DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 01/04/2022.

Response to Amendment
Applicant’s arguments with respect to claim(s) are rejected under 35 USC 103(a) ,filed on 01/04/2022, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.





Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, and 4-10 are rejected under 35 U.S.C. 103 as being unpatentable over Shastry et al US 2016/0036790 in view of Dunjic et al US 2020/0382486  in view of Blanco et al US 2014/0129441. 

 	As per claim 1, Shastry discloses a computer-implemented method for authenticating a transaction over a secure network, the method comprising: 
  	receiving, by a first authentication server ( fig.1B, 106 the OS CLOUD storage system server 106 ),a sensitive data payload and a cryptogram, wherein the first authentication server is configured to either receive or generate a token associated with the sensitive data payload (fig.1B and 0043  the payment network cloud service system 104 may send a first payment token and a first cryptographic key to the trusted mobile application 108 (step S154 in FIG. 1B) to the OS CLOUD storage system server 106);
 	transmitting , by the first authentication server ( par 0043 the OS CLOUD storage system server 106), an authentication request to a directory server ( par 0043  the trusted mobile application 108), the authentication request including the token and the cryptogram( par 0043 send a first payment token and a first cryptographic key to the trusted mobile application 108 (step S154 in FIG. 1B) to the trusted mobile application 108);
  	 
210). Upon verification, the payment network cloud service system may send a second payment token and a second cryptographic key to the untrusted mobile application (step 212). The untrusted mobile application may generate a payment cryptogram using the second cryptographic key, and use the second payment token and the payment cryptogram to conduct a transaction with a merchant. ); 
 	generating, by the second authentication server, a first message including a validation result (par 0068 the payment network cloud service system may receive user data along with the identity verification cryptogram from a second mobile application, i.e. a untrusted mobile application (step 208). The untrusted mobile application may be stored on the same user device. The received user data may include one or more of the PAN, the expiration date, the name on the account, the billing address, the device identifier and the like  ); 
 	transmitting, by the second authentication server, the first message to an issuer server to authenticate the transaction( par 0050   The merchant computer 116 may process the payment transaction using the second payment token and the payment cryptogram (step S174 in FIG. 1B).); and
 	 reviewing, by an issuer server, the validation result and generating an authentication value including a validation indication based on the review of the validation result (par 0027 A cryptogram can be used by a recipient to determine if the generator of the cryptogram is in possession of a proper key, for example, by encrypting the underlying information with a valid key, and comparing the result to the received cryptogram. And 0070 The payment network cloud service system may send confirmation results to the second mobile application. The second mobile application may receive a second payment token and a second cryptographic key from the payment network cloud service system (step 314). The second mobile application may generate a payment cryptogram using the second cryptographic key. Using the second payment token and the payment cryptogram, the second mobile application may complete a payment transaction with a merchant (step 316). ).  
    	 Shastry does not explicitly disclose transmitting, by the directory server, the token and the cryptogram to a second authentication server;    reviewing by an issuer server the validation result of the sensitive data, generating an authentication value including a validation flag for the transaction data.
However, in analogous art, Blanco discloses reviewing by an issuer server the validation result of the sensitive data (0024 the issuer FI computer 106, i.e. an issuer server, of the anti-fraud system 108 is operable to analyze, i.e. reviewing, purchase transaction data, i.e. sensitive data), generating an authentication value including a validation flag for the transaction data. (0009, when an issuer financial institution 106 or other entity flags, i.e. authentication value, a potential fraudulent transaction data).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco, because doing so would prevent the fraudulent transaction(par 0009 ).
 	The combination fails to disclose transmitting, by the directory server, the token and the cryptogram to a second authentication server.
 	However, Dunjic discloses transmitting, by the directory server, the token and the cryptogram to a second authentication server(par 0032 sending, by the mobile computing device to the second remote server, the indication based on identifying information for the mobile computing device and on the session token as reconstructed by the mobile computing device may include: generating, by the mobile computing device, based on the session token as reconstructed by the mobile computing device and the identifying information for the mobile computing device, an authentication cryptogram;   and sending, by the mobile computing device, the authentication cryptogram to the second remote server ).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 
 	As per claim 4, Shastry in view of Blanco  in view of Dunjic discloses the computer-implemented method of claim 1  further comprising: Blanco discloses 
 	setting the validation flag to a first value if the cryptogram validation is successful  ( par 0036 the mobile device automatically powers up to display 406 the transaction alert information along with a secret mark , i.e.  setting flag, and  the transaction alert information displayed to the consumer and/or cardholder may include the name of a merchant, a monetary amount of a potentially fraudulent transaction, a currency type, and/or a location of the transaction, i.e. first value )or to a second value if the cryptogram validation is unsuccessful ( par 0044 The "Authorize Transaction" message may be transmitted and received in substantially real-time, i.e. second time, meaning immediately after the potentially fraudulent transaction has occurred or is occurring and The validation screen prompts the cardholder for entry of a secret mPIN. i.e. , a second value for validation ).  

