DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Amendment
The following detailed action acknowledges the amendments of the response filed on 31 January 2022. The amendments in the filed response have been entered. 
Claims 113, 115-116, 119, 123, 125-126 and 128-129 have been amended. 
Claims 1-112, 120 and 130 are confirmed to have been cancelled. 
Claims 113-119, 121-129 and 131-132 are pending in the application and the status of the application is currently pending. 

Claim Objections
Claims 113 and 123 are objected to because of the following informalities:  
In the first transmitting line, the claims recite the amended limitation wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service, where the emphasized limitation suggests a missing limitation. Suggest amendment wherein the access control server verifies  the account number.  Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
Determining the scope and contents of the prior art.
Ascertaining the differences between the prior art and the claims at issue.
Resolving the level of ordinary skill in the pertinent art.
Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims under pre-AIA  35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA  35 U.S.C. 103(c) and potential pre-AIA  35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA  35 U.S.C. 103(a).
Claims 113, 114, 117, 118, 121, 123, 124, 127, 128, and 131 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Stemer (CA 2,604,348, hereinafter “Stemer”), in view of Vysogorets (US 2010/0199089, hereinafter “Vysogorets”), in view of Weller (US 2002/0111919, hereinafter “Weller”), in view of Nyberg (CA 2,449,748, hereinafter “Nyberg”).
Regarding Claims 113 and 123, Stemer teaches 
receiving, by a merchant server, payment information comprising an account number from […] a user computer; (“Referring now briefly to Fig. 2, after the required information has been gathered at the merchant's (POS, ATM, online, telephone, etc.), an authorization request or charge request 10 is sent to the financial processing facility 6. There, the request is processed in a conventional manner as indicated by the boxes 11 and 12. At the same time, the customer profile 25 associated with the account number is checked at 13.” See Stemer in pagemark 7, lines 20-25)
transmitting, by the merchant server, a verification request comprising the account number to a gateway computer, (“…an authorization request or charge request 10 is sent to the financial processing facility 6. … At the same time, the customer profile 25 associated with the account number is checked at 13.” See Stemer in pagemark 7, lines 21-25)
receiving, by the merchant server, from the access control server via the gateway computer, a verification response; (“If the profile is set to Notify Only, the query 14 returns a corresponding response and the customer's wireless device (e.g., cell phone or beeper) is notified at 15. The message may be an SMS message or it may be a voice announcement, depending on the customer profile. Once the 
opening, by the merchant server, a communication frame on the user computer (interpreting the merchant server is capable of opening a communication frame if it is capable of transmitting the request: “processing the transaction request with the merchant terminal, including a transmission of a first authorization request and receipt of a notification that authorization has been accepted or declined; transmitting a second authorization request to a mobile communications device of a customer associated with the requested transaction via a wireless link.” See Stemer in pagemark, 12 Claim 8);
transmitting, by the merchant server, an authentication request to the gateway, (same process for the verification, See Stemer in pagemark 7, lines 21-25; the second authorization sent through secondary communication link, See pagemark 12, Claim 8)
receiving, by the merchant server, an authentication response in response to the authentication request; (“The confirmation may be a simple reply to an SMS message, it may consist of any key depressed (during a live call), or it may be a full-fledged PIN or password. In a further modification, which adds yet another level of security, the customer may be prompted for a voice reply and the reply may then be subjected to "voice recognition" by comparing a frequency hysteresis chart associated with the customer to the voice reply. If the customer (or the person in the possession of the wireless device) returns the proper response, the query 18 directs and
initiating by the merchant server, an authorization process after receiving the authentication response (Stemer provides the process of authentication and of authorization of payment, based on the customer profile: “It will be understood that the foregoing scenario is merely exemplary and is in no way limiting with regard to the application of the instant invention (nor is it intended to be disparaging to the restaurant industry). Indeed, there exist numerous situations where proper customer notification and customer authorization may prevent fraudulent transactions and even wrongful transactions that are based on honest mistakes.” See Stemer in pagemark 6, lines 23-28; “Referring now briefly to Fig. 2, after the required information has been gathered at the merchant's (POS, ATM, online, telephone, etc.), an authorization request or charge request 10 is sent to the financial processing facility 6. There, the request is processed in a conventional manner as indicated by the boxes 11 and 12.” See Stemer in pagemark 7, lines 21-25).
