication; 
(b) storing, in the payment [ ] database, the authentication indication as a stored authentication indication; and 
(c) transmitting [or sending], to the merchant [ ], an authentication response comprising the authentication indication.  
Limitations (1)–(7) represent a fundamental economic practice, mental process, and/or certain methods of organizing human activity. Therefore, limitations (1)–(7) fall within the subject matter groupings of abstract ideas enumerated in Section I of the 2019 Revised Patent Subject Matter Eligibility Guidance.
Claim 11 does not include additional elements (when considered individually, as an ordered combination, and/or within the claim as a whole) that are sufficient to integrate the abstract idea into a practical application. Particularly, implementing the issuer or merchant as a “server” amounts to the mere use of a generic computer to implement, at least in part, the abstract idea. Furthermore, implementation with a server(s), a “network” database, and “e-
Claim 11 does not include additional elements, when considered individually and as an ordered combination, that are sufficient to amount to significantly more than the abstract idea. Particularly, implementing the issuer or merchant as a “server” amounts to the mere use of a generic computer to implement, at least in part, the abstract idea. Furthermore, implementation with a server(s), a “network” database, and “e-commerce” transaction amounts to mere field of use limitations and/or limitations that place the abstract idea into a particular technological environment. Furthermore, the use of “a merchant website associated with the merchant server” for entry of the code is not given patentable weight because it does not affect the “receiving … a customer entered authentication code” step in a manipulative sense. Even if it were given patentable weight, using a website for entry of a code amounts to using a generic computer component as a tool to implement the abstract idea.
Dependent claims 12–19 fail to cure this deficiency of independent claim 11 (set forth directly above) and are rejected accordingly. Particularly, recite additional limitations that represent, in addition to elements (1)–(7) noted above, either the abstract idea, extra-solution activity, limit the abstract idea to a particular technological environment, language that is not afforded patentable weight. For example, claim 12 recites additional language of the abstract idea, besides the additional elements already discussed above. Also, for example, claim 13 
Claims 1–10 and 20 contain language similar to claims 11–19 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 1–10 and 20 are also rejected under 35 U.S.C. § 101. Claims 1–10 and 20 do not include additional elements that provide a practical application or that are sufficient to amount to significantly more than the abstract idea. Particularly, in addition to the additional elements discussed above with respect to claim 11, the “payment network server … comprising at least a computer processor and a data storage device, the data storage device comprising instructions operative by the processor” of claim 1 is merely using a generic computer as a tool to implement the abstract idea. The same can be said for the “non-transitory computer-readable medium” of claim 20.
Claim Rejections - 35 U.S.C. § 112(d)
The following is a quotation of 35 U.S.C. § 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claim 20 is rejected under 35 U.S.C. § 112(d) as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  
Claim 20 recites “A non-transitory computer-readable medium having stored thereon program instructions for causing at least one processor to perform the method according to claim 11.” The recitation of “for causing at least one processor to perform the method” is part of a functional language recitation describing the capability of the “instructions,” not a recitation of actual execution resulting in active method steps. Since no active steps are recited, claim 20, 
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Claim Rejections - 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1–4, 6–14, and 16–20 are rejected under 35 U.S.C. § 103 as being unpatentable over Groarke et al. (US 2016/0140558 A1) (“Groarke”), in view of Telle et al. (US 2012/0011066 A1) (“Telle”) and Lee et al. (EP 3 062 270 A1) (“Lee”).
As per claim 11, Groarke teaches a computerised method for processing an e-commerce transaction initiated by a customer, the method comprising:
receiving, from a merchant server, an authentication request, the authentication request comprising at least a payment card identifier ([0023] “merchant server then generates a payer authentication request (‘PAReq’) message to authenticate the consumer (payer) for that particular online purchase and transmits 213 the PAReq message directly to the ACS 208 (by using the ACS address) for cardholder authentication”; [0007] “MPI 108 creates a payer authentication request message which is transmitted back to the ACS 112”);



receiving, from the merchant server, a customer entered authentication code which was entered by the customer into a merchant website associated with the merchant server ([0008] “the consumer enters the private code and the cardholder’s browser then redirects 109 the information to the ACS 112 for authentication”);
determining if the customer entered authentication code matches the stored authentication code ([0008] “If the private code is correct, then the cardholder is authenticated, an accountholder authentication variable (‘AAV’) is returned to the MPI 108 of the merchant server 106”); and 
if the customer entered authentication code matches the stored authentication code ([0024] “If the ACS 208 successfully authenticates the cardholder …”; [0008]): 
generating an authentication indication ([0024] “generates a positive authentication result message, which in some embodiments may be a positive payer authentication response (‘PARes’) message which includes a Universal Cardholder Authentication Field (‘UCAF’)”); 
storing, in the payment network database, the authentication indication as a stored authentication indication ([0024] “securely stores 219 the PARes message (which includes the UCAF and other transaction data) in the transaction database 212”); and 

