DETAILED ACTION

Status of Claims
Claims 5, 8, 10, 16-17, 20-22, 26, and 29 have been amended via preliminary amendment.
Claims 6, 9, 11, 18, 23-25, 27-28, and 30-36 have been canceled.
Claims 1-5, 7-8, 10, 12-17, 19-22, 26, and 29 are currently pending and have been considered by the examiner.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 19 December 2019, 29 August 2021, 14 September 2021, and 19 January 2022 have been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-4, 7, 13, and 16 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-5, 8, 14, and 17 of copending Application No. 16/695,337. Although the conflicting claims are not identical, they are not patentably distinct from each other because they differ merely in terminology, nonfunctional descriptive material, intended use, etc. 
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-4, 7-8, 11-15, 17, 19-22, and 29 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hawthorne (US 20030130955 A1).

In regards to Claims 1, 13, and 19, Hawthorne discloses:
A method for processing a payment made by a payment card comprising: receiving, from a device associated with a requestor, a request for a security code for at least one payment card/each of one or more payment cards assigned a unique token and which is associated with the requestor (See Hawthorne: Para. [0041] – “buyer's PC 10 initiates the second communication link D direct to the card issuer 18, after the buyer has decided to effect payment to the merchant: the buyer's software causes his PC to transmit, in plain, the card or account holder's reference number or other information to identify him.” – Hawthorne discloses a card issuer receiving a request for a security code from a buyer’s computer); 
responding to the request for the security code by authenticating the requestor, allowing the requestor to perform transactions using the at least one payment card/said each one or more payment cards (See Hawthorne: Para. [0041] – “In response, the card issuer's system 18 generates a random 8-digit transaction number to be used as a one-time number and encrypts this using the card holder's Unique Personal Key (retrieved from the system's file for the card holder or recreated from his reference number, name, card number and expiry date and other information and the master key, as previously described): this encrypted transaction number, preferably prefaced with the usual 6 digits identifying the card issuer and followed by the usual 2-digit check sum, is transmitted over the link D to the card holder's computer”), 
the authenticating the requestor including: accepting a first identifier for the device, and, accepting a second identifier associated with the requestor (See Hawthorne: Para. [0022] – “In carrying out each transaction, the apparatus used by the card holder is arranged to use the access PIN or password, when entered correctly by the card holder, to decrypt the encrypted Unique Personal Key. Preferably this apparatus is arranged to use the Unique Personal Key and the above-mentioned salt for encryption or decryption purposes.” – Hawthrone discloses the authentication being performed using a received first identifier (PIN) associated with a device and a received second identifier (unique personal key) associated with a requester); 
upon the authenticating the requestor being successful, generating a security code for the at least one payment card/said each one or more payment cards which has been assigned a unique token (See Hawthorne: Para. [0014] – “In a modified or second embodiment, the card issuer's apparatus may be arranged to generate a random transaction number, encrypt this and pass the encryption to the card holder: the card holder's system decrypts the encrypted transaction number and includes the random transaction number, in plain, in a one-time "card number" transmitted to the merchant and onwards to the card issuer, for checking against the random transaction number earlier generated” – Hawthorne discloses generating a random transaction number which is passed to the card holder after authentication for use in future transactions); 
opening a session for the generated security code, the session open for a time period in which the generated security code is valid (See Hawthorne: Para. [0019] – “In each of the above embodiments, preferably the encryption key is different for each transaction. Accordingly, whilst an unauthorised person may gain possession of the information relating to one transaction, this information cannot be used again, because the card number encryption will be inapplicable for such further uses. The variation of the encryption key may be derived by augmenting it with a salt, which may be the date and time generated from a time clock of the apparatus used for performing the card number encryption, or a random number generated by that apparatus. The use of the salt ensures that the encryption key is substantially different each time it is used. The salt is transmitted together with the encrypted number, to permit decryption of the latter” – Hawthorne discloses each transaction having a unique security code and thus it is clear to one of ordinary skill in the art that the security code is only valid until the next transaction is performed); and, 
providing the generated security code to the requestor (See Hawthorne: Para. [0014] – “In a modified or second embodiment, the card issuer's apparatus may be arranged to generate a random transaction number, encrypt this and pass the encryption to the card holder: the card holder's system decrypts the encrypted transaction number and includes the random transaction number, in plain, in a one-time "card number" transmitted to the merchant and onwards to the card issuer, for checking against the random transaction number earlier generated”);
receiving transaction data for a transaction using the at least one payment card, the transaction data including payment card information and a security code for the at least one payment card (See Hawthorne: Para. [0013] – “In a preferred embodiment, for use in performing transactions over the Internet, the card holder's apparatus is arranged to generate a random number which forms part of the card number passed to the merchant: we will call this random number part a transaction number. Typically the card number which is transmitted to the merchant consists of 16 digits, made up of an initial e.g. 6 digits identifying the card issuer, followed by the transaction number (e.g. 8 digits), followed by an e.g. 2- or 1-digit check sum. The card number received by the merchant is passed on by him to the card issuer, typically via his card acquirer and the card regulator (e.g. VISA or MASTERCARD). The card holder's apparatus also initiates a communication direct to the card issuer and transmits, over this link, the same "card number" (or the transaction number) in encrypted form, together with information to identify the card holder (e.g. a reference number for the card holder): the card issuer's apparatus is thus able to identify the card holder and retrieve information, from its customer records, to decrypt the encrypted "card number"” – Hawthorne discloses communicating transaction data to a merchant and card issuer including a transaction number, payment information, and a check sum), 
determining whether the payment card information corresponds to a payment card assigned to a unique token; and, if there is a correspondence, verifying the transaction for the at least one payment card, by comparing the received security code for the at least one payment card against the generated security code for the at least one payment card, provided the session for the generated security code is open (See Hawthorne: Para. [0037] – “Upon receipt of the "card number" in the usual way from the merchant's website 12, the card issuer's system makes a comparison between the 8-digit transaction number in this and its record of transaction numbers which it is ready to process. If there is a match, then the card issuer's system proceeds to process the proposed transaction in the conventional manner.” – Hawthorne discloses determining correspondence between payment information and a known card number and continuing convention transaction methodology in the event that the information corresponds).