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.



 	As per claim 5, Shastry in view of Blanco  in view of Dunjic discloses a the computer-implemented method of claim 4, However, Blanco discloses further comprising:  Blanco discloses transmitting, by the issuer server, an authentication request message to a customer in response to  the validation flag being  set to the second value (par 0036 the mobile device automatically powers up to display 406 the transaction alert information along with a secret mark , i.e.  setting flag to the second value, and  the transaction alert information displayed to the consumer and/or cardholder may include the name of a merchant, a monetary amount of a potentially fraudulent transaction, a currency type, and/or a location of the transaction, i.e. first value).  

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 	As per claim 6, Shastry in view of Blanco  in view of Dunjic discloses The computer-implemented method of claim 5, 
 	However,  Blanco discloses wherein the authentication request message comprises a time-restricted single use password ( par 0044, Authorize Transaction" message may be transmitted and received in substantially real-time  and The validation screen prompts the cardholder for entry of a secret mPIN, i.e. password, by utilizing the touch screen).  
 	
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 	As per claim 7, Shastry in view of Blanco  in view of Dunjic discloses the computer-implemented method of claim 2, However, Shastry discloses wherein the second message comprises a token expiry period (par 0057 the LUK may be used to encrypt data that is specific to the user, the payment token, and/or the device that is being used to conduct the payment transaction. Such data might include the payment token, an expiration date, a payment account number, a current time).  
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 	As per claim 8, Shastry in view of Blanco  in view of Dunjic discloses the computer-implemented method of claim 1 Shastry disclose  wherein the cryptogram is unique to the transaction( par 0058  [0058] The untrusted application 110 may send the transaction cryptogram to an access device of the merchant 116 to conduct the transaction).   
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco, based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 	As per claim 9, Shastry in view of Blanco  in view of Dunjic discloses the computer-implemented method of claim 1 Shatry discloses wherein the sensitive data payload comprises one or more of customer name, customer address, merchant name, and merchant address (par 0069 The user data may include one or more of the PAN, the expiration date, the name on the account, the billing address, the device identifier and the like. The payment network cloud service system may authenticate the user using the user data and send confirmation results to the first mobile application).  

