DETAILED ACTIONStatus of Claims
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This is in response to a Request for Continued Examination dated  March 2, 2022.  Claims 1-3, 8 14-16 are amended.  Claim 21 is cancelled. Claims 1-20 are pending.  All pending claims are examined.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.11, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.


Response to Arguments
Art Rejection
The invention as claimed entails receiving a request for a security code for a payment card from a requestor’s device.
Drozd discloses a POS terminal as a standard payment console used for accepting debit and credit cards and uses standard communication protocols for payment consoles…. This gateway is also used for communicating with money processor similarly to payment consoles. As a result, POS terminal engages into mobile payment transactions treating the attached apparatus as a standard payment console, which does not require any changes in POS terminal software.” (Drozd, para. 0009; see also Abstract and para. 0018).  
Moreover, Hawthorne, USP Pub. 20030130955  discloses a secure mechanism for executing card transactions that entails card number encryption that ensures the encryption key is substantially different each time it is used.  Examiner maintains the references disclose the amendments and therefore renders the arguments moot.

According to Applicant’s Specification:
[0011] user (requestor) (the terms “user” and “requestor” are used interchangeably herein, to indicate an entity, with the use of “user” and/or “requestor” depending on the stage of the process of the invention in which the entity is participating) within their phone application (app) and not on the card. The CVV does not exist until the user opens an application (app) on their trusted device, such as a smart phone…”
[0114] At the START block 302, tokens (also known as unique tokens, as each token is unique for a single issued card) are created and assigned for the card upon its issuance at the CARD ISSUER PROCESSOR 206 and shared with the CARD ISSUER/PROGRAM MANAGER 200. The process moves to block 304, where the CARD ISSUER/PROGRAM MANAGER 200 receives, from a user 240, also known as a requestor (e.g., a trusted device associated with the requestor): 1) a PIN (Personal Identification; 2) a login request, and, 3) a request for a CVV, from the device 242 (e.g., trusted device) of the requestor 240.

[0115] The process moves to block 306, where the user (requestor) 240 is attempting to log-in from a trusted device 242 (based on a unique secret device identifier) and with a user/requestor identifier, such as a PIN or other personal Identification or other identifier, such as a Touch ID (e.g., a fingerprint), which is known/available only to the user. For example, the trusted device 242 is from a list of trusted devices associated with each requestor. Should the log-in be accepted, the requestor (user) and the trusted device are acknowledged (by the CARD ISSUER/PROGRAM MANAGER 200), and the requestor (user) is logged in. This is a two factor identification, as the trusted device is identified, for example, via the unique secret device identifier, the first factor, and, the requestor (user) is identified via a user/requestor identifier such as the PIN, the second factor.

[0116] Also, should the first identifier of the two factor identification (authentication) for the trusted device represent a device which is not currently a trusted device (e.g., from a list of trusted devices associated with the requestor) for the requestor (user), this triggers a process of establishing trust in a new device to render the new device as the trusted device. This process includes, for example, confirming the current access to an identification method associated with the owner of the payment card(s), including a phone number associated with an account for the payment card(s).

[0117] For example, the user (requestor) 240 attempts to log in using their phone number such as “+447624222721” and their PIN “3234” from device 242. The unique secret device identifier (e.g., a long string value “asddad1314553636363663” which uniquely identifies the device 242) is automatically submitted to the CARD ISSUER/PROGRAM MANAGER 200 with the login request. The CARD ISSUER/PROGRAM MANAGER 200 checks whether “asddad1314553636363663” matches the currently valid trusted device identifier for the user represented by phone number “+447624222721”. Further the CARD ISSUER/PROGRAM MANAGER 200 also checks whether the PIN “3234” (entered by the user (requestor) 240) matches the PIN for the user represented by phone number “+447624222721”. If the PIN is valid but the device 242 (represented by unique secret device identifier “asddad1314553636363663”) is not trusted, a onetime password is sent (for example, by the CARD ISSUER/PROGRAM MANAGER 200), for example, by short message service (SMS) to the user's (requestor's) 240 phone number+447624222721. Providing the one time password results in the current device 242 (identified by secret identifier “asddad1314553636363663”) becoming the trusted device for user 240. If the device is a trusted device and the PIN is valid, the login is successful and a session is generated.

