Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to Applicant’s response on December 30, 2021 and in response to telephonic and electronic communications with Applicant’s representative, Wei-Sern Cheah on May 4th – May 6th, 2022. See attached interview summary. 
In response to the interviews, approval of the Examiner’s amendments was received by Applicant’s representative on May 6, 2022. 
	As a result, the following claims are amended and are hereby entered by Examiner’s amendments. 
	The IDS submitted on 12/30/2021 has been considered. 

Examiner’s Amendment
	An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, the amendment MUST be submitted no later than the payment of the issue fee. 
	Final authorization for this Examiner’s amendment was given by Applicant’s representative on May 6, 2022. 
	The Application has been amended as follows:

Please replace all previous claims with the below amended claims, wherein:
Claims 1-2, 5-10, 13-16, and 19 are pending.
All other claims are cancelled. 

Final Claims
1. (Currently Amended):  A method of authorizing a debit transaction comprising:
a debit terminal transmitting to a computer server an authorization request message requesting authorization for a debit transaction initiated from the debit terminal, the authorization request message including a payment credential, an online cryptogram and authorization data;
the computer server receiving the authorization request message, and authorizing the debit transaction without receiving confirmation of authenticity of an identity of an operator of the debit terminal, the authorizing the debit transaction comprising the computer server:
(i) recovering a session key by applying the payment credential and a cryptographic master key as inputs to a cryptographic algorithm,
(ii) decrypting the online cryptogram with the session key,
(iii) computing a message authentication code from the authorization data, 
(iv) confirming that the computed message authentication code matches the decrypted online cryptogram,
[[(ii)]](v) from a payment definition database, determining an account number and a default payment amount associated with the payment credential in the payment definition database, and
[[(iii)]](vi) debiting a financial account associated with the account number by a debit amount equal to the default payment amount;
the computer server transmitting to the debit terminal an authorization response message including the debit amount;
the debit terminal receiving the authorization response message; and 
without the debit terminal confirming the authenticity of the identity of the operator, the debit terminal releasing funds in the debit amount in response to the authorization response message.

2. (Previously Presented):  The method according to claim 1, further comprising the debit terminal transmitting the authorization request message to the computer server without confirming the authenticity of the identity of the operator.

3-4. (Cancelled).

5. (Currently Amended):  The method according to claim 1, wherein the debiting [[a]] the financial account comprises the computer server:
transmitting a debit request message to another computer server managing the financial account, the debit request message including the account number and the default payment amount; and
receiving from the another computer server a debit response message confirming the debiting of the financial account by the debit amount.

6. (Currently Amended):  The method according to claim 1, wherein the debit terminal transmitting [[an]] the authorization request message comprises the debit terminal receiving the online cryptogram from a payment token interfaced with the debit terminal, and the authorizing the debit transaction comprises the computer server confirming the online cryptogram without the computer server receiving confirmation of authentication of the payment token.

7. (Original):  The method according to claim 1, wherein the debit terminal includes an input device, and the transmitting an authorization request message comprises the debit terminal transmitting the authorization request message without the debit terminal receiving input from the input device.

8. (Currently Amended):  The method according to claim 1, wherein the payment definition database identifies a maximum debit rate comprising a maximum total allowable amount that may be withdrawn within a predetermined period of time, and the debiting [[a]] the financial account comprises the computer server confirming that the debit transaction does not exceed the maximum debit rate.

9. (Currently Amended):  The method according to claim 1, wherein [[the]] a debit request message includes a geographic data associated with a location of the debit terminal, the computer server receives a plurality of previously transmitted authorization request messages each requesting authorization for a respective debit transaction, and the debiting [[a]] the financial account comprises the computer server confirming that the geographic data included with a last one of the plurality of previously transmitted authorization request messages is consistent with the geographic data included with the debit request message.

10. (Currently Amended):  A credential processing server comprising:
a memory storing computer processing instructions and a payment definition database; and
a computer processing unit in communication with the memory, the computer processing instructions causing the computer processing unit to:
receive from a debit terminal an authorization request message requesting authorization for a debit transaction initiated from the debit terminal, the authorization request message including a payment credential, an online cryptogram and authorization data;
authorize the debit transaction without receiving confirmation of authenticity of an identity of an operator of the debit terminal, the authorizing the debit transaction comprising the computer processing unit:
(i) recovering a session key by applying  and a cryptographic master key as inputs to a cryptographic algorithm,
(ii) decrypting the online cryptogram with the session key,
(iii) computing a message authentication code from the authorization data, 
(iv) confirming that the computed message authentication code matches the decrypted online cryptogram,
[[(ii)]](v) from the payment definition database, determining an account number and a default payment amount associated with the payment credential in the payment definition database, and
[[(iii)]](vi) debiting a financial account associated with the account number by a debit amount equal to the default payment amount;
transmit to the debit terminal an authorization response message including the debit amount and authorizing the debit terminal to release funds in the debit amount.

11-12. (Cancelled).

13. (Previously Presented):  The credential processing server according to claim 10, wherein the computer processing instructions cause the computer processing unit to debit the financial account by:
transmitting a debit request message to another computer server managing the financial account, the debit request message including the account number and the default payment amount; and
receiving from the another computer server a debit response message confirming the debiting of the financial account by the debit amount.

14. (Previously Presented):  The credential processing server according to claim 10, wherein the payment definition database identifies a maximum debit rate comprising a maximum total allowable amount that may be withdrawn within a predetermined period of time, and the computer processing instructions cause the computer processing unit to debit the financial account by confirming that the debit transaction does not exceed the maximum debit rate.

15. (Currently Amended):  The credential processing server according to claim 10, wherein a plurality of previously transmitted authorization request messages is consistent with the geographic data included with the debit request message.

16. (Currently Amended):  A non-volatile computer-readable medium storing computer processing instructions and a payment definition database, the computer processing instructions, when executed by a computer server, causing the computer server to:
receive from a debit terminal an authorization request message requesting authorization for a debit transaction initiated from the debit terminal, the authorization request message including a payment credential, an online cryptogram and authorization data;
authorize the debit transaction without receiving confirmation of authenticity of an identity of an operator of the debit terminal, the authorizing the debit transaction comprising the computer server:
(i) recovering a session key by applying  and a cryptographic master key as inputs to a cryptographic algorithm,
(ii) decrypting the online cryptogram with the session key,
(iii) computing a message authentication code from the authorization data, 
(iv) confirming that the computed message authentication code matches the decrypted online cryptogram,
[[(ii)]](v) from the payment definition database, determining an account number and a default payment amount associated with the payment credential in the payment definition database, and
[[(iii)]](vi) debiting a financial account associated with the account number by a debit amount equal to the default payment amount;
transmit to the debit terminal an authorization response message including the debit amount and authorizing the debit terminal to release funds in the debit amount.

17-18. (Cancelled).

19. (Original):  The computer-readable medium according to claim 16, wherein the computer processing instructions cause the computer server to debit the financial account by:
transmitting a debit request message to another computer server managing the financial account, the debit request message including the account number and the default payment amount; and
receiving from the another computer server a debit response message confirming the debiting of the financial account by the debit amount.

Reasons for Allowance
Claims 1-2, 5-10, 13-16, and 19 are allowed. 

Applicant’s arguments filed on December 30, 2021, regarding claim rejection under 35 U.S.C. §112 have been fully considered and in light of the Examiner amendments, the rejections are withdrawn. 

Applicant’s arguments filed on 12/30/2021, regarding claim rejection under 35 U.S.C. §101 have been fully considered. As a result of the Examiner amendments the claims as a whole are determined to be patent eligible. Even if an abstract idea was recited, the claims include additional elements that as a whole result in the claims amounting to a practical application. The rejection is withdrawn. 

	A further search was carried out in which references cited but not relied upon, teach various elements of the claims at best. However, a combination of the references would not have been deemed obvious to one of ordinary skill in the art. 
	For instance, Great Britain Patent 2512944A to Cummins teaches making a payment using a mobile device 104 e.g. tablet, smart phone etc. which displays a 2D code e.g. QR code, including a payment cryptogram to be read by a POS terminal 120. The terminal transmits the payment information and transaction information to an acquirer 12 who transmits it to an issuer 108 for authentication. The mobile device receives payment details and a single use key via dual channel communication with mutual authentication from a remote secure element, which may also transmit the information to an issuer. Registration may be required with the remote secure element (Figure 8) and a payment application 106 may be installed and activated (Figure 9) on the mobile device which may store the payment details, a shared mobile key for decrypting received data and the single use key 118. The single use key may be generated in response to a request from a mobile including a mobile PIN. It may include an identifier identifying it with a card, an application transaction counter (ATC) and generating key e.g. CVC3 or an application cryptogram, used to generate a payment cryptogram to be included in the 2D code. An incorrect single use key may be provided if the correct PIN is not received, the payment then not being authorized. The mobile device may generate a chip authentication program (CAP) token which is authenticated by the remote system before transmitting the payment information. A contactless payment can be made without the use of a secure element.
	U.S. Patent Application Publication 2015/0019442 to Hird et al. focuses on pre-generating session keys for securing transactions. A plurality of session cryptographic keys are generated from a master cryptographic key and a respective plurality of possible values of a transaction counter. The session cryptographic keys are encrypted to provide a plurality of encrypted session cryptographic keys, which are stored in the user terminal. The master cryptographic key is deleted from the user terminal after the session keys are generated. To secure a transaction, a cryptogram is generated based on one of the encrypted session cryptographic keys and transaction data for the transaction, and the cryptogram is transmitted to a transaction terminal. The transaction counter is updated, and the encrypted session cryptographic key is deleted from the user terminal.
	Korean Application 20090116813 to Weller et al. teaches authentication in a transaction using the identity of a payer during online transactions. The authentication service of the present invention allows a card issuer to verify a cardholder's identity using a variety of authentication methods, such as the use of passwords. Also, the only system participant requiring a certificate is the issuing financial institution. One embodiment of the invention for authenticating the identity of a cardholder during an online transaction involves querying an access control server to determine if a cardholder is enrolled in the payment authentication service, requests a password from the cardholder, verifies the password, and notifies a merchant whether the cardholder's authenticity has been verified. In another aspect of the invention, a chip card and the authentication service independently generate cryptograms that must match in order for the service to verify that the correct chip card is being used by the cardholder.
	Also, U.S. Patent Application Publication 2014/0040149 to Fiske teaches authorizing an EMV transaction between a user device and a POS without user authentication. EMV standards require a user to authenticate to a device that has payment credentials, which meet the claim requirements. Also, the instant reference uses the EMV standards and also adds the use of a session key when a secure element is not available. An application on a user device can receive the session key generated by the bank and use the session key to conduct an EMV transaction. User authentication is not required.
	
The above references and all references considered throughout prosecution and those cited fail to teach the combined claim limitations of the instant Application.
An extensive new search was carried out, including prior art, non-patent literature, foreign patent search, and an interference search. The latest search did not result in any findings that were determined to read on the claimed invention.
All of Applicant’s arguments, responses to arguments, and prior art relied upon or cited throughout prosecution are incorporated herewith.
An obviousness rejection is not applicable to the claimed invention:

A method of authorizing a debit transaction comprising:
a debit terminal transmitting to a computer server an authorization request message requesting authorization for a debit transaction initiated from the debit terminal, the authorization request message including a payment credential, an online cryptogram and authorization data;
the computer server receiving the authorization request message, and authorizing the debit transaction without receiving confirmation of authenticity of an identity of an operator of the debit terminal, the authorizing the debit transaction comprising the computer server:
(i) recovering a session key by applying the payment credential and a cryptographic master key as inputs to a cryptographic algorithm,
(ii) decrypting the online cryptogram with the session key,
(iii) computing a message authentication code from the authorization data, 
(iv) confirming that the computed message authentication code matches the decrypted online cryptogram,
 (v) from a payment definition database, determining an account number and a default payment amount associated with the payment credential in the payment definition database, and
 (vi) debiting a financial account associated with the account number by a debit amount equal to the default payment amount;
the computer server transmitting to the debit terminal an authorization response message including the debit amount;
the debit terminal receiving the authorization response message; and 
without the debit terminal confirming the authenticity of the identity of the operator, the debit terminal releasing funds in the debit amount in response to the authorization response message.
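
The server-side checks of steps (i) through (vi) above, sketched as an added example that is not part of the application or of this Office action. The claim names no algorithms, so HMAC-SHA256 for key derivation and for the MAC, the XOR keystream standing in for the cipher, the balance check, and every name and sample value below are assumptions made for illustration.

```python
import hashlib
import hmac

MAC_LEN = 8  # assumed cryptogram/MAC length in bytes

# Constructed sample data: credential, account and amount are hypothetical.
PAYMENT_DEFINITIONS = {"CRED-0001": {"account": "ACCT-TEST-1", "default_amount": 2000}}

def derive_session_key(master_key, credential):
    # Step (i): payment credential and master key as inputs to one algorithm.
    return hmac.new(master_key, b"session|" + credential.encode(), hashlib.sha256).digest()

def xor_cipher(session_key, data):
    # Stand-in for the unspecified cipher (not for production use); XOR is its own inverse.
    stream = hmac.new(session_key, b"stream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def compute_mac(session_key, authorization_data):
    # Step (iii): MAC over the authorization data; keying it with the
    # session key is an assumption, the claim does not say which key is used.
    return hmac.new(session_key, b"mac|" + authorization_data, hashlib.sha256).digest()[:MAC_LEN]

def make_cryptogram(master_key, credential, authorization_data):
    # Payment-token side, used here only to build a sample request.
    sk = derive_session_key(master_key, credential)
    return xor_cipher(sk, compute_mac(sk, authorization_data))

def authorize(master_key, request, balances):
    credential = request["payment_credential"]
    sk = derive_session_key(master_key, credential)             # (i)
    decrypted = xor_cipher(sk, request["online_cryptogram"])    # (ii)
    expected = compute_mac(sk, request["authorization_data"])   # (iii)
    if not hmac.compare_digest(decrypted, expected):            # (iv), constant-time
        return {"approved": False, "reason": "cryptogram mismatch"}
    definition = PAYMENT_DEFINITIONS.get(credential)            # (v)
    if definition is None:
        return {"approved": False, "reason": "unknown credential"}
    account, amount = definition["account"], definition["default_amount"]
    if balances.get(account, 0) < amount:  # balance check is not in the claim
        return {"approved": False, "reason": "insufficient funds"}
    balances[account] -= amount                                 # (vi)
    return {"approved": True, "debit_amount": amount}

if __name__ == "__main__":
    master = b"constructed-master-key"
    data = b"terminal=T1;counter=7"  # constructed authorization data
    request = {"payment_credential": "CRED-0001", "authorization_data": data,
               "online_cryptogram": make_cryptogram(master, "CRED-0001", data)}
    balances = {"ACCT-TEST-1": 5000}
    print(authorize(master, request, balances), balances)
    request["authorization_data"] = b"terminal=T1;counter=8"  # altered in transit
    print(authorize(master, request, balances), balances)
```

The debit amount is read from the payment definition database rather than from the request, so with no operator authentication in the flow, the cryptogram check and the server-held default amount are the only controls on what the terminal releases.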

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EL MEHDI OUSSIR whose telephone number is (571)270-0191.  The examiner can normally be reached on M-F 9AM - 5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha W. Patel can be reached on 571-270-1492.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-1191.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Sincerely,

/EL MEHDI OUSSIR/
Primary Examiner, Art Unit 3685
05/06/2022