DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Applicant’s election without traverse of Group III, claims 31-39, in the reply filed on 21st December 2021, is acknowledged.
Claims 20-30 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected invention, there being no allowable generic or linking claim. Election was made without traverse in the reply of 21st December 2021.
Claims 1-19 are confirmed to have been cancelled.
Claims 31-39 are pending in the application and the status of the application is currently pending.

Claim Objections
Claim 39 objected to because of the following informalities:  Claim 39 recites raising at least one security event relating to a security status of the mobile electronic device, which describes managing a security event. Claim 39 depends on claim 35, which depends on independent claim 31, and both claims 35 and 31 are directed to the server performing the process and are not directed to a mobile device with a local risk engine. A proposed amendment involves the dependency of claim 39 to claim 38.  Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 31, 33-35 and 37-39 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without significantly more. 
The rejection is based on the subject matter eligibility test that is detailed in the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) and the October 2019 Patent Eligibility Guidance Update (October 2019 Update). The conclusions of the test support the rejection. 
In Step 1 of the test, the claims were found to be directed to one of the four statutory categories, which is a method of authenticating the user of a merchant device to proceed with processing a payment transaction. Therefore, Step 1 concludes the statutory category is a process.
In Step 2A(1), the claims were found to recite an abstract idea. Claim 31 recites 
receiving at a server, over an electronic network, an authentication request to authenticate an identity of a merchant operating the payment terminal application of the mobile electronic device, the authentication request comprising user credentials of a user linked to a merchant received via a user input module of the mobile electronic device;
authenticating, at the server, the identity of the merchant if the user credentials received over the electronic network from the mobile electronic device are validated
receiving at the server, over the electronic network, payment instrument data obtained from a wireless communication module of the mobile electronic device; and
processing a payment transaction at the server based on the payment instrument data received from the wireless communication module of the mobile electronic device and the identity authenticated based on the user credentials. 
The emphasized limitations describe the authentication of a user of a mobile device associated to a merchant, which is similar to visually identifying that an employee has signed in to work with the Point of Sale (POS) device prior to begin a transaction. The process of authentication to begin processing a transaction is similar to the abstract idea of managing legal transactions in the authentication of credentials, and commencing payment processing. This abstract idea is part of the grouping of Certain Methods of Organizing Human Activity.
The dependent claims 32-39 further support the interpretation of the abstract idea. The claims recite as follows:
Claim 32 recites: upon authenticating the identity of the merchant, transmitting one or more encryption keys from a payment switch of the server to the payment terminal application of the mobile electronic device, the one or more encryption keys configured for provisioning a software card acceptance device ("SCAD") instance on the mobile electronic device.
Claim 33 recites: if authentication of the merchant identity is declined based on exceeding a maximum permitted number of submissions of un-validated user credentials: declining authentication; and transmitting instructions to the payment terminal application of the mobile electronic device for blocking or timing-out submission of user credentials.
Claim 34 recites: if authentication of the merchant identity is declined based on failure to validate the user credentials: declining authentication; and transmitting degradation instructions or remedial action instructions to the payment terminal application of the mobile electronic device.
Claim 35 recites: receiving, at the payment terminal application of the mobile electronic device via the user input module of the mobile electronic device, user credentials of a user linked to a merchant; transmitting an authentication request message to a remote data server via the network interface module of the mobile electronic device, the authentication request message comprising the received user credentials; receiving an authentication response message from the remote data server at the payment terminal application of the mobile electronic device; and receiving payment instrument data of a payment instrument via the wireless communication module of the mobile electronic device.
Claim 36 recites: if the authentication response message comprises an indication that authentication was successful, then receiving and storing at least one encryption key received from the remote data server in a volatile storage module of the mobile electronic device.
Claim 37 recites: the user credentials are received via a touch-sensitive display screen of the mobile electronic device.
Claim 38 recites: performing at least one security check using a local risk engine of the mobile electronic device by: obtaining information relating to a security status of the mobile electronic device; processing one or more local risk engine rules from a local risk engine rule set using the obtained information; and determining whether to raise one or more security events based on the processed one or more local risk engine rules.
