DETAILED ACTION

Acknowledgements
This Office Action is in response to Applicant’s response/application filed on 09/24/2020.
The Examiner notes that citations to United States Patent Application Publication paragraphs are formatted as [####], #### representing the paragraph number.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 have been canceled.
Claims 21-40 are currently pending and have been examined.






Claim Objections
Claims 22-33, and 36-40 are objected to because of the following informalities:  
In claim 22, “The method of claim 1” should be “The method of claim 21”. 
In claim 23, “The method of claim 2” should be “The method of claim 22”. 
In claim 24, “The method of claim 3” should be “The method of claim 23”. 
In claim 25, “The method of claim 4” should be “The method of claim 24”. 
In claim 26, “The method of claim 5” should be “The method of claim 25”. 
In claim 27, “The method of claim 6” should be “The method of claim 26”. 
In claim 28, “The method of claim 1” should be “The method of claim 21”. 
In claim 29, “The method of claim 8” should be “The method of claim 28”. 
In claim 30, “The method of claim 9” should be “The method of claim 29”. 
In claim 31, “The method of claim 8” should be “The method of claim 28”. 
In claim 32, “The method of claim 1” should be “The method of claim 21”. 
In claim 33, “The method of claim 1” should be “The method of claim 21”. 
In claim 36, “The method of claim 15” should be “The method of claim 35”. 
In claim 37, “The method of claim 16” should be “The method of claim 36”. 
In claim 38, “The method of claim 17” should be “The method of claim 37”. 
In claim 39, “The method of claim 15” should be “The method of claim 35”. 
In claim 40, “The method of claim 19” should be “The method of claim 39”. 
Appropriate correction is required.

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 32 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 32 includes a limitation “signing the mobile device-specific information with the public key at the self-service terminal and forwarding the signed mobile device-specific information to the mobile device”. The specification filed on 09/24/2020 does not disclose “signing the mobile device-specific information with the public key at the self-service terminal and forwarding the signed mobile device-specific information to the mobile device” ([0022] of the specification). The specification discloses the mobile device-specific information is included in a CA digital certificate ([0022]), and the CA digital certificate is signed with a private key ([0018]). Therefore, the specification does not contain full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same (MPEP 2161.01).

Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim 32 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 32 includes a limitation “signing the mobile device-specific information with the public key at the self-service terminal and forwarding the signed mobile device-specific information to the mobile device” that renders the scope of the claim indefinite because the claim is inconsistent with the disclosure of the Specification filed on 09/24/2020. In the claim, the mobile device-specific information is signed with a public key. However, the specification discloses the “mobile device-specific information” is included in a “CA digital certificate” ([0022]), and the “CA digital certificate” is signed with a private key ([0018]). For purposes of examination, the claim language will be interpreted as described in the Specification. See MPEP 2173.03.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 21, and 35 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138).
Regarding claim(s) 21, Billett discloses:
          establishing a communication channel between a mobile device of a customer and the self-service terminal (By disclosing, “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett); and “the encrypting PIN pad is located in the interior of a device, such as an ATM ([self-service terminal])” ([0017] of Billett));     
            encrypting a PIN for the customer at the mobile device (By disclosing, “a user 502 employing an application 504 installed on a mobile device is performing a financial transaction with an ATM” ([0038] of Billett); and “the user 502 enters a PIN for the ATM. At 526, the application generates a session key and encrypts the PIN for the ATM” ([0041] of Billett)); and 
            transmitting the encrypted PIN to the self-service terminal for decrypting the PIN (By disclosing, “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett); and “the encrypting PIN pad receives the PAN, PIN and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user, decrypts the PAN, PIN, and other data for a financial transaction” ([0026] of Billett)).  
           Billett does not disclose:
           verifying a public key for the self-service terminal at the mobile device.
           However, Durand teaches:
           verifying a public key for the first device terminal at the second device (By disclosing, “The first device has a certificate (Ca) comprising a public key (ga) … The first device chooses a first ephemeral private key (x), calculates a first ephemeral public key (gx), and sends its certificate (Ca) and the first ephemeral public key (gx) to the second device. Upon reception of the certificate of the first device (Ca) and the first ephemeral public key (gx), the second device verifies the certificate of the first device (Ca)…” ([0018] of Durand)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service device and a mobile device, in view of Durand to include a first device as the self-service terminal and a second device as the mobile device, and techniques of verifying a public key for the first device terminal at the second device. Doing so would result in an improved invention because this would allow the mobile device to authenticate the self-service device before transmitting sensitive information to the self-service device, thus improving the security of the claimed invention.
Regarding claim(s) 35, Billett discloses:
          a mobile device of a customer, the mobile device including a PIN entry application (By disclosing, “a user 502 employing an application 504 installed on a mobile device is performing a financial transaction with an ATM” ([0038] of Billett); and “The user 502 may also provide a PIN for the application 504” ([0040] of Billett)); 
          a self-service terminal comprising a central processing unit, a display, a card reader, a PIN entry device having an encryption processor, and a wireless interface for communicating wirelessly with the mobile device (By disclosing, “the ATM 200 comprises an ATM controller ([central processing unit]) 202 with logic for performing financial transactions, an encrypting PIN receiver ([PIN entry device]) 100, a display 204, and a cash dispenser 206” ([0025] of Billett); “The ATM 300 in this example optionally includes a card reader 302 and a PIN pad 304.” ([0027] of Billett); and “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett));    
           wherein the PIN entry application is configured to:
           encrypt a PIN for the customer (By disclosing, “a user 502 employing an application 504 installed on a mobile device is performing a financial transaction with an ATM” ([0038] of Billett); and “the user 502 enters a PIN for the ATM. At 526, the application generates a session key and encrypts the PIN for the ATM” ([0041] of Billett)), and 
           transmit the encrypted PIN to the self-service terminal (By disclosing, “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett); and “the encrypting PIN pad receives the PAN, PIN and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user, decrypts the PAN, PIN, and other data for a financial transaction” ([0026] of Billett)); and 
           wherein the encryption processor is configured to decrypt the PIN (By disclosing, “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett); and “the encrypting PIN pad receives the PAN, PIN and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user, decrypts the PAN, PIN, and other data for a financial transaction” ([0026] of Billett)).   
           Billett does not disclose:
          wherein the PIN entry application is configured to verify a public key for the self-service terminal at the mobile device.
           However, Durand teaches:
           verifying a public key for the first device terminal at the second device (By disclosing, “The first device has a certificate (Ca) comprising a public key (ga) … The first device chooses a first ephemeral private key (x), calculates a first ephemeral public key (gx), and sends its certificate (Ca) and the first ephemeral public key (gx) to the second device. Upon reception of the certificate of the first device (Ca) and the first ephemeral public key (gx), the second device verifies the certificate of the first device (Ca)…” ([0018] of Durand)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a PIN entry application of mobile device, and a self-service terminal, in view of Durand to include techniques of verifying a public key for the first device terminal at the second device. Doing so would result in an improved invention because this would allow the mobile device to authenticate the self-service device before transmitting sensitive information to the self-service device, thus improving the security of the claimed invention.

Claim(s) 22-27, 36, and 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Kazin (US 20180262339).
Regarding claim(s) 22, Billett does not disclose:
          generating an ephemeral symmetric encryption key at the mobile device.  
          However, Kazin teaches:
          generating an ephemeral symmetric encryption key at the mobile device (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Billett in view of Kazin to include generating an ephemeral symmetric encryption key at the mobile device. Doing so would result in an improved invention because this would improve the security of the data transmission by using the generated ephemeral symmetric encryption key to encrypt the data to be transmitted, and reduce the risk of data being hacked since the encryption key can be used only one time. 

Regarding claim(s) 23, Billett does not disclose:
          encrypting the ephemeral symmetric encryption key using the public key at the mobile device.  
            However, Kazin teaches:
           encrypting the ephemeral symmetric encryption key using the public key at the mobile device (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Billett in view of Kazin to include encrypting the ephemeral symmetric encryption key using the public key at the mobile device. Doing so would result in an improved invention because this would leverage the advantages of using public key encryption (e.g. allows message authentication, detects tampering, convenient, etc.).

Regarding claim(s) 24, Billett does not disclose:
          transmitting the encrypted ephemeral symmetric encryption key to the self-service terminal.  
          However, Kazin teaches:
          transmitting the encrypted ephemeral symmetric encryption key to an organization system (By disclosing, “the organization system 10 receives the encryption information (e.g., the encrypted session key) from the user application 17” ([0067] of Kazin)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal in view of Kazin to include an organization system, and transmitting the encrypted ephemeral symmetric encryption key to an organization system. Doing so would result in an improved invention because this would allow the encrypted session key to be utilized by the self-service terminal to send and receive encrypted data to and from the user mobile device, thus improving the security of the claimed invention.
 
Regarding claim(s) 25 and 37, Billett does not disclose:
          decrypting the encrypted ephemeral symmetric encryption key at the self-service terminal using a private key for the self-service terminal, the private key corresponding to the public key for the self-service terminal.  
          However, Kazin teaches:
          decrypting the encrypted ephemeral symmetric encryption key at the organization system using a private key for the organization system, the private key corresponding to the public key for the organization system (By disclosing, “the organization system 10 receives the encryption information (e.g., the encrypted session key) from the user application 17 and decrypts the encryption information (e.g., the encrypted session key using the private key stored by the organization) to identify the session key” ([0067] of Kazin); and “in order to decrypt an encrypted session key provided to the organization application 17 by the user application 27, the organization application 17 needs to know what public key and algorithm was used (e.g., what certificate with a single public key and/or what public key from multiple public keys within a single certificate was used) in order to determine the proper associated private key and algorithm for decryption” ([0075] of Kazin)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal in view of Kazin to include an organization system, and decrypting the encrypted ephemeral symmetric encryption key at the organization system using a private key for the organization system, the private key corresponding to the public key for the organization system. Doing so would result in an improved invention because this would allow the session key to be utilized by the self-service terminal to send and receive encrypted data to and from the user mobile device, thus improving the security of the claimed invention.

Regarding claim(s) 26, Billett discloses:
          the PIN is encrypted using a session key (By disclosing, “the encrypting PIN PAD receives the PAN, PIN, and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user” ([0026] of Billett)).
          Billett does not disclose:
          the PIN is encrypted using the ephemeral symmetric encryption key at the mobile device.
          However, Kazin teaches:
          the ephemeral symmetric encryption key at the mobile device is a session key (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)).    
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of encrypting the PIN using a session key, in view of Kazin to include an ephemeral symmetric encryption key at the mobile device as a session key. Doing so would result in an improved invention because this would leverage the advantages of using an ephemeral key to encrypt/decrypt sensitive information (e.g. reducing the risk of transmitted data being hacked).

Regarding claim(s) 27, Billett discloses:
          wherein the PIN is decrypted using the decrypted session key at the self-service terminal (By disclosing, “At 546, the application 504 on the mobile device asymmetrically encrypts the session key that is forwarded to the mobile device secure element 506. The mobile device NFC device 508 sends the session key and the data representative of the PIN to the ATM's NFC device 510” ([0048] of Billett); and “The ATM NFC device 510 decrypts the data representative of the financial transaction and other data for performing the transaction. In an example embodiment, the data is decrypted using the session key” ([0049] of Billett)).  
           Billett does not disclose:
           wherein the PIN is decrypted using the decrypted ephemeral symmetric encryption key at the self-service terminal.  
            However, Kazin teaches:
            the ephemeral symmetric encryption key is a session key (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)).    
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of decrypting the PIN using the decrypted session key at the self-service terminal, in view of Kazin to include an ephemeral symmetric encryption key as a session key. Doing so would result in an improved invention because this would leverage the advantages of using an ephemeral key to encrypt/decrypt sensitive information (e.g. reducing the risk of transmitted data being hacked).

Regarding claim(s) 36, Billett does not disclose:
          generate an ephemeral symmetric encryption key; 
          encrypt the ephemeral symmetric encryption key using the public key; and
          transmit the encrypted ephemeral symmetric encryption key to the self-service terminal.  
          However, Kazin teaches:
          generating an ephemeral symmetric encryption key at the mobile device (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin));          
           encrypting the ephemeral symmetric encryption key using the public key at the mobile device (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)); and  
          transmitting the encrypted ephemeral symmetric encryption key to an organization system (By disclosing, “the organization system 10 receives the encryption information (e.g., the encrypted session key) from the user application 17” ([0067] of Kazin)).
           Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal, in view of Kazin to include an organization system, and generating an ephemeral symmetric encryption key at the mobile device; transmitting the encrypted ephemeral symmetric encryption key to an organization system; and encrypting the ephemeral symmetric encryption key using the public key at the mobile device. Doing so would result in an improved invention because this would improve the security of the data transmission by using the generated ephemeral symmetric encryption key to encrypt the data to be transmitted, and reduce the risk of data being hacked since the encryption key can be used only one time, and this would also leverage the advantages of using public key encryption (e.g. allows message authentication, detects tampering, convenient, etc.).

Regarding claim(s) 38, Billett discloses:
          the PIN is encrypted using a session key (By disclosing, “the encrypting PIN PAD receives the PAN, PIN, and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user” ([0026] of Billett)); and
          wherein the PIN is decrypted using the decrypted session key at the self-service terminal (By disclosing, “At 546, the application 504 on the mobile device asymmetrically encrypts the session key that is forwarded to the mobile device secure element 506. The mobile device NFC device 508 sends the session key and the data representative of the PIN to the ATM's NFC device 510” ([0048] of Billett); and “The ATM NFC device 510 decrypts the data representative of the financial transaction and other data for performing the transaction. In an example embodiment, the data is decrypted using the session key” ([0049] of Billett)).  
          Billett does not disclose:
          the PIN is encrypted using the ephemeral symmetric encryption key at the mobile device and wherein the PIN is decrypted using the decrypted ephemeral symmetric encryption key at the self-service terminal.  
          However, Kazin teaches:
          the ephemeral symmetric encryption key at the mobile device is a session key (By disclosing, “the user application creates a symmetric session key and encrypts the symmetric session key to create an encrypted symmetric session key using a public key” ([0015] of Billett); and “It should be understood that the encrypted session key may be an ephemeral encrypted session key that is temporary and discarded after it is used” ([0066] of Kazin)).    
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of encrypting the PIN using a session key and decrypting the PIN using the decrypted session key at the self-service terminal, in view of Kazin to include an ephemeral symmetric encryption key as a session key. Doing so would result in an improved invention because this would leverage the advantages of using an ephemeral key to encrypt/decrypt sensitive information (e.g. reducing the risk of transmitted data being hacked).
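
The exchange recited in claims 21-27 (verify the terminal's public key, generate an ephemeral symmetric key, wrap it under that public key, encrypt the PIN, unwrap and decrypt at the terminal), as an added example that is not taken from the application or from Billett, Durand or Kazin. The primitives (ECDSA P-256, RSA-OAEP, AES-256-GCM), the credential layout, and every name and value in it are assumptions made for illustration; note that the credential is signed with the issuer's private key and checked with its public key, which is the distinction the § 112 rejections of claim 32 turn on.

```javascript
// Added example (not from the application or the cited references).
// Assumed primitives: ECDSA P-256 for the issuer signature, RSA-OAEP for key
// transport, AES-256-GCM for the PIN. All keys and identifiers are constructed.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Bytes covered by the issuer signature: the terminal ID bound to its public key.
function toBeSigned(terminalId, spki) {
  return Buffer.concat([Buffer.from(terminalId + '\0', 'utf8'), spki]);
}

// Hypothetical issuer standing in for the CA that vouches for terminal keys.
function makeIssuer() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Terminal key pair plus a minimal credential. The signature is produced with
// the issuer's PRIVATE key; holders of the issuer's public key can check it.
function makeTerminal(issuer, terminalId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const signature = crypto.sign('sha256', toBeSigned(terminalId, spki), issuer.privateKey);
  return { terminalId, privateKey, credential: { terminalId, spki, signature } };
}

// Mobile side: refuse to encrypt anything until the terminal key is verified.
function mobileSendPin(pin, credential, issuerPublicKey, expectedTerminalId) {
  const signed = toBeSigned(credential.terminalId, credential.spki);
  const trusted = credential.terminalId === expectedTerminalId &&
    crypto.verify('sha256', signed, issuerPublicKey, credential.signature);
  if (!trusted) throw new Error('terminal public key failed verification; PIN not sent');

  const terminalKey = crypto.createPublicKey({ key: credential.spki, format: 'der', type: 'spki' });
  const sessionKey = crypto.randomBytes(32); // ephemeral symmetric key
  const wrappedKey = crypto.publicEncrypt({ key: terminalKey, ...OAEP }, sessionKey);

  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  cipher.setAAD(Buffer.from(credential.terminalId, 'utf8')); // bind to this terminal
  const ciphertext = Buffer.concat([cipher.update(pin, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  sessionKey.fill(0); // the key is used once and discarded
  return { wrappedKey, iv, ciphertext, tag };
}

// Terminal side: unwrap the session key with the terminal's private key, then
// decrypt the PIN. decipher.final() throws if the ciphertext or tag was altered.
function terminalReceivePin(msg, terminal) {
  const sessionKey = crypto.privateDecrypt({ key: terminal.privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAAD(Buffer.from(terminal.terminalId, 'utf8'));
  decipher.setAuthTag(msg.tag);
  const pin = Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
  sessionKey.fill(0);
  return pin;
}

function demo() {
  const issuer = makeIssuer();
  const atm = makeTerminal(issuer, 'ATM-EXAMPLE-001'); // constructed identifier
  const msg = mobileSendPin('4921', atm.credential, issuer.publicKey, atm.terminalId);
  const pin = terminalReceivePin(msg, atm);

  // A credential whose public key was swapped no longer matches the signature.
  const other = makeTerminal(makeIssuer(), atm.terminalId);
  const swapped = { ...atm.credential, spki: other.credential.spki };
  let substitutedKeyRejected = false;
  try {
    mobileSendPin('4921', swapped, issuer.publicKey, atm.terminalId);
  } catch (e) {
    substitutedKeyRejected = true;
  }

  // A ciphertext modified in transit fails the GCM tag check at the terminal.
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let tamperRejected = false;
  try {
    terminalReceivePin(tampered, atm);
  } catch (e) {
    tamperRejected = true;
  }
  return { pin, substitutedKeyRejected, tamperRejected };
}

console.log(demo());
```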

Claim(s) 28, 29, 30 and 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Kazin (US 20180262339), and Muir (US 20060189382).
Regarding claim(s) 28 and 39, Billett discloses:
          encrypting the PIN using the public key. (By disclosing, “the session key and PIN are received. They may be received together (e.g., encrypted by the ATM's public key)” ([0056] of Billett)).
          Billett does not disclose:
          requesting a one-time public key from the self-service terminal;
          receiving the one-time public key from the self-service terminal; and 
          encrypting the PIN using the one-time public key.  
           However, Kazin teaches:
           requesting a public key from the organization system (By disclosing, “when a user 4 visits an application, such as an organization application 17 (e.g., secure website), the user application 27, such as the user’s web browser, requests a certificate (or in some cases multiple certificates for different purposes) from the secure website. The secure website then provides (e.g., allows access to or sends) the certificate with the certificate information to the user’s web browser” ([0041] of Kazin); and “the single certificate includes two or more digital signatures and may include encryption information (e.g., one or more public keys, or other encryption method)” ([0058] of Kazin)); 
           receiving the public key from the organization system (By disclosing, “when a user 4 visits an application, such as an organization application 17 (e.g., secure website), the user application 27, such as the user’s web browser, requests a certificate (or in some cases multiple certificates for different purposes) from the secure website. The secure website then provides (e.g., allows access to or sends) the certificate with the certificate information to the user’s web browser” ([0041] of Kazin); and “the single certificate includes two or more digital signatures and may include encryption information (e.g., one or more public keys, or other encryption method)” ([0058] of Kazin)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service system in view of Kazin to include an organization system and include techniques of requesting a public key from the self-service terminal; and receiving the public key from the self-service terminal. Doing so would result in an improved invention because this would allow the public key to be received by the mobile device directly from the self-service terminal, thus reducing the risk of the public key being hacked and improving the security of the claimed invention.
          And Muir teaches:
          a one-time public key (By disclosing, “a gaming machine provides a mixed one time public key for the player” ([0150] of Muir)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a regular public key, in view of Muir to include a one-time public key. Doing so would result in an improved invention because this would allow the public key to be discarded after it is used, thus improving the security of the claimed invention.

Regarding claim(s) 29, Billett does not disclose:
          signing the one-time public key at the self-service terminal with a private key for the self-service terminal, the private key corresponding to the public key for the self-service terminal.  
           However, Kazin teaches:
           signing the public key at the organization system with a private key for the organization system, the private key corresponding to the public key for the organization system (By disclosing, “In other embodiments of the invention, the organization application may create a self-signed certificate or self-signed digital signature, or otherwise create its own encryption information, such as a self-signed or self-created public and private key pair. A self-signed certificate or digital signature may be the same as a certificate or digital signature generated by a certificate authority” ([0094] of Kazin); “one or more certificates (e.g., a first certificate, or the like) is provided by the organization application 17 to the user application 27. The first certificate includes the first digital signature and the first encryption information (e.g., first public key)” ([0070] of Kazin); and “the public key attached to the certificate (e.g., can be otherwise described as the organization application public key) has an associated private key (e.g., can be otherwise described as the organization application private key) to which only the organization holding the certificate has access” ([0052] of Kazin)).
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal in view of Kazin to include techniques of signing the public key at the organization system with a private key for the organization system, the private key corresponding to the public key for the organization system. Doing so would result in an improved invention because this would allow the public key to be transferred securely by signing/encrypting the public key, thus improving the security of data transmission of the claimed invention.
           And Muir teaches:
          a one-time public key (By disclosing, “a gaming machine provides a mixed one time public key for the player” ([0150] of Muir)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a regular public key, in view of Muir to include a one-time public key.  Doing so would result in an improved invention because this would allow the public key to be discarded after it is used, thus improving the security of the claimed invention.
Regarding claim(s) 30, Billett discloses:
          encrypting the PIN using the public key (By disclosing, “the session key and PIN are received. They may be received together (e.g., encrypted by the ATM's public key)” ([0056] of Billett)).
          Billett does not disclose:
          verifying the signature of the one-time public key at the mobile device using the public key for the self-service terminal prior to encrypting the PIN using the one-time public key.  
         However, Kazin teaches:
         verifying the signature of the public key at the mobile device using the public key for the organization system prior to encrypting using the public key (By disclosing, “as illustrated by block 320 in Fig. 4, one or more certificates (e.g., a first certificate, or the like) is provided by the organization application 17 to the user application 27. The first certificate includes the first digital signature and the first encryption information (e.g., first public key)” ([0070] of Kazin); “Block 330 of FIG. 4 illustrates that the user application 27 attempts to verify the first certificate the same way as was previously discussed with respect to block 230 of FIG. 3.” ([0071] of Kazin); and “As illustrated by block 370 in FIG. 4, and as previously discussed with respect to block 270 in FIG. 3, the user application utilizes the encryption information (e.g., the public key) from the certificate in order to create an encrypted session key (e.g., an encrypted symmetric session key)” ([0074] of Kazin)).
           Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify encrypting the PIN using the public key, in view of Kazin to include techniques of verifying the signature of the public key at the mobile device using the public key for the organization system prior to encrypting using the public key. Doing so would result in an improved invention because this would allow the user to authenticate the identity of the self-service terminal and this would also help the user determine that the interaction between the user and the self-service system has not been compromised, thus improving the security of the claimed invention.
          And Muir teaches:
          a one-time public key (By disclosing, “a gaming machine provides a mixed one time public key for the player” ([0150] of Muir)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a regular public key, in view of Muir to include a one-time public key.  Doing so would result in an improved invention because this would allow the public key to be discarded after it is used, thus improving the security of the claimed invention.

Claim(s) 31 and 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Kazin (US 20180262339), Muir (US 20060189382), and Kadiwala (US 20200013051).
Regarding claim(s) 31 and 40, Billett does not disclose:
         wherein the PIN is decrypted using a private key corresponding to the public key.
         However, Kadiwala teaches:
         wherein the PIN is decrypted using a private key corresponding to the public key (By disclosing, “The communication device 104, as configured by the payment application 114, then, may access the encrypted transaction PIN (e.g., before the encrypted transition PIN is deleted from memory) and decrypt the encrypted transaction PIN using the private key of the primary key pair during user authentication for a contactless payment (e.g., an NFC payment, etc.).” ([0034] of Kadiwala)). 
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of decrypting the PIN at the self-service system, in view of Kadiwala to include wherein the PIN is decrypted using a private key corresponding to the public key.  Doing so would result in an improved invention because this would leverage the advantages of using public/private key encryption (e.g. allows message authentication, convenient, detects tampering, etc.).
          And Muir teaches:
          a one-time public key (By disclosing, “a gaming machine provides a mixed one time public key for the player” ([0150] of Muir)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a regular public key, in view of Muir to include a one-time public key.  Doing so would result in an improved invention because this would allow the public key to be discarded after it is used, thus improving the security of the claimed invention.

Claim(s) 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Guo (US 20090300168), and Kamikura (WO 2007099608).
Regarding claim(s) 32, Billett does not disclose:
          transmitting mobile device-specific information from the mobile device to the self-service terminal; U.S. Pat. Appl. No. 17/030,8354 Docket No.: NCR00004 (20-0623) Preliminary Amendment February 26, 2021 
          signing the mobile device-specific information with a private key at the self-service terminal and forwarding the signed mobile device-specific information to the mobile device; 
          verifying that the public key is up to date by verifying the signature of the mobile device-specific information received from the self-service terminal.
          However, Guo teaches:
         transmitting mobile device-specific information from the mobile device to an account authority service (By disclosing, “The user device collects and sends a username/password and device ID/password (and potentially, a user-friendly device name) to the account authority service in a transmission operation 204 in association with a request to create an account” ([0028] of Guo)); 
          signing the mobile device-specific information with a private key at the self-service terminal and forwarding the signed mobile device-specific information to the mobile device (By disclosing, “In a generation operation 212, the account authority service builds the device ID and public key into a device certificate and then signs the certificate using the account authority service's private key to bind the user device's public key to the device ID.” ([0031] of Guo); and “The account authority service returns the generated device certificate to the user device in a return operation 214.” ([0033] of Guo)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal in Billett, in view of Guo to include transmitting mobile device-specific information from the mobile device to an account authority service; and signing the mobile device-specific information with a private key at the account authority service and forwarding the signed mobile device-specific information to the mobile device.  Doing so would result in an improved invention because this would allow the mobile device to use the signed device-specific information as evidence that it is the device identified by the self-service terminal ([0033] of Guo).
          And Kamikura teaches:
          verifying that the public key is up to date by verifying the signature of a public key certificate received from the self-service terminal (By disclosing, “When an access request to the server device from the client device occurs, the client device and the server device acquire each other's public key certificate. This acquisition method includes acquisition of the public key certificate of the other party and acquisition of repository power. When the public key certificate of the communication partner is acquired, each device verifies its validity and validity based on the signature, expiration date, etc. of the acquired public key certificate.” ([0015] of Kamikura)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of receiving a public key and a signed mobile device-specific information from a self-service terminal, in view of Guo to include verifying that the public key is up to date by verifying the signature of a public key certificate received from the self-service terminal.  Doing so would result in an improved invention because this would allow a time limit to be set for the public key and this would also ensure the public key is available to use based on the time limit for authenticating the signed message, thus improving the security of the claimed invention.

Claim(s) 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Gillen (US 20190019144).
Regarding claim(s) 33, Billett does not disclose:
          receiving the public key for the self-service terminal at the mobile device by reading a QR code version of the public key displayed on a display of the self-service terminal.  
          However, Gillen teaches:
          receiving the public key for a first device at the mobile device by reading a QR code version of the public key displayed on a display of the first device (By disclosing, “Optical recognition may require a computing device display certain information (e.g., the temporary digital address and/or a public key) through a visual output (e.g., a QR code). This may ensure physical proximity since, in order to obtain that information, the computing device has to be close enough to scan the displayed information via the optical sensor (e.g., a camera).” ([0144] of Gillen)).
         Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of transmitting a public key from a self-service terminal, in view of Gillen to include techniques of receiving the public key for a first device at the mobile device by reading a QR code version of the public key displayed on a display of the first device.  Doing so would result in an improved invention because this would allow the public key to be transmitted to a mobile device which is in proximity of the self-service terminal, thus reducing the risk of the public key being hacked by a hacker through the internet. 

Claim(s) 34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Billett (US 20160027006), in view of Durand (US 20060093138), further in view of Kadiwala (US 20200013051).
Regarding claim(s) 34, Billett discloses:
          establishing a communication channel between a mobile device of a customer and the self-service terminal (By disclosing, “The encrypting PIN receiver 100 establishes a secure session with a mobile device associated with the user and obtains PAN, PIN, and other data for a financial transaction” ([0026] of Billett); and “the encrypting PIN pad is located in the interior of a device, such as an ATM ([self-service terminal])” ([0017] of Billett)); 
           encrypting a PIN for the customer at the mobile device; (By disclosing, “a user 502 employing an application 504 installed on a mobile device is performing a financial transaction with an ATM” ([0038] of Billett); and “the user 502 enters a PIN for the ATM. At 526, the application generates a session key and encrypts the PIN for the ATM” ([0041] of Billett)); and
          decrypting the PIN at the self-service terminal (By disclosing, “the encrypting PIN pad is located in the interior of a device, such as an ATM” ([0017] of Billett); and “the encrypting PIN pad receives the PAN, PIN and other data for a financial transaction encrypted with a session key established with the mobile device associated with the user, decrypts the PAN, PIN, and other data for a financial transaction” ([0026] of Billett)).
           Billett does not disclose:
           verifying a public key for the self-service terminal at the mobile device;
           transmitting the encrypted PIN to a host associated with the self-service terminal for signing the encrypted PIN;
           receiving the host-signed encrypted PIN at the mobile device; and
           transmitting the host-signed encrypted PIN to the self-service terminal for verifying the host signature of the host-signed encrypted PIN.
           However, Durand teaches:
          verifying a public key for the self-service terminal at the mobile device (By disclosing, “The first device has a certificate (Ca) comprising a public key (ga) … The first device chooses a first ephemeral private key (x), calculates a first ephemeral public key (gx), and sends its certificate (Ca) and the first ephemeral public key (gx) to the second device. Upon reception of the certificate of the first device (Ca) and the first ephemeral public key (gx), the second device ([mobile device]) verifies the certificate of the first device ([self-service terminal]) (Ca)…” ([0018] of Durand)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify a self-service terminal and a mobile device, in view of Durand to include a first device as the self-service terminal and a second device as the mobile device, and techniques of verifying a public key for the first device terminal at the second device.  Doing so would result in an improved invention because this would allow the mobile device to authenticate the self-service device before transmitting sensitive information to the self-service device, thus improving the security of the claimed invention.
           And Kadiwala teaches:          
          transmitting the encrypted PIN to a host associated with the self-service terminal for signing the encrypted PIN (By disclosing, “The user 106 provides the transaction PIN to the payment application 114, at 605, and the payment application 114 of the communication device 104 then submits a request to validate the transaction PIN, at 606, to the account server 102. The request to validate the transaction PIN includes the transaction PIN (e.g., in encrypted form) and other data (e.g., third-party data (e.g., the device token, etc.), etc.)” ([0068] of Kadiwala); “The account server ([host]) 102, then, determines whether a secondary key (a time-based key) specific and/or unique to the user 106 and/or the communication device 104 is available at the account server 102 (e.g., in memory 204) to decrypt and/or sign the data included in the validation request (e.g., the transaction PIN and other data (e.g., third-party data (e.g., the device token, etc.), etc.).” ([0069] of Kadiwala); and “It should be appreciated that the third party may be a different entity in one or more other embodiments, often where the third party ([self-service terminal]) engages in and/or relies on communication with the account server 102 and/or …, in connection with a payment account transaction, or not, etc.” ([0019] of Kadiwala)); 
          receiving the host-signed encrypted PIN at the mobile device (By disclosing, “The account server 102, then, at 616, transmits a response, including the signed and/or decrypted data, to the request to validate the transaction PIN to the communication device ([mobile device]) 104, whereby the payment application 114 of the communication device 104 receives the response” ([0070] of Kadiwala)); and
          transmitting the host-signed encrypted PIN to the self-service terminal for verifying the host signature of the host-signed encrypted PIN (By disclosing, “The account server 102, then, at 616, transmits a response, including the signed and/or decrypted data, to the request to validate the transaction PIN to the communication device 104, whereby the payment application 114 of the communication device 104 receives the response … The payment application 114 of the communication device 104 then, at 620, makes a service call (e.g., a web service call, etc.) to the third party server 108. The service call includes the data included in the response to the request to validate the transaction PIN” ([0070] of Kadiwala)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of encrypting a PIN at a mobile device, in view of Kadiwala to include techniques of transmitting the encrypted PIN to a host associated with the self-service terminal for signing the encrypted PIN; receiving the host-signed encrypted PIN at the mobile device; and transmitting the host-signed encrypted PIN to the self-service terminal for verifying the host signature of the host-signed encrypted PIN.
Doing so would result in an improved invention because this would allow the self-service terminal to authenticate the host and determine that the host is legitimate to transmit the information in future communications, thus improving the security of the claimed invention.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
WO 2010114799 to Coppinger for disclosing securing a payment transaction with trusted code base.
US 20190034900 to Lo for disclosing modular electronic funds transfer point of sale device.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUAN ZHANG whose telephone number is (571)272-4642. The examiner can normally be reached Mon - Fri 10 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 5712701492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DUAN ZHANG/ Examiner, Art Unit 3685
/JAY HUANG/ Primary Examiner, Art Unit 3619