DETAILED ACTION
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
This action is in reply to the first amendment to non-final filed on October 12, 2021.
Claims 1, 4, 9, 12, 17, and 20 have been amended and are hereby entered.
Claims 2, 3, 5–8, 10, 11, 13–16, 18, and 19 have been canceled.
Claims 1, 4, 9, 12, 17, and 20 are currently pending and have been examined.
This action is made FINAL.
Response to Amendment
The amendment filed October 12, 2021 has been entered.  Claims 1, 4, 9, 12, 17, and 20 remain pending in the application.
Claim Rejections - 35 USC § 101
The following is a quotation of 35 U.S.C. 101:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
	
Claims 1, 4, 9, 12, 17, and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
First of all, claims must be directed to one or more of the following statutory categories: a process, a machine, a manufacture, or a composition of matter.  Claims 1 and 4 are directed to a 
Claims 1, 4, 9, 12, 17, and 20, however, are directed to an abstract idea without significantly more.  For claim 1, the specific limitations that recite an abstract idea are:
receiving, . . . an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure;
in response to receiving the attestation request message, transmitting, . . . an attestation response message . . ., wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure; 
receiving . . . a policy message, the policy message comprising a policy ruleset for determining whether a transaction is authorized . . . for authenticating an identity of the user involved in the transaction; . . .
. . . calculate an authentication score . . ., wherein the authentication score comprises an indication of whether an identity of the user is authenticated . . .; 
determining . . . in the trusted execution environment, based on the authentication score, whether the transaction satisfies the policy ruleset for determining authorization of the transaction; 
in response to determining that the transaction satisfies the policy ruleset for determining authorization of the transaction, transmitting, . . . a transaction authorization status message; and
receiving, . . . a transaction authorization decision message . . . based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
The claims, therefore, recite authenticating a user transaction, which is the abstract idea of methods of organizing human activity because they recite a commercial interaction and the fundamental economic practice of mitigating risk.  The additional elements of the claims are various generic computer components to implement this abstract idea (“processor”, “smartcard”, “point-of-sale (POS) device”, “user device”, “machine learning algorithm”, “biometric measurement”, “biometric sensor”, and “smartcard”).
The additional elements are not integrated into a practical application because the invention merely applies the abstract idea to generic computer technology, using the computer to send and receive data and perform authentication.  Claim 1 does introduce a more specific technology, machine learning algorithm, but again, this is merely being used as a generic tool to implement the abstract idea above.  The machine learning process only provides an alternative means for authenticating the user identity, rather than creating any type of improvement to the technology 
Finally, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, as discussed above, the additional elements are at a high level of generality such that they amount to no more than mere instructions to apply the abstract idea using generic components.  Because merely “applying” the exception using generic computer components cannot provide an inventive concept, claim 1 is not patent eligible.
Independent claims 9 and 17 are rejected as ineligible subject matter under 35 U.S.C. 101 for substantially the same reasons as independent method claim 1.  There are no additional elements recited in these claims other than the generic computer parts discussed above.  The only differences are that the steps of claim 1 are performed by a system in claim 9 and implemented by computer program instructions in claim 17.  Thus, because the same analysis should be used for all categories of claims, claims 9 and 17 are also not patent eligible.  See Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 134 S. Ct. 2347, 2354 (2014).
Dependent claims 4, 12, and 20 have been given the full two part analysis, analyzing the additional limitations both individually and in combination.  The dependent claims, when analyzed individually and in combination, are also held to be patent ineligible under 35 U.S.C. 101.  
For claims 4, 12, and 20, the additional limitations of these claims merely recite additional steps that amount to no more than insignificant extra-solution activity.  These claims recite receiving a certificate and an attestation request message.  The limitations of these claims fail to integrate the abstract idea into a practical application because these steps amount to no more than mere data gathering, which is insignificant extra-solution activity.  See, e.g., MPEP 2106.05(g) (citing CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375 (Fed. Cir. 2011); Intellectual Ventures I LLC v. Erie Indem. Co., 850 F.3d 1315, 1328–29 (Fed. Cir. 2017)).  Finally, the additional recited limitations of the dependent claims fail to amount to significantly more than the judicial exception because the courts have found mere data gathering to be well-understood, routine, and conventional activity.  See, e.g., MPEP 2106.05(d) (citing buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355 (Fed. Cir. 2014); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1362–1363 (Fed. Cir. 2015)).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for determining obviousness under 35 U.S.C. 103 are summarized as follows:
(1)	Determining the scope and contents of the prior art.