Claim 39 recites: raising at least one security event relating to a security status of the mobile electronic device; storing the at least one raised security event in a security event log; processing the security event log using a local risk engine of the mobile electronic device; and degrading the functionality of the payment terminal application based on a first degradation instruction received from the local risk engine, the degradation including at least one of requiring re-input of the user credentials, preventing transmission of the authentication request message, terminating the method, and invalidating stored cardholder information and encryption keys.
Claims 32 and 36 recite elements that are not part of the abstract idea and do not fall within the grouping of certain methods of organizing human activity. Thus, claim 32 and 36 are eligible.
Claim 37 recites the method of receiving the user credentials, which still is directed to the abstract idea of claim 31, because it recites the technology used to automate the acquisition of the user credentials. The other claims include emphasized limitations that show how they are still directed to the claim 31, Thus, claims 33-35 and 37-39, in context to claim 31, show how they are directed to the abstract idea.  Therefore, the result of Step 2A(1) is the claims 31, 33-35 and 37-39 recite an abstract idea.
In Step 2A(2), the claims that recite the abst4ract idea do not integrate the judicial exception into a practical application. In claim 31, the non-emphasized additional elements recite a system that automates the process of authentication through credentials and to process a transaction. The non-emphasized limitations of dependent claims 33-35 and 37-39 attempt to generally link the use of the abstract idea to a particular technological environment or field of use. Therefore, the result of Step 2A(2) is the claims 31, 33-35 and 37-39 are directed to the abstract idea. 
In Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the abstract idea. The claims 31, 33-35 and 37-39 recite a server over an electronic network. The claims further recite a payment terminal application of a mobile electronic device, which are not recited to be part of the claimed invention that is focused on the server, and a payment switch of the server, which is part of the functions of the server that will process the payment transaction. While the additional elements limit the abstract idea to a specific field of technology, there is no improvement to the functioning of the recited devices nor is there an improvement to another technology or technical field. The additional elements were determined to automate the process of authentication and payment processing, and without the technical improvements from the additional elements the process is determined to merely implement the abstract idea. Considering the additional elements individually, the claims do not include elements that are sufficient to amount to significantly more than the judicial exception. Considering the additional elements in combination, the steps do not add any meaningful limits on practicing the abstract idea more than the elements analyzed individually and thus do not add significantly more to the claimed invention. A shown above, claims 32 and 36 include Therefore, the result of Step 2B conclude the claims 31, 33-35 and 37-39 do not have significantly more, and the test concludes these claims are patent ineligible.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 35 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 35 is rejected for being indefinite. The claim recites 
receiving, at the payment terminal application of the mobile electronic device via the user input module of the mobile electronic device, user credentials of a user linked to a merchant;
transmitting an authentication request message to a remote data server via the network interface module of the mobile electronic device, the authentication request message comprising the received user credentials;
receiving an authentication response message from the remote data server at the payment terminal application of the mobile electronic device; and 
receiving payment instrument data of a payment instrument via the wireless communication module of the mobile electronic device.
Independent claim 31 describes the functions of the server to receive an authentication request… comprising user credentials of a user linked to a merchant; and receiving at the server… payment instrument data. Claim 35 does not make it clear if the set of credentials and the payment instrument data are the same as recited in claim 31 or should they be a secondary set of credentials. If they are a secondary set of credentials, would the circumstances of a second set of credentials be a new transaction with a different user or a transaction with the same user. The lack of antecedent basis makes claim 35 indefinite. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 31-39 are rejected under 35 U.S.C. 103 as being unpatentable over Jones-McFadden (US 2017/0195879, hereinafter “Jones”), in view of Labrou (US 2004/0098350, hereinafter “Labrou”).
