DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is in response to the amendments filed on 12/30/2021. Claims 1, 8, 9, and 17 have been amended. Claims 1-20 remain pending and have been considered below.

Response to Arguments
Applicant’s arguments, see page 7, filed 12/30/2021, with respect to the rejections of claims 1-8, and 17-18 under 35 U.S.C. 112(b) have been considered and are persuasive. The rejections have been withdrawn. However, the rejections of claims 9-16 are maintained as will be discussed below.
Applicant’s arguments, see pages 7-8, filed 12/30/2021, with respect to the rejections of claims 1-20 under 35 U.S.C. 102/103 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 9-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 9 recites the limitation “generating … at least the interaction data and the match result, or a derivative thereof…” It is unclear as to what the limitation “thereof” indicates. Does it mean that a derivative of the interaction data? Does it mean that a derivative of the match result? Or does it mean that a derivative of the interaction data and the match result, collectively?
Claims 10-16 are rejected under 112(b) as being dependent from the rejected claim 9.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wagner et al. (WO2017/019972 A1; hereinafter, “Wagner”) in view of Saito (US2005/0240778 A1: hereinafter, “Saito”), and further in view of Tame (US2010/0131414 A1; hereinafter, “Tame”).

Regarding claim 1:
Wagner teaches:
A method (--- claim 1) comprising:
establishing, a first communication between a user device and a resource provider computer operating a host site in an interaction between the host site and a user of the user device (para. [0076]: Referring back to FIG. 2, resource provider computer 230 may be associated with a resource provider. The resource provider may engage in transactions, sell goods or services, or provide access to goods or services to user 210. The resource provider may accept multiple forms of payment (e.g. portable device 215) and may use multiple tools to conduct different types of transactions. For example, the resource provider may operate a physical store and use access device 225 for in- person transactions. The resource provider may also sell goods and/or services via a website, and may accept payments over the Internet; para. [0069]: Access device 225 may be associated and in communication with resource provider computer 230. --- Note that access device teaches a user device; resource provider computer teaches a resource provider computer; the resource provider may also sell goods and/or services via a website, which teaches operating a host site in an interaction between the host site and a user of the user device; Access device 225 may be associated and in communication with resource provider computer 230, which teaches establishing, a first communication between a user device and a resource provider computer);
… establishing the first communication (see above), establishing, a second communication between the user device and a portable device of the user (para. [0082]: In step S502, the user 510 wants to conduct a transaction and presents his or her portable device 515 containing biometric reference template data. The biometric reference template data may comprise a biometric reference template and verification entity preference such as the preferred biometric type or subtype of verification and/or the preferred amount of attempts for each type of biometric verification. In step S504, the portable device 515 is coupled to the access device 525 and initiates a session with the access device 525, wherein the user 510 may be authenticated in the transaction using biometric verification. --- Note that the portable device teaches a portable device; the portable device 515 is coupled to the access device 525 and initiates a session with the access device 525, which teaches establishing, a second communication between the user device and a portable device);
capturing, …, a biometric sample of the user (para. [0084]: In step S510, the user 510 enters or provides his or her biometric sample into the … device 525; para. [0085]: In step S518, the biometric verification applet on portable device 515 compares the biometric sample template received from the access device 525 to the biometric reference template stored on the portable device 515. --- Note that provides his or her biometric sample teaches capturing a biometric sample of the user);
converting, …, the biometric sample into a first biometric template (para. [0084]: In step S512, the access device 525 creates a biometric sample template of the biometric sample captured from the user 510. --- Note that creates a biometric sample template of the biometric sample captured from the user teaches converting the biometric sample into a first biometric template);
comparing, by the portable device, the first biometric template with a second biometric template stored on the portable device, and determining a match result (para. [0085]: In step S518, the biometric verification applet on portable device 515 compares the biometric sample template received from the access device 525 to the biometric reference template stored on the portable device 515; para. [0079]: In step S520, the biometric verification applet sends the results of the comparison (i.e. the verification results) to the payment applet so that it may communicate the verification results to the access device 525. --- Note that portable device 515 compares the biometric sample template to the biometric reference template stored on the portable device, which teaches comparing, by the portable device, the first biometric template with a second biometric template stored on the portable device; and the verification results teaches determining a match result);
receiving, by the portable device from the resource provider computer, via the user device, interaction data (para. [0051]: A "communications channel" may refer to any suitable path for communication between two or more entities. Suitable communications channels may be present directly between two entities such as a payment processing network and a merchant or issuer computer, or may include a number of different entities. Any suitable communications protocols may be used for generating a communications channel. A communication channel may in some instance comprise a "secure communication channel," which may be established in any known manner, including the use of mutual authentication and a session key and establishment of an SSL session. However, any method of creating a secure channel may be used. By establishing a secure channel, sensitive information related to a payment device (such as account number, CVV values, expiration dates, etc.) may be securely transmitted between the two entities to facilitate a transaction; para. [0072]: User 210 may be able to use portable device 215 to conduct transactions with a resource provider associated with resource provider computer 230. --- Note that portable device 215 to conduct transactions with a resource provider associated with resource provider computer 230, and sensitive information related to a payment device (such as account number, CVV values, expiration dates, etc.) may be securely transmitted between the two entities (see Fig. 2, which illustrates a communication channel between the portable device 215 and resources provider computer 230) to facilitate a transaction, thus which implies receiving, by the portable device from the resource provider computer, via the user device, interaction data; further note that the claim does not specify what the “interaction data” means. Thus, for the sake of examination, it is interpreted as any information or signal transmitted therebetween);