In regards to Claims 2, 15, and 21, Hawthorne discloses:
The method of claim 1, additionally comprising: assigning a unique token to the at least one payment card when the at least one payment card is issued (See Hawthorne: Para. [0041] – “In response, the card issuer's system 18 generates a random 8-digit transaction number to be used as a one-time number and encrypts this using the card holder's Unique Personal Key (retrieved from the system's file for the card holder or recreated from his reference number, name, card number and expiry date and other information and the master key, as previously described): this encrypted transaction number, preferably prefaced with the usual 6 digits identifying the card issuer and followed by the usual 2-digit check sum, is transmitted over the link D to the card holder's computer” – Hawthorne discloses a card’s issuer having a card holder’s Unique Personal Key on file. It is clear to one of ordinary skill in the art that for this to be possible, said key would need to be generated and assigned at card issue).

In regards to Claims 3 and 22, Hawthorne discloses:
The method of claim 1, wherein the second identifier includes at least one of a personal identification number (PIN) or a fingerprint (See Hawthorne: Para. [0020] – “Preferably the card issuer's apparatus is arranged to encrypt the Unique Personal Key using an access PIN or password for the card holder. The card is sent to the card holder: also the encrypted Unique Personal Key is sent to the card holder and (preferably separately) the access PIN or password is sent to the card holder.” – Hawthorne discloses using a PIN as an identifier).

In regards to Claim 4, Hawthorne discloses:
The method of claim 3, wherein the device includes a smartphone, a mobile computer, a mobile device, or a device suitable for running a client application (See Hawthorne: Para. [0041] – “buyer's PC 10 initiates the second communication link D direct to the card issuer 18, after the buyer has decided to effect payment to the merchant: the buyer's software causes his PC to transmit, in plain, the card or account holder's reference number or other information to identify him.” – Hawthorne discloses the device being a computer which is a device suitable for running a client application).

In regards to Claims 10 and 29, Hawthorne discloses:
The method of claim 1, wherein: a) should the session not be open for the generated security code, the transaction is not verified; or, b) the time period for the session includes at least one of: a fixed time, or a random time within a range, and the session is closed when a new session is opened upon the generation of a new security code for the at least one payment card (See Hawthorne: Para. [0019] – “In each of the above embodiments, preferably the encryption key is different for each transaction. Accordingly, whilst an unauthorised person may gain possession of the information relating to one transaction, this information cannot be used again, because the card number encryption will be inapplicable for such further uses. The variation of the encryption key may be derived by augmenting it with a salt, which may be the date and time generated from a time clock of the apparatus used for performing the card number encryption, or a random number generated by that apparatus. The use of the salt ensures that the encryption key is substantially different each time it is used. The salt is transmitted together with the encrypted number, to permit decryption of the latter” – Hawthorne discloses each transaction having a unique security code and thus it is clear to one of ordinary skill in the art that the security code is only valid until the next transaction is performed. It is also clear that transaction sessions will not open unless the security code is currently active).

In regards to Claim 12, Hawthorne discloses:
The method of claim 1, wherein the payment associated with the payment card includes a card not present payment (See Hawthorne: Para. [0033] – “For placing an order over the Internet, the card holder uses, in his PC, the software and other information which was supplied to him. The software requires the card holder to enter his access PIN or password: if this PIN or password is accepted, the software enables the card holder to proceed with placing the order. It will be noted that the card holder's access PIN or password is used by his PC to permit him to proceed and place an order over the Internet, but also serves to decrypt the encrypted Unique Personal Key.” – Hawthorne discloses payment being performed online which is a card not present payment).