Regarding Claim 31, Jones teaches 
receiving, at a server, over an electronic network, an authentication request to authenticate an identity of a merchant operating the payment terminal application of the mobile electronic device, the authentication request comprising user credentials of a user linked to a merchant received via a user input module of the mobile electronic device (interpreting the credentials as secure elements: “Tokens may be 16-digit numbers like credit, debit, or other like account numbers, may be numbers that are less than 16-digits, or may contain a combination of numbers, symbols, letters, or the like, and be more than, less than, or equal to 16-characters. In some 
authenticating, at the server, the identity of the merchant if the user credentials received over the electronic network from the mobile electronic device are validated (interpreting the validation is performed with the beginning of the transaction: “As illustrated in block 105, the system may identify in initiation of a transaction between the merchant and the user. This identification may be communicated from the merchant, such as an indication that a user is approaching a point of sale terminal at a merchant location or initiating check out during an online transaction session.” See Jones in [0050]);
receiving at the server, over the electronic network, payment instrument data obtained from a wireless communication module of the mobile electronic device (“Next, as illustrated in block 404, the process 400 continues by generating a merchant specific token coded for merchant input. In this way, the token may be generated specifically for the merchant to store. The token may be coded such that the merchant may input user authentication information into the token once the authentication has been identified. As such, the tokens are generated with specific programing and coding for merchant reading and allowance of the merchant to interject code into the generated token. … As illustrated in block 406, the system then allows the merchant to attach code to the token. The attached code identifies the user and user authentication into the merchant system. … This authentication may be for access to a shopping cart, loyalty account, merchant portal, or the like. 
Jones substantially teaches the allowance to complete the processing of the transaction based on the payment instrument data received from the wireless communication module of the mobile electronic device and the identity authenticated based on the user credentials (“the authentication application 258 may generate and distribute tokens, receive coded tokens, determine authentication confidence associated with received tokens, and initiate communication linkage for completion of a transaction.” See Jones in [0038]; “Finally, as illustrated in block 412, the process 400 is completed by allowing the user and the merchant to access user resources based on the token authentication for completion of the transaction between the user and the merchant.” See in [0084]).
Jones does not explicitly teach processing a payment transaction at the server 
However, Labrou does teach processing a transaction based on the response of authorization (“The service spot communicates (using a secure wired network) with the STS 106. As mentioned, the service spot acts as a medium for transporting the device 102's transaction request to the transaction server. Upon processing all the constituent parts of the transaction, the transaction server generated response, if any, will be forwarded to the device 102 and the merchant respectively. This response concludes the transaction between the merchant and the customer.” See Labrou in [0309]).  
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a third party server processing the transaction”, as taught by Labrou, because it would be further secure to complete the secure transactions in a server where the client and merchant information are received in a secure format.
Regarding Claim 32, Jones, in view of Labrou, teaches the limitations of claim 31. Jones, in view of Labrou, further teaches upon authenticating the identity of the merchant, transmitting one or more encryption keys from a payment switch of the server to the payment terminal application of the mobile electronic device, the one or more encryption keys configured for provisioning a software card acceptance device ("SCAD") instance on the mobile electronic device (“Beyond that point all the workflows, security and transactions rely on using certificates. A certificate (assuming the existence of a Public Key Infrastructure, or PKI) is associated with a particular/specific banking account owned by the user; a user can have multiple certificates, each associated with a different account. Every time that the user accepts a payment, essentially she uses the certificate as a digital signature for signing the "payment contract" sent by the merchant from the physical POS that she connect to in the store.” See Labrou in [0053]).