(2)	Ascertaining the differences between the prior art and the claims at issue.
(3)	Resolving the level of ordinary skill in the pertinent art.
(4)	Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 9, 12, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nowak et al., U.S. Patent App. No. 2019/0114404 (“Nowak”) in view of Zovi et al., U.S. Patent 
For claim 1, Nowak teaches:
A computer-implemented method for authorizing a transaction, comprising (¶ 13: example authentication method): . . . 
receiving, with the at least one processor, . . . a policy message, the policy message comprising a policy ruleset for determining whether a transaction is authorized and a machine learning model for authenticating an identity of the user involved in the transaction (¶ 13: user and FI preferences and rules; ¶ 15: neural network; ¶ 36: rules system can be a model); 
receiving, with the at least one processor, biometric measurement data associated with a biometric measurement of the user . . . (¶ 25: example biometrics data); 
executing, with at the least one processor, . . . the machine learning model to calculate an authentication score based on the biometric measurement data, wherein the authentication score comprises an indication of whether an identity of the user is authenticated based on the biometric measurement data (¶ 37: scores for facial samples through model); 
determining, with the at least one processor, . . . based on the authentication score, whether the transaction satisfies the policy ruleset for determining authorization of the transaction (¶ 39: comparison to required score); 
in response to determining that the transaction satisfies the policy ruleset for determining authorization of the transaction, transmitting, with the at (¶ 40: match indication transmitted). 
Nowak does not teach: receiving, with at least one processor, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device, an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure; in response to receiving the attestation request message, transmitting, with the at least one processor, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user, wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure; from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; in the trusted execution environment; in the trusted execution environment; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Zovi, however, teaches:
receiving, with at least one processor, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device (¶ 62, 90: entity in platform, such as payment terminal or payment object requests attestation ticket), an attestation request message associated with (¶ 18–19: attestation to determine platform trustworthy and secure; ¶ 20: request for integrity through attestation ticket);
in response to receiving the attestation request message, transmitting, with the at least one processor, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user (¶ 143, 134–135: responses may be generated for local testing at the payment object), wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure (¶ 64: attestation ticket sent to payment terminal or reader validating secure session or indicating error code);
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure); and
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak by adding the attestation from Zovi.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of increasing security of payment transactions—a benefit explicitly (¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).
The combination of Nowak and Zovi does not teach: from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Shinn, however, teaches:
receiving, . . . from the smartcard (¶ 57: receive information from smart card), via the POS device (¶ 21: smart card operates on reader device associated with terminal);
taken by a biometric sensor of one of the POS device and the user device (¶ 21: biometric sample provided to reader device associated with terminal).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak and the attestation in Zovi by adding the smart card from Shinn.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of improving accuracy of authentications—a benefit explicitly disclosed by Shinn (¶ 6: issues of false rejections; ¶ 8–9: invention adjusts authentication based on programming of smart card).  Nowak, Zovi, and Shinn are all related 
The combination of Nowak, Zovi, and Shinn does not teach: transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Choi, however, teaches:
transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message (¶ 39–42: matching information sent to smart card); and
receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing (¶ 43: authorization completion message from smart card; ¶ 63: payment completed).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak, the attestation in Zovi, and the smart card in Shinn by adding the smart card communications from Choi.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of improving user authentication for electronic money—a benefit explicitly disclosed by Choi (¶ 2: need for user authentication with electronic money; ¶ 3: invention solves problem through smart card and communication terminal with user authorization).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these methods together.
For claim 4, Nowak, Zovi, Shinn, and Choi teach all the limitations of claim 1 above, and Zovi further teaches:
The computer-implemented method of claim 1, further comprising: receiving, with the at least one processor, a trusted execution environment certificate from the user device associated with the user involved in the transaction (¶ 143, 134–135: responses may be generated for local testing at the payment object; ¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information); and
generating, with at least one processor, a transaction authorization message based on receiving the trusted execution environment certificate from the user device associated with the user, the transaction authorization message comprising data associated with the trusted execution environment certificate and a plurality of transaction parameters associated with the transaction (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information) and wherein the attestation request message comprises the plurality of transaction parameters associated with the transaction (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak, the smart card in (¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these methods together.