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 	As per claim 10, Shastry discloses a system for authenticating a transaction on a secure network, the system comprising:
 a first authentication server computing device configured to ( fig.1B, 106 the OS CLOUD storage system server 106  ): 
 	receive a sensitive data payload  and a cryptogram ( par 0043 Upon verification, the payment network cloud service system 104 may send a first payment token and a first cryptographic key to the trusted mobile application 108 (step S154 in FIG. 1B );
 	either receive or generate a token associated with the sensitive data payload (par 0043 the first payment token may include a substitute account number used to identify the PAN without incorporating the actual PAN in the message. In some embodiments, the trusted mobile application 108 may conduct a payment transaction with the merchant computer 116 using the first token. ); and 
 	transmit the token and the cryptogram to a director server computing device (par  0044  Using the first cryptographic key, the trusted mobile application 108 may create an identity verification cryptogram (step S156 in FIG. 1B). That is, the trusted mobile application 108 may encrypt the user data (i.e. account credentials) using the first cryptographic key );
 	 a second authentication server computing device configured to (par 0062 the payment network cloud service system 104):
  receive the token and the cryptogram from the directory server computing device ([0050] The untrusted mobile application 110 may provide the retrieved identity verification cryptogram along with account credentials such as PAN, the expiration date, the name on the account, the billing address, the device identifier and the like to the payment network cloud service system 104 (step S166 in FIG. 1B). );
  validate the token and the cryptogram ( par 0050 the payment network cloud service system 104 may validate that the identity verification cryptogram is generated using the account credentials received from the untrusted mobile application 110.) and 
 	generate a first message including a validation result ( par 0050 the payment network cloud service system 104 may validate that the identity verification cryptogram is generated using the account credentials received from the untrusted mobile application 110. In some embodiments, the account credentials may be stored in a database 118. Upon receiving the identity verification cryptogram and the account credentials from the untrusted mobile application 110, the payment network cloud service system 104 may access the database 118 to retrieve the information stored in connection with the user device 102 and/or the user); and  
an issuer server computing device coupled in communication with the second authentication server computing device via a network (par 0068 The payment network cloud service system may validate that the identity verification cryptogram is generated with the user data provided by the untrusted mobile application (step 210). Upon verification, the payment network cloud service system may send a second payment token and a second cryptographic key to the untrusted mobile application (step 212). The untrusted mobile application may generate a payment cryptogram using the second cryptographic key, and use the second payment token and the payment cryptogram to conduct a transaction with a merchant ), the issuer server computing device configured  to review the validation result and generate an authentication value including a validation indication based on the review of the validation result (par 0070 generated identity verification cryptogram may be leveraged by the second mobile application for authentication. The second mobile application may retrieve the identity verification cryptogram from the mobile OS provider cloud storage system (step 310). The second mobile application may provide the identity verification cryptogram along with the user data to the payment network cloud service system (step 312). The user data may include one or more of the PAN, the expiration date, the name on the account, the billing address, the device identifier and the like. The payment network cloud service system may authenticate the user using the identity verification cryptogram and the user data. The payment network cloud service system may send confirmation results to the second mobile application. The second mobile application may receive a second payment token and a second cryptographic key from the payment network cloud service system (step 314). The second mobile application may generate a payment cryptogram using the second cryptographic key. Using the second payment token and the payment cryptogram, the second mobile application may complete a payment transaction with a merchant (step 316)).

 	Shastry does not explicitly disclose transmitting, by the directory server, the token and the cryptogram to a second authentication server;    reviewing by an issuer server the validation result of the sensitive data, generating an authentication value including a validation flag for the transaction data.
However, in analogous art, Blanco discloses reviewing by an issuer server the validation result of the sensitive data (0024 the issuer FI computer 106, i.e. an issuer server, of the anti-fraud system 108 is operable to analyze, i.e. reviewing, purchase transaction data, i.e. sensitive data), generating an authentication value including a validation flag for the transaction data. (0009, when an issuer financial institution 106 or other entity flags, i.e. authentication value, a potential fraudulent transaction data).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco, because doing so would prevent the fraudulent transaction(par 0009 ).
 	The combination fails to disclose transmitting, by the directory server, the token and the cryptogram to a second authentication server.
 	However, Dunjic discloses transmitting, by the directory server, the token and the cryptogram to a second authentication server(par 0032 sending, by the mobile computing device to the second remote server, the indication based on identifying information for the mobile computing device and on the session token as reconstructed by the mobile computing device may include: generating, by the mobile computing device, based on the session token as reconstructed by the mobile computing device and the identifying information for the mobile computing device, an authentication cryptogram;   and sending, by the mobile computing device, the authentication cryptogram to the second remote server ).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of authenticating the payment token and cryptogram of Shastry, based on the teaching of flagging the transaction of Blanco,  based on the teaching of authenticating the token and authentication cryptogram by the second server of Dunjic, because doing so would  establish the trusted session in the session.

 			Examiner’s statement of reason of allowance

The following is an examiner's statement of reasons for allowance: In interpreting the claims, in light of the Specification and, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
 	The present relates to a method of authenticating a transaction over a secure network. The method comprises receiving, by a first authentication server, a sensitive data payload and a cryptogram, wherein the first authentication server is configured to either receive or generate a token associated with the sensitive data payload; transmitting, by the first authentication server, the token and the cryptogram to a second authentication server, wherein the second authentication server is configured to validate the token and the cryptogram and generate a first message including a validation result; transmitting, by the second authentication server, the first message to an issuer server to authenticate the transaction; and reviewing, by the issuer server, the validation result and generating an authentication value including a validation flag based on the review of the validation result.
	 The combination of claims 2-3 and claims 11-13 incorporate into the claims 1, and 10 respectively would be allowable of the cited above cited prior art.
 	However, the prior art of record, either individually or in a reasonable combination, fails to disclose or suggest the underline limitations when in combination with the remaining limitations currently recited in the independent claims 1, and 10. In addition, updated search also did not yield any new applicable prior art with respect to the underlined limitations.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 





Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496