Regarding Claim 35, Jones, in view of Labrou, teaches the limitations of claim 31. Jones, in view of Labrou, further teaches 
receiving, at the payment terminal application of the mobile electronic device via the user input module of the mobile electronic device, user credentials of a user linked to a merchant (“…comprise user 202 authentication credentials for the user 202 that logged into an authentication required program either using a user device 
transmitting an authentication request message to a remote data server via the network interface module of the mobile electronic device, the authentication request message comprising the received user credentials (See Jones [0047]-[0049]);
receiving an authentication response message from the remote data server at the payment terminal application of the mobile electronic device (See Jones in [0050]); and
receiving payment instrument data of a payment instrument via the wireless communication module of the mobile electronic device (“the tokens may be associated with a specific digital wallet or multiple digital wallets based on the institutions and accounts with which the tokens may be associated. Moreover, the tokens themselves, or the user accounts, users, digital wallets, or the like associated with the tokens may have limitations that limit the transactions that the users may enter into using the tokens.” See Jones in [0059]; “The user may select a digital wallet or account within the digital wallet in order to enter into a transaction using a specific type of user account. As such, the digital wallets may be associated with the user's issuing financial institutions 40, other financial institutions, merchants 10 with which the user enters into transactions, or a third party institutions that facilitates transactions between users 202 and merchants 10.” See Jones in [0062]).

Claims 33 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Jones, in view of Labrou and further in view of Hammad (US 10,430,794, hereinafter “Hammad”).
Regarding Claim 33, Jones, in view of Labrou, teaches the limitations of claim 31. Jones, in view of Labrou, does not explicitly teach if authentication of the merchant identity is declined based on exceeding a maximum permitted number of submissions of un-validated user credentials: declining authentication; and transmitting instructions to the payment terminal application of the mobile electronic device for blocking or timing-out submission of user credentials. 
The limitations based on exceeding a maximum permitted number of submissions of un-validated user credentials are not recited in the independent claim 31 as clearly limiting because the authentication is approved and validated in claim 31. Thus, the negative limitation does not clearly limit the functions of the claimed invention. 
However, Hammad does teach declining authentication; and transmitting instructions to the payment terminal application of the mobile electronic device for blocking or timing-out submission of user credentials (“In one embodiment, the payment processing network 150 then forwards the authorization request message to the issuer 160 along with an indicator that specifies whether there was a match between the dynamic verification values. In one embodiment, if the dynamic verification values do not match, payment processing network 150 may decline the transaction on behalf of the issuer 160. The issuer 160 or the payment processing network 150 can then generate an authorization response message which indicates whether the transaction is approved or declined. The 
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a declined authentication”, as taught by Hammad, to further secure the account of the merchant from fraud and theft. 
Regarding Claim 34, Jones, in view of Labrou, teaches the limitations of claim 31. Jones, in view of Labrou, does not explicitly teach if authentication of the merchant identity is declined based on failure to validate the user credentials: declining authentication; and transmitting degradation instructions or remedial action instructions to the payment terminal application of the mobile electronic device.
The limitations if authentication of the merchant identity is declined based on failure to validate the user credentials are not recited in the independent claim 31 as clearly limiting because the authentication is approved and validated in claim 31. Thus, the negative limitation does not clearly limit the functions of the claimed invention.
However, Hammad does teach declining authentication; and transmitting degradation instructions or remedial action instructions to the payment terminal application of the mobile electronic device
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a declined authentication”, as taught by Hammad, to further secure the account of the merchant from fraud and theft.

Claim 36 is rejected under 35 U.S.C. 103 as being unpatentable over Jones, in view of Labrou and further in view of Jiang (US 10,192,214, hereinafter “Jiang”).
Regarding Claim 36, Jones, in view of Labrou, teaches the limitations of claim 35. Jones, in view of Labrou, does not explicitly teach if the authentication response message comprises an indication that authentication was successful, then receiving and storing at least one encryption key received from the remote data server in a volatile storage module of the mobile electronic device.
However, Jiang does teach receiving and storing at least one encryption key received from the remote data server in a volatile storage module of the mobile electronic device (“In an example embodiment, one or more signing keys 167 are utilized to authenticate and certify data by the remote system 160. For example, the signing keys 167 may be symmetric or asymmetric keys. In an example embodiment, the signing keys 167 exist only on the remote system 160 and are not readable or otherwise accessible by the merchant device 120, smart card 110 or card reader 150. An example signing key 167 is designated as a teller signing key or a cashier signing key. An example teller signing key is used to authenticate and certify a depositing funds onto a smart card 110. An example cashier signing key is used to authenticate and certify a withdrawal of funds from a smart card 110. In an example embodiment, each deposit and each withdrawal transaction is certified by a 
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a signing key”, as taught by Jiang, to further secure the account of the merchant, during a transaction, from fraud and theft. 