generating, by the portable device, a cryptogram by encrypting at least … data …, with an encryption key (para. [0057]: In one embodiment, the BDB may be encrypted using appropriate encryption keys so that a cardholder's biometric sample template cannot be obtained by an untrusted party; para. [0028]: A "biometric data block" or BDB can be any data that contains one or more biometric sample templates and may also contain additional information that is relevant to the process of biometric verification. --- Note that the BDB may be encrypted using appropriate encryption keys, which teaches generating, by the portable device, a cryptogram by encrypting with an encryption key); and
transmitting, by the portable device, … access data stored on the portable device, to the resource provider computer via the user device (para. [0072]: User 210 may be able to use portable device 215 to conduct transactions with a resource provider associated with resource provider computer 230. Portable device 215 may store information associated with user 210 and/or a payment account. For example, portable device 215 may store payment credentials as well as personal information such as a name, address, email address, phone number, or any other suitable identification information of user 210. Portable device 215 may also store biometric data that may be read by access device 225. Portable device 215 may provide this information to access device 225 during a transaction;  para. [0086]: In step S522, the payment applet on the portable device 515 sends the verification results to the access device 525; para. [0087]: In step S524, the authorization request message comprising the verification results and the additional data are sent along a channel of communication to a verification entity that issued the verification entity preferences so that the transaction may be processed; para. [0048]: An authorization request message may also comprise additional data elements corresponding to "identification information" including, by way of example only: a service code, a CVV (card verification value), a dCVV (dynamic card verification value), an expiration date, etc. --- Note that Portable device 215 may provide this information (e.g., payment credentials) to access device 225, and the portable device 515 sends the verification results (which implies the cryptogram) to the access device 525, and further the authorization request message comprising the verification results and the additional data (i.e., identification information) are sent to a verification entity, which teaches transmitting, by the portable device, the cryptogram and access data stored on the portable device, to the resource provider computer via the user device; further note that as illustrated in Fig. 2, the portable device 215, the access device, the resource provider computer, and the authorizing entity are connected in series. Thus, any data transmitted to the authorizing entity should pass though the access device, the resource provider computer.), wherein a remote server computer in communication with the resource provider computer verifies the cryptogram …, analyzes the match result[ or the derivative of the interaction data and the match result], and allows the interaction to continue using the access data based upon the verification of the cryptogram (para. [0068]: In one embodiment, the issuer of card 110 or the verification entity may also serve as an authorization entity that authorizes a transaction, and the biometric verification results received by biometric terminal 120 may be forwarded along with the additional data to the authorization entity in the form of an authorization request message so that the transaction may be approved or declined; para. [0087]: In step S524, the authorization request message comprising the verification results and the additional data are sent along a channel of communication to a verification entity that issued the verification entity preferences so that the transaction may be processed; para. [0057]: In one embodiment, the BDB may be encrypted using appropriate encryption keys so that a cardholder's biometric sample template cannot be obtained by an untrusted party; para. [0028]: A "biometric data block" or BDB can be any data that contains one or more biometric sample templates and may also contain additional information that is relevant to the process of biometric verification. --- Note that the authorization entity and a verification entity teaches a remote server computer in communication with the resource provider computer; the authorization entity approves or declines the transaction based on the received the biometric verification results, and the biometric verification results is encrypted, which teaches verifies the cryptogram, analyzes the match result, and allows the interaction to continue using the access data based upon the verification of the cryptogram and the match result) 
Wagner is silent about:
	after establishing the first communication, establishing, a second communication between the user device and a portable device of the user;
capturing, by the portable device, a biometric sample …;
converting, by the portable device, the biometric sample into a first biometric template;
… 
generating, by the portable device, a cryptogram by encrypting at least the interaction data and the match result, or a derivative of the interaction data and the match result, with an encryption key; and
transmitting, by the portable device, the cryptogram …, wherein a remote server computer … verifies the cryptogram by decrypting the cryptogram to recover inputs to the cryptogram including the interaction data and the match result, [or the derivative of the interaction data and the match result,] analyzes the match result [or the derivative of the interaction data and the match result], and allows the interaction to continue using the access data based upon the verification of the cryptogram …
Saito teaches: 
capturing, by the portable device, a biometric sample … (para. [0031]: FIG. 1 schematically illustrates a smart card 10 for authenticating a person holding the smart card in accordance with one embodiment of the present invention; para. [0042]: FIG. 6 schematically illustrates an example of authentication process performed in the processor unit 32 in which fingerprints are used as the biometric information. First, fingerprint patterns of a person to be authenticated (who is holding the smart card) is captured by the fingerprint sensor (600). --- Note that a smart card (i.e., the processor unit 32) corresponds to the portable device; fingerprint patterns of a person is captured teaches capturing a biometric sample);
converting, by the portable device, the biometric sample into a first biometric template (para .[0042]: Then, specific characteristics to be used in the comparison are extracted from the captured finger print patterns (602) … These characteristics may be used alone or in combination. The extracted characteristics are compared with the corresponding templates stored in the memory (604). --- Note that specific characteristics to be used in the comparison are extracted, which teaches converting the biometric sample into a first biometric template);
… 
transmitting, by the portable device, the cryptogram … (para. [0042]: If the extracted characteristics are determined to match the templates, the authentication result is positive, i.e., the person is successfully authenticated … An authentication signal representing the result is generated (606), encrypted (608), and then transmitted (610) via the signal antenna. --- Note that the result is encrypted (608), and then transmitted (610) teaches transmitting the cryptogram).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner’s system by enhancing Wagner’s portable device to capture the biometric sample instead of receiving it from the access device and transmit the encrypted result, as taught by Saito, to prevent the biometric information from leaking or being hacked while transferring therebetween.
The motivation is to protect the privacy of the personal information associated with the smart card while providing such a tamper-proof security system. (Saito, para. [0003])
Wagner in view of Saito is silent about:

	…
generating, by the portable device, a cryptogram by encrypting at least the interaction data and the match result, or a derivative of the interaction data and the match result, with an encryption key; and 
… wherein a remote server computer … verifies the cryptogram by decrypting the cryptogram to recover inputs to the cryptogram including the interaction data and the match result, [or the derivative of the interaction data and the match result,] analyzes the match result [or the derivative of the interaction data and the match result], and allows the interaction to continue using the access data based upon the verification of the cryptogram.
Tame teaches:
	after establishing the first communication (para. [0039]: The user of the device launches the transaction software on a mobile telephone or PC. --- Note that the communication to launch the transaction software teaches the first communication), establishing, a second communication between the user device and a portable device of the user (para. [0039]: The software now communicates with the portable identification device and instructs the user to place their finger on the device. --- Note that the communication between the software (i.e., mobile telephone) and the portable identification device teaches a second communication; here, the mobile telephone corresponds to the user device; and the portable identification device corresponds to a portable device);
	…
generating … a cryptogram by encrypting at least the interaction data and the match result[, or a derivative of the interaction data and the match result] … (para. [0039]: The portable identification device matches the biometric data acquired from the user's live finger scan to that of the stored biometric template. The portable identification device now creates a secure encrypted identification/authentication transaction message which contains the identification result code as well as a unique transaction ID code; para. [0047]: The transaction message is sent as a secured message by the portable identification device to a communication terminal via Blue Tooth or infra-red communication, which is communicated by the terminal to the authentication centre. The secure message includes the following data: the device's identity number/code; the digital signature of the stored matching biometrics template; the result code of the finger biometrics match; the date/time stamp of the transaction; the global positioning latitude and longitude co-ordinates (if a GPS module is included); certain details read from a smart card (if a smart card reading module is included in the device); data cheque codes such as CRC (cyclic redundancy codes) and other data verification codes created with Reed Solomon techniques; and other authentication data that may be required from the device by the authentication centre. --- Note that the secure message includes the result code of the finger biometrics match and the date/time stamp of the transaction, which teaches a cryptogram by encrypting at least the interaction data and the match result; here the date/time stamp of the transaction teaches the interaction data); and 
… wherein a remote server computer … verifies the cryptogram by decrypting the cryptogram to recover inputs to the cryptogram including the interaction data and the match result, [or the derivative of the interaction data and the match result,] analyzes the match result [or the derivative of the interaction data and the match result], and allows the interaction to continue using the access data based upon the verification of the cryptogram (para. [0042]: On receiving the transaction details the authentication centre will … decrypts the rest of the transaction message … It also carries out the various data checks on the data check code and in this manner authenticates the device and the transaction data.; para. [0043]: The message contains the authentication results plus the identification results received from the portable identification device; para. [0044]: The identity and authentication results from the authentication centre will determine whether the transaction will be granted and processed by the bank or logged as a suspicious attempt. --- Note that the authentication centre decrypts the transaction message teaches a remote server computer verifies the cryptogram by decrypting the cryptogram; carries out the various data checks and authenticates the device and the transaction data teaches analyzes the match result; the transaction will be granted teaches allows the interaction to continue using the access data based upon the verification of the cryptogram).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner in view of Saito’s system by enhancing Wagner in view of Saito’s portable device to encrypt the result code of the finger biometrics match and the date/time stamp of the transaction, as taught by Tame, to make it clear which transaction is intended to be authorized. 
The motivation is to protect the system and the identity of the cardholder by preventing an unauthorized person to tamper the transaction data which is intended to be authorized.