[0118] With the user (requestor) log-in verified and approved (authenticated), a user log-in session (for the authenticated user/requestor) is established (e.g., opened), the session being open and valid for a time period, as set by the CARD ISSUER/PROGRAM MANAGER 200. For any card the user possesses (including all cards possessed by the user/requestor), and which is identified by a linked or otherwise assigned token (unique token), a CVV (e.g., as a security code) is generated which is valid for the duration of the session. The opening of the session and the generation of the security code are performed contemporaneous in time, and may be performed in any order or simultaneously. The session may be, for example, of a fixed time, a random time within a time range. Further, a session is closed when a new session is opened such as by a new login, resulting in the generation of a new security code (CVV/CVC) for the same card(s), e.g., payment card(s).

[0119] The process moves to block 308, where the user is provided card selections of his cards from the CARD ISSUER/PROGRAM MANAGER 200, and the user selections for the card(s) are received, for example, by the CARD ISSUER/PROGRAM MANAGER 200. At block 310, the generated CVV(s) (as security code(s)) is/are transmitted to the user device 242 (e.g., from the server 200 to the client (device) 242) for each selected card (one or more cards of a user/requestor, including all of the cards for the user/requestor) together with a masked card number, for example, 5434-xxxx-xxxx-9456, and card expiry date.

[0120] Moving to block 312, the user 240, via the device 242 makes a card 20 purchase from a MERCHANT 210, for example, ARGOS®. The purchase includes the user 240 transmitting to, and the MERCHANT 210 receiving transaction data including at least: 1) the card PAN, 2) the CVV, and 3) the card expiry (expiration) date. The process moves to block 314, where the MERCHANT 210 transmits the transaction data including, for example, 1) the card PAN, 2) the CVV, and 3) the card expiry (expiration) date, to the MERCHANT ACQUIRER 212, for example, WorldPay Secure Payment Processing (WorldPay Group PLC of London UK, www.worldpay.com), who, for example, may work with ARGOS® to process ARGOS's card transactions.



Although the specification discloses tokens issued at the CARD ISSUER PROCESSOR 206 and shared with the CARD ISSUER/PROGRAM MANAGER 200, and upon authentication a session is opened that is valid for a time period as set by the card issuer /program manager “The opening of the session and the generation of the security code are performed contemporaneous in time, and may be performed in any order or simultaneously. The session may be, for example, of a fixed time, a random time within a time range. Further, a session is closed when a new session is opened such as by a new login, resulting in the generation of a new security code (CVV/CVC) for the same card(s), e.g., payment card(s).(see App. Spec. para. 0118).
However, absent is any support for “receiving, from the requestor, an indicator that the security code is to be kept active for a requestor designated time period”
The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications as what the invention claimed at the time of filing the application.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. 
In particular, the specification discloses tokens issued by the card issuer, however absent is support for receiving, from the requestor, an indicator that the security code is to be kept active for a requestor designated time period”
The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  






Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Drozd, USP Pub. No. 20120226565 in view of Hawthorne, USP Pub. No. 20030130955.
As to claim 1, Drozd discloses A method for processing a payment made by a payment card, by a first computer system including one or more computers, comprising:
receiving, by a computer of the first computer system, from a device associated with a requestor, a request for a security code for at least one payment which is associated with the requestor (Drozd, Abstract, paras. 0017-0019; claim 7; see also paras. 0009-0010)
a computer of the first computer system responding to the request for the security code by authenticating the requestor, and, allowing the requestor to perform transactions using the at least one payment card, the authenticating the requestor including: accepting and verifying a first identifier for the device, and, accepting and verifying a second identifier associated with the requestor(Drozd, Abstract, paras. 0017-0019; claim 7; see also paras. 0009-0010).
Drozd discloses upon the authenticating the requestor being successful (Drozd, paras. 0009-0010) but does not directly disclose but Hawthorne discloses receiving, from a device associated with a requestor, a request for a security code for at least one payment card assigned a unique token and which is associated with the requestor (Hawthorne, paras. 0019-0022; see also para. 0053);
generating a security code for the at least one payment card, the security code associated with the assigned to the payment card (Hawthorne, paras. 0013-0014; 0019-0022; see also para. 0041-0044, 0053);
opening a session for the generated security code, the session open for a time period in which the generated security code is valid (Hawthorne, paras. 0019-0022; see also para. 0053); and corresponds to a security code associated with the unique token(Hawthorne, paras. 0014, 0019-0022); and,
	providing the generated security code to the requestor (Hawthorne, paras. 0014, 0019-0022; see also para. 0053) and 
receiving, from the requestor, an indicator that the security code is to be kept active for a requestor designated time period. (Hawthorne, paras. 0019-0022; see also para. 0053). 
It would have been obvious to one skilled in the art as of the time of the invention to modify Drozd with Hawthorne because it offers an improvement in the authentication process in a seamless fashion that is efficient and secure and does not require an overhaul of existing infrastructure. The generation of alternative account numbers offers an additional layer of security that protects the cardholder’s information.
As to claim 2, Drozd does not directly disclose but Hawthorne discloses the method of claim 1, additionally comprising:
a computer of second computer system;
receiving transaction data for a transaction using the at least one payment card, the transaction data including Hawthorne, paras.0013-0014, 0019-0022; see also para. 0053);
determining whether the received transaction data including the security code corresponds to the generated security code for the at least one payment card assigned, to which the unique token is assigned (Hawthorne, paras. 0019-0022, 0041; see also para. 0053); and, 
if there is a correspondence, verifying the transaction for the at least one payment card, , for the generated security code, is open (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 3, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the computer of the first computer system assigns the unique token to the at least one payment card when the at least one payment card is issued (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 4 Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the second identifier includes at least one of a personal identification number (PIN) or a fingerprint (Hawthorne, paras. 0013-0014, 0019-0022; see also para. 0053 – see rationale for combination in claim 1)
As to claim 5, Drozd discloses the method of claim 4, wherein the device includes a smartphone, a mobile computer, a mobile device, or a device suitable for running a client application (Drozd, paras. 0018-0019).
As to claim 6, Drozd discloses the method of claim 5, wherein the first identifier is a unique secret identifier associated with a device, and where a list of trusted devices is associated with each requestor(Drozd, Abstract, paras. 0017-0019; claim 7; see also paras. 0009-0010)
As to claim 7, Drozd discloses the method of claim 5, wherein, should the first identifier represent a device which is not currently a trusted device for the requestor, triggering a process of establishing trust in a new device to render the new device as the trusted device, the process including: confirmation of current access to an identification method associated with the owner of the at least one payment card, including a phone number associated with an account for the at least one payment card(Drozd, Abstract, paras. 0017-0019; claim 7; see also paras. 0009-0010)
As to claim 8, Drozd does not directly disclose but Hawthorne discloses The method of claim [[2]] 1, wherein the generated security code includes at least one of a card verification value (CVV) or a card verification code (CVC) (Hawthorne, para.0014; see also paras. 0019-0022; see also para. 0053– see rationale for combination in claim 1) .
As to claim 9, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the at least one payment card includes one payment card (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 10, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the at least one payment card includes a plurality of payment cards (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 11, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein should the session not be open for the generated security code, the transaction is not verified(Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 12, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the time period for the session includes at least one of: a fixed time, or a random time within a range, and the session is closed when a new session is opened upon the generation of a new security code for the at least one payment card (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1).
As to claim 13, Drozd does not directly disclose but Hawthorne discloses the method of claim 2, wherein the payment associated with the payment card includes a card not present payment (Hawthorne, paras. 0019-0022; see also para. 0053 – see rationale for combination in claim 1)
As to claims 14-20 contain limitations similar to claims 1-13 and are rejected in like manner.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure.  The following references are pertinent for disclosing various features relevant to the claimed invention, but they do not disclose all the claimed features, as explained further in the reasons for allowance above:
Korn, USP. Pub. No. 20070219926, discloses a mechanism for securely authenticating another entity in a transaction, thereby minimizing the  possibility of identity misrepresentation by both entities which prevents identity theft or identity fraud, and improving the security of the secure card.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHIKA OJIAKU whose telephone number is (571)270-3608. The examiner can normally be reached Monday - Friday: 8.30 AM -5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Namrata Boveja can be reached on 571 272-8105. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/CHIKAODINAKA OJIAKU/Primary Examiner, Art Unit 3696