The limitations describing the functions between the gateway and the access control server are not directly tied to the functions of the merchant server, and they are not recited as receiving instructions from the merchant server. These limitations are interpreted as the intended use of the claimed invention. 
Stemer does not explicitly teach a verification token component coupled to a user computer
However, Vysogorets does teach identification tokens coupled to a user terminal (“As one means to authenticate a particular user, the system makes use of portable devices such as hardware identification tokens (ID Tokens 224), which hold the aforementioned User ID and one or more User Data Encryption keys. In exemplary embodiments, any cryptographic calculations are performed and protocols reside in the ID Token 224 itself, rather than in the User Terminal 222. The Terminal 222 only helps to pass messages to/from the ID Token 224 and other components in the system.” See Vysogorets in [0042]). 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer “identification token”, as taught by Vysogorets, because it would further protect the customer’s identification information from theft.
Stemer, in view of Vysogorets, does not expressly teach wherein the gateway computer forwards the verification request to an access control server, wherein the gateway computer forwards the verification request to an access control server, wherein the access control server verifies that the account number and determines that the account number is enrolled in an authentication service. The limitations are not reciting instructions from the merchant server or a connection to the merchant server, and the functions recited are interpreted to define the access control server.
However, Weller does teach verification of the account number and determine the account number is enrolled in an authentication service (“After the merchant plug-in software 114 conducts the search, the VerifyEnrollmentReq message is transmitted to the access control server 114 either directly, as shown by line 1b, or after first passing through the directory server 128, as shown by line 1a. When the VerifyEnrollmentReq message is 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer a “verification service”, as taught by Weller, because it would be a service to protect the customer’s payment information to determine the customer is registered.
Stemer, in view of Vysogorets, does not expressly teach wherein the gateway computer sends the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives a second secure datum from the validation entity, and determines if the first secure datum matches the second secure datum. 
However, Weller does teach determining the match of a received secure datum against stored secure datum (interpreting the first secure datum is created at user registration, and the second secure datum is provided for authentication: “The cardholder client device software returns secret #2, the cryptogram, and the supporting data to the ACS for the ACS to validate the cryptogram. The ACS accepts the cardholder client device software's input and validates it against the Account Holder Database. If there is more than 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer an “authorization service”, as taught by Weller, because it would be a service to protect the customer’s payment information to determine the customer is approved for payment.
Stemer, in view of Vysogorets, in view of Weller, does not explicitly teach the gateway computer is configured to send the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer, receives the authentication page filled in.
However, Nyberg does teach 
the gateway computer is configured to send the authentication request to the access control server, receives an authentication page, forwards the authentication page to the user computer
receive the authentication page filled in […] associated with the user computer from a validation entity, (“In this preferred embodiment of the invention the first communication device 2 selects a unique random string P (block 103 in Fig. 1), which is relatively short, for example 6 characters long. This selection can be conducted in a manner known as such, for example by generating it using a random string generator provided in the application software of the control block. Besides selecting a random string P, the first communication device 2 calculates a first check string c1 (block 104) on the basis of the random string P it has generated and the shared encryption key K. The length of this check string is preferably the same as the length of the random string, i.e. in this example situation 6 characters. The first communication device 2 displays the random string P it has selected and the first check string c1 it has calculated on the display 7a (block 105) and the random string P and the check string c1 are reported to the user of the second communication device 3 (arrow 106).” See Nyberg in pagemark 10 lines 10-25).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “system of communication devices”, as taught by Nyberg, because the specific devices with the specific functions improve on securing the information in order to perform the authentication service.  