Regarding claim 3:
Wagner in view of Saito and Tame teaches:
The method of claim 1.
Wagner further teaches:
wherein the portable device is in the form of a card (para. [0073]: FIG. 3 shows an example of a portable device 215 in the form of a card).

Regarding claim 4:
Wagner in view of Saito and Tame teaches:
The method of claim 1.
Wagner in view of Saito is silent about:
wherein the derivative is a hash of the interaction data and the match result, and wherein the method further comprises: hashing the interaction data and the match result
Tame teaches: 
wherein the derivative is a hash of the interaction data and the match result, and wherein the method further comprises: hashing the interaction data and the match result (para. [0035]: The transaction security is based on an encryption scheme that integrates the identification device and the authentication centre in an inter-reliant manner and enables the authentication centre to interrogate a device originated transaction and therefore securely authenticate the device, the matching biometrics and the transaction itself. A PKI (public key infrastructure) scheme with private and public keys as well as asymmetric encryption and digital signature hashing are used to form a secure authentication link between the device and the authentication centre).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner in view of Saito’s system by enhancing Wagner in view of Saito’s portable device to use a hash for the transaction security, as taught by Tame, to securely authenticate the device and the transaction. 
The motivation is to protect the system and the identity of the cardholder by preventing an unauthorized person to tamper the transaction data which is intended to be authorized.

Regarding claim 5:
Wagner in view of Saito and Tame teaches:
The method of claim 1.
Wagner further teaches: 
(para. [0028]: A "biometric data block" or BDB can be any data that contains one or more biometric sample templates and may also contain additional information that is relevant to the process of biometric verification; para. [0029]: A "biometric matching object" or BMO can be a data element that contains one or more biometric reference templates and a biometric program. A BMO can have a specific biometric type and biometric subtype signifying the type of biometric reference template it contains (finger, palm, iris, face, voice, etc.)).

Regarding claim 6:
Wagner in view of Saito and Tame teaches:
The method of claim 1.
Wagner further teaches: 
wherein the remote server computer is an authorizing entity computer configured to allow or deny access to secure data (para. [0068]: In one embodiment, the issuer of card 110 or the verification entity may also serve as an authorization entity that authorizes a transaction, and the biometric verification results received by biometric terminal 120 may be forwarded along with the additional data to the authorization entity in the form of an authorization request message so that the transaction may be approved or declined. --- Note that an authorization entity teaches the remote server computer; the transaction may be approved or declined, which teaches  configured to allow or deny access to secure data).