Groarke does not expressly disclose:
generating an authentication code associated with the e-commerce transaction for authenticating the customer,
storing, in a payment network database, the authentication code as a stored authentication code; and
transmitting, the authentication code for transmission to the customer and an indication of the payment card to an issuer server.
Telle teaches:
generating an authentication code associated with [an] e-commerce transaction for authenticating [a] customer ([0086] “access control server (ACS) 440 receives 530 the PAReq message. In response to the PAReq message … generates 535 a one-time password (OTP) for the financial transaction”);
storing, in a payment network database, the authentication code as a stored authentication code ([0039] “storing the OTP in a database”); and
transmitting, the authentication code for transmission to the customer 
Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made, to modify Groarke to include generating, storing, and transmitting an authentication code, as taught by Telle. One would have been motivated to do so to “provide increased security in financial card transactions” (Telle, [0028]).
Groarke/Telle does not expressly teach that the transmitting the authentication code for transmission to the customer is transmitting to an issuer server, as claimed.
However, Lee teaches transmitting [an] authentication code for transmission to [a] customer and an indication of [a] payment card to an issuer server ([0177]).
Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made, to modify Groarke/Telle to include transmitting the authentication code and indication (inherent) to the issuer server (i.e., issuer computer 218). One would have been motivated to do so in order to protect registered personal information of cardholder (e.g., mobile phone number, email address, etc.), used for transmission of authentication code, by only maintaining such information at the issuer holding cardholder’s account.
Furthermore, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself – that is in the substitution of the communication path of Lee for the communication path of Groarke/Telle. Thus, the simple substitution of one known element for another, producing predictable results, renders the claim obvious.

receiving, from the merchant server, a transaction request ([0025] “purchase transaction authorization request”) comprising a received authentication indication, the payment card identifier and a payment amount associated with the e-commerce transaction (Groarke, [0024]);
determining if the received authentication indication matches the stored authentication indication (Groarke, [0027]);
generating an on-behalf service message if the received authentication indication matches the stored authentication indication, the on-behalf service message indicating that the e-commerce transaction has been authenticated (Groarke, [0027]–[0029]);
transmitting, to the issuer server, an authorisation request comprising the on-behalf service message, the indication of the payment card and the payment amount (Groarke, [0027]–[0029]);
receiving, from the issuer server, an authorisation response indicating if the e-commerce transaction is authorised or refused (Groarke, [0027]–[0029]); and
transmitting, to the merchant server, a transaction response indicating whether the e-commerce transaction is approved or refused, the e-commerce transaction is approved if it is authorized (Groarke, [0027]–[0029]).
As per claim 13, Groarke, Telle, and Lee teach the method of claim 11, wherein the merchant website is designed using an application programming interface associated with the payment network server (Groarke, [0025]).

As per claim 16, Groarke, Telle, and Lee teach the method of claim 11, wherein the authentication code is a one-time password (Telle, “OTP”).
As per claim 17, Groarke, Telle, and Lee teach the method of claim 11, wherein the authentication code is valid for a predetermined authentication code time period.
As per claim 18, Groarke, Telle, and Lee teach the method of claim 11, wherein the authentication indication is valid for a predetermined authentication indication time period (Groarke, [0026]).
As per claim 19, Groarke, Telle, and Lee teach the method of claim 18, wherein the predetermined authentication indication time period is determined by the issuer server (Groarke, [0026]).
Claims 1–4, 6–10, and 20 contain language similar to claims 11–14 and 16–19 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claims 1–4, 6–10, and 20 are also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Claims 5 and 15 are rejected under 35 U.S.C. § 103 as being unpatentable over Groarke, Telle, and Lee, in view of Shanmugam (US 2017/0300895 A1).
As per claim 15, Groarke, Telle, and Lee teach the method of claim 11, but do not expressly teach, however, Shanmugam teaches wherein [a] payment card identifier is in the form of a token, the method further comprises identifying, using [a] payment network database, a 
Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made, to modify Groarke/Telle/Lee to include token features taught by Shanmugam. One would have been motivated to do so in order to add layer of protection to PAN.
Claim 5 contains language similar to claim 15 as discussed in the preceding paragraphs, and for reasons similar to those discussed above, claim 5 is also rejected under 35 U.S.C. § 103 as unpatentable over the cited references.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB C. COPPOLA whose telephone number is (571)270-3922. The examiner can normally be reached Monday-Friday 8:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patrick McAtee can be reached on (571) 272-7575. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 
/JACOB C. COPPOLA/Primary Examiner, Art Unit 3685