In regards to Claim 14, Hawthorne discloses:
The system of claim 10, wherein the processor is programmed to determine whether the payment card information corresponds to a payment card assigned to a unique token, is further programmed to query a second computer system whether the payment card information corresponds to a payment card assigned to a unique token (See Hawthorne: Para. [0041] – “This one-time number is handled in the same way as an ordinary card number and is passed on by the merchant 12 to the card issuer 18, typically via the acquirer 14 and regulator 16, together with the card expiry date and transaction value. The card issuer 18 checks whether the 8-digit transaction number, in the one-time card number thus received from the merchant, matches the random number with it generated for the transaction and, in the event of a match, proceeds to process the proposed transaction.” – Hawthorne discloses querying a regulator as well as an issuer to determine whether payment card information corresponds to a payment card assigned to a unique identifier).

In regards to Claims 17 and 20, Hawthorne discloses:
The system of claim 11, wherein the at least one payment card includes: a) one payment card; or, b) a plurality of payment cards (See Hawthorne: Para. [0041] – “buyer's PC 10 initiates the second communication link D direct to the card issuer 18, after the buyer has decided to effect payment to the merchant: the buyer's software causes his PC to transmit, in plain, the card or account holder's reference number or other information to identify him.”).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 7, 16, and 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorne in view of Huang et al. (US 20150371234 A1).

In regards to Claim 7, 16, and 26, Hawthorne discloses the method of claim 1 but fails to explicitly disclose:
wherein the generated security code includes at least one of a card verification value (CVV) or a card verification code (CVC).

However, in a similar field of endeavor, Huang discloses:
wherein the generated security code includes at least one of a card verification value (CVV) or a card verification code (CVC) (See Huang: Para. [0010] – “In an aspect, a dynamic cryptogram which can be called a dynamic-CVV (dCVV) is used to secure card payments. A dCVV is generated freshly with a key plus primary account number (PAN), expiration or expiry date (EXP), timestamp and counter, when the card is used for payment in both Card-Not-Present (CNP) and Card-Present (CP) transactions. The dCVV, which is cryptographically generated, cannot be generated without the knowledge of the card data and a secret key. Also, each dCVV is only valid for a short period of time. This prevents the replaying attack described above, since re-use of the dCVV from a previously monitored transaction will result in an authorization error.” – Huang discloses generating a CVV for card verification).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to substitute the generated security code disclosed by Hawthorne for the CVV disclosed by Huang increasing the overall usability of the invention by incorporating conventional authentication factors such as a CVV.

Claims 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorne in view of 
Korn (US 20070219926 A1).

In regards to Claim 5, Hawthorne discloses:
 The method of claim 4, wherein the first identifier is a unique secret identifier associated with a device, and 

However, Hawthorne fails to explicitly disclose but discloses:
where a list of trusted devices is associated with each requestor, and should the first identifier represent a device which is not currently a trusted device for the requestor, triggering a process of establishing trust in a new device to render the new device as the trusted device (See Korn: Para. [0048] – “If the Secure Card is unable to verify that the UIN provided by the SCID belongs to a trusted device, it reports that fact to the user and ends the session, requiring the user to troubleshoot the problem. Otherwise, the next step is for the Secure Card to verify that the UIN provided by the SCID is the SCID's actual UIN. To this end, the Secure Card issues the SCID a decryption test, which consists of the Secure Card generating a string of random text, encrypting that string using the public encryption key corresponding to the UIN provided by the SCID, and sending that encrypted text to the SCID”), 
the process including: confirmation of current access to an identification method associated with the owner of the at least one payment card, including a phone number associated with an account for the at least one payment card (See Korn: Para. [0071] – “To use the SCID for telephone transactions, it must be connected to the phone line shared by the user's telephone at the phone jack preferably located in the back of the SCID. The SCID may, but need not be, connected to the user's computer for telephone transactions. If the SCID is not connected to the user's computer, the user can be guided through the identity authentication protocol via voice prompts given through the telephone.” – Korn discloses confirming authentication for a telephone transaction and thus is associated with a phone number of the card user).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to apply the trust establishment method disclosed by Korn to create a list of trusted devices that can be referenced as an additional layer of the authentication method disclosed by Hawthorne increasing the overall security of the invention by introducing an additional layer of authentication and verification.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure..
Sabatier et al. (US 20160048836 A1) discloses a method of conducting transactions between a user device and merchant using unique identifier for authentication such as user passwords and ciphered data.
Bacastow (US 20150154597 A1) discloses systems and methods for authenticating transaction using a mobile device based primarily on the introduction of a layer of middleware facilitating authentication such as PINs and CVVs.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS K PHAN whose telephone number is (571)272-6748. The examiner can normally be reached M-F 8 am-5 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 570-270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NICHOLAS K PHAN/Examiner, Art Unit 3685                                                                                                                                                                                                        
/JAMIE R KUCAB/Primary Examiner, Art Unit 3685