Regarding claim 7:
Wagner in view of Saito and Tame teaches:
The method of claim 1.
Wagner further teaches: 
(para. [0078]: Transaction processing computer 250 may be disposed between transport computer 240 and authorizing entity computer 260. Transaction processing computer 250 may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. For example, transaction processing computer 250 may comprise a server coupled to a network interface (e.g. , by an external communication interface), and databases of information. Transaction processing computer 250 may be representative of a transaction processing network. --- Note that transaction processing computer is one of a remote server computer; Also, it is inherent that authorizing entity computer is a processing computer).

Regarding claim 8:
Wagner in view of Saito and Tame teaches:
The method of claim 1, further comprising.
Wagner further teaches: 
prior to receiving the interaction data (--- Note that it would be obvious to one of ordinary skill in the art to transmit a request to receive data prior to receiving data): transmitting, by the portable device to the remote server computer, a request for the interaction data (para. [0049]: An "authorization request message" may be an electronic message that is sent to a payment processing network and/or an issuer of a payment card to request authorization for a transaction; para. [0068]: In one embodiment, the issuer of card 1 10 or the verification entity may also serve as an authorization entity that authorizes a transaction, and the biometric verification results received by biometric terminal 120 may be forwarded along with the additional data to the authorization entity in the form of an authorization request message so that the transaction may be approved or declined. --- Note that the biometric verification results received by biometric terminal 120 may be forwarded along with the additional data to the authorization entity in the form of an authorization request message, which teaches transmitting, by the portable device to the remote server computer, a request for the interaction data; here, transaction may be approved or declined teaches the interaction data; further note that the claim does not specify what the “interaction data” means. Thus, for the sake of examination, it is interpreted as any information or signal).

Regarding claim 9:
Claim 9 recites a portable device which corresponds to a method of claim 1, and additionally contains: 
	a processor;
a memory; and
a computer readable medium.
However, Saito teaches:
	a processor (--- Fig. 2: a processor unit 32);
a memory (--- Fig. 2: a memory 34); and
a computer readable medium (para. [0034]: The processor unit 32 also includes a volatile memory such as a random access memory (RAM) to perform authentication, execute instructions and/or process data).
Therefore, claim 9 is rejected by applying the same rationale used to reject claim 1 above and the reason stated above.

Regarding claim 11:


Regarding claim 12:
Wagner in view of Saito and Tame teaches:
The portable device of claim 9.
Wagner further teaches:
	wherein the portable device is in the form of a phone (para. [0052]: Other examples of payment devices include cellular phones, personal digital assistants (PDAs), pagers, payment cards, security cards, access cards, smart media, transponders, an electronic or digital wallet, and the like).

Regarding claim 13:
Claim 13 recites the portable device corresponds to the method of claim 5, and contains no additional limitation. Therefore, claim 13 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 14:
Wagner in view of Saito and Tame teaches:
The portable device of claim 9.
Wagner is silent about:
	wherein the portable device comprises a reader device configured to read data from the portable device.
Saito teaches:
(para. [0034]: As shown in FIG. 2, the sensor module 28 includes a biometric sensor 30. --- Note that a biometric sensor 30 reads data, thus which teaches a reader device; further note that it is unclear as to what is meant by the limitation “the portable device comprises a reader device configured to read data from the portable device”. In other words, how a reader device comprised in the portable device can read data from the portable device itself. Thus, for the sake of examination, it is interpreted the portable device comprises a reader device configured to read data).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner’s system by enhancing Wagner’s portable device to include a biometric sensor, as taught by Saito, in order to capture fingerprint patterns of a person.
The motivation for claim 1 is applicable for claim 14.

Regarding claim 15:
Wagner in view of Saito and Tame teaches:
The portable device of claim 9.
Wagner is silent about:
wherein the encryption key is stored in the memory and wherein the memory is a secure memory
Saito teaches:
	wherein the encryption key is stored in the memory and wherein the memory is a secure memory (para. [0049]: The PROM is used to store the authentication program and other application programs, an encryption application and related data and files, such as encryption key, and the above-mentioned biometric information and personal information of a specific individual. Since the software programs and information stored in the PROM should not be altered or tampered, the PROM should be one-time programmable or writable. --- Note that PROM should not be altered or tampered, which teaches a secure memory).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner’s system by enhancing Wagner’s portable device to store an encryption key in the PROM, as taught by Saito, in order not to be altered or tampered.
The motivation is to protect sensitive information associated with the smart card by preventing the encryption key from being altered or tampered.