For claim 9, Nowak teaches:
A system for authorizing a transaction, comprising (¶ 13: example authentication system):
at least one processor programmed or configured to (¶ 15: processors): . . . 
receive, . . . a policy message, the policy message comprising a policy ruleset for determining whether a transaction is authorized and a machine learning model for authenticating an identity of the user involved in the transaction (¶ 13: user and FI preferences and rules; ¶ 15: neural network; ¶ 36: rules system can be a model); 
receive biometric measurement data associated with a biometric measurement of the user . . . (¶ 25: example biometrics data); 
execute, . . . the machine learning model to calculate an authentication score based on the biometric measurement data, wherein the authentication score comprises an indication of whether an identity of the user is authenticated based on the biometric measurement data (¶ 37: scores for facial samples through model)
determine, . . . based on the authentication score, whether the transaction satisfies the policy ruleset for determining authorization of the transaction (¶ 39: comparison to required score); 
in response to determining that the transaction satisfies the policy ruleset for determining authorization of the transaction, transmit, . . . a transaction authorization status message (¶ 40: match indication transmitted). 
Nowak does not teach: receiving, with at least one processor, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device, an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure; in response to receiving the attestation request message, transmitting, with the at least one processor, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user, wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure; from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; in the trusted execution environment; in the trusted execution environment; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.


receive, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device (¶ 62, 90: entity in platform, such as payment terminal or payment object requests attestation ticket), an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure (¶ 18–19: attestation to determine platform trustworthy and secure; ¶ 20: request for integrity through attestation ticket);
in response to receiving the attestation request message, transmit, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user (¶ 143, 134–135: responses may be generated for local testing at the payment object), wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure (¶ 64: attestation ticket sent to payment terminal or reader validating secure session or indicating error code);
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure); and
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure).
(¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).
The combination of Nowak and Zovi does not teach: from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Shinn, however, teaches:
receive, from the smartcard (¶ 57: receive information from smart card), via the POS device (¶ 21: smart card operates on reader device associated with terminal);
taken by a biometric sensor of one of the POS device and the user device (¶ 21: biometric sample provided to reader device associated with terminal).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak and the attestation in Zovi by adding the smart card from Shinn.  One of ordinary skill in the art would have been (¶ 6: issues of false rejections; ¶ 8–9: invention adjusts authentication based on programming of smart card).  Nowak, Zovi, and Shinn are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
The combination of Nowak, Zovi, and Shinn does not teach: transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Choi, however, teaches:
transmit, to the smartcard, via the POS device, a transaction authorization status message (¶ 39–42: matching information sent to smart card); and
receive, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing (¶ 43: authorization completion message from smart card; ¶ 63: payment completed).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak, the attestation in Zovi, and the smart card in Shinn by adding the smart card communications from Choi.  One of (¶ 2: need for user authentication with electronic money; ¶ 3: invention solves problem through smart card and communication terminal with user authorization).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
For claim 12, Nowak, Zovi, Shinn, and Choi teach all the limitations of claim 9 above, and Zovi further teaches:
The system of claim 9, wherein the at least one processor is programmed or configured to: receive a trusted execution environment certificate from the user device associated with the user involved in the transaction (¶ 143, 134–135: responses may be generated for local testing at the payment object; ¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information); and
generate a transaction authorization message based on receiving the trusted execution environment certificate from the user device associated with the user, the transaction authorization message comprising data associated with the trusted execution environment certificate and a plurality of transaction parameters associated with the transaction (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information) and wherein the attestation request message comprises the plurality of transaction parameters associated with the transaction (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information).
(¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
For claim 17, Nowak teaches:
A computer program product for authorizing a transaction, the computer program product comprising at least one non-transitory computer-readable medium including one or more program instructions that, when executed by at least one processor, cause the at least one processor to (¶ 35: software instructions stored on storage media): . . . 
receive, . . . a policy message, the policy message comprising a policy ruleset for determining whether a transaction is authorized and a machine learning model for authenticating an identity of the user involved in the transaction (¶ 13: user and FI preferences and rules; ¶ 15: neural network; ¶ 36: rules system can be a model); 
receive biometric measurement data associated with a biometric measurement of the user . . . (¶ 25: example biometrics data)
execute, . . . the machine learning model to calculate an authentication score based on the biometric measurement data, wherein the authentication score comprises an indication of whether an identity of the user is authenticated based on the biometric measurement data (¶ 37: scores for facial samples through model); 
determine, . . . based on the authentication score, whether the transaction satisfies the policy ruleset for determining authorization of the transaction (¶ 39: comparison to required score); 
in response to determining that the transaction satisfies the policy ruleset for determining authorization of the transaction, transmit, . . . a transaction authorization status message (¶ 40: match indication transmitted). 
Nowak does not teach: receiving, with at least one processor, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device, an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure; in response to receiving the attestation request message, transmitting, with the at least one processor, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user, wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure; from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; in the trusted execution environment; in the trusted execution environment; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; 
	Zovi, however, teaches:
receive, from a smartcard associated with a user involved in a transaction, via a point-of-sale (POS) device (¶ 62, 90: entity in platform, such as payment terminal or payment object requests attestation ticket), an attestation request message associated with the transaction, wherein the attestation request message comprises a request for determining whether a trusted execution environment that is used for determining whether the transaction satisfies a policy ruleset is secure (¶ 18–19: attestation to determine platform trustworthy and secure; ¶ 20: request for integrity through attestation ticket);
in response to receiving the attestation request message, transmit, to the smartcard, via the POS device, an attestation response message generated by a user device associated with the user (¶ 143, 134–135: responses may be generated for local testing at the payment object), wherein the attestation response message comprises an indication of whether the trusted execution environment that is used for determining whether the transaction satisfies the policy ruleset is secure (¶ 64: attestation ticket sent to payment terminal or reader validating secure session or indicating error code)
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure); and
in the trusted execution environment (¶ 28: attestation ticket attests environment is secure).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak by adding the attestation from Zovi.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of increasing security of payment transactions—a benefit explicitly disclosed by Zovi (¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).
The combination of Nowak and Zovi does not teach: from the smartcard, via the POS device; taken by a biometric sensor of one of the POS device and the user device; transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Shinn, however, teaches:
receive, from the smartcard (¶ 57: receive information from smart card), via the POS device (¶ 21: smart card operates on reader device associated with terminal)
taken by a biometric sensor of one of the POS device and the user device (¶ 21: biometric sample provided to reader device associated with terminal).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak and the attestation in Zovi by adding the smart card from Shinn.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of improving accuracy of authentications—a benefit explicitly disclosed by Shinn (¶ 6: issues of false rejections; ¶ 8–9: invention adjusts authentication based on programming of smart card).  Nowak, Zovi, and Shinn are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
The combination of Nowak, Zovi, and Shinn does not teach: transmitting . . ., to the smartcard, via the POS device, a transaction authorization status message; and receiving, with the at least one processor, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision message includes an indication of whether the transaction is authorized for processing.
	Choi, however, teaches:
transmit, to the smartcard, via the POS device, a transaction authorization status message (¶ 39–42: matching information sent to smart card); and
receive, from the smartcard, via the POS device, a transaction authorization decision message generated by the smartcard based on the transaction authorization status message, wherein the transaction authorization decision (¶ 43: authorization completion message from smart card; ¶ 63: payment completed).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak, the attestation in Zovi, and the smart card in Shinn by adding the smart card communications from Choi.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of improving user authentication for electronic money—a benefit explicitly disclosed by Choi (¶ 2: need for user authentication with electronic money; ¶ 3: invention solves problem through smart card and communication terminal with user authorization).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
For claim 20, Nowak, Zovi, Shinn, and Choi teach all the limitations of claim 17 above, and Zovi further teaches:
The computer program product of claim 17, wherein the one or more program instructions, when executed by the at least one processor, further cause the at least one processor to: receive a trusted execution environment certificate from associated with the user involved in the transaction (¶ 143, 134–135: responses may be generated for local testing at the payment object; ¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information); and
generate a transaction authorization message based on receiving the trusted execution environment certificate from the user device associated with the (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information) and wherein the attestation request message comprises the plurality of transaction parameters associated with the transaction (¶ 233: attestation ticket sent; ¶ 235: ticket sent with various information).