Regarding Claims 114 and 124,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, further teaches the first secure datum is generated based on an identity of a merchant with which a user conducts a transaction, and a date or time of the transaction (interpreting the 
Regarding Claims 117 and 127,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer, in view of Nyberg, further teaches wherein the access control server is configured to receive the authentication page filled in with the first secure datum, (See Nyberg in pagemark 10 lines 10-25) the authentication page having a user response disposed in a user response posting field, compare at least a portion of the user response to a stored user response to make a first determination of whether a match exists, compare the first secure datum to a stored secure datum to make a second determination of whether a match exists, and generate the authentication response based on at least the first and second determinations (See Nyberg in pagemark 10 lines 28-37).
Regarding Claims 118 and 128,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 117 and 127. Stemer further teaches wherein the access control server is configured to transmit the authentication response to the gateway, wherein the gateway forwards the authentication response to the merchant server (See Stemer in pagemark 7, lines 27 – pagemark 8, Line 3).
Regarding Claims 121 and 131,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer further teaches wherein the authorization process is initiated with an acquirer for a transaction based at least in part on the authentication response (“Immediately upon receiving the authorization request, the credit card authorization system (e.g., the acquirer 6) sends an SMS message to the customer's cell phone. The customer receives the message telling him that the restaurant has requested authorization for a charge of $40.00. This happens well before the server returns with the transaction slip requesting the customer's signature.” See Stemmer in pagemark 6, lines 1-6).

Claims 115-116, 122, 125-126 and 132 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, and further in view of Mennes (US 2009/0235339, hereinafter “Mennes”).
Regarding Claims 115 and 125,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123.  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, does not expressly teach wherein the first secure datum was received by the verification token from a validation entity after the validation entity validates information received form the verification token. 
However, Mennes does teach 
   a first secure datum (One Time Password, ‘OTP’) is received by the verification token from a validation entity (Authentication Server): (“First, the Authentication Server generates the Master Server OTP (713). The Master Server OTP (713) is a time and challenge-based one-time password… Subsequently, the 8-digit Server OTP (718) is sent to the token (100).” See Mennes within [0136]-[0147], in reference to Figure 7); 
after the validation entity validates information received from the verification token (“ A Server OTP (718) is correct if: [0156] It was generated with the same SAK (716) as the SAK (722) that is stored in the token (100), and [0157] it was generated using a Business Unit Index (BUI) (715) that is known to token (100), and [0158] it was generated inside the time acceptance window that is used by token (100), and [0159] it is not older than the last received correct Server OTP.” See Mennes in [0155]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “process to verify and generate the secure datum”, as taught by Mennes, to improve the authentication process by securing the comparison of data.  
Regarding Claims 116 and 126,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123.  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, does not expressly teach wherein the verification token comprises a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer. 
However, Mennes does teach a verification token comprising a data processor and a computer readable medium comprising code, executable by the data processor, for causing the verification token to read portable consumer device identification information from a portable consumer device, the portable consumer device being used by a user of the user computer (interpreting the portable consumer device has the means to connect with the verification token: “This application discloses a low-cost strong authentication token for creating one-time passwords and/or transaction signatures, hereafter collectively referred to as security values, for use in client-server transactions, comprising trustworthy output means to present information to the user, and data input means capable of receiving input data, whereby the input data is efficiently encoded so as to allow transfer of the input data into the token in a reasonable time frame and requiring only low-cost hardware, and whereby said token generates a security value upon verification of a server credential. Said security value is generated using a secret shared between token and server, and said server credential is generated and verified using another (optionally, the same) secret shared between token and server. … In a preferred embodiment of the invention the token includes means such as a microprocessor to perform cryptographic operations as RAM, ROM or EEPROM memory to store one or more secret values such as one or more PIN values or cryptographic secret keys.” See Mennes in [0022] and [0026]).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a 
Regarding Claims 122 and 132,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123.  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, does not explicitly teach wherein the account number includes a PAN and wherein the verification request includes the PAN.