Regarding claim 16:
Wagner in view of Saito and Tame teaches:
The portable device of claim 9.
Wagner in view of Saito is silent about:
wherein the interaction data comprises a time stamp.
Tame teaches:
wherein the interaction data comprises a time stamp (para. [0047]: The transaction message is sent as a secured message by the portable identification device to a communication terminal via Blue Tooth or infra-red communication, which is communicated by the terminal to the authentication centre. The secure message includes the following data: the device's identity number/code; the digital signature of the stored matching biometrics template; the result code of the finger biometrics match; the date/time stamp of the transaction; the global positioning latitude and longitude co-ordinates (if a GPS module is included); certain details read from a smart card (if a smart card reading module is included in the device); data cheque codes such as CRC (cyclic redundancy codes) and other data verification codes created with Reed Solomon techniques; and other authentication data that may be required from the device by the authentication centre).
The motivation for claim 1 is applicable for claim 16.

Regarding claim 17:
Claim 17 recites a method corresponds to a method of claim 1, and contains no additional limitation. Therefore, claim 17 is rejected by applying the same rationale used to reject claim 1 above.

Regarding claim 18:
Claim 18 recites the method corresponds to the method of claim 3, and contains no additional limitation. Therefore, claim 18 is rejected by applying the same rationale used to reject claim 3 above.

Regarding claim 19:
Claim 19 recites the method corresponds to the portable device of claim 16, and contains no additional limitation. Therefore, claim 19 is rejected by applying the same rationale used to reject claim 16 above.

Regarding claim 20:
Claim 20 recites the method corresponds to the method of claim 6, and contains no additional limitation. Therefore, claim 20 is rejected by applying the same rationale used to reject claim 6 above.

Claims 2, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Wagner et al. (WO2017/019972 A1; hereinafter, “Wagner”) in view of Saito (US2005/0240778 A1: hereinafter, “Saito”), and further in view of Tame (US2010/0131414 A1; hereinafter, “Tame”) and Russell et al. (US2016/0110721 A1; hereinafter, “Russell”).

Regarding claim 2:
Wagner in view of Saito Tame teaches:
The method of claim 1.
Wagner in view of Saito and Tame is silent about:
wherein the encryption key is symmetric key.
Russell teaches:
wherein the encryption key is symmetric key (para. [0171]: Preferably, signals received by the receiver 120 and signals transmitted by the transmitter 130 are encrypted. Preferably, an asymmetric encryption scheme, such as a public key/private key scheme is used. In particular, the RSA algorithm (which is described in detail in Schneier, B. C., Applied Cryptography—Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley and Sons, Inc., New York, N.Y., 1996, which is incorporated herein by reference) is one preferred approach for encrypting information transmitted and received by the PID 100.; para. [0228]: Numerous variations to the encryption strategy can be used in various embodiments. In particular, hybrid schemes that exploit both asymmetric and symmetric algorithms may provide the convenience and security of asymmetric algorithms with the inherent speed advantage of symmetric algorithms. In a hybrid scheme, an asymmetric encryption algorithm is used to encrypt a key to a symmetric algorithm, which is used to encrypt the bulk of the message. --- Note that Numerous variations to the encryption strategy (e.g., symmetric algorithm) can be used, for example, encrypting information transmitted and received by the PID 100, which teaches wherein the encryption key is symmetric key ).
In this regard, Wagner describes that in one embodiment, the BDB may be encrypted using appropriate encryption keys so that a cardholder's biometric sample template cannot be obtained by an untrusted party. (See para. [0057])
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wagner in view of Saito and Tame’s system by enhancing Wagner in view of Saito and Tame’s portable device to encrypt the BDB by a symmetric algorithm, as taught by Russell, to prevent an untrusted party from obtaining a cardholder's biometric sample template. 
The motivation is to protect the privacy of the personal information associated with the smart card while providing such a tamper-proof security system (Saito, para. [0003]). Also, it is well known technology to encrypt sensitive information by a symmetric algorithm.

Regarding claim 10:
Claim 10 recites the portable device corresponds to the method of claim 2, and contains no additional limitation. Therefore, claim 10 is rejected by applying the same rationale used to reject claim 2 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ding et al. (CN105959287A) discloses a safety certification based on biological characteristic Method and device. 

THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KHOI TRAN can be reached on (571)-272-6919.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 

/W.Y./Examiner, Art Unit 3664



/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491