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the authentication in Nowak, the smart card in Shinn, and the smart card communications in Choi by adding the attestation from Zovi.  One of ordinary skill in the art would have been motivated to make this modification for the purpose of increasing security of payment transactions—a benefit explicitly disclosed by Zovi (¶ 2–3: vulnerabilities in current methods; ¶ 18: invention addresses in part through attestation).  Nowak, Zovi, Shinn, and Choi are all related to payment authentication, so one of ordinary skill in the art would have been motivated to make this authentication even more secure by combining these systems together.
Response to Arguments
Claim Rejections Under 35 U.S.C. § 101
Applicant’s arguments (Remarks, page 9, ¶ 3–4) filed October 12, 2021, with respect to the rejections of claims 17 and 20 as reciting non-statutory subject matter have been fully considered and are persuasive.
In light of Applicant’s amendments and arguments, the rejection of claims 17 and 20 as reciting non-statutory subject matter under 35 U.S.C. 101 has been withdrawn.  Applicant, 
at least one non-transitory computer-readable medium including one or more program instructions that, when executed by at least one processor, cause the at least one processor to:”.

Applicant’s additional arguments filed on October 12, 2021 with respect to the rejections of claims 1, 4, 9, 12, 17, and 20 have been fully considered but they are not persuasive.
Applicant argues that the claims recite a practical application because they are directed to biometric authentication in a trusted execution environment to authenticate a transaction involving a smartcard without biometric capabilities.  Applicant further cites limitations of claim 1, and argues that the specific arrangement of smartcard, POS device, and user device is a particular machine integral to the claims.  The cited limitations, however, merely involve using the smartcard, POS device, and user device to implement the abstract idea of authenticating the transaction.  None of these devices are integral to the functioning of the authentication process.  Rather, the authentication process happens to be implemented through these various devices.  The claims therefore are only using the technology to merely implement the commercial interaction, rather than improving the technology itself in any way.  Thus, claims 1, 4, 9, 12, 17, and 20 do not include additional elements sufficient to integrate the claims into a practical application.  
	Claim Rejections Under 35 U.S.C. § 102(a)(2) and 35 U.S.C. § 103
Applicant’s arguments with respect to claims 1, 4, 9, 12, 17, and 20 have been considered but are moot because the arguments do not apply to the references being used in the current rejection under 35 U.S.C. 103.
Applicant has amended claims 1, 9, and 17 and argues that Nowak (U.S. Patent App. No. 2019/0114404) does not disclose these additional limitations.  Claims 1, 9, and 17, however, are currently rejected under 35 U.S.C. 103 over Nowak in view of Zovi (U.S. Patent App. No. 2018/0005230), Shinn (U.S. Patent App. No. 2001/0048025), and Choi (U.S. Patent App. No. 2012/0239567).  Thus, Applicant’s arguments with respect to claims 1, 9, and 17 are moot.
Applicant argues that the dependent claims are allowable by virtue of their dependence on claims 1, 9, and 17, which were amended to overcome the rejections under 35 U.S.C. 102(a)(2).  As discussed above, however, claims 1, 9, and 17 are currently rejected under 35 U.S.C. 103 over Nowak in view of Zovi, Shinn, and Choi.  Thus, Applicant’s arguments with respect to claims 4, 12, and 20 are moot.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Those prior art references are as follows:
Griggs et al., U.S. Patent App. No. 2014/0114857, discloses conducting a transaction based on transaction initiation rules.  

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIVESH PATEL whose telephone number is (571) 272–3430.  The examiner can normally be reached on Monday–Friday 12:00 PM–8:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Namrata Boveja can be reached on (571) 272–8105.  The fax phone number for the organization where this application or proceeding is assigned is 571–273–8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866–217–9197 (toll-free). If you 



/DIVESH PATEL/Examiner, Art Unit 3696                                                                                                                                                                                                        
/SCOTT S TROTTER/Primary Examiner, Art Unit 3696