However, Menned further teaches wherein payment information includes a PAN and verification request includes the PAN (“Instead of containing only literal texts or values, the message can also contain references to texts or values known to or stored in the token. For example, the message can contain a tag value that refers to the text "Amount=", rather than containing the full literal "Amount=" text itself. The message can also contain a reference to a stored value of the user's default account number, rather than containing the literal user's account number itself. Formatted numerical data such as money amounts or account numbers are represented as raw non-formatted numerical data whereby the formatting is added during the expansion based on explicit formatting indicators or implicit context information that implies a certain format.” See Mennes in [0034]-[0035]). 
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “default account value”, as taught by Mennes, because the device will secure the datum prior to use for authentication.


Claims 119-120 and 129-130 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, and further in view of Wankmueller (US 2005/0289052, hereinafter “Wankmueller”).
Regarding Claims 119 and 129,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, teaches the limitations of claims 113 and 123. Stemer further teaches wherein the authentication response is transmitted by the gateway to the merchant server via the communication frame, the authentication response including a URL of the gateway received in the verification response (See Stemer in pagemark 7, lines 21-25).  
 Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, does not expressly teach wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response. 
However, Wankmueller teaches the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response (“either: A) charges the financial instrument in the amount received, using account information stored in account database 248 corresponding to the merchant identifier and generates or receives an authorization identifier indicating the transaction was authorized, and provides a redirect command to browser 264 that will cause browser 264 to transmit a request to merchant web application 274, or B) requests authorization to charge that amount and issues or receives the authorization identifier and optionally stores the transaction amount, the authorization number and the merchant identifier in account rd paragraph).
It would have been obvious to a person having ordinary skill in the art, at the date the claimed invention was made, to include in the teachings of Stemer, in view of Weller, a “merchant plug-in”, as taught by Wankmueller, because the plug-in would facilitate the communication of the secure data and reduce the attempts of theft.
Regarding Claims 120 and 130,  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, in view of Wankmueller, teaches the limitations of claims 119 and 129.  Stemer, in view of Vysogorets, in view of Weller, in view of Nyberg, in view of Wankmueller, further teaches wherein the communication frame is used to present the authentication page to a user of the user computer (“Figures 3D and 3E are a flowchart illustrating a method of allowing a user to optionally authenticate one or more communications from a computer system and a computer system to optionally authenticate a user and displaying information according to one embodiment of the present invention.” See Wankmueller in pagemark 5, lines 16-19).

Response to Arguments
Applicant’s arguments, filed 31 January 2022, with respect to the rejections under 35 USC 101, 35 USC 112 and 35 USC 103 have been fully considered.  
Regarding the rejection under 35 USC 101, the Applicant argues: Claims 113-132 are rejected under 35 U.S.C. § 101 for allegedly being directed to non-statutory subject matter.
Claims 120 and 130 are canceled herein. The rejection of these claims is now moot.
With respect to the remaining claims, Applicant submits that independent claim 113 can be a representative claim for discussing the rejection of the remaining claims.
In response: The most recent amendments in combination with the additional claim elements support the practical application of an abstract idea. Thus the current claims are patent eligible, and the rejection has been withdrawn. 
The other arguments will not be further considered as the rejection has been withdrawn based on the amendments. 

Regarding the rejection under 35 USC 103, the Applicant argues: Claims 113-114, 117-118, 121, 123-124, 127-128, and 131 are rejected under 35 U.S.C. § 103(a) as being unpatentable over CA Publication No. 2,604,348 of Sterner et al. ("Sterner") in view of U.S. Publication No. 2010/0332393 of Weller et al. ("Weller"), and further in view of CA Publication No. 2,449,748 of Nyberg et al. ("Nyberg").