Claim 37 is rejected under 35 U.S.C. 103 as being unpatentable over Jones, in view of Labrou and further in view of Jiang (US 10,192,214, hereinafter “Jiang”).
Regarding Claim 37, Jones, in view of Labrou, teaches the limitations of claim 35. Jones, in view of Labrou, does not expressly teach the user credentials are received via a touch-sensitive display screen of the mobile electronic device 
However, McCauley does teach user information received via a touch-sensitive display screen of the mobile electronic device (“Referring back to the payment transaction flow 200, the seller 202 inputs, through the mobile payment application 240, various information to request for the token 208 (e.g., using a touch screen, keyboard, voice recognition, etc., of the mobile device 206). In the embodiment illustrated in FIG. 2, the various information includes personal information identifying the seller 202 
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a device with touch screen”, as taught by McCauley, because in combination with the use of tokens would secure the account of the merchant, during a transaction, from fraud and theft.

Claims 38 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Jones, in view of Labrou and further in view of Liang (US 2015/0106867, hereinafter “Liang”).
Regarding Claim 38, Jones, in view of Labrou, teaches the limitations of claim 35. Jones, in view of Labrou, does not expressly teach performing at least one security check using a local risk engine of the mobile electronic device by: obtaining information relating to a security status of the mobile electronic device; processing one or more local risk engine rules from a local risk engine rule set using the obtained information; and determining whether to raise one or more security events based on the processed one or more local risk engine rules.
However, Liang does teach performing at least one security check using a local risk engine of the mobile electronic device (“At block 503, the correlation engine may adjust the risk level of the security event based on a reliability value relating to an inventory attribute of the target of the security event when the security event relates to the inventory attribute. Usually, an attack targets a leak or vulnerability that exists in a particular environment, such as a service, a port or an operation system. If the host does not have the 
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “a risk level analysis”, as taught by Liang, to improve the authentication process that would further secure the account of the merchant from fraud and theft.
Regarding Claim 39, Jones, in view of Labrou, teaches the limitations of claim 35. Jones, in view of Labrou, does not expressly teach raising at least one security event relating to a security status of the mobile electronic device; storing the at least one raised security event in a security event log; processing the security event log using a local risk engine of the mobile electronic device; and degrading the functionality of the payment terminal application based on a first degradation instruction received from the local risk engine, the degradation including at least one of requiring re-input of the user credentials, preventing transmission of the authentication request message, terminating the method, and invalidating stored cardholder information and encryption keys
However, Liang does teach raising at least one security event relating to a security status; processing the security event log using a local risk engine; degrading the functionality of the payment terminal application based on a first degradation instruction received from the local risk engine (“At block 501, when a security event is received by a correlation engine, a corresponding correlation policy may be obtained so that the correlation engine may conduct one or more correlations for the received security event. The SIEM device may receive different kinds of security events and each kind of event may relate to some aspect of the network. For some events, an asset correlation based on whether the events are targeted at the core assets of the network is enough for estimating the risk level of the events. For other events, multiple correlations based on multiple assets attributes of the network are conducted so that the correlation engine may calculate more accurate risk levels. The administrator may configure a correlation policy for each kind of security event to define which correlation processing should be conducted for a security event and how the correlation processing results should be combined.” See Liang in [0060]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to include in the teachings of Jones “managing security events based on risk levels”, as taught by Liang, to improve the authentication process that would further secure the account of the merchant from fraud and theft.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR R MARTINEZ-HERNANDEZ whose telephone 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JOHN W. HAYES can be reached on (571) 272-6708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ERM/Examiner, Art Unit 3685       

/JOHN W HAYES/Supervisory Patent Examiner, Art Unit 3685