Claims 115-116, 122, 125-126, and 132 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Sterner in view of Weller, in view of Nyberg, and further in view of U.S. Publication No. 2009/0235339 of Mennes et al. ("Mennes").
Claims 119-120 and 129-130 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Sterner in view of Weller, in view of Nyberg, and further in view of U.S. Publication No. 2005/0289052 of Wankmueller ("Wankmueller").
Applicant notes that Weller does not qualify as prior art as it was published after the effective filing date of the present application, and it is assigned to the same entity.
Weller and the present invention are both assigned to Visa International Service Association. Weller was published on December 30, 2010. The present application has a 
In response: In view of the priority dates, the Weller prior art is a continuation of a Parent application. The parent application has replaced the prior art and the rejection is maintained. 
The art of Powell is not used at all in the rejection, thus it is not clear how the argument is constructive. 
The Applicant further argues: However, Weller is a continuation application which claims priority to US Patent 7,827,115 which qualifies as prior art under 102(a)(l). Accordingly, Applicant addresses Weller (based on its priority document) with the following arguments.
First, claim 113 is amended to clarify that the "verification token" is a hardware component. Amended claim 113 recite receiving, by a merchant server, payment information comprising an account number from a verification token component coupled to a user computer. Support for the amendment may be found at least at [0050] of the present application.
Second, claim 113 is further amended to clarify that the merchant server opens a communication frame on the user computer, which is then used by the merchant computer to transmit the authentication request to the gateway computer, as well as by the access 
In response: The recitation of “opening a communication frame with the user computer” is merely reciting a secondary communication link access, where if the claimed invention is able to transmit information to the receiving device then it is interpreted it opened a communication link. The art of Stemer does teach the possibility to transmit information through a second communication link, representative of the limitation. 
In response to the argument regarding the verification token, the token is used to acquire the user verification information. The new prior art of Vysogorets describes a hardware token that is connected to the user terminal that secures and provides the User ID and User keys. In combination with the art of Stemer it teaches the recited limitation. 
The Applicant further argues: In the Office Action, the Examiner acknowledges that Weller fails to teach or suggest a communication frame. Sterner, in view of Weller, in view of Nyberg, does not expressly teach wherein the merchant server includes a merchant plug-in, wherein the merchant plug-in opens a communication frame on the user computer, and wherein the merchant plug-in validates a signature included in the authentication response. See Office Action, pages 21-22. The Examiner asserts that Sterner and Wankmueller teach or suggest some of these features. However, not only these references fail to teach or suggest the proposed amendments, it also appears that the sections of these references identified in the Office Action do not correspond to the actual content of these references.
While Wankmueller discusses a merchant plug-in (see [0037]-[0038]), Wankmueller fails to cure the shortcomings of Sterner, Weller, and Nyberg with respect to 
As amended, Applicant's claim 113 clarifies that the merchant server opens and supports a communication frame on the user computer that allows for secure communication among not only the merchant server and the user, but also the gateway computer and the validation entity. Specifically, the communication frame allows for (1) the merchant to transmit the authentication request to the gateway computer, (2) the gateway computer to display the authentication page to the user computer, (3) the validation entity to provide first secure datum, (4) the gateway computer to receive the first secure datum, and (5) the merchant server to receive an authentication response. Wankmueller, taken either alone or in any reasonable combination with remaining cited references, fail to teach or suggest the foregoing features of Applicant's claim 113.
In response: The recitation of “opening a communication frame with the user computer” is merely reciting a secondary communication link access, where if the claimed invention is able to transmit information to the receiving device then it is interpreted it opened a communication link. The art of Stemer does teach the possibility to transmit information through a second communication link, representative of the limitation. 
The claims have been found obvious over the prior art of record. Therefore, the claims remain rejected under the prior art of record.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR R MARTINEZ-HERNANDEZ whose telephone number is (571)270-0658. The examiner can normally be reached M-F from 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOHN W. HAYES can be reached on (571) 272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 


/ERM/Examiner, Art Unit 3685

/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685